Information about HIPAA compliance
Treehouse Eyes – HIPAA Compliant Website Checklist
1. Do you have a valid SSL certificate?
2. Is the website hosted with a HIPAA compliant hosting company?
3. Have you encrypted data at rest and in transit?
4. Are you using HIPAA-compliant web forms?
5. Have you set access controls?
6. Are you recording and monitoring logs?
7. Are you backing up all PHI?
8. Have you obtained consent from patients before publishing testimonials on your website?
9. Does your website include a notice of privacy practices?
1. Do you have a valid SSL certificate?
Site certificate:
Common name: treehouseeyes.myopia.care
SANs: treehouseeyes.myopia.care, www.treehouseeyes.myopia.care
Valid from August 21, 2022 to November 19, 2022. Auto-renewal when the certificate is within 30 days of expiry.
Serial Number: 0382670895ea73ba0382838ed18543
Signature Algorithm: sha256WithRSAEncryption
Issuer: R3
Intermediate certificate (issuer of the site certificate):
Common name: R3
Organization: Let’s Encrypt
Location: US
Valid from September 3, 2020 to September 15, 2025
Serial Number: 912b084acf0c18a753f6d62e25a75f
Signature Algorithm: sha256WithRSAEncryption
Issuer: ISRG Root X1
Root certificate (issuer of the intermediate):
Common name: ISRG Root X1
Organization: Internet Security Research Group
Location: US
Valid from January 20, 2021 to September 30, 2024
Serial Number: 4001772137d4e942b8ee76aa3c640a
Signature Algorithm: sha256WithRSAEncryption
Issuer: DST Root CA X3
2. Is the website hosted with a HIPAA compliant hosting company?
DigitalOcean maintains SOC 2, SOC 3, CSA STAR Level 1, and APEC PRP certifications. With a robust set of common controls that cover asset management, configuration management, data management, identity and access management, systems monitoring, network operations, risk management, and several more, we help to better protect customer data. These controls extend to customers running HIPAA workloads on covered DigitalOcean products.
More details at: https://www.digitalocean.com/blog/host-ephi-on-select-digitalocean-products
3. Have you encrypted data at rest and in transit?
Data at rest represents any data that you persist in non-volatile storage for any duration in your workload.
For our website it means databases and backup archives.
Database:
We use a two-tier encryption key architecture with the following two keys:
● Tablespace keys: a per-tablespace key, stored in encrypted form in the tablespace header
● Master key: used to decrypt the tablespace keys
Data-at-rest encryption is implemented with the keyring file plugin, which manages and protects the master key.
● AES-256 is used to encrypt the InnoDB tables
● It is transparent to applications: no application code, schema, or data type changes are needed
● Key management is not performed by the DBA
● Keys are stored securely, separate from the data
Encryption in transit
Connections between database clients and the database server are encrypted using the TLS (Transport Layer Security) protocol.
TLS uses encryption algorithms to ensure that data received over a public network can be trusted. It has mechanisms to detect data change, loss, or replay. TLS also incorporates algorithms that provide identity verification using the X.509 standard.
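As an added example (not the site's own configuration), the MySQL 8.0 settings and statements that implement the two-tier keyring_file scheme described above and the TLS-only client connections; the database, table, account, network and path names are placeholders.

```sql
-- Added example, not the site's own configuration. Assumes MySQL 8.0 with
-- the keyring_file plugin; all names and paths below are placeholders.
--
-- Put in my.cnf ([mysqld] section) before starting the server:
--   early-plugin-load      = keyring_file.so
--   keyring_file_data      = /var/lib/mysql-keyring/keyring  (restricted volume, outside datadir)
--   require_secure_transport = ON                             (refuse plaintext client connections)
--   tls_version            = TLSv1.2,TLSv1.3

-- 1. Confirm the keyring plugin loaded; without it, ENCRYPTION='Y' fails.
SELECT PLUGIN_NAME, PLUGIN_STATUS
  FROM INFORMATION_SCHEMA.PLUGINS
 WHERE PLUGIN_NAME = 'keyring_file';

-- 2. Encrypt a table holding PHI. InnoDB generates a tablespace key,
--    wraps it with the master key from the keyring, and stores the wrapped
--    key in the tablespace header. No application or schema change needed.
CREATE TABLE clinic.patient_record (
  id    BIGINT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
  mrn   VARCHAR(32) NOT NULL,
  notes TEXT
) ENGINE=InnoDB ENCRYPTION='Y';

-- Existing tables are converted in place (this rebuilds the tablespace).
ALTER TABLE clinic.appointment ENCRYPTION='Y';

-- 3. Verify: every file-per-table tablespace holding PHI must show 'Y'.
SELECT NAME, ENCRYPTION
  FROM INFORMATION_SCHEMA.INNODB_TABLESPACES
 WHERE NAME LIKE 'clinic/%';

-- 4. Rotate the master key: re-wraps the tablespace keys only, the table
--    data is not rewritten. Schedule this and record it in the action log.
ALTER INSTANCE ROTATE INNODB MASTER KEY;

-- 5. In transit: also require TLS per account, so a later change to
--    require_secure_transport cannot silently reopen plaintext logins.
CREATE USER 'webapp'@'10.0.0.%' IDENTIFIED BY '<placeholder-password>' REQUIRE SSL;
GRANT SELECT, INSERT, UPDATE ON clinic.* TO 'webapp'@'10.0.0.%';

-- From a client session, confirm the connection is actually encrypted
-- (an empty Ssl_cipher value means plaintext).
SHOW SESSION STATUS LIKE 'Ssl_cipher';
```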
4. Are you using HIPAA-compliant web forms?
Yes.
Proper encryption and security software are in place to protect any data at rest and in transit (see above). AES-256 at rest and TLS 1.2+ in motion.
All our forms secure data on the device and while it traverses applications within the network.
We are NOT using third-party forms.
5. Have you set access controls?
Yes. There are 5 levels / roles.
Access to the website is role-based (RBAC, Role-Based Access Control).
6. Are you recording and monitoring logs?
YES.
Server level – dedicated logs record the actions taken and the user who performed them. There are two types of logs:
● access log;
● action log.
Web service level –
● access log;
● error log.
The logrotate utility automates log rotation.
7. Are you backing up all PHI?
Daily and weekly backups are in place.
Backups are encrypted and stored remotely, transferred over a secure VPN to an SFTP host.
8. Have you obtained consent from patients before publishing testimonials on your website?
N/A – we do not publish testimonials on our websites.
9. Does your website include a notice of privacy practices?
Yes – https://www.myopiacare.org/privacy-policy/
HIPAA Privacy Officer: Sigrid Blaser and external IT supplier Infiniteonlinesolutions, Spain