HIPAA

Nextup is committed to keeping your data private and secure.

We understand that customers that interact with health care data are subject to specific compliance obligations, including those under the Health Insurance Portability and Accountability Act (HIPAA). So, we have created this guide to help inform our  customers about what Nextup is doing to support them with their unique compliance responsibilities. Nextup’s privacy practices, technical controls, and security measures are designed to protect the data its customers submit to Nextup, as defined in our privacy policy.

What is HIPAA?

The Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule”) establishes, for the first time, a set of national standards for the protection of certain health information. The U.S. Department of Health and Human Services (“HHS”) issued the Privacy Rule to implement the requirement of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).1 The Privacy Rule standards address the use and disclosure of individuals’ health information—called “protected health information” by organizations subject to the Privacy Rule — called “covered entities,” as well as standards for individuals' privacy rights to understand and control how their health information is used. Within HHS, the Office for Civil Rights (“OCR”) has responsibility for implementing and enforcing the Privacy Rule with respect to voluntary compliance activities and civil money penalties.

A major goal of the Privacy Rule is to assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public's health and well being. The Rule strikes a balance that permits important uses of information, while protecting the privacy of people who seek care and healing. Given that the health care marketplace is diverse, the Rule is designed to be flexible and comprehensive to cover the variety of uses and disclosures that need to be addressed.

What is Protected Health Information?

Protected health information (PHI) is any demographic information that can be used to identify a patient or client of a HIPAA-beholden entity. Common examples of PHI include names, addresses, phone numbers, Social Security numbers, medical records, financial information, and full facial photos to name a few.

PHI transmitted, stored, or accessed electronically also falls under HIPAA regulatory standards and is known as electronic protected health information, or ePHI. ePHI is regulated by the HIPAA Security Rule, which was an addendum to HIPAA regulation enacted to account for changes in medical technology.

How does HIPPA apply to Nextup?

When Nextup provides Services to customers that are required to comply with HIPAA we act as Business Associate.

  • Business Associates: A business associate is defined by HIPAA regulation as any organization that encounters PHI in any way over the course of work that it has been contracted to perform on behalf of a covered entity. There are many, many examples of business associates because of the wide scope of service providers that may handle, transmit, or process PHI. Common examples of business associates affected by HIPAA rules include: billing companies, practice management firms, third-party consultants, EHR platforms, MSPs, IT providers, faxing companies, shredding companies, physical storage providers, cloud storage providers, email hosting services, attorneys, accountants, and many more.

Here’s how Nextup supports  customers with their HIPAA compliance.

  • HIPAA Compliance. Nextup has been evaluated by a 3rd party and confirmed to HIPAA compliant in our operations. To start the process of signing a business associates agreement (BAA) please contact our team.
  • Data Privacy. We store data only as specified in our privacy policy. In most cases this will mean that all applicable data under HIPAA will never be stored in our systems.
  • Data Security. We support the latest recommended secure cipher suites and protocols to encrypt Customer Data in transit and at rest. We also perform regular vulnerability scans and application-level penetration tests by independent entities. For more information on our security visit our security center.
  • Transparent security and privacy practices. Our policies and practices are customer-conscious, and transparent. Our security practices and privacy policy are publicly available. Customers can review our third-party audit reports, including our annual SOC-2 report, upon their request (and they are available to potential customers after signing an NDA).
  • Subprocessor Transparency. We are also transparent about our subprocessors —third-party data processors that help support the delivery of our Services with whom we share Customer Data. View our current list of subprocessors.
  • Physical Safeguards. Amazon Web Services (AWS) is our third-party hosting provider. AWS has world-class physical and environmental security, including strictly controlled perimeters, ingress points with video surveillance, on-site security, and two-factor authentication. More on AWS’s physical and environmental security is available here.

Our Security Infrastructure and Certifications

Protecting our customers’ information and their users’ privacy is extremely important to us. As a cloud-based company we’ve set high standards for security. We’ve received security certifications from the American Institute of Certified Public Accountants such as SOC 2 and can be configured for HIPAA compliance.

Nextup has invested in building a robust security team, one that can handle a variety of issues — everything from threat detection to building new tools. In accordance with GDPR requirements around security incident notifications, Nextup will continue to meet its obligations and offer contractual assurances.

If you’d like to learn more about Nextup’s security policies and procedures, please see our security page. It provides detailed information on how we approach security, and includes information on how Nextup ensures user data security in particular, including our technical and organizational measures (TOMs) as well as our encryption standards.

If you would like a copy of our security reports or penetration tests we are happy to provide the details for your teams review.

Updates

At Nextup, we are committed to the security and privacy of your data. So we’re glad to comply and help you comply with the FERPA. If you have any questions about your rights under the FERPA as a user or how Nextup can help you with compliance as a Customer, we hope you’ll reach out to us at privacy@nextup.ai.

Please also visit our Trust Center to learn more about our privacy, security and compliance programs.