Security and Privacy

We'll earn and keep your trust

HealthTap understands that security and privacy is crucial to our customers, and ourselves. Security and privacy are key to all types of data, but for healthcare data it's especially so. Our Information Security and Compliance team are committed to protecting you and your family's data. We use numerous monitoring and security tools with the industry's best practices to safeguard your information and confidentiality.

Certification and audits

As a core effort with our compliance program, we maintain a Service Organization Control Type 2 (SOC 2) Type 2 certification. This means that our controls and systems for non-financial matters including security, availability, processing integrity, confidentiality, and privacy are audited and certified by an American Institute of Certified Public Accountants (AICPA)-accredited firm on a yearly basis. This SOC 2 Type 2 also measures our compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

As a key part of our software development and engineering life cycles, we conduct penetration testing by third-party, independent firms that specialize in this service. We continuously improve our software development and engineering efforts based on the results of these tests. Additionally, Privacy Shield, General Data Protection Regulation 2016/679 (GDPR), and the upcoming California Consumer Privacy Act (CCPA) help shape our standards and policies.

Culture and process

Before a potential employee joins HealthTap, they undergo complete criminal, educational and employment background checks. In their first week with the company, they receive privacy and security training, and sign a legally binding non-disclosure and confidentiality agreement. We have regular conversations about security and privacy to support HealthTap customers as well as our own personal data. The HealthTap Information Security & Compliance team provides additional security awareness updates via email, blog posts, instant messaging, and in presentations during internal events.

The only people who have access to data are those who need it to do their jobs. This role based access control (RBAC) is integral to accessing all systems and data for HealthTap, and is reviewed on a regular basis. To access our Production Network, individuals are required to use multiple factors of authentication and obtain permission beforehand. With every new project or initiative, part of the planning process involves identifying, assessing, and planning to address the security and privacy considerations.

Technology and design

HealthTap incorporates compliance into data, product and platform architecture, as well as the code we write. We safeguard the communications between you and HealthTap by using the industry's best-practices for encryption, including Transport Layer Security (TLS) and Hypertext Transfer Protocol Secure (HTTPS) over public networks. TLS is also supported for encryption of emails while in transit.

As minimum guidelines for our servers, networks, and other computing platforms, we use various industry standards and best practices from the Center for Internet Security (CIS), Cloud Security Alliance (CSA), and other organizations.