About Upheal: Our HIPAA compliance and how we value your privacy
Welcome to the first of our About Upheal blog series, where we delve into important topics that you, our audience, have wanted to know more about. Whether it’s for yourself or your clients, we’ll be covering how we work with data security and privacy as well as AI in order to help answer any questions you may have as transparently as possible. First up, we’ll talk about our HIPAA compliance and ways we handle data privacy.
What makes us HIPAA compliant
We spend a large portion of our time keeping up with security and privacy laws, and work with a team of legal and mental health professionals for guidance. When it comes to HIPAA compliance, there are several things we have to do.
Firstly, we are required to de-identify any session data used to improve the product or to train AI. On top of the de-identification, we add our own voluntary second step, which is alerting clients to the use of their data for AI improvements. (It is a necessary part of our sign up process that the client knows about it, however, agreeing to it, is entirely optional.) It is also always possible for the client to change their mind about data sharing, and the consent can be revoked. In this case, we’ll delete the data immediately.
Second, we’re required by HIPAA regulations to act as a Business Associate and comply with the HIPAA Security and Privacy Rules. This means we have to ensure that clients’ electronic health information (ePHI) is protected with proper administrative, physical, and technical safeguards to ensure confidentiality, integrity, and security.
As a Business Associate under HIPAA, Upheal enters into an agreement with each healing professional who uses the platform. Under the terms of the BAA, Upheal can only use and disclose personal health information (ePHI) as permitted by the HIPAA-approved BAA or as required by law or in response to a valid subpoena – the same way as for “regular, offline” therapy. In addition, Upheal always has to make requests for any sensitive information from the therapist; we cannot just access data without permission.
The same BAA rules apply to any subcontractors or supporting IT services. And because you asked, we are strictly bound by the BAA, and no, we cannot sell the data nor give it to any third party for profit. You can read more about that here.
Finally, we undergo regular checks by supervisory bodies that provide us with third-party reports about how we’ve performed when it comes to meeting HIPAA requirements. You can read through our reports here.
More about data privacy
In order to keep client data private we use a method called de-identification.
We de-identify session data by default, by pseudonymizing private identifiers and predefined types of data like names, addresses, identifying codes, telephone numbers, social security and credit card numbers, email addresses, medical records and more.
Pseudonymization replaces private identifiers with fake identifiers or pseudonyms, for example replacing the identifier “Mark Smith” with “John Houser”.
However, because even de-identified information is still considered personal information, for example by GDPR standards, we choose to ask that clients provide consent to use Upheal. This is not requested by all players in the mental health space currently, and we believe it should be.
In any case, after the data has been de-identified, the risk of it then connecting to any one individual is really negligible.
If at any point, the client wishes for Upheal to delete any personal data, we must be able to track it back and do so (a process called re-identification). In case you’re wondering, others can’t do the same, since we are the only ones who have the re-identification keys, and we store these in a secured, separate repository.
We may use them solely for the purpose of deleting the de-identified data upon client request. And, we adopt appropriate safeguards to protect de-identified data in accordance with applicable data protection standards and regulations (e.g. HIPAA, GDPR, CCPA, etc.).
What your clients should know
As described above, you can tell your client that we delete the session audio immediately. We store the complete session transcript and generated notes until you, the mental health professional, decide to delete the transcript, the session, or the client (and all of the client's data).
If the client gives their optional consent for product and AI improvements, we first de-identify their transcript. We do this in order to create notes and session insights, remember the right people and places on behalf of the therapist, and capture medication names. You can read about that in our upcoming blog article on how we work with AI.
In addition, we’ve also made it possible to set data sharing preferences at the therapist level. This means that if you opt out of data sharing, your clients will be opted out by default as well. So if a therapist doesn’t wish for any of their clients to be asked about giving optional consent to share de-identified session data, the therapist can pre-set that preference in the Settings section of the app on their clients’ behalf.
Key takeaways
- Upheal is HIPAA compliant and checked regularly to make sure we keep meeting the latest HIPAA requirements.
- Providing data to Upheal for AI and product improvements, is optional.
- If the client grants consent, the data we keep for AI improvement purposes is always de-identified first so it can’t be tracked back to an actual person.
- Sharing de-identified data is optional at both the client and the therapist level.
We hope this helps answer some of your most pressing questions! If you have any more data or privacy related questions, you can peruse our Support center or drop us an email.
Next time, we’ll be looking at data security, and after that, our obligation to law enforcement, before moving onto how we work with AI.
