Privacy & Security

Gaining and keeping the trust of both patients and providers is of the highest importance to RoundingWell. Under the guidance of requirements established in the Health Insurance Portability and Accountability Act of 1996 (HIPAA), we are firmly committed to ensuring the security and privacy of personal health information (PHI) contained on our platform. We have implemented industry-leading best practices that are equal to, and in many cases better than, traditional computing environments in adherence with HIPAA’s Privacy Rule and Security Rule.

RoundingWell is built on the same robust technology that uses to run its global web properties. Amazon Web Services (AWS) provides a reliable, scalable, and cost-effective computing platform "in the cloud" that RoundingWell uses to deliver a HIPAA-compliant platform for our customers.

Privacy Controls

HIPAA's Privacy Rule sets standards regarding the encryption of all PHI in transmission and in storage. The same data encryption mechanisms used in a traditional computing environment, such as a local server or a managed hosting server, are being used in the RoundingWell platform, a virtual computing environment.

  1. All data containing PHI is encrypted using 256-bit AES algorithms during transmission and in storage. To further extend this policy, only PHI required for the platform to function is transmitted.
  2. Our system administrators utilize key-based authentication to access RoundingWell virtual servers. Each administrator account is secured with a 2048-bit RSA key pair, with private and public keys and a unique identifier for each key pair.

Security Controls

HIPAA's Security Rule requires covered entities to put in place detailed administrative, physical and technical safeguards to protect electronic PHI. We comply with these requirements by implementing access controls, encrypting PHI, and implementing audit and backup controls.

  1. The RoundingWell system administrator sets user and computer access controls to restrict data access and ensure security.
  2. RoundingWell auditing capabilities allow security analysts to drill down into detailed activity logs or reports to see who had access, IP address entry, what data was accessed, etc. The activity log files are detailed down to the packet layer and also track any IP traffic that reaches RoundingWell virtual servers, just as on traditional hardware. Activity log files are backed up on Amazon S3 for long-term, reliable storage.
  3. RoundingWell has a contingency plan in place to protect data in case of an emergency. Exact copies of electronic protected health information are backed up automatically in the form of point-in-time snapshots. These snapshots are then stored in multiple availability zones to ensure data availability regardless of infrastructure failure or natural disaster.
  4. Disaster recovery, one of the more expensive HIPAA regulations to comply with, involves 1) maintaining highly available systems, 2) keeping both the data and system replicated off-site, and 3) enabling continuous access to both. Our platform is inherently structured to comply with this regulation at no additional cost. RoundingWell administrators can very quickly launch platform instances across multiple geographically diverse data centers to ensure uninterrupted service, should the need arise. These capabilities allow RoundingWell to achieve service level availability of 99.9% with no single points of failure.