Privacy & Security FAQ
At Ellipsis Health, we respect our users' right to privacy and security and value the trust they put in us. In today’s digital era, technical teams and IT professionals are not the only ones who need to worry about cybersecurity—we recognize that security and privacy are issues that everyone needs to understand.
Our goal at Ellipsis Health is to go beyond the industry standard of regulatory compliance and define new standards for security and privacy.
Data Privacy vs. Data Security
The terms “data privacy” and “data security” are often used interchangeably, but they in fact mean two different things. Security is about the safeguarding of data from malicious threats, whereas privacy is about the safeguarding of user identity and using data responsibly. The specific differences, however, are more complex, and there can certainly be areas of overlap between the two.
For example, hospital and clinic staff use secure systems to communicate with patients about their health, instead of sending information via personal email accounts. This type of data transmission is an example of security. On the other hand, privacy provisions might limit patient health record access to specific hospital staff members, such as doctors, nurses and medical assistants.
Data security is commonly summarized as the confidentiality, integrity and availability of information, also known as the CIA triad. It covers the practices and procedures that protect personal information from unauthorized access, data breaches, cyberattacks and accidental or intentional data loss. Data security ensures that data is accurate and reliable and is available to authorized users.
Data privacy is concerned with the procedures and policies that govern the collection, storage, sharing and use of Personal Health Information (PHI), Personally Identifiable Information (PII) and proprietary corporate information. It refers to the rules and regulations that ensure personal or private information is handled in line with the preferences of the individual(s) concerned.
Data privacy laws such as the Health Insurance Portability and Accountability Act (HIPAA) and the General Data Protection Regulation (GDPR) impose a broad set of privacy standards and regulatory compliance requirements on companies like Ellipsis that store or process PHI and PII.
Frequently asked questions
Do you comply with HIPAA and GDPR?
We absolutely do. We follow the requirements of these regulations wherever they apply, and we are also working toward additional procedures and practices to safeguard PHI and PII.
HIPAA is a set of national standards for the protection of certain health information. Specifically, it protects PHI and PII held or transmitted in any form or media.
GDPR sets a new standard for consumer rights over their data and takes a wide view of what constitutes PII, which can be thought of as the non-health information that forms part of PHI. It requires organizations to safeguard personal data and uphold the privacy rights of anyone in EU territory. The regulation includes seven principles of data protection that must be implemented and eight privacy rights that must be facilitated.
What data do you collect from me?
We collect your name, year of birth, gender, email address, phone number and medical record number (MRN). All fields are optional except your MRN and an email or a phone number. We may also collect other information that you intentionally give us through our app or another interface.
Can I limit the personal data that Ellipsis collects?
Yes, you can. We only ask for a minimal amount of personal data (i.e. name, gender and year of birth) and many responses are optional.
Do you sell my data?
No, we do not sell your data!
Who can see my data?
Very few people. When working in a HIPAA-regulated setting, “the covered entity (such as a provider) policies and procedures must identify the persons or classes of persons within the covered entity who need access to the information to carry out their job duties, the categories or types of protected health information needed, and conditions appropriate to such access.” In plain terms, when we work with you and your provider, the only people who can see your data are those with an approved need to know in order to carry out their job duties.
Additionally, HIPAA states that “a third party (such as Ellipsis) hired by partners can only access information through a federally mandated agreement, which ensures the privacy and security of your data.” For example, if a covered entity (such as a provider) engages a business associate (Ellipsis) to help it carry out its health care activities and functions, the provider must have a written contract or other arrangement with Ellipsis that establishes specifically what Ellipsis has been engaged to do and requires Ellipsis to comply with the HIPAA requirements to protect the privacy and security of protected health information.
Can I delete my data?
Absolutely. As long as we do not have to keep your data for regulatory purposes, you can delete it at any time. Data deletion is permanent and cannot be canceled, undone, withdrawn or restored.
How safe is my data?
Your data is encrypted using strong encryption methods across all channels and within our cloud storage. Access to your data is limited to only those that need access in order to carry out their job function.
What do you do to keep my data safe and secure?
- Encryption – We encrypt all data across all channels and in storage.
- Limited Access – In compliance with HIPAA, access to information is limited to individuals that need to have it and who are also HIPAA trained.
- Daily backup – We back up all data daily to safeguard against unforeseen events such as system malfunction, accidental deletion and service outages.
- Two-factor authentication (2FA) – Two-factor authentication is an extra layer of security used to make sure that people who try to gain access to an account are who they say they are. All our internal systems require 2FA for employees. Externally, all users must be invited or pre-registered to use our system, and as part of the login process we send a code to their phone or email to verify their identity.
- Logical access control – We practice role-based logical access control. As such, very few people in our company have access to our production data. Additionally, because our service is multi-tenant, we provide logical separation between data belonging to various tenants/partners.
- Audit logs – All access to and changes of data and backend systems are recorded in an audit log that is retained for one year.
- Penetration tests – We conduct monthly penetration tests of our production services and immediately address all urgent issues that are identified.
- Breach response – A data breach is a security incident in which information is accessed, stolen or used by a cybercriminal without authorization. In consultation with TW Security, a third-party security service, we maintain a breach response process that is activated immediately when any intrusion into our systems is detected.
- Data de-identification – When data is made available in our analytical system for our machine learning team, we strip data of all PII so that it neither identifies nor provides a reasonable basis to identify an individual.
- Security audits – We perform annual security audits by a third party to ensure all practices and procedures meet the highest industry standards.
- Security policy review – In line with our security audits, we perform an annual review and update of all security policies.
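The list above names three controls that can be shown concretely: stripping PII before data reaches the analytics system, tenant-scoped role-based access to production records, and an audit entry for every access decision. The following Python is an added illustration written for this page; it is not Ellipsis code and assumes a hypothetical role table, field names and tenant labels, and a constructed sample record whose values are all made up.

```python
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Direct identifiers the FAQ lists as collected. All are dropped before a
# record reaches the analytics store used by the machine learning team.
PII_FIELDS = {"name", "year_of_birth", "gender", "email", "phone", "mrn"}

# Identifiers that tend to leak into free-text fields such as notes.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")

# Hypothetical role table (an assumption, not the company's): clinicians read
# and write, support reads, and the ML team gets no direct access to identified
# records; it only ever sees the output of deidentify().
ROLE_PERMISSIONS = {
    "clinician": {"read", "write"},
    "support": {"read"},
    "ml_engineer": set(),
}

AUDIT_LOG: List[Dict] = []  # in production this would be an append-only store


def deidentify(record: Dict) -> Dict:
    """Copy of `record` with direct identifiers removed and email addresses /
    phone numbers inside string fields replaced by placeholders."""
    out = {}
    for key, value in record.items():
        if key in PII_FIELDS:
            continue
        if isinstance(value, str):
            value = EMAIL_RE.sub("[EMAIL]", value)
            value = PHONE_RE.sub("[PHONE]", value)
        out[key] = value
    return out


def access_record(user: Dict, record: Dict, action: str) -> Optional[Dict]:
    """Tenant-scoped, role-based gate. Returns the record if allowed, else None,
    and writes one audit entry per decision (denied attempts included)."""
    same_tenant = user["tenant"] == record["tenant"]
    permitted = action in ROLE_PERMISSIONS.get(user["role"], set())
    allowed = same_tenant and permitted
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user["id"],
        "role": user["role"],
        "user_tenant": user["tenant"],
        "record_tenant": record["tenant"],
        "action": action,
        "allowed": allowed,
    })
    return record if allowed else None


# Constructed sample record; every value is made up for this example.
SAMPLE_RECORD = {
    "tenant": "clinic-a",
    "mrn": "MRN-0001",
    "name": "Jane Example",
    "year_of_birth": 1985,
    "gender": "F",
    "email": "jane@example.com",
    "phone": "555-123-4567",
    "session_id": "s-42",
    "score": 0.71,
    "notes": "Follow-up requested; reach Jane at jane@example.com or 555-123-4567.",
}

if __name__ == "__main__":
    clinician = {"id": "u1", "role": "clinician", "tenant": "clinic-a"}
    other_tenant = {"id": "u2", "role": "clinician", "tenant": "clinic-b"}
    print(access_record(clinician, SAMPLE_RECORD, "read") is not None)  # same tenant, allowed
    print(access_record(other_tenant, SAMPLE_RECORD, "read") is None)   # cross-tenant, denied
    print(deidentify(SAMPLE_RECORD))
    print(AUDIT_LOG)
```

Two points worth noticing. First, the regexes catch only email addresses and phone numbers in free text; the first name left behind in the sample `notes` field shows why a real de-identification pipeline also needs a dedicated PHI detector or manual review for names, dates and addresses before data is treated as de-identified. Second, denied attempts are logged as well as allowed ones, because a cross-tenant request that fails is exactly the event a reviewer of the audit log wants to see.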
Where does my data go? Where is it stored? How is it stored?
Like all other healthcare or financial transactions, data is encrypted when it is sent over the internet. We then store all data in an encrypted format in a secured cloud platform.
How long do you keep my data?
We follow all applicable rules, regulations and best practices and generally keep your data for ten years. After that time, we de-identify the data (which means we strip it of all PII) and maintain it for research and development. Should providers request that data be deleted, we will comply with all requests that are in line with the prevailing regulations and laws.
What happens if Ellipsis receives a legal request for my data?
As applicable, we will comply with all relevant state, federal and international laws and regulations.
Who do I contact if I have more questions?
If you have questions about our privacy and security practices, please contact us.