Phreesia is a company built on your trust
Phreesia is a company built on your trust. We take security very seriously and have built our systems to meet and exceed the strict security requirements of the healthcare and financial services industries so that our users are protected. A combination of federal guidelines and corporate policies ensures that all patient-related health and financial information is protected by stringent administrative, technical and physical safeguards.
Data collection is done strictly to support our customers' workflow and clinical needs. Phreesia's data-use policy is in strict accordance with federal law and HIPAA regulations. Under HIPAA, Phreesia is classified as a business associate: an individual or corporate "person" that is not a member of the covered entity's workforce and performs, on behalf of the covered entity (i.e. the practice), any function or activity involving the use or disclosure of protected health information (PHI). Phreesia complies with all HIPAA standards under the federal Privacy and Security Rules.
Phreesia's Privacy Procedures:
Phreesia is committed to maintaining and securing all protected health information as comprehensively as possible. We take this responsibility seriously and work to continuously protect patients' rights and security. This means:
Phreesia does NOT sell, rent, disclose or otherwise use protected health information except with patient authorization or as permitted or required by law.
Phreesia's technology was designed to safeguard protected health information and conforms to HIPAA guidelines.
Access to patient information is password-protected and, within a practice, is limited to doctors and authorized staff.
Phreesia employs leading physical and technical security measures to store and protect all health-related data. Patient information sits behind firewalls and is under electronic surveillance 24x7.
All patient information is transmitted over encrypted connections to Phreesia's designated data centers. No patient information is stored on the PhreesiaPad.
- All data to and from our services is protected using industry-standard SSL with 128-bit RC4 keys. (RC4 has since been prohibited for use in TLS by RFC 7465 and should no longer be relied on; a current deployment would negotiate an AES-based cipher suite.)
- This encryption is enforced by the device itself: the PhreesiaPad will not exchange data over an unencrypted connection.
- All pads are configured from the factory to use WPA2 with AES (CCMP) encryption for their wireless connection.
Financial data is transmitted over separate channels into our PCI-compliant, SAS 70-audited data center. Phreesia stores no sensitive financial data.
Patient data is stored in a highly secured data center protected by multiple layers of security. This means:
- The servers that store the data are housed in a physically secured building with multiple layers of physical security
- At the network level these servers are placed in a secure subnet and protected by firewalls
- Front-end servers and database servers are on physically separate networks with limited connectivity between them
- All server networks are monitored by an Intrusion Detection System staffed 24x7 by trained security professionals
- Within the database server the data is stored encrypted
- All data transmitted to and from the database servers is sent in this encrypted form
- Patient data is stored using reversible AES encryption with a 256-bit key, the largest key size defined by the AES standard (FIPS 197)
- No data is ever stored on the devices, so a lost or stolen PhreesiaPad exposes no patient data
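As an added illustration of the storage scheme described above (this is example code written here, not Phreesia's own code; the page states only that patient data is stored under reversible AES with 256-bit keys, so the AES-GCM mode, the binding of each row to a record identifier, and the sample record are assumptions made for the example), the following Go program seals a constructed patient record under a 256-bit key and shows what a practitioner would check: the stored row contains no plaintext, it decrypts only under the correct key and record identifier, and a single flipped bit is rejected rather than decrypted to garbage.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewDataKey returns a random 256-bit key, the largest key size AES defines.
// Where this key lives and who can read it is not covered by the page.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext with AES-256-GCM (the mode is an assumption; the
// page only says "reversible AES"). A fresh random 96-bit nonce is prepended
// so each stored row is self-describing. aad (here the record identifier) is
// authenticated but not encrypted, so a row cannot be re-filed under another
// patient's ID without failing to decrypt.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // key length selects AES-128/192/256
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to the nonce slice: nonce || ct || tag.
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal. Any flipped bit in the stored bytes, or a mismatched
// aad, fails authentication and returns an error instead of garbage plaintext.
func Open(key, stored, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(stored) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("stored value too short to hold nonce and tag")
	}
	nonce, ct := stored[:gcm.NonceSize()], stored[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

func main() {
	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; not real patient data.
	record := []byte(`{"name":"Jane Example","dob":"1970-01-01","insurance_id":"XYZ123"}`)
	id := []byte("patient-0001")

	row, err := Seal(key, record, id)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d bytes; name visible in stored row: %v\n",
		len(row), bytes.Contains(row, []byte("Jane")))

	pt, err := Open(key, row, id)
	fmt.Printf("correct key and ID: %s (err=%v)\n", pt, err)

	// Same bytes re-filed under another patient's ID: authentication fails.
	_, err = Open(key, row, []byte("patient-0002"))
	fmt.Println("wrong record ID:", err)

	// Flip one bit of the stored row (inside the GCM tag): rejected outright.
	row[len(row)-1] ^= 0x01
	_, err = Open(key, row, id)
	fmt.Println("tampered row:", err)
}
```

Run it with `go run`. The part an auditor will ask about, and that the page does not describe, is key custody: the 32-byte key must be held somewhere the database server cannot simply hand to an attacker who has already read the table, otherwise "stored encrypted" adds little over a stolen disk.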
Last Updated: February 2011