Our Compliance with HIPAA, GDPR, PIPEDA, Privacy Act & Other Security Standards |
Social Work Portal Case Management Hub Compliance Policies
Last update: August 26, 2024
Overview of Our Compliance & Security Standards (HIPAA, GDPR, PIPEDA, Privacy Act & Other Security Standards)
At Airiodion Group LLC (dba Social Work Portal, dba Case Management Hub), we are committed to providing quality software solutions for case management, and this includes respecting individuals’ and patients’ rights to maintain the privacy of their personally identifiable information (PII) and protected health information (PHI).
This webpage provides information and guidance on the policies and procedures related to the security measures and compliance with HIPAA, GDPR, PIPEDA, Australia’s Privacy Act, PCI-DSS, and other compliance standards in place at the Social Work Portal website and our Case Management Hub web-based software platform (collectively, the “Services”).
For more information on Social Work Portal and Case Management Hub platform security, please visit our Security FAQs.
Table of Contents: Our Compliance & Security
Keep on scrolling down this page to read each section or click any link below to go directly to that section.
- Our Security & Compliance Overview
- HIPAA Compliance (U.S.)
- HIPAA Business Associate Agreement (U.S.)
- GDPR Compliance (Europe & U.K.)
- PIPEDA Compliance (Canada)
- Australia’s Privacy Act Compliance (Australia, Asia, and APAC)
- PCI-DSS Compliance
- SOC II Compliance
- Other Data Privacy Compliance
- Compliance FAQ
Contact Social Work Portal if you have any questions about our security protocols
Our Security & Compliance Overview
The security mechanisms, procedures, and policies put in place on our Services are developed with the highest level of security protocols to be used for a wide range of organizations and clients.
This includes federal governments, state and local governments, large commercial enterprises, small and mid-sized practices, individual therapists, psychologists, psychiatrists, social workers, and counselors, and their clients, non-profit organizations, agencies, educational institutions, healthcare & medical institutions, insurance companies, and more.
We apply a layered approach to ensure that the data you enter into our platform is safe, secure, meets regulatory compliance, and is available only to registered users that you add to your account.
Our security policies and procedures are developed to meet the compliance requirements:
- The Health Insurance Portability and Accountability Act (HIPAA) – US
- The General Data Protection Regulation (GDPR) – EU
- The Personal Information Protection and Electronic Documents Act (PIPEDA) – Canada
- The Privacy Act 1988 (Privacy Act) – Australia
- The Payment Card Industry Data Security Standard (PCI-DSS)
- And others
Here is an overview of some of the safeguards we have in place.
How We Protect Your Data on Our Web-based Software Services
Encryption & Data Integrity
The sensitive data in our services is encrypted in transit and at rest (while being stored); this includes intake and assessment forms being sent to and received from patients/clients. We use encryption throughout the areas of the platform where sensitive data is kept, used, or accessed in any way.
Your data is protected from improper alteration or destruction, and our mechanisms ensure that data hasn’t been altered or destroyed in an unauthorized manner.
Website Security
Social Work Portal and Case Management Hub are protected by SSL security. Your browser will usually display an indicator (such as a “lock” icon) when using a secure SSL connection.
We conduct regular security risk assessments to ensure the continued security of your data and our Services. Any identified risks are documented and quickly mitigated.
All software, scripts, and other technologies that make up the architecture of our Services are kept updated and patched to the latest versions to mitigate the risk of a breach.
As part of our comprehensive security measures to protect our customers and their data, Case Management Hub protects its image URL structure via URL masking, which encrypts the images and protects against public directory browsing on our platform. Exposing such information publicly can make a site vulnerable to hackers, as it reveals the details needed to exploit a potential vulnerability in the domain. That is why we protect this information as one more way of protecting the users of our platform.
Unique Identification of Users
We require users of our Case Management Hub to have a unique username and a password to log in.
Case Management Hub allows its customers to set their own password complexity policy, however, we provide recommendations as to password complexity and length.
The password complexity we recommend to our Services users and require of our employees is:
- 12 characters minimum length
- At least 1 upper case letter
- At least 1 lower case letter
- At least 1 number
- At least 1 symbol
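The recommended complexity policy above is easy to get subtly wrong when implemented (for example, counting a space as a “symbol”, or checking only ASCII letters). The following is an added example of a checker for exactly those five rules; it is not Case Management Hub code, and the function names and the rule that a symbol is any non-alphanumeric, non-whitespace character are assumptions made here.

```python
"""Password complexity check for the policy recommended on this page:
12 or more characters, at least one upper-case letter, one lower-case
letter, one number and one symbol.
Added example; not the platform's own code."""

MIN_LENGTH = 12  # minimum length from the recommended policy


def check_password_policy(password: str) -> list[str]:
    """Return the list of policy rules the password fails.

    An empty list means the password satisfies every rule.
    """
    failures: list[str] = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    # str.isupper()/islower()/isdigit() are Unicode-aware, so accented
    # letters and non-Latin scripts count the same as ASCII.
    if not any(c.isupper() for c in password):
        failures.append("no upper-case letter")
    if not any(c.islower() for c in password):
        failures.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        failures.append("no number")
    # Assumption: a "symbol" is any character that is neither a letter,
    # a digit nor whitespace, so a lone space does not satisfy the rule.
    if not any(not c.isalnum() and not c.isspace() for c in password):
        failures.append("no symbol")
    return failures


def is_compliant(password: str) -> bool:
    """True when the password meets all five recommended rules."""
    return not check_password_policy(password)


if __name__ == "__main__":
    # Constructed sample passwords; none of these are real credentials.
    for candidate in ["password", "Abcdefghijk1", "Correct-Horse7Battery"]:
        problems = check_password_policy(candidate)
        print(f"{candidate!r}: {'ok' if not problems else ', '.join(problems)}")
```

Returning the list of failed rules rather than a bare boolean lets a sign-up form tell the user which rule was missed, and keeps the policy constants in one place so an administrator-chosen minimum length can be substituted for `MIN_LENGTH`.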
A user may change their password at any point in the Case Management Hub. When this happens, the old password is immediately removed, and can no longer be used to access the application.
To further ensure the ability to track unauthorized access, user activity is tracked within our system, logged, and reviewed regularly for any anomalies or suspicious behavior.
Temporary Forms Passwords
The Case Management Hub enables users to send assessment and intake forms to patients/clients. The recipient of the form notification is provided a strong temporary password to initially access the system. This password must be changed by the recipient before having access to the forms.
Inactivity Lock
All Case Management Hub sign-ins are protected by an automatic logout after a period (15 minutes) of inactivity. The user’s credentials need to be provided prior to using the application again.
Role-based Security
Every user in the Case Management Hub is assigned one or more roles. Roles dictate the types of data and administrative functions that can be accessed by each user. This enables account owners and administrators of an account to restrict visibility into patient/client records to only those users/staff that should have access.
Documentation & Policies
In accordance with HIPAA and other data privacy standards, we maintain and update the following documentation to help us ensure the continued security of your data and our Services.
- Policies and Procedures Manual
- Security Activity Logs
- Employee Training
- Risk Assessments
- Minor and Major Security Incidents
- ePHI Storage Device Inventory
- Disaster Recovery Plan
- Disaster Recovery Testing
Workforce Security
To foster a culture of cybersecurity at our company, we regularly train our team on cybersecurity and compliance-related best practices, which include the use of phishing identification tests.
Additionally, all employees that access the data of our customers and users have signed to attest to personal device security, including the existence of anti-virus software, DNS filtering, screen lock, device firewall, secured Wi-Fi, and other device safeguards.
Minimum Necessary Standard
We adhere to the HIPAA standard of “minimum necessary” whenever access to PHI is granted to employees. This means staff is provided the minimum necessary access needed to adequately serve customers.
This includes restricting access to PHI for specific purposes, such as rendering user-requested assistance and ensuring data availability and integrity in our Services. Further, access is restricted to only the time needed for the approved activity.
Business Associate Agreement
We have and will continue to maintain a Business Associate Agreement with our cloud server provider, Linode. As part of our responsibilities under the HIPAA Security Rule physical safeguards, we have confirmed that the required physical safeguards are being fulfilled by our dedicated cloud server provider Linode.
Service & Data Availability
Case Management Hub makes all reasonable efforts to ensure service availability and data availability for our users. We have instituted a data backup and recovery strategy that ensures access to data stored in our systems in the case of an emergency, when normal systems are not operating as usual.
Changes to this Security & Compliance Policy
Airiodion Group LLC (dba Social Work Portal, dba Case Management Hub) may update this policy at any time for any reason. If there are any significant changes to how we handle security, we will make a reasonable commercial effort to send a notice to the contact email address specified in your company’s Case Management Hub account or by placing a prominent notice on our site.
Questions?
If you have questions or suggestions, you can contact us at:
Contact us
Airiodion Group Security Officer
San Jose, CA 95127
To report a security violation, please call us at +1 (707) 397-9717 or contact us here.
Our Compliance with HIPAA Regulations (U.S.)
The Health Insurance Portability and Accountability Act (HIPAA) is U.S. federal legislation that covers a wide range of patient healthcare rights, such as the right of individuals to obtain a copy of their healthcare records and the privacy of collected healthcare data.
The HIPAA Security Rule is a set of national standards that protect individuals’ electronic personal health information (ePHI) that is created, received, used, or maintained by a covered entity or their business associate. The Security Rule requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of ePHI.
Is Social Work Portal HIPAA Compliant?
Yes, Social Work Portal has completed the required steps to be compliant with the HIPAA guidelines. This includes:
- Ensuring the confidentiality, integrity, and availability of all ePHI
- Detecting and safeguarding against anticipated threats to the security of the information
- Protecting against anticipated impermissible uses or disclosures that are not allowed by the rule
- Certifying compliance by our workforce
Airiodion Group LLC (dba Social Work Portal, dba Case Management Hub) is a “business associate” under the HIPAA guidelines.
In accordance with the standards set forth in HIPAA, we are committed to ensuring the confidentiality, integrity, and availability of all electronic protected health information (ePHI) we create, receive, maintain, or transmit. We comply with the provisions of HIPAA, including the HITECH Act, which includes the Breach Notification Rule.
Am I HIPAA Compliant When Using Your Platform?
Our Case Management Hub web-based application is compliant with HIPAA Rules, and the ePHI that you enter into our platform is secured according to that standard. However, this does not make YOUR company or practice HIPAA compliant.
As a “covered entity” that directly collects protected health information from your patients and clients, you have your own obligations under HIPAA that you must follow. You can read more about HIPAA compliance here.
Overview of Our HIPAA Compliance Activities
Here is an overview of HIPAA Security Rule Provisions that we have instituted:
Administrative Safeguards
- Security Management Processes
- Risk Analysis (Required)
- Risk Management (Required)
- Sanction Policy (Required)
- Information System Activity Review (Required)
- Assigned Security Responsibility
- Identify a Security Officer (Required)
- Workforce Security
- Authorization and/or Supervision (Addressable)
- Workforce Clearance Procedure (Addressable)
- Termination Procedures (Addressable)
- Information Access Management
- Restrict access to ePHI & Isolate Functions (Required)
- Access Authorization (Addressable)
- Access Establishment and Modification (Addressable)
- Security Awareness and Training
- Security Reminders (Addressable)
- Protection from Malicious Software (Addressable)
- Log-in Monitoring (Addressable)
- Password Management (Addressable)
- Security Incident Procedures
- Response and Reporting (Required)
- Contingency Plan
- Data Backup Plan (Required)
- Disaster Recovery Plan (Required)
- Emergency Mode Operation Plan (Required)
- Testing and Revision Procedures (Addressable)
- Applications and Data Criticality Analysis (Addressable)
- Evaluation
- Periodic Security Compliance Evaluations (Required)
- Business Associate Contracts and Other Arrangements
- Written Contract or Other Arrangement (Required)
Physical Safeguards
- Facility Access Controls
- Contingency Operations (Addressable)
- Facility Security Plan (Addressable)
- Access Control and Validation Procedures (Addressable)
- Maintenance Records (Addressable)
- Workstation Use
- Specify workstation functions (Required)
- Workstation Security
- Implement physical workstation safeguards (Required)
- Device and Media Controls
- Disposal (Required)
- Media Re-Use (Required)
- Accountability (Addressable)
- Data Backup and Storage (Addressable)
Technical Safeguards
- Access Control
- Unique User Identification (Required)
- Emergency Access Procedure (Required)
- Automatic Logoff (Addressable)
- Encryption and Decryption (Addressable)
- Audit Controls
- Implement Audit Controls (Required)
- Integrity
- Implement data integrity mechanisms (Addressable)
- Person or Entity Authentication
- Implement authentication mechanisms (Required)
- Transmission Security
HIPAA Business Associate Agreement for Airiodion Group LLC (dba Social Work Portal)
The HIPAA Rules generally require that covered entities and business associates enter into contracts with their business associates to ensure that the business associates will appropriately safeguard protected health information.
To facilitate this requirement for our customers, we offer a downloadable PDF version of our Business Associate Agreement for review. Please contact us to execute a signed copy of this agreement.
Download Our Business Associate Agreement
Our Compliance with GDPR Regulations (Europe & U.K.)
The GDPR (General Data Protection Regulation) is an important piece of legislation that is designed to strengthen and unify data protection laws for all individuals within the European Union. The regulation became effective and enforceable on the 25th of May 2018.
Our commitment: We have undertaken the required business and technology steps to operate in a manner compliant with GDPR.
What has Case Management Hub done about the GDPR?
We store all data in North America, and not in the EU. However, we have staff members in the EU who access consumer data. Compliance with and to international law and regulations is very important to us.
Here’s a condensed version of our GDPR Roadmap and steps taken on our journey:
- Thoroughly research the areas of our product and our business impacted by GDPR – COMPLETE
- Appoint a Data Protection Officer – COMPLETE
- Draft the Data Protection Agreement – COMPLETE
- Develop a strategy and requirements for how to address the areas of our product impacted by GDPR – COMPLETE
- Perform the necessary changes/improvements to our product based on the requirements:
- Suppression Controls – COMPLETE
- Visitor Lookup – COMPLETE
- Feedback Consent Controls – COMPLETE
- Implement the required changes to our internal processes and procedures required to achieve and maintain compliance with GDPR – COMPLETE
- Finalize and communicate our full compliance – COMPLETE
What do Case Management Hub Business Customers / Practices need to do?
There are two things that you might need to do depending on your situation and jurisdiction. Below are the only impactful changes that we can foresee that might affect you as a result of using Case Management Hub:
- Make sure your Terms of Service or Privacy Policy properly communicate to your users how you are using our Services (and any other similar services) on your website or app. This requirement has always been part of our Terms of Service, but the GDPR can heavily penalize you if you’ve not done this clearly. We recommend you ensure your policies are up to date and clear to your readers.
- If you are in the European Union, you’ll likely want to sign a Data Processing Agreement with Airiodion Group LLC (dba Social Work Portal, dba Case Management Hub). We’re happy to do so. Working with outside counsels in Germany and Malta we’ve updated this document to be in compliance with the GDPR and other generally acceptable privacy laws.
I’m new to the GDPR and would love more details on what it is
The General Data Protection Regulation (GDPR) is considered to be the most significant piece of European data protection legislation to be introduced in the European Union (EU) in 20 years and will replace the 1995 Data Protection Directive.
The GDPR regulates the processing of personal data about individuals in the European Union including its collection, storage, transfer, or use. Importantly, under the GDPR, the concept of “personal data” is very broad and covers any information relating to an identified or identifiable individual (also called a “data subject”).
It gives data subjects more rights and control over their data by regulating how companies should handle and store the personal data they collect. The GDPR also raises the stakes for compliance by increasing enforcement and imposing greater fines should the provisions of the GDPR be breached.
The GDPR enhances EU individuals’ privacy rights and places significantly enhanced obligations on organizations handling data.
In summary, here are some of the key changes to come into effect with the upcoming GDPR:
- Expanded rights for individuals: The GDPR provides expanded rights for individuals in the European Union by granting them, amongst other things, the right to be forgotten and the right to request a copy of any personal data stored in their regard.
- Compliance obligations: The GDPR requires organizations to implement appropriate policies and security protocols, conduct privacy impact assessments, keep detailed records on data activities, and enter into written agreements with vendors.
- Data breach notification and security: The GDPR requires organizations to report certain data breaches to data protection authorities, and under certain circumstances, to the affected data subjects. The GDPR also places additional security requirements on organizations.
- New requirements for profiling and monitoring: The GDPR places additional obligations on organizations engaged in profiling or monitoring the behavior of EU individuals.
- Increased Enforcement: Under the GDPR, authorities can fine organizations up to the greater of €20 million or 4% of a company’s annual global revenue, based on the seriousness of the breach and damages incurred. Also, the GDPR provides a central point of enforcement for organizations with operations in multiple EU member states by requiring companies to work with a lead supervisory authority for cross-border data protection issues.
If you are a company outside the EU, you should still be aware of this. The provisions of the GDPR apply to any organization that processes the personal data of individuals in the European Union, including tracking their online activities, regardless of whether the organization has a physical presence in the EU.
Contact us if you have any questions or need support.
Our Compliance with PIPEDA Regulations (Canada)
The Personal Information Protection and Electronic Documents Act (PIPEDA) was enacted in 2000 and came fully into force in 2004. It is Canada’s national private sector data privacy law, enforced by the Office of the Privacy Commissioner (OPC).
PIPEDA is similar to the EU’s GDPR and seeks to protect internet users’ privacy rights by requiring that organizations inform users of their data handling practices and get consent from users to collect, use, and disclose personal information.
How Do PIPEDA and HIPAA Differ?
While both PIPEDA and HIPAA require organizations to be responsible for the secure collection and storage of sensitive personal data, they have different focuses. HIPAA is a US regulation focused specifically on safeguarding individuals’ protected health information (PHI). PIPEDA is a Canadian regulation that focuses on safeguarding all types of personal data, including health information.
What has Case Management Hub done to comply with PIPEDA?
There are a few things we have done to address PIPEDA compliance.
1) The cloud server where our Case Management Hub is hosted is located in Toronto, Canada. Our cloud server provider, Linode, notes that it “satisfies the in-country data compliance requirements of the Canadian Personal Information Protection and Electronic Documents Act (“PIPEDA”) and Anti-Spam Legislation (“CASL”).”
2) Many of the administrative, technical, and physical safeguards that we have implemented for compliance with other data privacy regulations (GDPR, HIPAA, PCI-DSS, etc.), also help us comply with PIPEDA.
3) We comply with the 10 Fair Information Principles required by PIPEDA:
- Accountability: We have a Security Officer who is accountable for our compliance with the fair information principles.
- Identifying Purposes: We identify the purposes for which the personal information is being collected in our Privacy Policy.
- Consent: The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.
- Limiting Collection: We limit our collection of personal information to that which is needed for the purposes of providing our Services as noted in our Terms of Use and Privacy Policy. We only collect information by fair and lawful means.
- Limiting Use, Disclosure, and Retention: Unless the individual consents otherwise or it is required by law, we only use or disclose personal information for the purposes for which it was collected. Personal information is only kept as long as required to serve those purposes.
- Accuracy: We strive to keep collected personal information as accurate, complete, and up-to-date as possible in order to properly satisfy the purposes for which it is to be used.
- Safeguards: We protect personal information by appropriate security relative to the sensitivity of the information.
- Openness: We make detailed information about our policies and practices relating to the management of personal information publicly and readily available in our Terms of Use and Privacy Policy.
- Individual Access: Upon request, an individual will be informed of the existence, use, and disclosure of their personal information and be given access to that information. You can challenge the accuracy and completeness of the information and have it amended as appropriate by contacting our Security Officer.
- Challenging Compliance: If you have any questions about, or challenges to, our organization’s compliance with the above principles, you can address them to our Security Officer through our website.
Would you like to learn more about PIPEDA? You can learn more about PIPEDA compliance here.
Our Compliance with Privacy Act (Australia, Asia, & APAC)
The Privacy Act 1988 (Privacy Act) is the principal piece of Australian legislation protecting the handling of personal information about individuals. This includes the collection, use, storage, and disclosure of personal information in the federal public sector and the private sector.
In addition to covering organizations with an annual turnover of at least $3 million, The Privacy Act also covers some small business operators with an annual turnover of $3 million or less, including private sector health service providers and businesses related to those covered by the Privacy Act.
The Case Management Hub is not located in Australia, however, as our Services serve Australian customers that may be required to comply with The Privacy Act (termed “APP entities”), we have put policies and procedures in place to meet the 13 Australian Privacy Principles (APPs).
What has Case Management Hub done to comply with Australia’s Privacy Act?
There are a few things we have done to address Privacy Act compliance.
1) Many of the administrative, technical, and physical safeguards that we have implemented for compliance with other data privacy regulations (GDPR, HIPAA, PIPEDA, PCI-DSS, etc.), also help us comply with The Privacy Act.
2) We comply with the 13 Australian Privacy Principles required by The Privacy Act:
- Open and transparent management of personal information
- Anonymity and pseudonymity
- Collection of solicited personal information
- Dealing with unsolicited personal information
- Notification of the collection of personal information
- Use or disclosure of personal information
- Direct marketing
- Cross-border disclosure of personal information
- Adoption, use, or disclosure of government-related identifiers
- Quality of personal information
- Security of personal information
- Access to personal information
- Correction of personal information
Learn more about Australia’s Privacy Act and whether or not your practice, agency, or organization may be subject to compliance: https://www.oaic.gov.au/privacy/the-privacy-act
Our Compliance with PCI-DSS Regulations
The Payment Card Industry Data Security Standard (PCI-DSS) is a set of industry-mandated requirements for any business that handles, processes, or stores credit cards – regardless of the business’s size or location. The PCI Security Standards Council was founded by 5 of the major card brands, and they each share equal responsibilities in the council’s work.
Social Work Portal and Case Management Hub are PCI DSS compliant which means that our security policies and procedures meet the requisite standard.
We do not store any credit card information ourselves. We use Stripe and PayPal as our payment data processors. These processors are validated Level 1 PCI DSS compliant service providers. For more details, please head to Stripe and PayPal (https://www.paypal.com/us/home).
Contact us if you have any questions or need support: Contact Us
Our SOC II Compliance
The Case Management Hub application is hosted by our service provider Linode at its Toronto data center. That data center has achieved SOC 2 compliance.
Achieving SOC 2 compliance demonstrates that an organization has taken significant steps to ensure the security and privacy of customer data and can provide assurance to its customers and stakeholders that it is committed to protecting sensitive information.
The SOC 2 compliance audit is conducted by an independent third-party auditor who reviews the organization’s internal controls and procedures to ensure they meet the standards outlined by the American Institute of Certified Public Accountants (AICPA).
View our SOC 2 agreement here.
Other Data Privacy Compliance
Just because a data privacy standard is not listed on this page, doesn’t mean that Airiodion Group LLC (dba Social Work Portal, dba Case Management Hub) doesn’t comply. By the nature of our compliance activities with the data privacy standards listed above, we also may easily comply with other standards as well.
Please contact us if you would like to know whether or not we comply with a data privacy standard not listed on this page.
Social Work Portal Compliance FAQ
What is considered PHI by HIPAA?
The HIPAA guidelines outline 18 key identifiers of protected health information (PHI):
1. Patient names
2. Geographical elements (such as a street address, city, county, or zip code)
3. Dates related to the health or identity of individuals (including birthdates, date of admission or discharge, date of death, or exact age of a patient older than 89)
4. Telephone numbers
5. Fax numbers
6. Email addresses
7. Social security numbers
8. Medical record numbers
What types of data does PIPEDA Cover?
Under PIPEDA, personal information includes any factual or subjective information about an identifiable individual. This includes information in any form, such as:
- age, name, ID numbers, income, ethnic origin, or blood type;
- opinions, evaluations, comments, social status, or disciplinary actions; and
- employee files, credit records, loan records, medical records, the existence of a dispute between a consumer and a merchant, and intentions (for example, to acquire goods or services, or change jobs).
Business contact information is not included. This is described as: Business contact information such as an employee’s name, title, business address, telephone number or email addresses that are collected, used or disclosed solely for the purpose of communicating with that person in relation to their employment or profession.
By using the Case Management Hub software, is my company HIPAA, PIPEDA, or Australia Privacy Act compliant?
You are not considered compliant simply because you use a software platform that is compliant or do business with a company that is compliant.
We attest to our compliance with HIPAA, PIPEDA, and the Australia Privacy Act. This means that our organization has taken the necessary physical, technical, and administrative steps to properly secure and protect personal data and PHI according to those standards.
HOWEVER, your organization has its own responsibility to ensure that you comply with any necessary standards.
Contact us if you have any questions or need support: Contact Us
Airiodion Group LLC
4022 Sunrise Blvd.
STE 120, PMB#104
San Jose, CA 95742
+1 (707) 397-9717