HIPAA

HIPAA: Our Commitment

📥 Download HIPAA Information for Patients Here

📥 Download this Guide HERE

Bundle Birth is dedicated to maintaining the highest standards of privacy and security for your patients’ data. Our compliance with all applicable HIPAA requirements ensures that your patients’ information is protected at all times, and we never engage in the sale of data. We do not share health information with third-party advertising companies.

As an organization committed to upholding the highest standards of data privacy and security, we recognize the exclusive authority of the Department of Health and Human Services in granting full HIPAA compliance. We firmly adhere to this regulatory framework, acknowledging the importance of regulatory oversight in safeguarding patient information. To learn more, please reference this article.

While we do not possess the authority to confer full HIPAA compliance, we have diligently and proactively undertaken measures to align with all applicable requirements. Our comprehensive efforts span across various facets of data protection, encompassing stringent protocols, robust encryption measures, and ongoing training initiatives. 

At the core of our mission is a steadfast commitment to ensuring that patients’ data remains protected at all times. We understand the gravity of our responsibility and the trust placed in us by healthcare professionals and patients alike. Therefore, we spare no effort in upholding the integrity of our compliance efforts and continually enhancing our practices to meet evolving regulatory standards.

How We Protect Data:

As part of the Motion app, certain non-PHI and generic information may be collected. This data is stored in a secure database and aggregated to identify trends in practice and enhance user dashboards, ultimately leading to informed recommendations for improved outcomes. It’s important to note that all inputs are optional and depend on the user’s discretion. No personally identifiable information is stored within the app.

To further protect privacy, an auto-logout feature signs users out after 10 minutes of inactivity. Additionally, the only PHI collected is time-stamped events and hospital affiliations. We strictly adhere to HIPAA guidelines and do not collect any other personal identifiers, including names, addresses, or contact details.

Our commitment to HIPAA compliance is reinforced by our collaboration with expert HIPAA attorneys and compliance specialists. Continuous testing through automated compliance platforms ensures that we meet all HIPAA requirements.

While we prioritize HIPAA compliance in data storage and handling, it’s important to note that our business practices may involve the use of non-HIPAA-compliant programs for purposes unrelated to sensitive information handling.

Our team adheres to the following 25 comprehensive policies and procedures related to HIPAA compliance:

  • Acceptable Use Policy
  • Asset Management Policy
  • Backup Policy
  • Breach Notification Policy
  • Business Associate Policy
  • Business Continuity Plan
  • Code of Conduct
  • Data Classification Policy
  • Data Protection Policy
  • Data Retention Policy
  • Device and Media Controls Policy
  • Disaster Recovery Plan
  • Encryption Policy
  • Incident Response Plan
  • Information Security Policy
  • Notice of Privacy Practices
  • Password Policy
  • Physical Security Policy
  • Privacy, Use, and Disclosure Policy
  • Responsible Disclosure Policy
  • Risk Assessment Policy
  • Software Development Life Cycle Policy
  • System Access Control Policy
  • Vendor Management Policy
  • Vulnerability Management Policy

These policies are available upon request by emailing [email protected].

Regular security and HIPAA training for our team members, along with annual compliance reviews, ensure that we maintain the highest standards of data security. Access to sensitive data is strictly limited to employees on a need-to-know basis, and we have Business Associate Agreements in place with all contractors and companies handling sensitive information.

For further information on our privacy practices, please review our Terms of Service, Notice of Privacy Practices, Privacy Policy, and End User License Agreement (EULA).


FAQ: HIPAA

How do you manage and protect sensitive data?

Some key steps that we follow to protect the data include:

  • Access Controls: Limit access to PHI to only authorized personnel. Use unique user IDs, strong passwords, and access logs to track who accesses PHI and when.
  • Encryption: Encrypt PHI both in transit and at rest to prevent unauthorized access. This includes encrypting emails containing PHI and using encryption for data stored on devices or servers.
  • Physical Security: Secure physical access to facilities and devices where PHI is stored. This may involve using locks, security systems, and surveillance cameras to prevent unauthorized entry.
  • Training and Awareness: Provide regular training to employees on HIPAA regulations, security policies, and procedures for handling PHI. Raise awareness about the importance of data protection and the risks of unauthorized disclosure.
  • Risk Assessment and Management: Conduct regular risk assessments to identify potential vulnerabilities in systems and processes that could compromise PHI. Develop and implement risk management plans to address identified risks.
  • Audit Controls: Implement audit trails and logs to track access to PHI and monitor for suspicious activity. Regularly review audit logs to detect and investigate security incidents or breaches.
  • Policies and Procedures: Establish clear policies and procedures for handling PHI, including protocols for data access, storage, transmission, and disposal. Ensure that employees are aware of and adhere to these policies.
  • Business Associate Agreements: If working with third-party vendors or service providers who handle PHI, ensure that they sign business associate agreements (BAAs) outlining their responsibilities for protecting PHI.
  • Incident Response Plan: Develop an incident response plan to guide the organization’s response in the event of a data breach or security incident involving PHI. This should include procedures for containment, notification, and mitigation of the breach.
  • Ongoing Compliance Monitoring: Continuously monitor compliance with HIPAA regulations and regularly update security measures and policies to address emerging threats and changes in regulations.

