Data & Security
Introduction
This page is intended to explain what the rules are, how they apply to your use of the autoPatient platform and the steps we have taken to comply.
You should review this document in conjunction with our Privacy Policy and contact a specialist legal professional if you require more information or advice.
General Data Protection Regulation (GDPR)
The GDPR is focused on giving individuals more control over how their data is used by companies, and making the collection and processing of data more transparent.
The GDPR was incorporated directly into UK law following the end of the Brexit transition period, meaning that UK businesses still have to comply with its provisions through the ‘UK GDPR’.
Basic GDPR concepts
Controller and processor
The GDPR imposes various obligations on a person depending on whether they are a controller or a processor of personal data.
A controller is an entity which decides to process personal data, and makes decisions regarding the basis of processing and the methods which will be used. Controllers have certain obligations regarding personal data, which you should familiarize yourself with before collecting personal data from your customers.
A processor is an entity which processes data for and on behalf of a controller. They make no independent decisions regarding the data or its processing, as they only process it on behalf of the controller and must comply with all instructions given by the controller.
When you use the autoPatient service, you are a controller. You are in control of the data you upload to the autoPatient system, what you do with that data, and why. As a result, you are responsible for ensuring that you have a legal basis on which to process the data, and that you do not retain the data for any longer than is necessary.
You should ensure that you understand your obligations as a controller, and update your own systems and policies to allow the lawful transfer of personal data to autoPatient. autoPatient is a data processor. We, through the autoPatient platform, store and manage the data you have collected under your instructions. We will never use any personal data which you have uploaded to the autoPatient system for our own purposes or without your instruction.
Steps we have taken to ensure GDPR compliance
We take our duties as a processor very seriously. We have put in place a number of procedures and taken a number of steps in order to ensure that we remain compliant with the GDPR and that you are able to lawfully send personal data collected by you to us, for example:
- Our data processing agreement utilizes the Standard Contractual Clauses to ensure that you are able to lawfully send personal data to us in the USA.
- We are able to detect personal data breaches and to inform our customers as soon as possible.
- We are able to deal with subject access requests and rights of erasure requests, and ensure that we inform you when a data subject has made such a request to us.
- We have assessed and documented the personal data processed by us on your behalf.
- We have assessed our security and upgraded this where necessary to ensure that it is appropriate for the level of risk we face in relation to a data breach.
HIPAA (Health Insurance Portability And Accountability Act)
What is HIPAA?
HIPAA stands for the Health Insurance Portability and Accountability Act of 1996, United States legislation that provides data privacy and security provisions for safeguarding medical information.
The act, which was signed into law by President Bill Clinton on Aug. 21, 1996, contains five sections, or titles:
- Title I: HIPAA Health Insurance Reform
- Title II: HIPAA Administrative Simplification
- Title III: HIPAA Tax-Related Health Provisions
- Title IV: Application and Enforcement of Group Health Plan Requirements
- Title V: Revenue Offsets
In the context of online marketing, adhering to HIPAA Title II is what most people mean when they refer to HIPAA compliance.
HIPAA Title II
Also known as the Administrative Simplification provisions, Title II includes the following HIPAA compliance requirements:
- National Provider Identifier Standard. Each healthcare entity, including individuals, employers, health plans and healthcare providers, must have a unique 10-digit national provider identifier number, or NPI.
- Transactions and Code Sets Standard. Healthcare organizations must follow a standardized mechanism for electronic data interchange (EDI) in order to submit and process insurance claims.
- HIPAA Privacy Rule. Officially known as the Standards for Privacy of Individually Identifiable Health Information, this rule establishes national standards to protect patient health information.
- HIPAA Security Rule. The Security Standards for the Protection of Electronic Protected Health Information sets standards for patient data security.
- HIPAA Enforcement Rule. This rule establishes guidelines for investigations into HIPAA compliance violations.
The two requirements that apply to the relationship between autoPatient, a customer Agency, and the agency’s client (the Practice) are the HIPAA Privacy Rule and the HIPAA Security Rule. The details of each of these rules can be found here:
- HIPAA Privacy Rule
- HIPAA Security Rule
autoPatient Compliance
autoPatient has worked with The Compliancy Group consultancy to ensure that we are in full compliance with the HIPAA Privacy Rule and the HIPAA Security Rule, so that we can enter into HIPAA Business Associate Agreements (BAAs) with our customers.