The following Alohi Suite HIPAA Compliance Statement is intended to inform our Enterprise users, who are “covered entities” under HIPAA, that we are aware of their HIPAA requirements and will do our part to help ensure their patient data is kept confidential. This statement is not intended to take the place of a Business Associate Agreement (BAA).
We have instituted policies and procedures to ensure that our customers’ data is kept confidential. These include, but are not limited to, the following:
Alohi Suite employs multiple levels of audit control: from secure and automatic archiving of all files (faxes and signed documents) sent or received through Alohi Suite for the life of your organization’s account (unless the no-storage option described below is enabled), to software and procedural mechanisms that record and examine activity in information systems that contain or use ePHI.
HIPAA requires careful attention to be paid to data both in motion and at rest. All signed documents and faxed files at rest are encrypted using the 256-bit Advanced Encryption Standard (AES-256). To protect data in transit between Alohi Suite apps (currently mobile, API, or web) and our servers, we use Transport Layer Security (TLS, the successor to SSL), which creates an encrypted channel whose cipher suites use AES with a key length of 128 bits or higher.
Users can access the Alohi Suite services via email or online only with a valid username and password combination, which is transmitted over a TLS-encrypted connection. An encrypted session ID cookie is used to uniquely identify each user. While a user is logged in to our servers, all communications are encrypted at all times.
For FAX.PLUS, users have the option not to save their fax data on our servers. Once this option is activated, incoming faxes are delivered to the user by email and nothing is stored on our servers. The same applies to sent faxes: we delete the fax data as soon as the transmission has been completed.
At the end of a Covered Entity’s contract with FAX.PLUS, it may request that its data be deleted from the Alohi servers. No printed reports or paper copies are ever retained in our facility. If reports are ever printed to further support the Covered Entity, they are shredded immediately upon completion of the task that required the paper output.
Our data centers are located in facilities certified to ISO/IEC 27001, and their operators are members of the Cloud Security Alliance (CSA). They also conform to CSA Open Certification Framework (OCF) Level 1, having completed the Cloud Controls Matrix (CCM) self-assessment, which maps to the following selected frameworks: COBIT, HIPAA / HITECH Act, ISO/IEC 27001:2005, NIST SP 800-53, FedRAMP, PCI DSS v2.0, BITS Shared Assessments, and GAPP.
We are continually assessing risks and improving the security, confidentiality, integrity, and availability of our systems. We regularly review and update our security policies, provide our employees with security training, perform application and network security testing (including penetration testing), conduct risk assessments, and monitor compliance with our security policies.
We also sign a Business Associate Agreement (BAA) with users of our Enterprise plan.