MyWay Health Security Notice
This security notice is a dynamic document that can change from time to time. It helps you understand how MyWay Health stores and protects the data being saved to our cloud-based software services.
What this Security Notice Addresses
This security notice pertains to the security measures in place at MyWay Health for the protection of personal and protected health information in connection with the use of MyWay Health’s cloud-based EMR, Telehealth, Marketplace, and the MyWay Health Consumer App (collectively, Service).
The Unique Identification of Users
To comply with the HIPAA requirements and to provide a secure service, MyWay Health requires all users to have a unique username. MyWay Health requires a valid email address to be the username for the Service.
In addition to a username, every user account must be protected with a password of sufficient complexity. MyWay Health allows its customers to set their own password complexity policy. If your user account has access to multiple Kareo customers, you will be required to use the more restrictive policy.
All MyWay Health Service sign-ins are protected by account lock-out systems. If a user incorrectly authenticates a number of times or the user’s account is locked by a system administrator, their user account will be locked until a system administrator of the user’s account unlocks it. MyWay Health’s support team is prohibited from unlocking user accounts unless the account is the system administrator account.
Website & MyWay Health Service Security
MyWay Health Service users may choose to sign in to their account at the MyWay Health website. Such sign-ins are protected by SSL security. Your browser will usually display an indicator (such as a “lock” icon) when using a secure SSL connection.
The MyWay Health Service communicates with secure MyWay Health hosted and controlled servers and networks. All communications are secured with public-key encryption. MyWay Health disallows the use of low cipher strength in our production service.
For the processing and storage of health information, the MyWay Health Service is hosted on Amazon Web Services (AWS) architected and configured for Health Insurance Portability and Accountability Act of 1996 (HIPAA) security and compliance. HIPAA was expanded in 2009 by the Health Information Technology for Economic and Clinical Health (HITECH) Act. HIPAA and HITECH establish a set of federal standards intended to protect the security and privacy of PHI. HIPAA and HITECH impose requirements related to the use and disclosure of PHI, appropriate safeguards to protect PHI, individual rights, and administrative responsibilities. For additional information on HIPAA and HITECH, go to the Health Information Privacy Home.
Through AWS, MyWay Health Service and our business associates utilize a platform with industry-recognized certifications and audits such as ISO 27001, FedRAMP, and the Service Organization Control Reports (SOC1, SOC2, and SOC3). AWS services and data centers have multiple layers of operational and physical security to help ensure the integrity and safety of customer data.
With AWS, MyWay Health Service enables covered entities and their business associates subject to HIPAA to securely process, store, and transmit PHI and maintains a standards-based risk management program to ensure that the HIPAA eligible services specifically support HIPAA administrative, technical, and physical safeguards.
In addition to these controls, MyWay Health deploys up-to-date advanced threat protection services which help to identify, block, and track hacking attempts, scans, data breaches, adware, malware, spyware, Trojans, phishing attempts, and other equally malicious requests.
Role-based Access Control
Every user in the MyWay Health Service belongs to one or more roles. A role is defined by each customer, and is assigned a set of permissions. MyWay Health roles follow an allow-then-deny pattern of applying permissions — such that multiple role permissions are combined, and then filtered against any role’s restrictions.
In accordance with HIPAA policies, MyWay Health Service will automatically lock out access if left unattended for a period of time. Correct credentials of the user will need to be provided prior to using the application again.
MyWay Health Service Password Policy
MyWay Health Service system passwords are meant to help protect sensitive patient medical and financial records, as well as practice financial information. They serve as a deterrent to malicious agents as well as protection against casual or accidental lowering of security through carelessness.
Passwords are encouraged to be at least eight (8) characters long and must maintain a level of complexity such that they will not be easily guessed or cracked by a determined attacker.
A user may change their password at any point in the service. Passwords changed by third parties expire immediately: they allow users to log in, but users must then immediately change their password to something that only they know.
MyWay Health will never store any passwords in permanent storage in a way that is reversible. The MyWay Health Service will never show the password in plain-text, human-readable form.
Changes to this Security Policy
MyWay Health may update this policy at any time for any reason. If there are any significant changes to how we handle security, we will make a reasonable commercial effort to send a notice to the contact email address specified in your company’s MyWay Health account or to place a prominent notice on our site.
If you have questions or suggestions you can contact us at:
MyWay Health Security Administrator
Last Updated: This policy was last updated on March 30, 2021