Patient Privacy & Security
Protecting your healthcare data
At Epion Health, we understand that trust is essential to giving and getting care. That’s why we take data security and protection to heart. We hold ourselves accountable to the highest industry standards, so you can have peace of mind, knowing your patient-related health and financial information is safe and compliant.
Screening, Training & Data Security
The security of your data is important to us. At Epion, all employees undergo an extensive background check. Our employees are carefully selected and are required to attend annual data security training. Our commitment to accountability, ethics, education and professional standards is part of our company culture. It’s explicitly spelled out under our security policies and acknowledged by employees as well as contracted personnel.
We work with outside experts to ensure we maintain the highest standards and security practices. Epion has earned the CSF certification for information security from HITRUST. This achievement places Epion in an elite group of organizations worldwide and validates our comprehensive, prescriptive and scalable framework to manage risk and data security.
Privacy & Security
Epion is held to the same data protection and privacy standards as providers are, and we are compliant with the Health Insurance Portability and Accountability Act (HIPAA) and other federal and state standards for keeping information safe and secure.
Under HIPAA, Epion is defined as a “business associate” – a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information (PHI) on behalf of, or provides services to, a healthcare provider (covered entity). Examples of business associate activities include claims processing or administration; data analysis, processing or administration; and billing — to name a few.
Epion Health’s privacy and security procedures include the following:
- We do not sell, disclose or use protected health information without express patient authorization or unless permitted or required by law.
- We comply with all HIPAA requirements, including signing a Business Associate Agreement (BAA) with all our partners.
- Employee laptops are centrally managed, encrypted and protected with state-of-the-art anti-malware.
- Employee hard drives are securely erased before being reused or recycled.
- Portable storage media are generally not permitted; where an exception is made, the media must be encrypted.
- All patient data is encrypted — whether stored or moving on the network.
- Epion has documented policies and procedures for managing encryption keys.
Protecting your data requires information security governance. Epion maintains a formal security plan with documented roles, standards, guidelines, policies and procedures to ensure the quality, security and proper management of data. We also have reporting channels for anonymous whistleblower complaints that further protect our clients from inside and outside threats.
Incident Management & Response
Epion has incident management and response plans and processes in place in the event of a security breach, disaster or other business disruptions. This includes notifying users of potentially compromised health and financial data. We test our plans and practice responses across disciplines at least twice a year.
We have a formal risk management process that includes annual risk assessment, testing and mitigation to find and remediate any vulnerabilities that could pose a threat to our platform or data.
Epion operates a comprehensive vendor management program that includes risk and security assessments. To further ensure all service providers who touch patient data meet our rigorous standards, they are required to sign a Business Associate Agreement. Epion has formal processes for starting and ending our relationships with vendors to ensure patient data is properly transferred and not kept.
Secure Software Development
At Epion, our mission is to provide innovative solutions that improve how healthcare works — without jeopardizing security or compliance. Our platform provides a safe, secure and scalable way to exchange healthcare data. To ensure the highest level of security, we follow strict policies and procedures, including:
- Utilizing a standard, agile software development methodology
- Requiring all changes to be documented, approved and reviewed by at least two engineers
- Leveraging an extensive suite of automated tests and a robust QA process
- Restricting access to production environments
If you have any questions regarding our security and privacy practices, please email firstname.lastname@example.org.
For more information, please see: