Is Magpi compliant with HIPAA? We get this question often and the answer is that HIPAA does not specify individual requirements, but the HIPAA security rule specifies three security "safeguards":
Administrative Safeguards — making sure that you have a system in place to control access to the data, including the issuing of passwords (and removing them if an authorized user leaves), not sharing passwords, having written procedures in place, etc.
Physical Safeguards — measures to prevent physical theft and loss of devices containing electronic PHI (personal health information). This would be our province, and our servers are very well locked down, and monitored 24/7/365.
Technical Safeguards — technology-related measures to protect your networks and devices from data breaches and unauthorized access. Again, this is mostly our side. This means things like encrypting the data in transit, making sure our website is secure, making sure the mobile app is secure, etc.
Keep in mind also that HIPAA allows organizations with different levels of resources to utilize different methods of security. For example, it is possible to have a paper-based system that is HIPAA-compliant (if, for example, a doctor's practice cannot afford to purchase an EHR), as long as appropriate steps are taken to safeguard the data.
In short, no software can be “HIPAA-compliant”, but if it includes certain features it can be part of a HIPAA-compliant overall solution. Magpi certainly fits into this category, as we provide modern security features like encryption, hashed passwords, training of our staff, controls over access, etc. For Magpi users to be collecting protected health information, they would be responsible for putting in place many of the safeguards outlined above. In addition, we would need to sign a Business Associate Agreement, per regulation, which is essentially an addendum to our terms of service that applies only to Enterprise accounts.
To determine if you are in compliance with HIPAA would require a very thorough documentation of your activity, the path of the data at every step, all of the administrative protocols mentioned above and in the link, etc.
To learn about Magpi being compliant with GDPR, please read here.