Phreesia is a company built on your trust
We are fully committed to the privacy and security of our users’ data. Our administrative, technical and physical safeguards are designed to secure and protect patient-related health and financial information.
Under the Health Insurance Portability and Accountability Act (HIPAA), Phreesia is defined as a “business associate,” which is an individual or entity that is not a member of the “covered entity’s” (i.e., the healthcare provider’s) workforce and performs certain functions involving the use or disclosure of protected health information (PHI) on behalf of the covered entity. As a business associate, Phreesia is subject to, and committed to, all applicable HIPAA privacy and security requirements.
Phreesia’s healthcare clients can configure and direct the Phreesia Platform to collect patients’ information. Phreesia may collect other information and request certain permissions from healthcare clients to ensure Phreesia’s products and services are functioning and for other permissible purposes. Phreesia will retain information for the period necessary to fulfill the purposes outlined in this policy and as otherwise required or permitted by law. Healthcare clients may contact Phreesia’s Support team at firstname.lastname@example.org regarding their permissions or with questions regarding the products or services they purchased.
If you are a patient of a healthcare provider that uses Phreesia, your healthcare provider may direct Phreesia to communicate with you to check you into your appointment or perform other services or activities on behalf of your healthcare provider. You may consent or decline to engage with any Phreesia communication or otherwise use Phreesia. Phreesia will collect, retain, and use your PHI solely as permitted by your healthcare provider and as described in this policy. Phreesia may also use third parties to help provide and support the products and services for your healthcare provider and for other permissible purposes. These third parties will be subject to privacy and security requirements in order to safeguard confidential information. If you wish to correct any data you submitted to your healthcare provider through Phreesia, please contact your healthcare provider directly.
Phreesia’s Privacy and Security Procedures
Phreesia’s privacy and security procedures include the following safeguards:
- Phreesia does not sell, rent, disclose or use PHI without patient authorization or unless permitted or required by law.
- PHI is secured through password protection and can only be accessed by authorized users within the healthcare practice.
- PHI is firewall-protected and under electronic surveillance 24 hours a day, seven days a week.
- PHI is never stored on PhreesiaPads or Arrivals kiosks, so if either device is lost or stolen, no PHI will be compromised.
- PHI transmitted between the Phreesia platform and Phreesia’s data centers is protected using industry-standard TLS (256-bit AES keys).
- PhreesiaPads and Arrivals kiosks are configured from the factory to use WPA2 encryption and the AES algorithm.
- Patient data is stored in a highly-secured data center, protected by multi-layer protocols. This means:
- The servers that house the data are stored in a secured building with multiple layers of physical security.
- At the network level, these servers are placed in a secure subnet protected by firewalls.
- Front-end servers and database servers are on physically different networks and have limited connectivity.
- The security of all server networks is monitored by an intrusion detection system that is staffed 24/7 by trained security professionals.
- Within the database server, data is stored in an encrypted form.
- Patient data is stored using AES encryption with a key size of 256 bits.
Phreesia is HITRUST-certified, SOC 2-certified, and PCI Level 1-compliant. Phreesia also is listed on the most current lists of PCI Level 1 service providers for both Visa and Mastercard.
If you have any questions or comments about this policy, or concerns about Phreesia’s privacy processes, or the use of this site in general, please contact us by email at email@example.com.
Last revised: July 17, 2020