GeriJoy takes privacy and security very seriously, and we will never disclose or sell any personally identifiable client/patient information to a third party (anybody who is not legally bound to confidentiality with GeriJoy) except under the following circumstances:
We use de-identified or statistical information for a variety of purposes including research or marketing. This usage does not affect the privacy of any personally-identifiable or otherwise private information.
Our servers which run the GeriJoy Connected Care platform are located in the US, so any malicious attacks on GeriJoy’s system may be prosecuted to the full extent of US law. On our servers, we use commercial-grade password protection and other security systems to prevent unauthorized access. All passwords are one-way cryptographically hashed so that not even GeriJoy has access to the plain text of any client-generated passwords.
Our internal information security policies prohibit our employees and contractors from storing any client information off-server unless the storage medium is also password-protected and is secured by encryption. If any sensitive client information is communicated within the GeriJoy team not through the GeriJoy Connected Care service, such sensitive information is transmitted through an encrypted medium.
For more information, please consult the information below:
Is GeriJoy HIPAA compliant?
GeriJoy complies with all applicable federal laws and regulations regarding data privacy and security. GeriJoy is not itself a covered entity under HIPAA, and when GeriJoy works with other organizations that are covered under HIPAA, we ensure through our privacy and security policies that all covered entities continue to comply with HIPAA.
What is HIPAA?
HIPAA is the federal Health Insurance Portability and Accountability Act, a federal law that protects the privacy and security of personal health information. It also allows healthcare providers and certain related operations enough access to do their jobs effectively. The relevant portions of HIPAA that pertain in general to health-related information technology are the Privacy Rule and the Security Rule, as well as the HITECH Act which enforces the former two. Note that state laws may be different from federal laws, and in cases of conflict, federal law supersedes state law.
How does the HIPAA Privacy Rule apply to GeriJoy?
The Privacy Rule covers protected health information (PHI) in any form, whether paper, oral, electronic, etc. While it requires covered entities to implement “administrative, physical, and technical safeguards” for protecting PHI, it differs from the Security Rule in that it discusses the cases in which PHI can be used, when authorization is required and what rights patients have with respect to their health information. (Read the Privacy Rule summary here — much of the content below is excerpted verbatim from that document.)
A covered entity is defined as a “health plan”, “health care clearinghouse”, or “health care provider” that electronically transmits health information in connection with certain transactions. These transactions include claims, benefit eligibility inquiries, referral authorization requests, or other transactions for which HHS has established standards under the HIPAA Transactions Rule. To clarify, using electronic technology, such as email, does not mean a health care provider is a covered entity; the transmission must be in connection with a standard transaction.
GeriJoy is not a health plan, a health care clearinghouse, or a health care provider that electronically transmits health information in connection with covered transactions, and therefore GeriJoy is not itself a covered entity. The HIPAA Privacy Rule does not directly apply to GeriJoy. GeriJoy does adhere to its own stringent privacy policies, which are described above and in our Terms of Service.
How does the HIPAA Privacy Rule apply to GeriJoy’s interactions with other health care providers which are covered entities?
When a covered entity uses a contractor or other non-workforce member to perform “business associate” services or activities, the Rule requires that the covered entity include certain protections for the information in a business associate agreement. In general, a business associate is a person or organization, other than a member of a covered entity’s workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information. However, persons or organizations are not considered business associates if their functions or services do not involve the use or disclosure of protected health information, and where any access to protected health information by such persons would be incidental, if at all.
The Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information “protected health information” (PHI). In order to be individually identifiable, and thus PHI, an information set must identify the individual, e.g. through the use of name, address, birth date, Social Security Number.
In contrast to individually identifiable health information, there are no restrictions on the use or disclosure of de-identified health information. De-identified health information neither identifies nor provides a reasonable basis to identify an individual. Section 164.514(a) of the HIPAA Privacy Rule provides the standard for de-identification of protected health information. Under this standard, health information is not individually identifiable if it does not identify an individual and if the covered entity has no reasonable basis to believe it can be used to identify an individual.
When working with a covered entity such as a hospital that may refer a patient on discharge to GeriJoy, GeriJoy only receives information from the covered entity that has been de-identified under the “Safe Harbor” method described under Section 164.514(a) of the HIPAA Privacy Rule, and thus GeriJoy is not considered to be a HIPAA business associate.
As an example, the only key pieces of information GeriJoy needs to start administering a health coaching program are a GeriJoy account name corresponding to a GeriJoy Connected Care unit, e.g. “patient1223”, and a description of any coaching or other reminders and programming that we are requested to administer through that unit. Before sending the patient home with the unit, the covered entity simply updates their own confidential record that matches the GeriJoy account name with a patient identifier such as a medical record number. That way, if GeriJoy reports to the hospital that “patient1223” has an issue that may justify contact from the clinician to prevent a hospital readmission, the clinician can easily pull up patient1223’s full medical record and contact information. Because GeriJoy does not provide medical diagnosis, advice, or treatment, we do not need access to the full medical record of the patient.
How does the HIPAA Security Rule apply to GeriJoy?
The Security Rule applies only to protected health information in electronic form (E-PHI) and builds on the Privacy Rule requirements of “administrative, physical, and technical safeguards.” Unlike the Privacy Rule which is more concerned about patients’ rights and how health information is used and released, the Security Rule sets standards on the processes and technical security measures that should be taken to keep PHI private.
Because the HIPAA Privacy Rule does not apply to GeriJoy, and the HIPAA Security Rule is a more specific ruling regarding electronic forms of PHI, the HIPAA Security Rule also does not apply directly to GeriJoy.
However, with GeriJoy’s video calling features, it is possible for a covered entity to communicate directly with a patient face-to-face using the GeriJoy hardware platform, so the question arises: how does the HIPAA Security Rule apply to direct patient-provider communication through a video calling platform?
Under the Security Rule, paper to-paper faxes, person-to-person telephone calls, video teleconferencing, or messages left on voice-mail do not count as E-PHI because they did not exist in electronic form before the transmission. Thus those activities are not covered by the Security Rule.
We still take security very seriously, of course, so our video calling is implemented through the industry-leading video calling platform, Skype*, owned by Microsoft*. All our video calls are encrypted through AES (Advanced Encryption Standard), which is used by the US Government to protect sensitive information, and are secured using the strong 256-bit encryption level. Compared to a regular phone call, fax, or mail, which can be relatively easily tapped or intercepted, the 256-bit AES-encrypted videocalls on GeriJoy’s platform are highly secure.
*”Skype” and “Microsoft” are registered trademarks of Microsoft. GeriJoy is not affiliated with Skype or Microsoft.