The security of your data is our top priority. We are committed to providing a highly secure, HIPAA compliant environment that you can trust.
We’ve got the compliance certifications to prove it
Eleos Health’s security model and controls are based on international protocols and standards, and adhere to industry best practices. To support our customers’ security and compliance needs, Eleos Health has invested significantly in compliance accreditations and has contracted with an independent third-party agency that conducts annual penetration testing and automatically monitors our product for security vulnerabilities via external tools and auditors.
Eleos Health has successfully passed the rigorous external audit of SOC 2 Type II + HITRUST, leveraging the collaboration between AICPA and HITRUST, resulting in the highest level of security in the healthcare industry.
Security, Privacy and Compliance
We take consumers’ data seriously.
We understand that trust is critical when it comes to consumer/clinician relationships, so we do not take any shortcuts to protect your consumers’ information. Our entire platform is HIPAA compliant and held to the highest privacy standards, including the encryption of data on record, in transit, and at rest. We don’t stop at HIPAA; we take additional steps to ensure the safety of your data, among which are:
- Continuous monitoring of our system
- Internal and external audits
- Highly complex passwords, strict policies and 2FA
- A thorough architecture and organizational governance
Our technology team, led by our Chief Technology Officer, is made up of alumni of the IDF’s Center of Encryption and Cyber Security, one of the most prestigious centers for information security in the world.
How do we handle PHI?
Once a clinician starts using our system, the PHI goes through the following process:
Captured -> Encrypted -> Analyzed -> Populated back into the clinician’s dashboard for a predefined number of days -> After that period, the information can be de-identified/deleted upon request, depending on state and federal laws.
What is the initial storage period and what happens after?
The initial storage period is the period of time during which PHI is available to the user (clinician). After the predefined storage term, the PHI is completely de-identified and will no longer be accessible to the user. De-identification means that there is no way to re-identify the patient/session or undo this process (we do not keep zip codes). All personal information (such as names and addresses) will be changed or removed entirely using proprietary technology and human quality assurance.
What do you do with the de-identified data?
We may retain de-identified data (audio only) in order to ensure and improve the accuracy of our system. In the event that we use your de-identified information to improve our system’s performance, the handling of that information will be carried out only by the members of our clinical review team who are data protection professionals. All other Eleos Health employees have no access to this data.
Do you sell the de-identified data?
We do not sell or license information, or any other form of data to anyone.
What about informed consent from my consumers?
You are responsible for obtaining consent from your clients to record sessions. The rules and laws governing the recording of patient sessions can differ by jurisdiction and the provider’s credentials. It is your responsibility to know which laws apply to you, your practice, and the records you maintain. Lastly, it is important for you to know that several academic studies have shown that the vast majority of clients see the value in recording their sessions, and for the most part, you should not encounter resistance in asking for their consent.