Protecting your account and electronic protected health information (ePHI) is essential to us at SimplePractice. When using SimplePractice, your account information is stored securely in our platform. This guide outlines how we safeguard your data and the steps you can take to protect your account.
Below, we'll cover:
- Trusting SimplePractice with your data
- Reviewing our security technology and practices
- Protecting your account and data
- Keeping your data records
Trusting SimplePractice with your data
SimplePractice is fully HIPAA compliant. We use a range of security measures to protect your account information, including:
- Transmitting all account information securely using multiple layers of encryption
- Encrypting your passwords so they're not accessible to anyone but you
- Housing our servers in a secure facility protected by proximity readers, biometric scanners, and 24/7/365 security staff
- Continuously testing our system for vulnerabilities, including scanning ports, testing for SQL injection, and safeguarding against cross-site scripting
- Maintaining bank-level security standards
- Earning the VeriSign security seal
- Achieving HITRUST certification, which incorporates the full set of controls required by HIPAA, PCI, NIST CSF, ISO 27001, and ISO 27002
Reviewing our security technology and practices
With SimplePractice, your sensitive data is hosted by a Tier 1 secure hosting provider that specializes in supporting healthcare organizations in meeting HIPAA and HITRUST security requirements.
Below are some of the security practices we follow to protect your data:
- Securing all web pages and APIs with 128-bit Secure Sockets Layer (SSL) encryption
- Using multi-factor authentication within our cloud infrastructure
- Applying advanced key management and transparent data encryption
- Monitoring at the application level and protecting against intrusions
- Maintaining HIPAA-compliant encryption
- Using a HIPAA-compliant hosting architecture on enterprise-level hardware
- Operating a HIPAA-compliant system architecture with separate web and database environments
- Isolating application and database servers
- Protecting our network with managed firewall systems
- Retaining logs with detailed audit trails
- Maintaining secure backup and disaster recovery systems
- Maintaining managed patching, version control processes, and security updates
- Processing credit card transactions with secure encryption on a PCI-compliant network
Protecting your account and data
There are several steps you can take to help keep your SimplePractice account and information secure. We take extensive measures to protect your data, and your actions play an important role in maintaining that security.
- Don’t share your sign-in credentials with anyone to prevent unauthorized access
- Change your password periodically and avoid reusing passwords from other accounts to reduce risk if another service is compromised
- Keep your operating system and browser up to date so you have the latest security protections
- Install and regularly update anti-virus software to help safeguard your device from malware
- Password-protect your home and office networks to limit who can connect to your systems
- Use personal firewalls to help block unauthorized attempts to access your devices and networks
- Avoid storing your SimplePractice password on shared or personal devices to help keep your account secure
- Enable 2-step verification for an added layer of security when signing in
- Sign out of your account after each session, especially on shared or public computers, to prevent unauthorized access
Keeping your data records
If you decide to cancel your account, you’ll no longer be in contract with SimplePractice, and we will no longer retain identifiable data from that account. All PHI is de-identified according to the Safe Harbor method and fully anonymized, which means it cannot be re-identified or recovered by our team.
Please note that our Terms of Service currently states a retention period of no more than 64 days after an account is terminated. We are in the process of updating this policy and practice.
We strongly recommend initiating a data export before canceling your account, so you can continue to access your records afterward. As a covered entity, you’re responsible for complying with federal, state, and local data retention laws, including HIPAA. These regulations require that you maintain the availability, accuracy, integrity, and confidentiality of protected health information. You are responsible for the retention and security of any client data you export.