Patient Privacy & Security
Protecting your health and financial data
At Epion Health, we understand that trust is essential to giving and getting care. That’s why we take your data security and protection to heart.
We hold ourselves accountable to the highest industry standards, so you can have peace of mind, knowing your personal information is safe and compliant. If you have any questions regarding privacy and security, please email firstname.lastname@example.org and we will respond within two business days.
We work with outside experts to ensure we maintain the highest standards and security practices. Epion has earned the CSF certification for information security from HITRUST. This achievement places Epion in an elite group of organizations worldwide and validates our comprehensive, prescriptive and scalable framework to manage risk and data security. Learn more about our HITRUST certification.
Privacy & Security
Epion is held to the same data protection and privacy standards as your provider and is compliant with the Health Insurance Portability and Accountability Act (HIPAA) and other federal and state standards for keeping your information safe and secure.
Epion is not a healthcare provider. Under HIPAA, Epion is defined as a “business associate” – a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information (PHI) on behalf of, or provides services to, a healthcare provider (covered entity). Examples of business associate activities include claims processing or administration; data analysis, processing or administration; and billing — to name a few.
Epion Health’s privacy and security procedures include the following:
- We do not sell, disclose or use protected health information without express patient authorization or unless permitted or required by law.
- We comply with all HIPAA requirements, including signing a Business Associate Agreement (BAA) with all our partners.
- Employee laptops are centrally managed, encrypted and protected with state-of-the-art anti-malware.
- Employee hard drives are securely erased before being reused or recycled.
- Portable storage media is generally not allowed; where it is permitted, it must be encrypted.
- All patient data is encrypted — whether stored on servers or moving on the network.
- Epion has documented policies and procedures for managing encryption keys.
Incident Management & Response
Epion Health has incident management and response plans and processes in place in the event of a security breach. This includes notifying users of potentially compromised health and financial data. We test our plans and practice responses across disciplines at least twice a year.
We have a formal risk management process that includes annual risk assessment, testing and mitigation to find and remediate any vulnerabilities that could pose a threat to our platform or data.
Epion Health operates a comprehensive vendor management program that includes risk and security assessments. To further ensure all service providers who touch patient data meet our rigorous standards, they are required to sign a Business Associate Agreement. Epion has formal processes for starting and ending our relationships with vendors to ensure patient data is properly transferred and not kept.
Disaster Management & Business Continuity
We have a robust disaster management and recovery plan that supports business continuity. We test our plans and practice responses to scenarios at least twice a year.
Secure Software Development
At Epion, our mission is to provide innovative solutions that improve how healthcare works — without jeopardizing security or compliance. Our platform provides a safe, secure and scalable way to exchange healthcare data. To ensure the highest level of security, we follow strict policies and procedures, including:
- Utilizing a standard, agile software development methodology
- Requiring all changes to be documented, approved and reviewed by at least two engineers
- Leveraging an extensive suite of automated tests and a robust QA process
- Restricting access to production environments
For more information, please see: