At LinkHMS, we are dedicated to maintaining the highest standards of legal compliance and data protection to ensure the security and privacy of our users.
Compliance standards
LinkHMS operates following internationally recognized data protection and healthcare standards, including:
HIPAA (Health Insurance Portability and Accountability Act): ensures the confidentiality, integrity, and security of health information.
Access control
- Each user has a unique ID assigned to track their access and activity within the system.
- Emergency access procedures are established so that PHI can be accessed during emergencies.
- Automatic logoff is implemented to prevent unauthorized access after periods of inactivity.
- PHI is encrypted at rest and in transit to protect it from unauthorized access.
Audit controls
- Logging mechanisms record access to and modifications of PHI.
- Audit logs are regularly monitored and analyzed to detect and respond to unauthorized access or anomalies.
Integrity controls
- Mechanisms such as checksums, hash functions, or digital signatures ensure that PHI is not improperly altered or destroyed.
- Data validation techniques prevent the input of incorrect or malicious data.
Transmission security
- Secure encryption protocols (e.g., TLS) protect PHI during electronic transmission over networks.
- Integrity controls based on digital signatures or secure hashing algorithms ensure that transmitted data is not altered in transit.
Authentication
- Two-factor authentication strengthens user logins, ensuring that only authorized users can access PHI.
- Strong password policies, including complexity requirements and regular changes, are enforced to support robust access control.
Device and media controls
- Policies and procedures ensure the secure disposal of PHI stored on physical media, such as hard drives, USB drives, or paper records.
- Established procedures securely wipe PHI from media before reuse or repurposing.
- Data on portable devices and removable media is encrypted to protect against unauthorized access in case of loss or theft.
Data backup and disaster recovery
- Data Backup: PHI is backed up regularly so that data can be restored in case of loss or corruption.
- Disaster Recovery Plan: A disaster recovery plan includes procedures for restoring access to PHI in the event of an emergency or system failure.
Data minimization and retention
- Only the minimum PHI necessary for the intended purpose is collected and stored.
- Data retention and deletion policies ensure PHI is retained only as long as necessary.
Secure development practices
- Secure coding standards are followed to prevent vulnerabilities like SQL injection, XSS, and CSRF.
- Regular security assessments, including vulnerability scanning and penetration testing, identify and mitigate security risks.
Business Associate Agreements (BAAs)
- All third-party service providers accessing PHI have signed a Business Associate Agreement (BAA) outlining their responsibilities under HIPAA.
- Third-party vendors' compliance with HIPAA security requirements is regularly assessed and monitored to ensure adherence to standards.
Training and awareness
- Regular training ensures employees understand HIPAA compliance and the importance of protecting PHI.
- Employees are trained on incident response and prepared to handle security breaches involving PHI.
Breach notification and incident response
- Monitoring systems detect potential security incidents or data breaches involving PHI.
- Established procedures ensure timely notification of affected individuals, the Department of Health and Human Services (HHS), and other entities in case of a PHI breach.
Physical security measures
- Facility access controls restrict physical access to facilities storing PHI to authorized personnel only.
- Physical and technical safeguards for workstations prevent unauthorized access to PHI.
GDPR (General Data Protection Regulation): protects personal data and privacy in the European Union.
Data encryption
- Encrypted Storage: All personal data stored on servers, databases, and storage devices is protected using robust algorithms (e.g., AES-256).
- TLS-Protected Transmission: Data transmitted between systems maintains integrity and confidentiality.
Access controls
- Role-Based Restricted Access: Access to personal data is limited by user role, so employees access only the data they need.
- Multi-Factor Authentication: Multiple forms of verification (e.g., passwords, biometrics) are required for sensitive data access.
- Session Timeouts: Automatic session timeouts and re-authentication are enforced after prolonged inactivity.
Anonymization and pseudonymization
- Anonymized Data: Personal identifiers are removed or modified to prevent direct or indirect identification of individuals.
- Pseudonymized Information: Identifiable information is replaced with pseudonyms or encrypted tokens, minimizing privacy risks while enabling data use.
