This General Provisions section provides an overview of the security information for iWellnessNow.
iWellnessNow is a HIPAA-compliant tool for the collection and reporting of both patient-identifiable and de-identified data. Since all patient protected health information (PHI) and personally identifiable information (PII) is stored centrally, data security and HIPAA compliance are of paramount importance. This document describes the security and HIPAA compliance measures taken within the iWellnessNow system.
All data obtained from or for this system is governed by strict safeguards, as described in this document. Data that is used or recorded is limited to the minimum that is required for the purposes of the operation of iWellnessNow. Access to user data is limited to the User Group (company) to which the user belongs. Within each User Group, health coaches are given access to user data. Designated health coaches can only access PHI with the consent of the user. Revoking a health coach’s account immediately blocks the health coach from logging into my.myofitnes and accessing any user data. Any possible disclosure of data, other than the disclosures outlined in this document, will be immediately reported to the User Group (company) to which the user belongs.
Other than the members of the User Groups identified above, only Flipside Media (the developers and maintainers of the iWellnessNow software and database) and Integrated Corporate Health (the biometric screening company) have any access to the system or data. Flipside Media and Integrated Corporate Health have a business associates agreement with Myofitness and Innovative Wellness Solutions binding them to the security and privacy provisions set forth in this document. No outside vendor is ever given access to any of the patient data that is used during the operation of iWellnessNow, nor does any outside vendor ever have knowledge of the patient’s inclusion in iWellnessNow.
A central database is used to store all data for all iWellnessNow User Groups. This database is hosted on a secure server at Rackspace in Texas, U.S. Data is never transferred out of or accessed from outside the United States. All patient-identifiable data is stored in encrypted format. The database(s) reside on hardware that is secured physically to prevent unauthorized access. For all instances where data must be transferred or transmitted (e.g. from the server to a web browser), all data is encrypted during transfer. All data and access logs are retained for a minimum of seven years.
Multiple User Groups use iWellnessNow and store their data in iWellnessNow. All user data is restricted to the user’s single User Group based on the access control credentials of the User, their Site(s) and their User Group. Patient data is not shared or moved between User Groups.
Part of the Innovative Wellness Solutions wellness program is to submit aggregate information (including summarized, non-identifiable patient data) to each User Group. In such a case the User Group will receive summarized, non-identified data about the users in the User Group’s program. At no time does any User Group ever have access to individual or identified patient data.