1. INTRODUCTION
At Inclusive.AI, we take data storage, protection, and privacy extremely seriously. All information handling, whether residing on a device or in the cloud in our AWS data repository, has gone through comprehensive analysis to ensure that any data remains available, secure, and in compliance with the Health Insurance Portability and Accountability Act, 1996 (“HIPAA”) to ensure protection of electronic protected health information (ePHI). This HIPAA statement (“Statement”) is in addition to the privacy policy available at https://myinclusive.ai/privacy-policy/.
All personal data is maintained solely to provide services through https://myinclusive.ai/ (“Website”). Other than this purpose, ePHI is not used, shared, or accessed without authorized consent.
By using or accessing the Website or by creating an account on the Website, you (i) agree and acknowledge that you have read and understood the terms of this Statement, and (ii) acknowledge and consent to the collection, retention and use of your ePHI as described in this Statement.
2. ADMINISTRATIVE CONSIDERATIONS
(a) Business Associate Agreements: We execute business associate agreements with each of our business associates, which document and ensure that all relevant parties remain obligated to comply with HIPAA (among other obligations) throughout the business relationship. These agreements also allow for corrective action should an agreement be breached.
(b) Documented Policies and Procedures: Inclusive.AI maintains a full set of standard operating procedures for all aspects of the business. This includes the privacy policy available at https://myinclusive.ai/privacy-policy/ and all procedures that access any ePHI.
(c) Training and Audits: Inclusive.AI mandates that all employees of Inclusive.AI given access to any ePHI go through rigorous training on the relevant HIPAA policies. In addition to the above, annual audits are performed to assess compliance and to identify vulnerabilities and risks associated with current policies. Identifying these potential issues leads to corrective action that further enhances the policy.
(d) Detection and Correction: Inclusive.AI identifies all deviations from existing policies and requires those incidents be documented and analysed for corrective action. Corrective action may include changes in training or in the policies themselves.
3. SOFTWARE AND DATA
(a) Data Encryption: Inclusive.AI employs end-to-end encryption for all data transfer transactions. This includes an encrypted two-step authorization.
(b) Data Backup and Storage: All data is stored and is backed up to an AWS cluster repository / cloud. AWS complies with the backup, data breach identification, notification, and audit/logging requirements necessary for compliance. AWS also provides local data storage in cases where data centers exist in the country in question, such that data from a particular country resides in that country. Inclusive.AI can provide specific information relevant to the available data center locations. All data associated with medical information, which may include ePHI, is securely maintained indefinitely.
(c) Login and Log-off Activity: All login and user activity is maintained in a software audit log that may be reviewed in case of a breach. These audit logs also include level-of-access information to determine particular data that would be available to the user. Further, there is an automatic logoff implementation to avoid inadvertent access to ePHI, as well as 2-factor authentication.