Regular security audits
- Regular Vulnerability Assessments: Security weaknesses are identified and remediated through regular assessments.
- Penetration Testing: Simulated cyber-attacks test system resilience.
- Continuous Monitoring: Intrusion detection and prevention systems monitor for suspicious activities.
Data minimization and retention
- Minimized Data Collection: Only the minimum amount of personal data necessary for specific purposes is collected.
- Defined Retention Policies: Data retention periods are defined, and automated mechanisms are implemented for secure data deletion.
Data breach notification and response
- Documented Incident Response Plan: Procedures are established for identifying, reporting, and mitigating data breaches.
- Notification Protocols: Authorities and affected individuals can be notified within 72 hours of breach discovery.
Backup and disaster recovery
- Regular Backups: Personal data backups are performed regularly and stored securely with encryption.
- Tested Disaster Recovery: Disaster recovery plans are tested regularly to ensure data integrity and availability during failures or attacks.
Data integrity and accuracy
- Data Validation: Data validation checks ensure accuracy.
- Audit Trails: Audit logs track access, modifications, and transfers for accountability.
Privacy by design and default
- Privacy Impact Assessments: New projects involving personal data undergo Privacy Impact Assessments (PIAs) to mitigate risks.
- Default Privacy Settings: Systems default to the highest privacy settings (e.g., opt-in for data sharing).
Regular employee training
- Ongoing Security Awareness: Regular training on GDPR requirements and best practices is provided to employees.
- Simulated Phishing: Employees' responses are tested regularly with simulated phishing attacks.
CCPA (California Consumer Privacy Act): grants rights to California residents regarding their personal information.
Data access controls
- Role-Based Access Control: Access to personal information is restricted based on user roles, ensuring only authorized personnel access specific data.
- Multi-Factor Authentication: Sensitive data access requires multiple verification forms (passwords, biometrics, hardware tokens).
Encryption
- Encrypted Data at Rest and In Transit: Strong encryption protocols (AES-256 for storage and TLS for transmission) are used to secure consumer data from unauthorized access or breaches.
Data minimization and retention policies
- Minimized Data Collection: Only the data necessary for specified business purposes is collected.
- Defined Retention Policies: Clear retention periods are defined, and data no longer needed is securely disposed of in compliance with the CCPA.
Audit logs and monitoring
- Detailed Access Logs: Comprehensive logs of access, modifications, deletions, and transfers provide a clear audit trail.
- Continuous Monitoring: Real-time systems monitor for unauthorized access attempts or suspicious activities.
Privacy controls and consumer rights
- Opt-Out Mechanisms: Easily accessible options allow consumers to opt out of data selling or sharing.
- Data Access Requests: Established processes handle consumer data access, deletion, or disclosure requests within mandated timeframes.
Regular security audits
- Regular Vulnerability Assessments: Regular assessments identify security gaps and improve controls.
- Penetration Testing: Periodic penetration testing evaluates the effectiveness of security measures and identifies potential weaknesses.
Data deletion procedures
- Automated Deletion Processes: Automated processes ensure timely deletion of consumer data upon verified requests, following CCPA guidelines.
- Regular Backup Sanitization: Backup data is reviewed and sanitized regularly to ensure compliance with deletion requests.
Incident response and breach notification
- Incident Response Plans: Comprehensive plans cover detecting, responding to, and mitigating data breaches.
- Breach Notification Procedures: Established protocols promptly notify affected consumers in case of a data breach, in line with CCPA requirements.
Regular employee training
- CCPA-Aware Employees: Regular training sessions are conducted for employees on CCPA requirements, data privacy best practices, and secure consumer data handling.
HL7/FHIR standards: facilitate data exchange between healthcare systems, ensuring interoperability and standardization.
Secure data exchange protocols
- HL7/FHIR is used for structured data exchange, ensuring that data is interoperable across different healthcare systems.
- Secure communication protocols such as HTTPS and TLS protect data in transit against unauthorized access.
