Praktice AI.com, Inc (“Praktice AI”) is committed to ensuring the confidentiality, privacy, integrity, and availability of all electronic protected health information (ePHI) it receives, maintains, processes and/or transmits on behalf of its Customers. As a health technology vendor used by providers, payors and other healthcare organizations, Praktice AI strives to maintain compliance, proactively address information security, mitigate risk for its Customers, and assure known breaches are completely and effectively communicated in a timely manner. The following documents address core policies used by Praktice AI to maintain compliance and assure the proper protections of infrastructure used to store, process, and transmit ePHI for Praktice AI Customers.
Praktice AI provides secure and compliant hosted and mobile application software for healthcare providers and payor organizations. Our software falls into two broad categories: 1) Software as a Service (SaaS) and 2) Mobile Applications. These Categories are cited throughout our polices as Customers in each category may inherit different policies, procedures, and obligations from Praktice AI.
1.1 Software as a Service (SaaS)
SaaS Customers utilize hosted software from Praktice AI to implement patient-facing services aimed at informing, supporting and engaging patients as well as enabling digital workflows and care pathways. The software supporting these Customers is deployed into compliant containers run on systems secured and managed by Praktice AI. As a SaaS provider, Praktice AI secures and manages risk associated with application level vulnerabilities and security weaknesses. Praktice AI makes every effort to reduce the risk of unauthorized disclosure, access, and/or breach of SaaS Customer data through network and server settings (encryption at rest and in transit, OSSEC throughout our Platform, etc).
1.2 Mobile Applications
Mobile Applications Customers offer mobile applications on iOS and Android phones to their members or patients to implement patient-facing services aimed at informing, supporting and engaging patients as well as enabling digital work flows and care pathways. The mobile application software is developed and maintained by Praktice AI, but published in the respective application stores under the Customers’ accounts. As a developer, Praktice AI ensures compliance of mobile applications with HIPAA requirements to protect ePHI. The implemented safeguards include secure authentication, automatic log-off, data encryption at rest on the device and secure communication between the mobile client application and the server using TLS encryption.
1.3 Praktice AI Organizational Concepts
The physical infrastructure environment is hosted at Amazon Web Services (AWS). The network components and supporting network infrastructure are contained within the AWS infrastructures and managed by AWS. Praktice AI does not have physical access into the network components. The Praktice AI environment consists of Kubernetes container orchestration and scaling; nginx web servers; Node.js and Python application servers; mongoDB database servers; fluentd logging servers; Docker containers; and developer tool servers running on Linux Alpine.
Within the Praktice AI Platform on AWS, all data transmission is encrypted and all hard drives are encrypted so data at rest is also encrypted; this applies to all servers - those hosting Docker containers, databases, APIs, log servers, etc. Praktice AI assumes all data may contain ePHI, even though our Risk Assessment does not indicate this is the case, and provides appropriate protections based on that assumption.
Praktice AI has implemented strict logical access controls so that only authorized personnel are given access to the internal management servers. The environment is configured so that data is transmitted from the load balancers to the application servers over a TLS encrypted session.
The nginx web server and certain application servers are externally facing and accessible via the Internet. The database servers, where the ePHI resides, are located on the internal Praktice AI network and can only be accessed through a bridge host with secure, private key-based authentication. Access to the internal database is restricted to a limited number of personnel and strictly controlled to only those personnel with a business-justified reason. Remote access to internal servers is not accessible except through load balancers.
1.4 Requesting Audit and Compliance Reports
Praktice AI, at its sole discretion, shares audit reports with Customers on a case by case basis. All audit reports are shared under explicit NDA in Praktice AI format between Praktice AI and party to receive materials. Audit reports can be requested by Praktice AI workforce members for Customers or directly by Praktice AI Customers.
The following process is used to request audit reports:
Email is sent to compliance@Praktice AI.com. In the email, please specify the type of report being requested and any required timelines for the report.
Praktice AI staff will log an Issue with the details of the request into the Praktice AI Compliance Report Request Project on JIRA. JIRA is used to track requests status and outcomes.
Praktice AI will confirm if a current NDA is in place with the party requesting the audit report. If there is no NDA in place, Praktice AI will send one for execution.
Once it has been confirmed that an NDA is executed, Praktice AI staff will move the JIRA Issue to “Under Review”.
The Praktice AI Security Officer or Privacy Officer must Approve or Reject the Issue. If the Issue is rejected, Praktice AI will notify the requesting party that we cannot share the requested report.
If the Issue has been Approved, Praktice AI will send the customer the requested audit report and complete the JIRA Issue for the request.
1.5 Version Control
Refer to the GitHub repository at AIINC/Praktice AI-hipaa-policies/ for the full version history of these policies.
Note: These policies were adapted from work by Catalyze.io. All policies are licensed under CC BY-SA 4.0. Refer to the linked repository for additional copyright information.