We are HIPAA Compliant
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a United States law that regulates the collection and handling of “protected health information” (PHI). Certain organizations called “covered entities” and their business associates are required to comply with HIPAA.
We are “HIPAA-compliant”. This means that when we are acting as a vendor to a covered entity, we offer a service that enables covered entities to collect and manage PHI through our services in a manner compliant with HIPAA. As part of offering this service, Moterum Technologies, Inc. (“Moterum”) ensures that it operates in a way that is consistent and compatible with those laws and Moterum’s role as a business associate to a covered entity user.
If you are a Clinician, an agency supplying Clinicians, or a third-party agency registered with Moterum, you must enter into a Business Associate Agreement (BAA) with Moterum to enable HIPAA-compliance features on your account or team. In accordance with our Terms & Conditions, Moterum only permits PHI to be collected by regulated entities through a “HIPAA-enabled account” with a BAA in place.
Moterum’s Business Associate Agreement
Moterum offers a standard form BAA which meets the requirements of HIPAA and lets covered entities enter into it within their Moterum account. When a covered entity accepts the BAA, the name and title of the individual signing on behalf of the entity is recorded, along with the date of acceptance. A copy of the BAA is then made available for download or future reference through the My Account page. Upon acceptance of the BAA, an account will be converted into a HIPAA-enabled account.
We acknowledge that some covered entities have specific terms they need to include in BAAs with their business associates. Because we offer HIPAA-enabled accounts at no additional cost, we do not negotiate customer-form BAAs.
HIPAA Security Measures that Moterum Employs
As required by HIPAA, we implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that we receive, maintain, and transmit on behalf of covered entities with respect to their HIPAA-enabled accounts. These safeguards include measures required by the Security Rule, such as:
- Regular risk assessments of systems to ensure that safeguards remain relevant and effective
- Assigned security team which is responsible for maintaining compliance with HIPAA’s security requirements
- Screening, authorization, and training of Moterum staff who come into contact with customer PHI
- Data backup plans
- Disaster recovery plans
- Systems regularly monitored, updated, and patched
- Incident response plan that includes reporting of security incidents to affected covered entities
- All communications with Moterum servers encrypted in transit using TLS (commonly still referred to as SSL)

For more information, see our Security Statement.
The following features required by HIPAA are activated on HIPAA-enabled accounts. These features help covered entities to comply with their own HIPAA obligations:
- Security reminders: We remind users of their HIPAA obligations with in-product messages that appear whenever they perform certain sensitive operations on PHI (such as exporting therapy data that could potentially be shared with third parties).
- Automatic logoff: We time out user sessions after 30 minutes of inactivity.
- BAA: View a copy of your BAA in your account at any time.
- Logging: We provide enhanced logging of account access activity and of modifications to therapy data. For HIPAA-enabled accounts, each logged event is recorded with its timestamp, the identity involved (IP address and/or account username), and the event type. Event types that we log include:
  - Account login successes and failures
  - Account password reset requests
  - Account username requests
  - Therapy response exports
  - Therapy response sharing and unsharing
  - Therapy response deletions
  - API application authorizations and deauthorizations

At the moment, these logs cannot be accessed through your online account. You may contact us to request a copy of the logs for your account.
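The two technical controls in the list above, the 30-minute inactivity logoff and the audit log keyed by timestamp, identity and event type, are illustrated below in an added example. This is not Moterum's code and says nothing about how the Moterum service is built; only the 30-minute idle timeout and the three log fields come from this notice. The class names, the event names, the sample username, IP address and timestamp are all assumptions constructed for the example. It shows the one point a reviewer would check for such a control: the idle timeout is enforced server-side on every request, so a token that has gone idle is refused even if the client never ran its own countdown.

```python
"""Server-side idle-timeout sessions with an audit trail (illustrative only)."""
import json
import secrets
from dataclasses import dataclass

IDLE_TIMEOUT_SECONDS = 30 * 60  # "automatic logoff after 30 minutes of inactivity"


class AuditLog:
    """Append-only JSON-lines log; every entry carries timestamp, identity, event type."""

    def __init__(self):
        self.lines = []

    def record(self, ts, event, username=None, ip=None, **details):
        entry = {"ts": ts, "event": event, "username": username, "ip": ip}
        entry.update(details)
        self.lines.append(json.dumps(entry, sort_keys=True))

    def events(self, event=None, username=None):
        """Filter the log by event type and/or username (what a log request would return)."""
        out = []
        for line in self.lines:
            e = json.loads(line)
            if event is not None and e["event"] != event:
                continue
            if username is not None and e["username"] != username:
                continue
            out.append(e)
        return out


@dataclass
class Session:
    username: str
    ip: str
    created: float
    last_seen: float


class SessionStore:
    """Sessions are validated on the server for every request. A client-side
    countdown alone would let a stolen token stay usable indefinitely."""

    def __init__(self, audit, idle_timeout=IDLE_TIMEOUT_SECONDS):
        self.audit = audit
        self.idle_timeout = idle_timeout
        self.sessions = {}  # token -> Session

    def login(self, username, password_ok, ip, now):
        """password_ok is the outcome of the credential check, which is out of scope here."""
        if not password_ok:
            self.audit.record(now, "login_failure", username=username, ip=ip)
            return None
        token = secrets.token_urlsafe(32)  # unguessable session identifier
        self.sessions[token] = Session(username, ip, now, now)
        self.audit.record(now, "login_success", username=username, ip=ip)
        return token

    def authenticate(self, token, now):
        """Return the username if the token is valid and not idle-expired.
        A valid request refreshes last_seen (sliding 30-minute window)."""
        s = self.sessions.get(token)
        if s is None:
            return None
        idle = now - s.last_seen
        if idle > self.idle_timeout:
            del self.sessions[token]  # expire server-side; the token is now useless
            self.audit.record(now, "session_idle_timeout", username=s.username,
                              ip=s.ip, idle_seconds=idle)
            return None
        s.last_seen = now
        return s.username

    def logout(self, token, now):
        s = self.sessions.pop(token, None)
        if s is not None:
            self.audit.record(now, "logout", username=s.username, ip=s.ip)


def demo():
    """Constructed scenario: one failed login, one success, then activity at 29-minute gaps
    until a 31-minute gap trips the idle timeout."""
    audit = AuditLog()
    store = SessionStore(audit)
    t0 = 1_700_000_000.0  # constructed timestamp
    store.login("clinician1", False, "203.0.113.5", t0)        # wrong password
    tok = store.login("clinician1", True, "203.0.113.5", t0)   # correct password
    ok_29 = store.authenticate(tok, t0 + 29 * 60)  # 29 min idle: valid, window refreshed
    ok_58 = store.authenticate(tok, t0 + 58 * 60)  # 29 min since last activity: valid
    ok_89 = store.authenticate(tok, t0 + 89 * 60)  # 31 min since last activity: expired
    return ok_29, ok_58, ok_89, audit


if __name__ == "__main__":
    _, _, _, log = demo()
    print("\n".join(log.lines))
```

The sliding window is the behaviour the notice describes; a production store would normally add an absolute session lifetime as well, so that a token kept alive by steady activity still expires eventually.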
Changes to the Terms of this Notice
We can change the terms of this notice, and the changes will apply to all information we hold about you. The new notice will be available upon request, in our office, and on our website.