Security of patient information and privacy is the foundation of the Greenspace platform. We take this responsibility very seriously and have implemented significant measures to safeguard patients' personal health information that exceed industry standards and best practices. Greenspace is SOC 2 Type II compliant and conforms to digital and physical security protocols, including HIPAA, with SSL-secured access, AES encryption at the filesystem level, and firewalls protecting all data. We take many additional precautions to protect privacy, including requiring strong passwords, automatic logouts, automatic access logging, secured data backups, two-factor authentication and restrictive data access procedures. All data and information is stored in the United States.
Below are some of the measures that have been implemented to safeguard patient data and information.
Data is encrypted in transit and at rest using AES encryption with 256-bit keys, as recommended by the US National Institute of Standards and Technology and Federal Information Processing Standard.
Database backups are automatically completed on a regular schedule. Databases are encrypted, backed up nightly, and stored in multiple locations.
Yes. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) defines requirements for companies that create, receive, maintain or transmit protected health information (PHI). To meet its obligations under HIPAA, Greenspace has implemented extensive technical, physical and administrative safeguards to ensure the security of the PHI that it controls. Greenspace takes its regulatory responsibilities very seriously and has also implemented a risk management and compliance framework to ensure continued compliance with HIPAA and industry standards. Greenspace is also AICPA SOC 2 Type II compliant, which means an independent auditing firm has reviewed and examined our control objectives and activities, and tested our controls to ensure operational excellence.
Yes. As part of Greenspace's commitment to ensure best-in-class privacy and security standards, Greenspace has completed a SOC 2 Type II review by an independent AICPA auditing firm that has examined our control objectives and activities, and tested our controls to ensure operational excellence. Reach out anytime if you'd like to discuss privacy and security, learn more or review our SOC 2 Type II Report.
Greenspace maintains administrative, technical and physical safeguards that meet or exceed industry best practices. Greenspace’s commitment to information security within the organization is codified in its Information Security Policy. The policy provides direction and requirements with respect to the security of personal health information to guard against theft, loss, unauthorized use, disclosure, disruption, modification or disposal. Greenspace is also AICPA SOC 2 Type II compliant, which means an independent auditing firm has reviewed and examined our control objectives and activities, and tested our controls to ensure operational excellence.
Yes, we've passed privacy and security reviews at many major hospitals and health systems including Sunnybrook Hospital, Mount Sinai Hospital, Sick Kids Hospital and The Royal Mental Health Centre. Greenspace supports customers through any necessary Privacy Impact Assessments (PIA) and we will work directly with security review teams to ensure compliance, and provide any necessary documents for review.
Greenspace stores all data and information in the United States with a secure cloud storage provider called Aptible. Aptible is an industry leader in securely managing and storing confidential and highly sensitive healthcare information. Aptible has been tested and passed audits by Kaiser Permanente, MD Anderson, UnitedHealth Group, Johns Hopkins, Stanford, and many others. In addition, Aptible is certified for compliance with ISO 27001, SOC 2, and HITRUST CSF.
Greenspace’s database runs in a private subnet (hidden from the outside internet) and access is restricted to Greenspace. Database traffic is encrypted in transit, and data is encrypted at rest using modern technology standards.
The assessments that are delivered to patients in office, by email or by SMS don’t contain any personally identifying information or health information about patients. When assessments are completed, the data is sent to the application’s server through secure channels (HTTPS, SSH, etc.). No patient information in conjunction with patient names is ever sent over unsecured email or other unsecured channels.
Only patients and their care providers have access to patients’ personal health information and assessment results. Since each participant is identified by a unique code rather than their name, it is not possible for a Greenspace administrator to ascertain the identities of patients. If access to identifying information is required and authorized by the patient and/or therapist, such access is logged and is prohibited from being used or disclosed for any other purpose.
No. The only people who can see patient information or results are the patient and their therapist(s). Patient information or results are not shared with or sold to any third parties (such as a pharmaceutical or insurance company).