SECURITY AND COMPLIANCE
Working Together in Partnership for Your Protection
Thank you for reviewing Therapy Partner’s Security and Compliance Page. We value our professional relationship with you and are invested in protecting your information. Ensuring your security and privacy is our top priority. This page details the processes we perform to protect your information.
HIPAA COMPLIANCE
Therapy Partner policies, processes, procedures and systems are designed to comply with the requirements of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Health Information Technology for Economic and Clinical Health Act (“HITECH”) and their implementing regulations set forth at 45 C.F.R. Parts 160 and 164 (the “HIPAA Rules”).
This includes the following security measures:
- Therapy Partner hosts its servers at a Tier III data center. This data center provides strict physical security including:
- 24x7x365 magnetic card key access with secondary pin code
- 24x7x365 on-site staffed Network Operations Center (NOC)
- Digital motion activated security cameras and intercom system
- Power delivery infrastructure, generators, diesel fuel, cooling towers and telecommunications infrastructure maintained in secured areas
- Therapy Partner uses a state-of-the-art firewall with an Intrusion Prevention System and a system administrator alerting system that reports network attacks and the overall health of the firewall.
- The network architecture is designed to prevent unauthorized access with the most recent security methodologies.
- Therapy Partner has obtained a high-grade SSL encryption certificate that is used with all Therapy Partner websites and services. This certificate provides:
- Enterprise-grade encryption to protect information transmitted across the Internet
- Secure encrypted transmissions created from Therapy Partner’s server to Provider’s Web browser
- Therapy Partner assigns unique user identification logins to secure the system.
- Therapy Partner’s security administrator tracks all access to data by unique identification. These logs are kept for a minimum of one year.
- All administrative users have highly complex passwords of at least fifteen characters, with frequent change requirements and prohibitions on reuse of recent passwords.
- The online software application uses unique session identifiers with short expiration periods that are randomly generated at login for every user session.
- Servers and network equipment are regularly scanned and tested using enterprise-grade penetration testing and forensic tools.
- All system data is routinely backed up and stored on encrypted media in offsite, geographically diverse locations.
- Therapy Partner requires all employees to sign a code of ethics, and company security policy.
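The session handling described above (unique identifiers generated randomly at login, with short expiration) is a pattern any web application can implement. The following is an added illustration written for this page, not Therapy Partner's own code: it keeps sessions in an in-memory table keyed by a 256-bit token from the operating system's CSPRNG, and expires each session both after an absolute lifetime and after a period of inactivity. The lifetimes (15 minutes absolute, 5 minutes idle) and the injectable clock are assumptions for the example; the page states no specific values.

```python
"""Random session identifiers with short expiry (added illustration, not Therapy Partner's code)."""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Assumed lifetimes; the page gives no numbers.
ABSOLUTE_TTL = 15 * 60   # session dies this long after login regardless of activity
IDLE_TIMEOUT = 5 * 60    # session dies after this much inactivity


@dataclass
class Session:
    user_id: str
    created_at: float
    last_seen: float


class SessionStore:
    """In-memory server-side session table keyed by an unguessable token."""

    def __init__(self, ttl: float = ABSOLUTE_TTL, idle: float = IDLE_TIMEOUT,
                 clock: Callable[[], float] = time.time) -> None:
        self._sessions: Dict[str, Session] = {}
        self._ttl = ttl
        self._idle = idle
        self._clock = clock  # injectable so expiry can be exercised without sleeping

    def login(self, user_id: str) -> str:
        # 32 bytes (256 bits) from the OS CSPRNG, fresh on every login, so a
        # token cannot be predicted from the user id, the time, or a prior token.
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[token] = Session(user_id, now, now)
        return token

    def validate(self, token: str) -> Optional[str]:
        """Return the user id for a live session; drop the session and return None if expired or unknown."""
        session = self._sessions.get(token)
        if session is None:
            return None
        now = self._clock()
        if now - session.created_at > self._ttl or now - session.last_seen > self._idle:
            del self._sessions[token]
            return None
        session.last_seen = now  # activity extends the idle window, never the absolute lifetime
        return session.user_id

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)

    def rotate(self, token: str) -> Optional[str]:
        """Retire a token and issue a fresh one for the same user (e.g. after re-authentication)."""
        user = self.validate(token)
        if user is None:
            return None
        self.logout(token)
        return self.login(user)


if __name__ == "__main__":
    store = SessionStore()
    token = store.login("provider-42")
    print(token, store.validate(token))
```

The token is only ever used as a dictionary key on the server, so no timing-safe comparison is needed; the security rests on the token being unguessable and on the two expiry checks, which run on every request rather than on a background sweep.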
Therapy Partner offers a Business Associate Agreement that may optionally be incorporated into the standard Therapy Partner Service Agreement and Service Terms.
PCI COMPLIANCE
Therapy Partner does not store, process or transmit credit card data for any reason, including as part of collecting payment for services or as part of providing the payment processing functions that are part of our services.
All payment processing, and all collection of payment account data, is accomplished via integrations with third-party service providers. These providers are contractually required to maintain compliance with the Payment Card Industry Data Security Standard (PCI DSS), and with all NACHA rules for ACH transaction processing. This includes secure transmission of credit card and bank account information, and encrypted storage of all payment account information.
All third-party service providers that process payments on behalf of Therapy Partner, and those that are approved for processing payments on behalf of Therapy Partner’s Users, have been independently audited to certify that they are fully PCI DSS compliant. This includes the guarantee that:
- All credit card data is stored encrypted and cannot be decrypted except during the process of transmitting a transaction. This means that when transactions are entered directly into the third party’s system, or card numbers are saved there for future one-time or recurring transactions, the card data is handled under the third party’s certified PCI DSS controls rather than by Therapy Partner.
- CVV2 data is never stored; however, the opportunity to enter it for one-time transactions is provided to enhance security and the probability that the transaction will be approved.
- Swiped track data is never stored for any reason.
If you contract with a third party for payment processing services to be used in conjunction with Therapy Partner, and you process credit card transactions, it is your responsibility as a merchant to certify your own PCI DSS compliance annually; using a certified processor does not remove that obligation.
The security and compliance policies, processes, procedures and systems described above may change at any time at Therapy Partner’s sole discretion. Therapy Partner will update this security and compliance page as needed to reflect our current operating conditions.
Please feel free to contact Therapy Partner if you have any questions.
Email: [email protected]
Phone: 877-232-9847
Web: www.TherapyPartner.com