Privacy and compliance

Yes. We have undergone an assessment by a 3rd party auditor which confirmed we are meeting all requirements set by the Personal Health Information Protection Act (PHIPA) and the Personal Information Protection and Electronic Document Act (PIPEDA).
‍
This means that whether you're using our product across Canada or in the province of Ontario, your data remains under the safeguard of the highest privacy protocols.

Yes. The Upheal platform empowers healing professionals to concentrate on their services by offering automated notes and analytics for client conversations. As a part of this process, Upheal handles protected health information for practitioners, adhering to HIPAA regulations as a Business Associate.

Upheal fully complies with the HIPAA Security Rule and Privacy Rule, ensuring that clients’ electronic health information (ePHI) is protected with proper administrative, physical, and technical safeguards to ensure confidentiality, integrity, and security.

Our platform provides a secure environment for your ePHI through a combination of technical and nontechnical measures. Learn more here. 

Yes. Upheal is fully compliant with the General Data Protection Regulation (GDPR), UK GDPR, and UK Data Protection Act (DPA). We prioritize the privacy and protection of our users' personal data, ensuring that all data processing activities are carried out in accordance with the stringent requirements set forth by these regulations.

Yes. You can find our Business Associate Agreement (BAA) here which governs our cooperation between us as a Business Associate and healing professionals when they are defined as a Covered Entity under HIPAA. All Covered Entities who use our platform agree to the terms of the BAA upon signing up. 

Personal data including protected health information (PHI) processed by the Upheal platform is stored in a pseudonymized format. This means that personal data is not stored in its original form but is instead replaced with a pseudonym or a random identifier. This process ensures that personal data is not directly identifiable, reducing the risk of unauthorized access to sensitive information.

Upheal only accesses a client’s protected health information (PHI) when it’s necessary in investigating a technical issue that a care provider reports to Upheal Support. Most technical problems are solved without any access to PHI, but sometimes, we need to see some details to understand exactly what went wrong. The Upheal Support team who may access PHI are HIPAA-trained engineers and act in line with our SOC 2 Type II attestation. They do not share, sell, or expose your data to others.

Access to personal data is strictly controlled and limited to individuals who require access to perform their job functions. All access to personal data is logged and monitored, and access rights are reviewed regularly to ensure that they are appropriate and up-to-date.

At Upheal, we are committed to protecting the data on our platform and have therefore implemented several measures to ensure its security. We understand that trust is critical in our industry, and we are therefore committed to protecting our customers' data:
‍

• HIPAA, PHIPA & PIPEDA compliant. We comply with the strict standards set by the Health Insurance Portability and Accountability Act (HIPAA), Personal Health Information Protection Act (PHIPA)and the Personal Information Protection and Electronic Document Act (PIPEDA) to ensure the confidentiality, integrity, and availability of Protected Health Information (PHI). Learn more here. 
• GDPR compliant. We follow the data regulations established by the GDPR, UK GDPR and UK DPA to provide important security measures for the protection of personal data of individuals within the EU and UK. Combining US and EU standards, we also meet and exceed US state and federal laws for security and privacy of data.
• SOC 2 compliance. Furthermore, we are working towards obtaining SOC 2, a globally recognized standard for organisational and technical security controls. SOC 2 compliance ensures that our security controls, policies, and procedures are designed to protect customer data against unauthorized access, disclosure, alteration, and destruction. In addition, we use AWS for our cloud infrastructure and storage, a highly secure and reliable vendor. 
• Availability of personal data. Upheal takes appropriate measures to ensure the availability of personal data. This includes implementing backup and disaster recovery procedures to ensure that personal data is available in the event of an unexpected outage or disaster.
• Record-level encryption of customer PII and PHI data. This helps to protect data in case of a security breach and ensures that only authorized personnel can access the data. 
• Security incident readiness. In the event of a security incident, we have a security incident policy and protocol to follow to ensure fast resolution and mitigation of harm to personal data. 

Upheal reviews the platform’s security regularly to ensure that it remains effective and up-to-date.

We've put together some best practices to help protect sensitive information while using our platform:
‍

• Follow security best practices: It is essential to use a strong and unique password for your Upheal account. Make sure it is not shared with any other services and avoid using the same password for multiple accounts. Make sure to also avoid networks susceptible to attack such as public wifi when using the platform.
• Don't share access: Do not share access to your Upheal account with anyone else, even trusted colleagues. Upheal accounts are designed to be individual, and sharing access can lead to a breach of client confidentiality.
• Use a HIPAA compliant storage: If you export data from Upheal, make sure you store it on a safe and HIPAA compliant storage. Only use trusted services that are compliant with data protection regulations, like Upheal.
• Contact us for support: If you have any doubts about the safety or security of your data on the Upheal platform, please contact our support team. We are here to help you keep your client's data safe.

Don’t forget to also follow any security guidelines that may apply to you as a professional in your location. By following these best practices, you can help ensure the security and confidentiality of data while using Upheal. We are committed to maintaining the highest standards of data protection, and we encourage our community to do the same.

Yes, we offer various methods to collect client consent through the app. It can be shared via email or directly during the call. For more details about the consent collection process, you can visit the support center. Additionally, you can check this Privacy Policy template.