Data validation and integrity checks
- Robust data validation procedures ensure that exchanged data adheres to FHIR formats and schema definitions.
- Integrity-checking methods, such as digital signatures, verify data authenticity and prevent tampering.
Access management
- Strict access control mechanisms, such as OAuth 2.0, authenticate and authorize users and applications accessing health data.
- The SMART on FHIR framework provides secure access control for APIs.
Audit logging and monitoring
- Comprehensive audit logs capture all data exchanges, modifications, and access events.
- Continuous monitoring tools detect and respond to suspicious activities, ensuring data security and compliance.
Interoperability testing
- Regular interoperability testing with external healthcare systems ensures seamless data exchange and compliance with FHIR requirements.
- Test environments simulate real-world scenarios and validate the system's compliance with FHIR standards.
Data privacy and security controls
- Encryption is applied to both stored and transmitted data to comply with privacy and security requirements.
- Anonymization and pseudonymization protect patient identities when data is shared for research or analytics.
Compliance with versioning and updates
- Systems are updated regularly to remain compliant with the latest FHIR specifications and support multiple FHIR versions, facilitating smooth transitions and interoperability.
Regular staff training and awareness
- Ongoing training gives staff knowledge of HL7/FHIR standards, data handling, and security protocols, maintaining awareness and competence in managing health data securely.
POPIA (Protection of Personal Information Act): regulates data protection and privacy in South Africa.
Data encryption
- Encrypted Data in Transit and at Rest: All personal data, including sensitive information, was protected using encryption methods such as AES-256, mitigating unauthorized access and data breaches.
- Encryption Key Management: Established a process for managing encryption keys to control access and prevent unauthorized decryption of data.
Access control and authentication
- Role-Based Access Controls (RBAC): Restricted access to personal information based on employee roles, ensuring that only necessary personnel had access to specific data.
- Multi-Factor Authentication (MFA): Implemented protocols requiring multiple verification methods, such as passwords and biometrics, to access sensitive data.
- User Access Reviews: Conducted audits of user access permissions to ensure that only authorized individuals retained access to personal information.
Data minimization and retention policies
- Minimized Data Collection: Collected only the minimum amount of personal information necessary for specific purposes, in line with POPIA’s requirements for purpose limitation.
- Automated Data Retention Schedules: Created schedules to securely delete or anonymize personal information once it was no longer needed.
- Comprehensive Data Deletion Procedures: Developed protocols to ensure all copies of data, including backups, were properly disposed of once retention periods expired.
Audit logging and continuous monitoring
- Comprehensive Audit Logs: Maintained detailed logs of all access, modifications, and deletions of personal information, enabling tracking of data handling activities and identifying potential security incidents.
- Real-Time Monitoring: Employed advanced tools to detect unauthorized access attempts, anomalous behavior, and other suspicious activities.
- Automated Alerts: Set up alerts for any unusual activities or access patterns, allowing for swift investigation and response.
Regular security assessments
- Regularly Assessed Vulnerabilities: Identified weaknesses in data security through assessments and ensured they were promptly addressed.
- Periodic Penetration Testing: Simulated cyber-attacks to evaluate the resilience of data protection measures.
- Third-Party Security Audits: Utilized third-party auditors to verify compliance with POPIA and identify gaps in security controls.
Incident response plan
- Established Incident Detection and Response: Formed a dedicated team and implemented a detailed plan to quickly detect, respond to, and mitigate data breaches or security incidents.
- Prompt Breach Notification Protocols: Developed procedures for notifying the Information Regulator and affected individuals in the event of a data breach, as required by POPIA.
Data subject rights management
- Managed Data Access and Correction Requests: Implemented systems and processes to handle requests from data subjects for access to, correction of, or deletion of their personal information.
- Provided Opt-Out Mechanisms: Offered tools and processes for individuals to opt out of direct marketing and object to the processing of their data.
Privacy Impact Assessments (PIAs)
- Regular PIAs: Conducted assessments for new projects, systems, or processes involving personal information to identify and mitigate privacy risks proactively.
