HIPAA Training and Compliance

Tidepool complies with all HIPAA security, privacy, and breach notification rules.

All employees and independent contractors are required to review HIPAA training materials annually and to undergo an annual HIPAA security audit of every computer and mobile device that accesses Tidepool's servers.

Each Tidepool user is audited for and attests to the following, at minimum:

  • HIPAA Policy Awareness and Training

  • HIPAA Privacy and Confidentiality Training

  • Security Best Practices and Processes

  • Password/passcode use, strength and composition

  • Implementation of two-factor/multi-factor authentication for all services that support it

  • Certification of HIPAA-compliant data storage, no external cloud storage to be used for PHI

  • Screen locking policy

  • Engineers/Admins - additional security controls applied to admin accounts and those that can commit source code

  • Data protection - hard drive encryption implemented for all personal storage

  • HIPAA-compliant device configuration for all mobile devices, applying the controls above (enforced encryption, screen lock, remote wiping, password complexity)

  • Remote tracking and wipe of all capable devices

  • Firewall enabled

  • Backup devices or services fully encrypted

See https://tidepool.atlassian.net/wiki/spaces/SEC/pages/2147615403 for a detailed look at HIPAA-compliant services used.

The content of the Tidepool Technical Documentation is licensed under a Creative Commons CC0 1.0 Universal (CC0 1.0) Public Domain Dedication.