1. Our Commitment to HIPAA
ClinicCube is committed to protecting the privacy and security of Protected Health Information (PHI) in compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health (HITECH) Act, and all applicable federal and state regulations.
As a healthcare technology platform that processes, stores, and transmits PHI on behalf of healthcare providers (Covered Entities), ClinicCube operates as a Business Associate under HIPAA. We maintain comprehensive administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of all PHI entrusted to us.
2. Protected Health Information (PHI)
PHI includes any individually identifiable health information that relates to a patient's past, present, or future physical or mental health condition, the provision of healthcare, or payment for healthcare. On our platform, PHI may include:
- Patient names, dates of birth, addresses, and contact information
- Medical records, diagnoses, treatment plans, and clinical notes
- Prescription and medication information
- Lab orders and test results
- Appointment history and scheduling data
- Insurance and billing information
- Communications between patients and providers (chat, video consultations)
3. Business Associate Agreement (BAA)
ClinicCube enters into a Business Associate Agreement with every Covered Entity (clinic or healthcare provider) that uses our platform. The BAA establishes:
- Permitted and required uses and disclosures of PHI
- Obligations to safeguard PHI against unauthorised use or disclosure
- Reporting requirements for security incidents and breaches
- Requirements for subcontractor compliance
- Terms for return or destruction of PHI upon contract termination
We also maintain BAAs with all subcontractors and third-party service providers that may access, process, or store PHI on our behalf, including cloud infrastructure providers, payment processors, and communication service providers.
4. Administrative Safeguards
We implement comprehensive administrative safeguards, including:
- Security Officer: A designated HIPAA Security Officer oversees our compliance programme.
- Privacy Officer: A designated HIPAA Privacy Officer manages policies related to PHI use and disclosure.
- Workforce Training: All employees and contractors complete HIPAA training upon hire and annually thereafter.
- Access Management: Role-based access controls ensure that only authorised personnel can access PHI. Access is granted on a minimum-necessary basis.
- Risk Assessments: Regular risk assessments identify vulnerabilities and inform our security strategy.
- Policies & Procedures: Documented policies cover data handling, incident response, access control, and workforce sanctions.
- Contingency Planning: Business continuity and disaster recovery plans ensure PHI remains available during emergencies.
5. Physical Safeguards
Our physical safeguards protect the infrastructure where PHI is stored and processed:
- Data Centre Security: PHI is hosted in SOC 2 Type II certified data centres with 24/7 physical security, biometric access controls, and surveillance.
- Facility Access Controls: Physical access to server rooms and networking equipment is restricted to authorised personnel.
- Workstation Security: Policies govern the use, positioning, and protection of workstations that access PHI.
- Device & Media Controls: Policies for hardware and electronic media ensure secure disposal, re-use, and transfer of PHI.
6. Technical Safeguards
We employ robust technical safeguards to protect PHI:
- Encryption in Transit: All data transmitted between users and our servers is protected using TLS 1.2 or higher. API communications use HTTPS exclusively.
- Encryption at Rest: PHI stored in our databases and file systems is encrypted using AES-256 encryption.
- Access Controls: Multi-factor authentication (MFA), strong password requirements, and automatic session timeouts protect user accounts.
- Audit Logging: Comprehensive audit logs track all access to and modifications of PHI, including who accessed what data, when, and from where.
- Intrusion Detection: Network monitoring and intrusion detection systems alert our security team to potential threats in real time.
- Automatic Log-off: Sessions are automatically terminated after a period of inactivity to prevent unauthorised access.
- Data Integrity: Mechanisms including checksums and database integrity constraints ensure that PHI is not improperly altered or destroyed.
7. Breach Notification
In the event of a breach of unsecured PHI, ClinicCube follows a strict incident response process in accordance with HIPAA's Breach Notification Rule:
- Detection & Investigation: Our security team investigates potential breaches immediately upon detection.
- Risk Assessment: We evaluate the nature and extent of the PHI involved, the unauthorised person who accessed it, whether PHI was actually acquired or viewed, and the extent to which the risk has been mitigated.
- Notification to Covered Entity: We notify affected Covered Entities without unreasonable delay and no later than 60 days after discovery of the breach.
- Individual Notification: Through the Covered Entity, affected individuals are notified within 60 days of breach discovery.
- HHS Notification: Breaches affecting 500 or more individuals are reported to the Department of Health and Human Services within 60 days. Smaller breaches are reported annually.
- Remediation: We implement corrective actions to prevent future breaches and document all findings.
8. Patient Rights Under HIPAA
ClinicCube supports healthcare providers in upholding patient rights under HIPAA:
- Right to Access: Patients can request access to their PHI through the patient portal.
- Right to Amendment: Patients can request corrections to inaccurate PHI via their healthcare provider.
- Right to an Accounting of Disclosures: Patients can request a log of disclosures of their PHI.
- Right to Request Restrictions: Patients can request restrictions on certain uses and disclosures of their PHI.
- Right to Confidential Communications: Patients can request to receive communications through alternative means or at alternative locations.
- Right to a Copy of the Notice: Patients can obtain a copy of their provider's Notice of Privacy Practices at any time.
9. Minimum Necessary Standard
ClinicCube applies the HIPAA Minimum Necessary Standard to all uses and disclosures of PHI. Our platform is designed so that healthcare providers, staff, and systems only access the minimum amount of PHI needed to perform a given task. Role-based access controls, field-level permissions, and data segmentation enforce this principle at the technical level.
10. Subcontractor Compliance
All third-party service providers that access, process, or store PHI on behalf of ClinicCube are required to:
- Execute a Business Associate Agreement (BAA) or equivalent data protection agreement
- Demonstrate compliance with HIPAA security requirements
- Undergo regular security assessments
- Report any security incidents or breaches involving PHI
Our key subcontractors include HIPAA-compliant cloud infrastructure providers for hosting, PCI DSS-compliant payment processors, and encrypted communication providers for telehealth services.
11. Regular Audits & Assessments
ClinicCube conducts regular compliance activities to maintain and improve our HIPAA posture:
- Annual Risk Assessments: Company-wide security risk assessments following NIST guidelines
- Penetration Testing: Third-party penetration tests are conducted at least annually
- Vulnerability Scanning: Automated vulnerability scanning of all systems on a continuous basis
- Policy Reviews: All HIPAA policies and procedures are reviewed and updated annually
- Training Verification: Completion of HIPAA training is tracked and verified for all workforce members
12. Data Retention & Disposal
We retain PHI for as long as required by the governing BAA, applicable law, or a legitimate business need. When PHI is no longer required:
- Electronic records are securely overwritten or cryptographically erased
- Physical media is destroyed using NIST 800-88-compliant methods
- Backup copies are purged according to our retention schedule
- Confirmation of destruction is documented and retained
13. Contact Us
If you have questions about our HIPAA compliance programme or wish to report a privacy concern, please contact our Privacy Officer: