Is my data stored and transmitted securely in Practice Better?
Your data is encrypted both in transit (between the browser and our servers) and also at rest (when stored on our servers).
- We use AES-256 bit encryption while transferring your data to/from our servers.
- We encrypt and store data on our servers using the AES 256-bit encryption.
AES-256 is the industry standard for storing and transferring sensitive data. All backups of your data are also encrypted using AES-256 bit encryption.
We use TLS 1.2 to encrypt your data both between your browser and our servers and between our servers and other internal networks.
Is any of my data stored or processed using cloud-based services?
Yes, we use Amazon Web Services (AWS) and Box.com to store your data in the cloud.
What third-party service providers does Practice Better use to store my data?
We use Amazon Web Services and Box.com to store your data in the cloud. Our core infrastructure is hosted using these two services. We have Business Associate Agreements (HIPAA BAA) and Data Processing Agreements which requires these providers to meet the highest level of security and privacy for storing personal health information.
What data is stored using these providers?
Any documents you upload to Practice Better will be stored in AWS. Any generated PDFs for completed forms, archived notes and protocols will also be stored here.
We use Box.com to facilitate our "Document Preview" feature within the portal. This allows PDFs, Word Docs and other document types to be viewed directly from the website without having to install 3rd party extensions or download files to your computer.
Do you have agreements with these third-party cloud providers?
We have HIPAA Business Associate Agreements and GDPR Data Processing Agreements with vendors which store and process data on our behalf.
How is my data protected from unauthorized access?
We have access controls, role-based authorization and IP whitelisting in place to restrict unauthorized access to cloud data.
Both AWS and Box.com adhere to strict SSAE 18 auditing and reporting standards for managing access to data stored in their systems.
Do these cloud service providers have the ability to permanently delete my data?
Yes, these providers are mandated to provide options (which we utilize) to completely wipe data from their servers.
What happens to my data in the event of a natural disaster?
Data is replicated across multiple redundant servers within our environment which mitigates the risk of loss of connectivity with one or more nodes (this guidance is specific to our AWS infrastructure - database and file servers).
How will I be notified of changes in third-party providers who will have access to my data?
Can I export my clients' data?
You can export client data by following the instructions here:
Your export will be provided as a Zip archive which includes spreadsheets of data included in the client file and documents associated with your client.
Data you or your clients have created/uploaded to PB will be wiped completed from our system after 30 days either via automated batch processes or data retention rules defined in our infrastructure. For example:
- we have policies defined to limit database backups to a maximum of 30 rolling days.
- we run a nightly batch process to purge accounts (and related data) which have been marked for deletion by practitioner or client
What happens when I delete my data from Practice Better?
We provide the option to delete records directly in our system. Once you confirm the deletion of a client record, we will erase data from our primary databases immediately. Client data will remain in the system for up to 30 days within our backups. We have automated batch processes to purge backups within a rolling 30-day cycle.
Your clients can also request their data be deleted from the system either via the Client Portal (or by contacting us directly).
More information on this can be found here:
Can I request a record of all accesses and transfers of personal health information associated with my clients?
We can provide a record of access/transfer of your clients' health information at your request. In general, we will only access your health information at your request to assist with troubleshooting issues related to your use of the system.
Can I be provided with a threat risk and privacy impact assessment of services provided through Practice Better?
We can provide summarized reports of our regular vulnerability assessments. We generally conduct these assessments once per quarter and with the release of major features.
What policy do you have in place in the event of a data breach?
In the event of a data breach we will follow these procedures:
- Access to affected systems will be locked down
- Access credentials will be updated
- We will access the access logs and activity logs to determine the scope and impact of the breach
- Steps will be taken to determine how the breach occurred
- We will define steps to remediation (i.e. wipe data, update software code, increase logging)
- We will communicate data breach to affected parties via email
We will provide notice of breaches of security or privacy to affected parties within 72 hours.