Foxo Achieves HIPAA Compliance
We’ve achieved HIPAA compliance to continue to uphold the highest level of transparency, security, and privacy around Foxo users’ protected health and personal data.
The Health Insurance Portability and Accountability Act (HIPAA) regulates the way companies safeguard patients’ protected health information (PHI) through a set of physical, technical, and administrative standards.
As a leader in health tech, Foxo has focused in particular on the technical safeguards, which cover the confidentiality, integrity, and availability of electronic protected health information (ePHI), with cybersecurity as a key factor.
Why did we strive to become HIPAA compliant?
With Australian healthcare continuing to report the most incidents under the Notifiable Data Breach Scheme year on year, the majority of them attributed to stolen personal information, we wanted to hold Foxo to higher standards, help close the industry gap, and reverse the trend.
Simply put, the security and privacy of customer and patient data is our top priority. Purpose-built with a security-first mindset, the Foxo platform delivers powerful communication solutions that uphold the expectations of the healthcare community. This means having stringent standards around data protection and storage, security testing, user verification, user access controls, file sharing, and, of course, personal data.
By striving for HIPAA compliance, we wanted to ensure that our existing practices aligned with the most current standards for patient privacy – and that Foxo users could be assured even further transparency around how their data is stored, shared, and used.
Becoming HIPAA compliant now helps enterprise organisations and individuals to understand our process and operations in a way that’s recognisable, measurable, and comparable across the healthcare industry.
How did we achieve HIPAA compliance?
Our road towards achieving HIPAA compliance was paved by new and improved security and privacy activities and the maintenance of our own existing practices.
Along the way, we validated our compliance with the Privacy Act 1988, the Health Information Technology for Economic and Clinical Health (HITECH) Act, and the HIPAA Omnibus Rule, all of which further govern how our business practices handle health information.
In practical terms, we’ve incorporated the following measures into our operations to uphold HIPAA standards:
- Implemented additional policies and procedures to ensure the security and privacy of our customers’ data with ongoing regular risk assessments to maintain these.
- Provided regular cybersecurity training and awareness for all of our staff members.
- Maintained a high level of security in our software products and underlying infrastructure.
- Conducted regular security risk assessments to identify any areas for improvement.
- Updated emergency mode operation, disaster recovery, and security incident response plans.
Importantly, we’ve also appointed a HIPAA Compliance Officer, as we believe that upholding patient privacy is an ongoing commitment and a collaborative effort between software vendors, individuals, and healthcare organisations, all of whom have an obligation to manage PHI and ePHI responsibly. Our HIPAA Compliance Officer’s duties span all areas of our business, from infrastructure planning to onboarding new employees. This crucial role ensures our commitment to best practice and security growth across our business.
What does this mean for Foxo users?
We’ve made sure that Foxo is best in class when it comes to compliance so that the security and privacy of our users’ protected health and personal information are never in question.
Luke Fletcher, Co-Founder and CEO of Foxo, says, “We are constantly improving the ways in which we approach security and privacy on our platform. Although achieving HIPAA compliance is an important step for our Information Security Management & Governance (ISG) program, I consider it routine for doing business in healthcare. We encourage all vendors to go above and beyond when it comes to the critical security and privacy of personal and health data.”
Here are the ways in which this plays out on our platform:
- All users are reviewed, verified, and approved before joining the Foxo network to ensure quality control over who has access to information.
- Any personal information stays confidential at all times and is never accessible by an unauthorised user.
- Every user’s data, patient data, and shared information never leaves Australian soil to comply with data sovereignty regulations.
- Foxo is GDPR compliant and all data is stored on local, ISO-compliant servers; data is encrypted both in transit and at rest.
- Anyone can retract shared information if it’s sent to the incorrect recipient to minimise the risk of unauthorised disclosure.
- All actions are retained indefinitely in an auditable log for easy governance.
- Users must abide by strong password policies, and behavioural controls are in place to deter abuse.
- Many more behind the scenes.