We understand the importance for schools and clinics to only use platforms that are compliant with the latest data protection regulations, HIPAA, FERPA and EdLaw.
Here are a few important points in this article that may be helpful to you in confirming compliance with FERPA or EdLaw in your state, clinic and school district:
- We do not sell any data to third parties. In keeping with the parents' bill of rights for data privacy and security shall state in clear and plain English terms that a student's personally identifiable information cannot be sold or released for any commercial purposes.
- We have data security protections, including data systems monitoring, data encryption, incident response plans, limitations on access to personally identifiable information, safeguards to ensure personally identifiable information is not accessed by unauthorized persons when transmitted over communication networks, and destruction of personally identifiable information when no longer needed.
- Our entire site is on a HIPAA and FERPA compliant server. This means that the site is on a server that adheres to the strict technical requirements outlined in legislation in order to store medical records safely. This involves things like complete data encryption, user authentication, and other privacy and security regulations.
The site is also on a private hosted environment. This means that public cloud or hybrid servers are not used.
Personal data is used only for the specified purposes of logging data, scheduling students and monitoring progress.
We act as a ‘data controller’ on behalf of SLPs. We only act on the SLPs behalf; all data belongs to the SLP.
Here are the requirements that Speech Therapy Plans has complied with in order to be HIPAA compliant:
- Complete Data Encryption — All health data is encrypted while in the server and during transit. This includes data at rest in the file system, data moving from the application layer to the server layer or among server components. Encryption must ensure that a malicious party cannot bypass server controls and access information directly.
- Proper Encryption Key Management — including keys, initialization vectors, and HMAC keys.
- Unique User IDs — HIPAA requires unique user IDs for all users and prohibits the sharing of user login credentials.
- Authorization — The server must control access to PHI by the assignment of differing — and appropriate — roles and privileges to users.
- Audit Logs — All data usage (user logins, reads, writes, and edits) must be logged in a separate infrastructure and archived according to HIPAA requirements. Generally, this means at least six years.
- Server Backups — Must be created, tested and securely stored. All server backups must themselves be fully encrypted if they contain PHI. Note that, under current HIPAA Rules, data that has been properly encrypted does not trigger mandatory Breach Reporting if the data is stolen or compromised.
- Dedicated Infrastructure — All HIPAA compliant servers must reside in a high-security infrastructure that is itself fully HIPAA compliant.
- Automatic Updates — Regular software upgrades to ensure that software is always running the latest and best tech available.
- Data Disposal — Methods must be in place or available to ensure that data and media are disposed of securely when no longer needed. High-security file wiping, according to current NIST standards, is a must.
- Data Minimization. This is a general HIPAA concept which states that only the “minimum necessary” health data actually needed for any particular purpose should be used. For example, if a developer or technician needs to access actual PHI (not anonymized or dummy data) for testing, configuration, or repair purposes, the least amount of PHI necessary to accomplish the task must be used in every case. This is sometimes referred to as the Minimum Necessary Standard.
- And finally, every HIPAA compliant server must generally support the primary goals of the HIPAA Security Rule, which is to “ensure the confidentiality, integrity, and availability of PHI.”