Why can’t you call yourself HIPAA compliant?

No one can claim that they are HIPAA compliant. HIPAA (Health Insurance Portability and Accountability Act) compliance is a complex set of regulations governing the handling of protected health information (PHI). While there are many companies that claim to provide HIPAA compliance, the only way to be truly HIPAA compliant is to undergo a thorough assessment by the Department of Health and Human Services. A great resource that speaks to this can be found HERE. While we do not have the authority to grant full HIPAA compliance, we have diligently and proactively undertaken measures to align with all applicable requirements. Our comprehensive efforts span across various facets of data protection, encompassing stringent protocols, robust encryption measures, and ongoing training initiatives. 

What do you use the data for?

We use the data to populate your dashboard, which tracks the births you have been a part of over time. This data is aggregated to identify trends in practice, ultimately leading to informed recommendations for improved outcomes.

Will this data be sold to a third-party or used for targeted advertising?

We will never sell individual data to a third party or use it for targeted advertising.

Which PHI is being collected/protected?

The only PHI collected is time-stamped events and user hospital affiliations. No other PHI is collected.

What non-PHI data is being collected?

Data collected is entirely based on the user’s choice. In general, think of the data being collected like a case study in one of our Tracing Tuesdays: we give the G’s and P’s, IUP, relevant medical history, course of labor, and delivery details without ever identifying who the patient is. This is the same here. We empower our users to input data according to their preference, whether it’s a little or a lot. This information is then leveraged to enrich their dashboard experience, enabling them to visualize their patients’ labor history. Through this data-driven approach, we provide practice recommendations that encourage better outcomes, ensuring a more informed and game-changing approach to patient care.

Are there other companies that have access to this data? 

Only necessary contractors of Bundle Birth have access to the data, specifically for business purposes (e.g. the app developer). All contractors that work with us have Business Associate Agreements in which they agree to comply with HIPAA.

How do I inform the patient about the consent?

We always suggest openness and honesty when speaking to your patient about this app. We suggest first getting to know your patient and building rapport with them. Once you’ve established a relationship, we recommend something like, “I’m really excited about this new app, and I’ve witnessed its incredible impact on the care of other laboring patients. Your safety and birth experience are my top priority, but having this app handy could be a game-changer if we ever hit a bump during labor or need some extra support. The app works by gathering some info from your labor to provide customized recommendations. The only information it collects that is considered PHI is timestamps and my hospital affiliation, all of which is totally protected under HIPAA. Plus, any data it gathers is anonymized and placed in a secure database, solely for the purpose of helping us improve and learn from different cases. My hope is that using this app will enhance your experience and give us even more options to help you achieve a safe birth. But if you’re not comfortable with it, that’s totally okay too. I can still use it to help you, but rest assured, it will delete everything afterward, and nothing will be stored. Any questions or concerns on your end? Do you agree, and are you okay with us using it during your labor?”

Why do I have to ask for their consent?

Because you are entering their health information somewhere outside the hospital, obtaining consent is a requirement as part of HIPAA compliance. Plus, we 100% believe in openness and transparency in the process, and we hope that patients are excited that they will benefit from all of the education and tools you’ll find in Motion!

How do you identify the patient within the app?

When adding a new patient, you will be asked to choose an emoji to represent the patient. Find something that uniquely reminds you of them! You will also be able to enter their G’s & P’s and due date, which will help you distinguish between patients if you have more than one at a time on your shift.

Is there anywhere in the app I can type notes in about my patient?

No. This would leave the potential to add PHI into the app. 

Am I entering personal info into my phone?

No data is stored on your personal device. All data storage is within the Bundle Birth database. This database is protected by following applicable HIPAA requirements. 

What happens if the patient doesn’t consent to its use? 

In this case, you can continue to use the labor algorithm to aid in helping labor progress and as a tool when you get stuck. We recommend using your discretion and not using it at the bedside, so as not to confuse the patient. You will not be able to log some things, and when you finish with the patient, this data will not go to your dashboard and will be deleted from the Bundle Birth database.

Do I need permission from management? 

We recommend that you are up front and transparent about your use of Motion with hospital management. If this includes getting their express approval, we are happy to help by answering any questions they may have. You can also guide them here to this page for reference. There’s even a place to drop their info in the app, and we’ll reach out to let them know about the app!

Why am I logged out of my account so much? 

HIPAA requires that we implement technical safeguards to ensure the security of the data in the application. In order to keep the application secure when not in active use, the application will automatically log you out after 10 minutes of inactivity. FaceID or TouchID make this process simple and should not be a nuisance to you. If neither is enabled on your phone, you will need to log in again after 10 minutes of inactivity.

As a nurse using the app, how can I help keep the data safe?

Use FaceID, TouchID, or a strong PIN to lock your phone. If you do not have any of these enabled on your phone, you will have to manually enter your email and password at every login. Do not share your password.