Do you sign HIPAA, BAA, or other confidentiality agreements?
We maintain ongoing compliance with the U.S. Health Insurance Portability and Accountability Act (HIPAA) and are able to process, maintain and store protected health information for any entities restricted by these regulations. On request, we will sign a business associate agreement (BAA) with your organization. HIPAA support is currently available only on a Business Plan and above.
Please note that we will provide you with our BAA for you to sign.
What's involved in HIPAA compliance?
We run through annual compliance assessments and checklists as required by HIPAA.
Where is VPM customer data hosted?
Our entire infrastructure is hosted on Amazon Web Services (AWS), which is a highly scalable cloud computing platform with privacy and end-to-end security built in. AWS is also HIPAA compliant and will sign a BAA with you if needed.
What sort of security is in place?
All VPM web application communications are encrypted over a secure connection using 256-bit SSL encryption, so they cannot be viewed by a third party. This is the same level of encryption used by banks and financial institutions.
In addition, all physical mail is trashed in secure and locked trash bins. We have mobile shredding companies who shred all mail on-site.
Will you sign our company's BAA instead of using VPM's BAA?
No, unfortunately we do not use your company's BAA. This is because using your company's BAA will require us to get our lawyer to review the agreement. The effort and cost involved are not worth the price that we charge you.
We do provide an Enterprise Plan to cater to these additional specialized requirements and assessments. The plan starts at $500 / month with a minimum 1-year contract. However, we're not taking on customers with these custom requirements at this time as we're exploring a better business model to accommodate such requirements.
Will you complete a security / risk assessment from our company?
Not at this time. A security assessment takes a large portion of our time to complete and is also not covered by our Business Plan BAA. Instead, we are planning to obtain SOC2 compliance to satisfy security requirements. Until we complete this, we will not be completing risk assessments.