We take privacy seriously
At Phreesia, we're committed to patient privacy and keeping health information secure.
We are fully committed to the privacy and security of our users' data. Our administrative, technical and physical safeguards are designed to secure and protect the information consumers trust us to use in service of their health goals. Under the Health Insurance Portability and Accountability Act (HIPAA), Phreesia is defined as a “business associate,” which is an individual or entity that is not a member of the “covered entity's” (i.e., the healthcare provider's) workforce and performs certain functions involving the use or disclosure of protected health information (PHI) on behalf of the covered entity. As a business associate, Phreesia is subject to, and committed to, all applicable HIPAA privacy and security requirements.
Phreesia's Provider clients can configure and direct intake tools on the Phreesia Platform to collect their patients' information. Phreesia may collect other information and request certain permissions from Provider clients to ensure our products and services are functioning and for other permissible purposes.
In order for a patient to see content from Life Science or any other third-party sponsor, the patient must first provide a specific consent: patients are always welcome to decline this authorization and not see any third-party content, and declining the authorization does not impede check-in. If a patient agrees to receive additional content, it may only appear after check-in is complete.
Phreesia's privacy and security procedures
Phreesia's privacy and security procedures include the following safeguards:
- PHI is secured through password protection and can only be accessed by authorized users within the healthcare practice.
- PHI is firewall-protected and under electronic surveillance 24 hours a day, seven days a week.
- PHI is never stored on PhreesiaPads or Arrivals kiosks, so if either device is lost or stolen, no PHI will be compromised.
- PHI transmitted between the Phreesia platform and Phreesia's data centers is protected using industry-standard TLS (256-bit AES keys).
- PhreesiaPads and Arrivals kiosks are configured from the factory to use WPA2 encryption and the AES algorithm.
- Patient data is stored in a highly-secured data center, protected by multi-layer protocols. This means:
  - The servers that house the data are stored in a secured building with multiple layers of physical security.
  - At the network level, these servers are placed in a secure subnet protected by firewalls.
  - Front-end servers and database servers are on physically different networks and have limited connectivity.
  - The security of all server networks is monitored by an intrusion detection system that is staffed 24/7 by trained security professionals.
  - Within the database server, data is stored in an encrypted form.
  - Patient data is stored using AES encryption with a key size of 256 bits.
Phreesia is HITRUST-certified, SOC 2-certified, and PCI Level 1-compliant. Phreesia is also listed on the most current lists of PCI Level 1 service providers for both Visa and Mastercard.