How does SimpleLTC protect Protected Health Information (PHI)?
SimpleLTC takes measures to comply with the Security and Privacy rules under the Health Insurance Portability and Accountability Act (HIPAA) of 1996 and the Health Information Technology for Economic and Clinical Health (HITECH) Act, as well as other applicable federal and state laws.
The SimpleLTC web application protects customer data in-transit using industry-standard SSL/TLS encryption technology and recommends that all customers use modern browsers with the latest security features.
By company policy, SimpleLTC employees are required to complete mandatory training about health information privacy under HIPAA and HITECH as a condition of employment. Access to PHI is restricted to employees who have a valid business need to access the data (such as customer support).
The SimpleLTC primary data center, located in the Dallas-Ft. Worth Metroplex, maintains PCI DSS section 9 and 12 compliance and has also obtained a dual-standard Service Organization Controls 1 (SOC 1) Type 2 report in accordance with SSAE 16 and ISAE 3402. Physical access to company data center assets containing PHI is restricted to authorized personnel only with a valid business justification (such as system administration or server maintenance).
All company-owned notebook computers, portable hard drives, and other removable media that contain PHI are required to be encrypted using Advanced Encryption Standard (AES) technology approved by the U.S. government for protecting sensitive information (FIPS 197).
How does SimpleLTC use our data?
SimpleLTC makes use of customer data (including PHI) to provide tools and services to assist long-term care providers in improving quality of care and complying with state and federal requirements such as those imposed by Medicare and Medicaid.
SimpleLTC may also use customer data in order to compute and share anonymized statistical analysis at a federal, state, or regional level with outside entities such as other customers, its business partners, and researchers. Data identifying a customer, provider, or resident will never be disclosed to an outside entity without the express written permission of the provider owning the data or in compliance with a lawful order from a federal or state authority.
Will SimpleLTC disclose my data to a third-party?
SimpleLTC will never disclose customer data (including PHI) to third-party organizations without the consent of the provider. The only exception to this policy is the sharing of customer data with SimpleLTC’s business associates who have a valid business reason for accessing the data (such as IT contractors) or in compliance with a lawful order from a federal or state authority.
Who really controls my data?
You do! As a result, SimpleLTC does not charge for standard data extracts from our system and even makes a third-party API available so that your own developers or IT staff can write applications that interact with data on SimpleLTC. However, some charges and fees may apply for non-standard or excessive data extract requests.
If my company is no longer a customer of SimpleLTC, what happens to my data?
You can easily export your data via a data extract request with the help desk or through the SimpleLTC API. Although SimpleLTC makes no guarantee about maintaining data for former customers, we will typically maintain archives of your data for at least seven years from the date of termination. You, the customer, may request to have your data removed from the SimpleLTC system. A request to remove data must be submitted in writing (letter or email) and sent to the Chief Technology Officer of SimpleLTC. Once data is permanently deleted from SimpleLTC it cannot be restored.
How is my data protected in the event of a natural disaster?
Customer data is encrypted and backed up securely to remote data centers to ensure availability and recovery of customer data in the event of a natural disaster at the primary data center in the extremely unlikely event that it is rendered inoperable.
In the event of a natural disaster at the nursing facility or corporate office, SimpleLTC data will remain accessible from any Internet-connected computer allowing for a simplified recovery for facility staff in the event of a disaster.