Security Policy

1. Introduction

Salus EMR is committed to protecting the personal health information (PHI) of its users. We adhere to the highest industry standards and comply with both federal and state laws, including the Health Insurance Portability and Accountability Act (HIPAA) and the Texas Medical Records Privacy Act. This policy outlines the steps Salus EMR takes to secure data and protect users’ privacy.

2. Compliance Framework

Salus EMR complies with the following regulations:

· HIPAA (Health Insurance Portability and Accountability Act): Ensures the protection of PHI by setting national standards for electronic healthcare transactions.

· HITECH (Health Information Technology for Economic and Clinical Health Act): Supports the enforcement of HIPAA, particularly in relation to breaches of health information.

· TMRPA (Texas Medical Records Privacy Act): Enforces more stringent PHI protection standards in Texas than the federal HIPAA guidelines.

3. Data Collection and Usage

· Minimum Data Collection: Salus EMR collects only the information necessary for healthcare purposes, such as medical records, billing data, and personal identification.

· Data Use Transparency: All uses of your PHI, whether for treatment, billing, or healthcare operations, are disclosed to you. Users can access and request amendments to their data as per HIPAA.

For more information on the policies in place at Salus EMR for data collection, usage and protection, please refer to the Privacy Policy, Terms of Use and the Terms of Service Agreement.

4. Data Protection Measures

a) Encryption: All user data is encrypted both in transit and at rest using industry-standard encryption protocols. Salus EMR employs TLS/SSL for secure communication channels and AES-256 for storage encryption.

b) Cloud Security: Salus EMR utilizes Amazon Web Services (AWS), a trusted cloud service provider, which offers advanced security, firewalls, threat detection systems, and automatic backups.

c) Access Controls:

· Role-based access is enforced, meaning users only have access to the data necessary for their role.

· Multi-factor authentication (MFA) is available for all users, adding an extra layer of protection beyond passwords.

· Secure physical access and limited access to authorized personnel only.

d) Audit Logs: All access and changes to PHI are logged and monitored. These logs are subject to regular audits to identify any unauthorized or suspicious activity.

e) Backup & Disaster Recovery: Regular, encrypted backups are maintained to ensure data availability in the event of a system failure. The data centers are spread across different geographic regions, based on strategic assessment, in order to protect data from natural as well as man-made disasters, including cyber-attacks. The Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) ensure complete data redundancy and emergency recovery protocols.

f) Monitoring & Surveillance: 24/7 surveillance, intrusion detection, and real-time monitoring.

g) Environmental Protections: Fire suppression systems and climate controls to protect hardware.

h) Risk Management: Regular audits, risk assessments, and business continuity planning.

i) Device Management: Secure handling and disposal of hardware.

For more information on the policies in place at Salus EMR for data collection, usage and protection, please refer to the Privacy Policy, Terms of Use, Terms of Service Agreement and Anti-Spam Policy.

5. Data Breach Response

In the event of a data breach:

· Users will be notified within 60 days as per HIPAA regulations.

· Affected individuals and relevant authorities, including the Texas Attorney General’s office, will be informed if the breach affects more than 500 residents.

· A thorough investigation will be conducted, and measures will be taken to prevent future breaches.

6. Third-Party Vendors

Salus EMR works with third-party service providers for data storage, security, and operational support. These providers are vetted and required to sign Business Associate Agreements (BAAs), ensuring they adhere to HIPAA and TMRPA standards. Regular security audits are conducted to monitor compliance.

7. User Responsibilities

· Users are responsible for maintaining the security of their accounts by using strong, unique passwords and enabling multi-factor authentication (MFA).

· Users should report any suspicious activities or potential breaches immediately to Salus EMR.

8. Security Awareness and Training

Salus EMR employees undergo mandatory training on data privacy and security best practices, including recognizing phishing attacks, securing sensitive data, and complying with HIPAA and TMRPA requirements. Regular updates and refresher courses are provided to the employees.

9. Data Retention and Disposal

PHI is retained as long as necessary to fulfil the purpose of its collection or as required by law. Once no longer needed, data is securely deleted in compliance with the NIST (National Institute of Standards and Technology) 800-88 guidelines for media sanitization.

10. Changes to the Policy

Salus EMR reserves the right to update this policy as necessary to reflect changes in technology, legal requirements, or business practices. Users will be notified of any significant changes.

11. Contact Information

For any questions regarding this policy, or to report security issues or concerns, please email security@salusemr.com.