Information about HIPAA compliance

Myopia.Care – HIPAA Compliant Website Checklist
1. Do you have a valid SSL certificate?
2. Is the website hosted with a HIPAA compliant hosting company?
3. Have you encrypted data at rest and in transit?
4. Are you using HIPAA-compliant web forms?
5. Have you set access controls?
6. Are you recording and monitoring logs?
7. Are you backing up all PHI?
8. Have you obtained consent from patients before publishing testimonials on your website?
9. Does your website include a notice of privacy practices?

1. Do you have a valid SSL certificate?
Common name: myopia.care
SANs: myopia.care, www.myopia.care
Valid from June 19, 2022 to September 17, 2022
Serial Number: 03a6fab27d1d3c9cfbd1fa8665085e06df36
Signature Algorithm: sha256WithRSAEncryption
Issuer: R3

Common name: R3
Organization: Let’s Encrypt
Location: US
Valid from September 3, 2020 to September 15, 2025
Serial Number: 912b084acf0c18a753f6d62e25a75f5a
Signature Algorithm: sha256WithRSAEncryption
Issuer: ISRG Root X1

Common name: ISRG Root X1
Organization: Internet Security Research Group
Location: US
Valid from January 20, 2021 to September 30, 2024
Serial Number: 4001772137d4e942b8ee76aa3c640ab7
Signature Algorithm: sha256WithRSAEncryption
Issuer: DST Root CA X3

2. Is the website hosted with a HIPAA compliant hosting company?
HETZNER ONLINE IS CERTIFIED IN ACCORDANCE WITH DIN ISO/IEC 27001
The ISO 27001 certificate, an internationally recognized standard for information security, certifies that Hetzner Online GmbH and Hetzner Finland Oy have established and implemented an appropriate information security management system (ISMS). The scope of Hetzner’s certified ISMS includes the infrastructure, operation and customer support of the data center parks in all three locations: Nuremberg, Falkenstein, and Helsinki. FOX Certification, a third-party certification authority, performed the audits and officially awarded the certificates.
The certificate confirms that Hetzner Online GmbH and Hetzner Finland Oy will uphold strict information security standards using their ISMS, including protecting the security, confidentiality, and integrity of their customers’ data. Moreover, Hetzner will provide safeguards so that only authenticated users have access to its IT systems. Finally, the certificate means that Hetzner’s ISMS will not remain at the status quo: the ISO 27001 certificate requires Hetzner to continually reassess and improve its information security methods, and regular audits will be performed to verify that Hetzner’s ISMS remains current.
Additional information/downloads:
Certificate Hetzner Online – German
Certificate Hetzner Online – English
Statement of Applicability – English

3. Have you encrypted data at rest and in transit?
Data at rest represents any data that you persist in non-volatile storage for any duration in your workload.
For our website it means databases and backup archives.

Database:
We are using a two-tier encryption key architecture, which uses the two keys below:

● Tablespace keys: each tablespace key is stored, in encrypted form, in the tablespace header
● Master key: the master key is used to decrypt (unwrap) the tablespace keys

Data-at-rest encryption is implemented using the keyring file plugin to manage and encrypt the master key.

● Strong AES-256 encryption is used to encrypt the InnoDB tables
● It is transparent to all applications, as no application code, schema, or data type changes are needed
● Key management is not done by the DBA.
● Keys are securely stored away from the data.

Encryption in transit

We are using encrypted connections between DB clients and the database server using the TLS (Transport Layer Security) protocol.

TLS uses encryption algorithms to ensure that data received over a public network can be trusted. It has mechanisms to detect data change, loss, or replay. TLS also incorporates algorithms that provide identity verification using the X.509 standard.

4. Are you using HIPAA-compliant web forms?
Yes.
Proper encryption and security software are in place to protect any data at rest and in transit (see above): AES-256 at rest and TLS 1.2+ in transit.
All our forms secure data on the device and while it traverses applications within a network.
We are NOT using third-party forms.
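The two-tier key setup from section 3 and the TLS 1.2+ requirement from section 4, shown as an added MySQL 8.0 example (not Myopia.Care's own configuration); the schema name `clinic`, the table `patients`, the account `webapp`, the keyring path and the password placeholder are all assumptions for illustration:

```sql
-- Added example, not the site's own configuration. MySQL 8.0 InnoDB tablespace
-- encryption with the keyring_file plugin (master key wraps per-tablespace keys),
-- plus TLS enforcement for client connections. Names and paths are hypothetical.

-- 1. my.cnf fragment: the keyring must be loaded before InnoDB initialises.
--    [mysqld]
--    early-plugin-load        = keyring_file.so
--    keyring_file_data        = /var/lib/mysql-keyring/keyring   # outside the datadir
--    default_table_encryption = ON        # new tablespaces are encrypted by default
--    require_secure_transport = ON        # refuse plaintext client connections
--    tls_version              = TLSv1.2,TLSv1.3

-- 2. Confirm the keyring plugin is active before relying on it for PHI tables.
SELECT PLUGIN_NAME, PLUGIN_STATUS
FROM INFORMATION_SCHEMA.PLUGINS
WHERE PLUGIN_NAME = 'keyring_file';

-- 3. Encrypt an existing table: InnoDB generates a tablespace key and stores it,
--    wrapped by the master key, in the tablespace header.
ALTER TABLE clinic.patients ENCRYPTION = 'Y';

-- 4. Audit check: list any tablespace in the schema that is NOT encrypted.
--    An empty result means every table in `clinic` is protected at rest.
SELECT NAME, ENCRYPTION
FROM INFORMATION_SCHEMA.INNODB_TABLESPACES
WHERE NAME LIKE 'clinic/%' AND ENCRYPTION <> 'Y';

-- 5. Rotate the master key: tablespace keys are re-wrapped with the new master
--    key; the table data itself is not rewritten.
ALTER INSTANCE ROTATE INNODB MASTER KEY;

-- 6. In transit: the application account may only connect over TLS.
CREATE USER 'webapp'@'10.0.0.%'
  IDENTIFIED BY '<placeholder-password>'
  REQUIRE SSL;
GRANT SELECT, INSERT, UPDATE ON clinic.* TO 'webapp'@'10.0.0.%';

-- 7. From a client session, verify that TLS 1.2 or 1.3 was actually negotiated.
SELECT VARIABLE_NAME, VARIABLE_VALUE
FROM performance_schema.session_status
WHERE VARIABLE_NAME IN ('Ssl_version', 'Ssl_cipher');
```

Step 4 is the query to run on a schedule: a non-empty result means a table was created or altered without encryption and the at-rest claim no longer holds for it.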

5. Have you set access controls?
Yes. There are 5 levels / roles.
Access to the website is RBAC-based (Role-Based Access Control).

6. Are you recording and monitoring logs?
YES.
Server level – We are using dedicated logs for recording and tracking actions and the users who performed them. There are two types of logs:
● access log;
● action log.

Webservice level –
● Access log
● Error log

The logrotate utility is used to automate log rotation.

7. Are you backing up all PHI?
Daily and weekly backups are in place.
Backups are encrypted and stored remotely, transferred over a secure VPN to an SFTP box.

8. Have you obtained consent from patients before publishing testimonials on your website?
N/A – we are not publishing testimonials on our websites

9. Does your website include a notice of privacy practices?
Yes – https://www.myopiacare.org/privacy-policy/

HIPAA Privacy Officer: Sigrid Blaser and external IT supplier Infiniteonlinesolutions, Spain