Leadferno provides a cloud service, securely handling and storing customer information with individual user account controls and permissions. As such, we follow security best practices including:
- Secure platforms provide cloud computing and storage via Amazon Web Services (AWS) and Bandwidth for carrier connectivity. We monitor and update platforms once assessed for security and safety.
- Penetration testing and threat modeling to ensure we're protected against external threats. We regularly scan our application using third parties to ensure Leadferno is protected against threats.
- Network security and process controls are instituted to ensure only authorized software and persons can access the app and its data, with multiple layers of authentication including user accounts and VPNs.
Leadferno stores and transmits information securely. The Leadferno web and mobile apps are secure in nature, requiring authentication to sign in. Additionally, the data transmitted to and from the app is encrypted over HTTPS, preventing third parties from intercepting data appearing in our app over internet connections.
Data storage & access
All Leadferno data are stored securely, including message and account information. Access to the data is controlled at the customer and profile level through the Team settings in Leadferno. As a company, Leadferno controls access to data via encrypted, authenticated connections. Data are only accessed by Leadferno employees when necessary to provide support or services for customers.
To ensure data permanency, data are backed up daily.
No 3rd party sharing
We don't share or sell personal or message information from your Leadferno account. Since we use cloud services, for example, AWS, to provide customers with the Leadferno product, there are third-party services involved in providing the product; however, we never sell or distribute your account information to others.
Our services are hosted on a HIPAA-compliant platform with internal processes and policies in compliance. As necessary, we may sign a business associate agreement (BAA) with a customer.
HIPAA compliance recommendations for your business
That said, unlike other data requirements in HIPAA, text messages are not and cannot be encrypted. So, if you intend to share personal health information (PHI) over text, you should get explicit permission from your patients. This goes one step beyond the permission received via the Leadbox. You'll want to advise your patients of the risks of text messaging, which can happen over text message or in your office, and get their consent.
Here is an example HIPAA permission message you could send (and save as a template in our Shortcuts feature):
We want to send messages regarding your healthcare. Since texts are not encrypted, they could be accessed by third parties just like phone calls. May we have your permission to text you information regarding your healthcare?
The practice should implement any additional technical safeguards on employee devices that use Leadferno to ensure the best HIPAA compliance.