- Data Protection by Design: Integrated data protection principles into the design and implementation of systems, applications, and processes from the outset.
Data transfer security
- Secure Data Transfer Methods: Used secure channels (e.g., VPNs, SFTP) for transferring personal data, especially when sharing data with third parties or across borders.
- Ensured Third-Party Compliance: Verified that third-party service providers or partners adhered to equivalent data protection standards and had data processing agreements in place.
Staff training and awareness
- Comprehensive Training Programs: Provided regular sessions to all employees on POPIA requirements, privacy principles, data protection practices, and safeguarding personal information.
- Phishing and Social Engineering Training: Conducted sessions to help employees recognize and respond to phishing attempts and other social engineering attacks that could compromise personal data.
NITDA (National Information Technology Development Agency Act): sets data protection regulations in Nigeria.
Data encryption
- All personal and sensitive data is encrypted at rest and in transit using strong encryption protocols like AES-256, protecting it against unauthorized access and breaches.
Access controls
- Role-based access control (RBAC) is applied to limit access to personal data based on user roles.
- Multi-factor authentication (MFA) is implemented to enhance security by requiring multiple verification methods before granting access to sensitive information.
Data minimization and retention policies
- Only the personal data necessary for specific, lawful purposes is collected and retained.
- Established data retention policies ensure the timely and secure deletion of personal data that is no longer needed.
Audit logging and monitoring
- Detailed audit logs are maintained to track all access, modifications, deletions, and transfers of personal data, allowing for full transparency and accountability.
- Continuous monitoring systems are implemented to detect and respond to unauthorized access or suspicious activities promptly.
Regular security assessments
- Regular security assessments, including vulnerability scanning and penetration testing, are conducted to identify and address potential weaknesses in the system.
- Comprehensive security audits by third-party auditors validate compliance with NDPR standards.
Incident response plan
- A comprehensive incident response plan details the steps to detect, report, and mitigate data breaches or security incidents promptly.
- Breach notification protocols inform the relevant authorities and affected individuals in line with NDPR requirements.
Data subject rights management
- Data subject rights, including access to, correction of, and deletion of personal data, are managed through established procedures, with processes in place to handle complaints and grievances effectively.
Data transfer security
- Secure transmission methods (e.g., VPN, HTTPS) are used for all personal data transfers, especially those involving third parties or cross-border exchanges.
- Third-party service providers are verified to ensure they meet similar data protection standards and have adequate data processing agreements in place.
Staff training and awareness
- Regular training sessions are conducted for all employees on NDPR requirements, privacy principles, and security best practices to maintain compliance and awareness.
- Specific training programs were developed to recognize and prevent social engineering attacks, such as phishing.
Privacy by design and default
- Privacy is integrated into the design of all systems, applications, and processes, ensuring data protection principles are upheld from the outset.
- Systems and processes are regularly reviewed and updated to align with evolving NDPR requirements and industry best practices.
DPA (Data Protection Act): governs the use of personal data in various jurisdictions.
Data encryption
- Encrypted all personal data using strong algorithms like AES-256 to safeguard against unauthorized access during storage and transmission.
Access controls
- Role-Based Access Control (RBAC): Restricted access to personal data by assigning roles and privileges based on job requirements.
- Multi-Factor Authentication (MFA): Employed MFA for accessing sensitive data, ensuring multiple layers of verification.
Data minimization and retention policies
- Minimized Data Collection: Collected data only for specific, legitimate purposes.
- Automated Retention Schedules: Established protocols to remove data when no longer needed, ensuring compliance with data retention principles.
Audit logging and monitoring
- Comprehensive Audit Logs: Maintained detailed logs of data access, modifications, and deletions to track user actions and maintain accountability.
- Continuous Monitoring: Deployed systems to detect suspicious activity and respond to potential security incidents promptly.
Regular security assessments
- Vulnerability and Penetration Testing: Conducted regular assessments to identify potential vulnerabilities in the system.
- Third-Party Audits: Engaged external auditors to verify that data protection practices met DPA standards.
