Visible Health Compliance

Last Modified: April 03, 2017

Visible Health HIPAA compliance measures are outlined in this document. We take compliance seriously, and want you to learn as much as possible about our approach. To get started, below is a high-level summary of our architectural design and our guiding principles.

| Need | Visible Health Approach |
|------|-------------------------|
| Encryption | All data is encrypted in transit, end to end, and at rest. Log data is also encrypted to mitigate the risk of ePHI stored in log files. |
| Minimum Necessary Access | Access controls always default to no access unless overridden manually. |
| System Access Tracking | All access requests and changes of access, as well as approvals, are tracked and retained. |
| Monitoring | All network requests, successful and unsuccessful, are logged, along with all system logs. API PHI requests log the requestor and the data changed or viewed. Alerts are triggered on some types of malicious activity. |
| Auditing | All log data is encrypted, enabling secure access to full historical network activity records. |
| Minimum Risk to Architecture | Secure, encrypted access is the only form of public access enabled to servers. All application access must first pass through firewalls. To gain full access to Visible Health systems, users must log in via two-factor authentication through VPN, authenticate to the specific system as a regular user, and upgrade privileges on the systems temporarily as needed. |
| Vulnerability Scanning | All application code is scanned for vulnerabilities. |
| Intrusion Detection | All production systems have intrusion detection software running to proactively detect anomalies. |
| Backup | All customer data is backed up every 24 hours. |
| Disaster Recovery | Visible Health has a tested disaster recovery plan. |
| Documentation | All documentation (the policies and procedures that make up our security and compliance program) is stored and versioned using GitHub, available to customers, and published internally for all members of the workforce. |
| Risk Management | We proactively perform risk assessments to ensure that changes to our infrastructure do not expose new risks to ePHI. Risk mitigation is done before changes are pushed to production. |
| Workforce Training | All Visible Health workforce members undergo HIPAA and security training regularly. |