You don't have to choose between efficiency and ethics
We built Upheal to protect what matters most: your confidential therapeutic relationships.



Unlike typical AI scribes, Upheal never uses your sessions to train our platform without explicit permission from you and your clients.
We empower your clients with clear choices about their data privacy, including opt-out options that respect their therapeutic autonomy.
We've built a privacy policy that never allows selling your clients' sensitive information to third parties or data brokers.
If subpoenaed, we’ll contact you first (if allowed), upholding your role as the guardian of client confidentiality.
We’re SOC 2 certified, which means that independent auditors continuously find that our team handles your data with the highest standards.
We invest in regular penetration testing by external security experts, following rigorous OWASP standards to protect your practice.
Yes. The Upheal platform empowers healing professionals to concentrate on their services by offering automated notes and analytics for client conversations. As a part of this process, Upheal handles protected health information for practitioners, adhering to HIPAA regulations as a Business Associate.
Upheal fully complies with the HIPAA Security Rule and Privacy Rule, ensuring that clients’ electronic health information (ePHI) is protected with proper administrative, physical, and technical safeguards to ensure confidentiality, integrity, and security.
Our platform provides a secure environment for your ePHI through a combination of technical and nontechnical measures. Learn more here.
Yes. We have undergone an assessment by a third-party auditor, which confirmed that we meet all requirements set by the Personal Health Information Protection Act (PHIPA) and the Personal Information Protection and Electronic Documents Act (PIPEDA).
This means that whether you're using our product across Canada or in the province of Ontario, your data remains under the safeguard of the highest privacy protocols.
Yes. Upheal is fully compliant with the General Data Protection Regulation (GDPR), UK GDPR, and UK Data Protection Act (DPA). We prioritize the privacy and protection of our users' personal data, ensuring that all data processing activities are carried out in accordance with the stringent requirements set forth by these regulations.
At Upheal, we are committed to protecting the data on our platform and have implemented several measures to ensure its security. We understand that trust is critical in our industry, which is why we are committed to protecting our customers' data:
Our systems regularly undergo comprehensive penetration testing by external security firms, following industry-leading OWASP standards. All issues are addressed, and tests are reported in our Trust Center.
Yes. You can find our Business Associate Agreement (BAA) here. It governs the cooperation between us as a Business Associate and healing professionals when they are defined as a Covered Entity under HIPAA. All Covered Entities who use our platform agree to the terms of the BAA upon signing up.
Personal data including protected health information (PHI) processed by the Upheal platform is stored in a pseudonymized format. This means that personal data is not stored in its original form but is instead replaced with a pseudonym or a random identifier. This process ensures that personal data is not directly identifiable, reducing the risk of unauthorized access to sensitive information.
Upheal only accesses a client’s protected health information (PHI) when it’s necessary to investigate a technical issue that a care provider reports to Upheal Support. Most technical problems are solved without any access to PHI, but sometimes we need to see some details to understand exactly what went wrong. The Upheal Support team members who may access PHI are HIPAA-trained engineers and act in line with our SOC 2 Type II attestation. They do not share, sell, or expose your data to others.
Access to personal data is strictly controlled and limited to individuals who require access to perform their job functions. All access to personal data is logged and monitored, and access rights are reviewed regularly to ensure that they are appropriate and up-to-date.
Yes, we offer various methods to collect client consent through the app. It can be shared via email or directly during the call. For more details about the consent collection process, you can visit the support center. Additionally, you can check this Privacy Policy template.
Your clients trust you with their most vulnerable moments, and you deserve supportive technology that honors that trust as seriously as you do. When you're choosing a tool, ask the difficult questions, read the privacy policies, and demand transparency.