Incident response plan
- Breach Response Procedures: Developed a plan to detect, investigate, and mitigate data breaches.
- Breach Notification Protocols: Established procedures to notify affected individuals and relevant authorities promptly in case of a data breach, as required by the DPA.
Data subject rights management
- Right-to-Access, Correct, and Erase Processes: Implemented procedures to handle requests from individuals to access, rectify, or delete their data.
- Transparency Tools: Provided clear mechanisms for individuals to exercise their rights under the DPA.
Data transfer security
- Secure Transfer Protocols: Ensured secure transmission of personal data, particularly across borders, using encrypted channels like HTTPS or VPNs.
- Third-Party Data Protection Agreements: Verified that all third-party service providers adhered to similar data protection standards, with agreements outlining responsibilities for protecting personal data.
Staff training and awareness
- Ongoing Training Programs: Delivered regular training on DPA requirements, data protection principles, and best practices to all employees.
- Incident Awareness: Educated staff on recognizing potential security threats, such as phishing attempts and other social engineering tactics.
Data Protection Impact Assessments (DPIAs)
- Risk Assessment Framework: Conducted DPIAs for new projects, systems, or processes that involve handling personal data to evaluate risks and ensure compliance with data protection principles.
- Privacy-by-Design: Integrated privacy considerations into the design and development of all data processing activities.
Other applicable local regulations: we adhere to data protection laws applicable in various jurisdictions.
Data protection measures
At LinkHMS, we employ a multi-layered approach to data security, including:
- Administrative safeguards: Regular staff training on privacy policies, data protection standards, and breach response protocols. We enforce strict access controls based on roles, requiring authentication and authorization for data access.
- Technical safeguards: Data encryption in transit and at rest using industry-standard protocols. We deploy advanced firewalls, intrusion detection systems, and secure coding practices to protect against cyber threats. Regular vulnerability assessments and penetration testing are conducted to identify and mitigate potential risks.
- Physical safeguards: Secure facilities with restricted access to authorized personnel only, 24/7 surveillance, and data centers with robust environmental controls. All hardware and storage devices are disposed of securely following data deletion protocols.
- Regular security audits: Ongoing monitoring and annual third-party audits to verify compliance with legal and regulatory standards. We continuously assess and update our security measures to adapt to new threats and maintain a high level of protection.
This comprehensive strategy ensures that all user data is protected against unauthorized access, disclosure, and loss, in compliance with international and local regulations.
Data breach response protocol
LinkHMS has a comprehensive data breach response plan to promptly identify, assess, and mitigate any security incidents. In the event of a breach, affected parties will be notified following legal requirements.
Data processing agreements
We engage with third-party processors who meet our high compliance standards. All data processing activities are governed by agreements that require compliance with HIPAA, GDPR, and other applicable data protection laws.
User compliance responsibilities
Users of LinkHMS are responsible for ensuring their use of the platform complies with applicable legal and regulatory requirements, including securing appropriate consent from patients for data processing.
Legal grounds for data processing
We process personal data based on consent, legal obligations, contractual necessity, and legitimate business interests, in line with applicable laws. Each processing activity undergoes legal assessment to ensure compliance.
Monitoring and auditing
LinkHMS conducts regular internal audits to verify compliance with legal standards and regulatory requirements. We continually assess our processes and update our policies to align with evolving legal landscapes.
Dispute resolution
Any disputes related to compliance and data protection will be addressed through amicable negotiations. Unresolved disputes may be escalated to regulatory authorities or courts in the applicable jurisdiction.
Updates to legal & compliance policies
LinkHMS reserves the right to update its Legal & Compliance policies to reflect changes in laws, regulations, or business practices. Users will be notified of any significant updates through our official channels.
Refund policy
You can request a refund on our Refunds page. Refunds can be requested within 24 hours of the payment, provided the payment was made in error. We strive to process refund requests as quickly as possible, and our team will review each case individually to ensure a fair resolution. Please include your payment details and the reason for the refund request when contacting us to expedite the process.