Phreesia is a company built on your trust
We take security very seriously and have built our systems to meet and exceed the strict security requirements of the healthcare and financial services industries in order to protect our users. A combination of federal guidelines and corporate policies ensures that all patient-related health and financial information is protected by the most stringent administrative, technical and physical safeguards.
Data collection is done solely to support our customers' workflow and clinical needs. Phreesia's data-use policy is in strict accordance with federal laws and HIPAA Regulations. Under HIPAA, Phreesia is classified as a "business associate," which is defined as an individual or corporate "person" that is not a member of the covered entity's workforce and performs (on behalf of the covered entity—i.e. the practice) any function or activity involving the use or disclosure of protected health information (PHI). Phreesia complies with all HIPAA standards under the federal privacy and security rules.
Phreesia's Privacy Procedures
Phreesia is committed to maintaining and securing protected health information. We take this responsibility seriously and work to continuously protect patients' rights and security. This means:
- Phreesia does NOT sell, rent or disclose protected health information to anyone or use it without patient authorization or as governed, permitted or required by law.
- Phreesia's technology was designed to safeguard protected health information and conforms to HIPAA guidelines.
- Patient information is secured through password protection and is accessible within a practice only by doctors and authorized staff.
- Phreesia employs leading physical and technical security measures to store and protect all health-related data. Patient information is firewall-protected and is under electronic surveillance 24 hours a day, 7 days a week.
- All patient information is transmitted through encrypted connections to its designated data centers. No patient information is stored on the PhreesiaPad.
Phreesia is PCI Level 1 compliant. We appear on the current lists of PCI Level 1 service providers maintained by both Visa and Mastercard.
- All data to and from our services is protected using industry-standard SSL (128-bit RC4 keys).
- This encryption is enforced at the hardware level—no data can be exchanged without using this encryption.
- All PhreesiaPads are configured from the factory to use WPA2 encryption, using the AES algorithm. Financial data uses independent channels for transmission into our PCI-secured/SAS 70 certified data center. Phreesia does not store any sensitive financial data.
- Patient data is stored in a highly-secured data center, protected by multi-layer security.
- The servers that house the data are stored in a physically secured building with multiple layers of physical security.
- At the network level, these servers are placed in a secure subnet and protected by firewalls.
- Front-end servers and database servers are on physically different networks and have limited connectivity.
- The security of all server networks is monitored by an intrusion detection system that is staffed 24/7 by trained security professionals.
- Within the database server, the data is stored in an encrypted form.
- All data transmitted to and from the database servers is sent in this encrypted form.
- Patient data is stored using reversible AES encryption with a key size of 256 bits, the largest key size the AES standard defines.
- No data is ever stored on PhreesiaPads; in case of theft, no data is left vulnerable.
Phreesia, Inc. 432 Park Ave South, 12th Floor, New York, NY 10016