Last Modified: April 03, 2017

Visible Health, Inc (“Visible Health”) is committed to ensuring the confidentiality, privacy, integrity, and availability of all electronic protected health information (ePHI) it receives, maintains, processes and/or transmits on behalf of its Customers. As providers of compliant, hosted infrastructure used by health technology vendors, developers, designers, agencies, custom development shops, and enterprises, Visible Health strives to maintain compliance, proactively address information security, mitigate risk for its Customers, and assure known breaches are completely and effectively communicated in a timely manner. The following documents address core policies used by Visible Health to maintain compliance and assure the proper protections of infrastructure used to store, process, and transmit ePHI for Visible Health Customers.

Visible Health Organizational Concepts

The physical infrastructure environment is hosted with Amazon Web Services (AWS) and a business associate agreement (BAA) is in place with AWS. The network components and supporting network infrastructure is contained within AWS infrastructure and managed by AWS. Visible Health does not have physical access into the network components or servers.

Within the Visible Health Platform,all data transmission is encrypted and all hard drives are encrypted so data at rest is also encrypted; this applies to all servers - databases, APIs, log servers, etc. Visible Health assumes all data may contain ePHI, even though our Risk Assessment does not indicate this is the case, and provides appropriate protections based on that assumption.

The Virtual Private Network (VPN) host, and Load Balancer servers are externally facing and accessible via the Internet. The database and application servers, where the ePHI resides, are located on the internal Visible Health network and can only be accessed directly over an SSH connection through the VPN host. The access to the internal database is restricted to a limited number of personnel and strictly controlled to only those personnel with a business justified reason. Remote access to the internal servers is not accessible except through the load balancers and VPN host.

All Visible Health platform operating systems are tested end-to-end for usability, security and impact prior to deployment to production.