Innovation in healthcare requires trust. Assuring the privacy and security of patient data is at the core of our mission. Hint Health is fully compliant with the HIPAA/HITECH regulations, as updated by the Omnibus Rule, complies with PCI DSS, holds ISO 27001 certification, and has a SOC 2 attestation covering the Security, Availability, Processing Integrity and Confidentiality trust services criteria.
Hint is committed to keeping customer and patient data private and secure. We keep your data safe so that you can focus on providing care.
Hint Health has instituted safeguards, policies, and procedures to protect patients’ health information, in compliance with the final rule issued by the United States Department of Health and Human Services regarding the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH).
Our partner Stripe has been audited by a PCI-certified auditor, and is certified to PCI Service Provider Level 1. This is the most stringent level of certification available.
Stripe enforces HTTPS for all of its services, including the card traffic that flows through the Hint Health service, and Stripe regularly audits the details of our integration.
All card numbers are encrypted on disk with AES-256. Decryption keys are stored on separate machines. None of Stripe's internal servers and daemons are able to obtain plaintext card numbers; instead, they can just request that cards be sent to a service provider on a static whitelist. Stripe's infrastructure for storing, decrypting, and transmitting card numbers runs in separate hosting infrastructure and doesn't share any credentials with Stripe's primary services (API, website, etc.).
In addition to HIPAA/HITECH, Hint Health has also gone through the ISO27001 security framework and SOC2 auditing process to strengthen its security program and has received both an ISO27001 certificate and a SOC2 Type 2 attestation report.
Data Center Security: Hint Health runs in highly secure data centers. Our hosting providers are regularly audited against comprehensive frameworks including SSAE 16 and ISO 27001. All Hint Health services run within private, secure network layers, addressable only through whitelisted gateways.
Data Encryption: All data, including ePHI, is encrypted wherever possible. All traffic is encrypted in transit with TLS. All data is encrypted at rest with full separation between the encryption keys and the data they protect, so that a copy of the stored data alone cannot be decrypted.
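The key/data segregation described for Stripe's card vault above and in the encryption-at-rest bullet here, as an added example that is neither Hint Health's nor Stripe's code: a minimal envelope-encryption scheme in Go (standard library only) in which a hypothetical KeyService stands in for the separate machine holding the key-encryption key (KEK), and the data store persists only AES-256-GCM ciphertext plus a wrapped per-record data-encryption key (DEK). The names KeyService, Store, Load and Record, and the card number used as input, are constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext with a fresh random nonce (prepended), binding aad.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; it fails if key, aad or ciphertext do not match.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// KeyService is a hypothetical stand-in for the separate machine holding the
// KEK. It never exposes the KEK; callers may only ask it to wrap or unwrap a DEK.
type KeyService struct{ kek []byte }

func NewKeyService() (*KeyService, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &KeyService{kek: kek}, nil
}

// The record ID is used as AAD, so a wrapped DEK copied onto another record will not unwrap.
func (k *KeyService) WrapDEK(dek []byte, recordID string) ([]byte, error) {
	return seal(k.kek, dek, []byte(recordID))
}

func (k *KeyService) UnwrapDEK(wrapped []byte, recordID string) ([]byte, error) {
	return open(k.kek, wrapped, []byte(recordID))
}

// Record is everything the data store persists; neither field is usable without the KeyService.
type Record struct{ Ciphertext, WrappedDEK []byte }

// Store encrypts under a fresh DEK, has the key service wrap it, and drops the plaintext DEK.
func Store(ks *KeyService, id string, plaintext []byte) (Record, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return Record{}, err
	}
	ct, err := seal(dek, plaintext, []byte(id))
	if err != nil {
		return Record{}, err
	}
	wrapped, err := ks.WrapDEK(dek, id)
	if err != nil {
		return Record{}, err
	}
	return Record{Ciphertext: ct, WrappedDEK: wrapped}, nil
}

// Load has the key service unwrap the DEK, then decrypts the record locally.
func Load(ks *KeyService, id string, rec Record) ([]byte, error) {
	dek, err := ks.UnwrapDEK(rec.WrappedDEK, id)
	if err != nil {
		return nil, err
	}
	return open(dek, rec.Ciphertext, []byte(id))
}

func main() {
	ks, _ := NewKeyService()
	rec, _ := Store(ks, "card-1", []byte("4242424242424242")) // constructed test value
	pt, err := Load(ks, "card-1", rec)
	fmt.Printf("same key service: %q err=%v\n", pt, err)
	other, _ := NewKeyService()
	_, err = Load(other, "card-1", rec)
	fmt.Println("different key service:", err)
}
```

Two things the page's wording implies but does not spell out are visible here: the data store alone holds nothing decryptable (a different KeyService cannot open the record), and binding the record ID as GCM associated data stops a wrapped DEK from being transplanted onto another record. In a real deployment the KeyService would be a KMS or HSM reached over an authenticated channel, and the KEK would never leave it.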
Vulnerability Management: Hint Health continuously scans its systems and code for the vulnerability classes in the OWASP Top 10 and for known vulnerabilities published as CVEs in the NVD.
Data Access & Activity Audit: All data access is restricted to approved employees based on job function. All access activities are logged and stored for auditing and anomaly detection. All changes to customer data are tracked via audit logs.
Web Application Security: Hint Health applications are built with industry best-practice safeguards such as input validation, CSRF protection, and password hashing (rather than reversible password encryption).
Business Continuity: The Hint Health platform is designed to be resilient. We continuously implement and test contingency and disaster recovery plans as part of our operations cycle. Encrypted backups are performed every 24 hours. Hint Health uses only hardened, best-in-class configurations for all of our services.
Policy Management: Hint Health’s security program is defined by a formal set of policies and procedures, which are reviewed regularly by our Chief Technology Officer and executive team. Our policies and procedures are mapped directly to the HIPAA Security Rule’s Administrative, Physical, and Technical Safeguards.
Ongoing Audit: Hint Health’s security controls are audited by internal and external auditors on an annual basis.
Secure Coding: Hint Health's software development lifecycle (SDLC) policy defines the code review, merge and delivery processes, among others, that minimize downtime, security incidents and design flaws.
Risk Assessment: Ongoing assessments of risks to the confidentiality, integrity, and availability of patient data.
Access Management: Hint Health follows the principle of least privilege when granting access. Access to ePHI is granted only after the required training has been completed.
Governance: Designation of a Security Committee responsible for information system monitoring and information security policy oversight.
Training: Mandatory HIPAA privacy and security training for all workforce members.
Vendor Management: Execution of Business Associate Agreements with customers, vendors, and subcontractors, where appropriate.
We approach compliance and security as a continuous cycle. Our NIST SP 800-30 Rev 1 risk assessment drives our organizational policies and procedures, which in turn drive our training cycle. We use operational feedback to continuously refine and improve our risk posture. All of our operational security metrics are monitored continuously and our compliance status is available in real time, 24/7.