HIPAA Compliance

TDAppointments is committed to maintaining HIPAA compliance and protecting PHI. While we implement technical and administrative safeguards to support HIPAA compliance, it is important to understand that:

• HIPAA compliance is a shared responsibility between healthcare providers and their business associates
• Healthcare providers using TDAppointments are responsible for their own HIPAA compliance program
• We serve as a Business Associate and implement safeguards as required by the HIPAA Business Associate Agreement (BAA)
• Our platform is designed to support HIPAA compliance, but proper use and configuration by healthcare providers is essential

We implement comprehensive administrative safeguards to ensure HIPAA compliance:

Business Associate Agreements (BAA)

• We execute Business Associate Agreements with all healthcare providers using our platform
• BAAs outline our responsibilities for protecting PHI and complying with HIPAA requirements
• All agreements are reviewed by legal counsel and include standard HIPAA compliance provisions
• BAAs can be provided upon request during the onboarding process

Workforce Training and Management

• All employees with access to PHI undergo HIPAA training upon hiring and annually thereafter
• Access to PHI is limited to authorized personnel on a need-to-know basis
• Regular security awareness training ensures staff understand their responsibilities
• Background checks are conducted for employees with access to sensitive data

Security Officer and Incident Management

• Designated Security Officer oversees HIPAA compliance and security measures
• Incident response procedures are documented and tested regularly
• Security incidents are investigated and remediated according to HIPAA breach notification rules
• Breach notification procedures comply with HIPAA requirements (notification within 60 days)

We implement robust physical safeguards to protect PHI stored and processed in our infrastructure:

Data Center Security

• All data is hosted in HIPAA-compliant, SOC 2 Type II certified cloud data centers
• Data centers are located in secure facilities with 24/7 physical security monitoring
• Access to data centers requires multi-factor authentication and is logged and audited
• Environmental controls (fire suppression, climate control, backup power) protect infrastructure

Device and Media Controls

• Workstations and devices that access PHI are encrypted and password-protected
• Removable media containing PHI is encrypted and tracked
• Secure disposal procedures ensure PHI is properly destroyed when no longer needed
• Mobile device management enforces security policies on company devices

Technical Safeguards

Technical safeguards are critical for protecting PHI in our cloud-based platform:

Access Controls

• Unique User Identification: Each user has a unique identifier and secure authentication
• Role-Based Access Control: Access to PHI is restricted based on job function and responsibilities
• Multi-Factor Authentication: MFA is required for all accounts with access to PHI
• Session Management: Automatic session timeout after periods of inactivity
• Password Policies: Strong password requirements and regular password changes

Encryption

• Encryption in Transit: All data transmitted between users and our servers is encrypted using TLS 1.3
• Encryption at Rest: All PHI stored in databases is encrypted using AES-256 encryption
• Backup Encryption: All backups are encrypted before storage
• Key Management: Encryption keys are managed securely using industry-standard key management systems

Audit Controls

• Comprehensive audit logging tracks all access to PHI, including who, what, when, and from where
• Audit logs are retained for a minimum of 6 years as required by HIPAA
• Regular audit log reviews identify unauthorized access or suspicious activity
• Audit logs are tamper-proof and cannot be modified or deleted

Transmission Security

• All API communications are secured using TLS encryption
• WhatsApp messages are transmitted through Twilio's secure infrastructure
• Email notifications use secure email protocols (TLS/SSL)
• Network segmentation and firewalls protect against unauthorized access

In the event of a security incident that may compromise PHI, we follow HIPAA breach notification requirements:

• Incident Detection: 24/7 security monitoring detects potential security incidents
• Immediate Response: Security incidents are investigated immediately upon detection
• Risk Assessment: We assess whether a breach occurred and the risk to PHI
• Breach Notification: Covered entities are notified of breaches within 60 days as required by HIPAA
• Remediation: Immediate steps are taken to contain and remediate security incidents
• Documentation: All security incidents and breaches are thoroughly documented

HIPAA compliance is a shared responsibility. As a healthcare provider using TDAppointments, you must:

• Execute a Business Associate Agreement (BAA) with TDAppointments before using the Service with PHI
• Obtain patient authorization for collecting and storing PHI in accordance with HIPAA
• Implement your own HIPAA compliance program, including workforce training and policies
• Use strong, unique passwords and enable multi-factor authentication on your accounts
• Control access to your TDAppointments account and ensure only authorized personnel have access
• Report security incidents or suspected breaches to TDAppointments immediately
• Comply with minimum necessary standards when accessing and sharing PHI
• Maintain appropriate backup and recovery procedures for your data

Compliance Documentation and Certifications

We maintain comprehensive documentation of our HIPAA compliance efforts:

• SOC 2 Type II: Annual SOC 2 audits validate our security controls and processes
• Penetration Testing: Regular third-party penetration testing identifies and addresses vulnerabilities
• Security Assessments: Annual security risk assessments evaluate our HIPAA compliance posture
• Policy Documentation: Written policies and procedures document our security and compliance measures
• BAAs: Business Associate Agreements are available for review and execution

Ongoing Compliance Efforts

HIPAA compliance is an ongoing process. We continuously:

• Monitor and update security controls to address evolving threats
• Conduct regular security training for our workforce
• Review and update policies and procedures
• Perform security assessments and risk analyses
• Stay current with HIPAA regulatory updates and guidance
• Update our platform to maintain compliance with changing requirements