Data Protection, HIPAA and Breach Policies

These policies cover SurgicalPerformance’s approach to the U.S. Health Insurance Portability and Accountability Act (HIPAA, 1996), data security incidents and breaches, and data protection. It is our objective to conduct ourselves with the highest ethical standards and to comply with HIPAA, Australian privacy laws and regulations, and any other applicable international and industry standards.

The following are key measures we undertake to protect users’ data in SurgicalPerformance applications:

  • All surgeons (users) have the option of not providing personally identifying information in their accounts;
  • No patient-identifying data such as names or addresses is recorded in the system. All Protected Health Information (PHI) is limited to date fields (including date of birth and date of procedure);
  • During data entry we strongly recommend that the Patient Identifier be a value unique to SurgicalPerformance and not an identifier (such as a medical record number) found in other patient data;
  • Reporting code never discloses individual records. Reports are non-identifiable and are pre-processed on the server before being displayed to a user;
  • Where a small sample size would create a risk that an individual could be identified, e.g. in institution-level reports, protections are in place to withhold the report;
  • All traffic on the site is encrypted over HTTPS;
  • The marketing website is kept separate from the application layer to limit the attack surface;
  • The application site has been hardened with tight permissions and unnecessary functionality removed;
  • All record entry has a full audit trail, and records can only be edited, never deleted;
  • Any suspected or known data breach affecting users’ data will be communicated to the affected users as soon as possible;
  • All data is cloud-hosted in Amazon Web Services, a HIPAA-eligible and highly protected environment, with automated snapshots and backups kept both locally and remotely. In the event of an unrecoverable disaster, the site can be rapidly re-launched with an alternate provider.
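The small-sample protection in the list above is the one measure that maps directly onto a concrete check. The following is an added example, not SurgicalPerformance’s own code: it builds an institution-level complication report from de-identified records and suppresses any surgeon whose cohort is below a minimum size. The threshold `MIN_COHORT = 5`, the record layout and the sample data are all assumptions made for the example; the policy itself states no threshold. The example also goes one step beyond the bullet by applying complementary suppression: if exactly one surgeon is hidden, or the hidden surgeons together are still below the threshold, the institution total is withheld as well, because a reader could otherwise subtract the visible rows and recover the suppressed figures.

```python
from collections import defaultdict

# Minimum cohort size below which a report row is suppressed.
# Assumed value for this example; the policy text states no threshold.
MIN_COHORT = 5


def make_records(spec):
    """Expand (institution, surgeon, n_cases, n_complications) tuples into
    individual de-identified records. Patient ids are opaque, app-specific
    values (not MRNs), matching the policy's recommendation."""
    records = []
    counter = 0
    for institution, surgeon, n_cases, n_complications in spec:
        for i in range(n_cases):
            counter += 1
            records.append({
                "patient_id": f"SP-{counter:04d}",
                "surgeon": surgeon,
                "institution": institution,
                "complication": i < n_complications,
            })
    return records


# Constructed sample data; no real patients or surgeons.
SAMPLE_RECORDS = make_records([
    ("Hosp-A", "S1", 6, 2),
    ("Hosp-A", "S2", 2, 1),   # too small to show on its own
    ("Hosp-B", "S3", 7, 0),
    ("Hosp-B", "S4", 8, 3),
    ("Hosp-C", "S5", 2, 0),   # two small cohorts whose sum is still < MIN_COHORT
    ("Hosp-C", "S6", 2, 1),
])


def aggregate(records, institution):
    """Count cases and complications per surgeon for one institution."""
    counts = defaultdict(lambda: [0, 0])
    for r in records:
        if r["institution"] != institution:
            continue
        counts[r["surgeon"]][0] += 1
        counts[r["surgeon"]][1] += int(r["complication"])
    return {s: (n, c) for s, (n, c) in counts.items()}


def build_report(records, institution, min_cohort=MIN_COHORT):
    """Return per-surgeon complication rates for an institution, with rows
    below min_cohort suppressed (None) and the total withheld whenever it
    would allow a suppressed row to be recovered by subtraction."""
    per_surgeon = aggregate(records, institution)
    rows = {}
    suppressed_sizes = []
    for surgeon, (n, comp) in sorted(per_surgeon.items()):
        if n < min_cohort:
            rows[surgeon] = None
            suppressed_sizes.append(n)
        else:
            rows[surgeon] = {
                "cases": n,
                "complications": comp,
                "rate": round(comp / n, 3),
            }

    total_cases = sum(n for n, _ in per_surgeon.values())
    total_comp = sum(c for _, c in per_surgeon.values())
    # Complementary suppression: the total is safe only if nothing was hidden,
    # or if at least two rows were hidden and together they meet the threshold,
    # so the total reveals nothing about any single suppressed surgeon.
    total_safe = (not suppressed_sizes) or (
        len(suppressed_sizes) > 1 and sum(suppressed_sizes) >= min_cohort
    )
    total = {"cases": total_cases, "complications": total_comp} if total_safe else None
    return {"institution": institution, "surgeons": rows, "total": total}


if __name__ == "__main__":
    for inst in ("Hosp-A", "Hosp-B", "Hosp-C"):
        print(build_report(SAMPLE_RECORDS, inst))
```

Note that the threshold is applied server-side before anything reaches the client, which is what the policy’s “pre-processed on the server” bullet requires; sending full rows and hiding them in the browser would not protect anyone.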

To further protect the data of our customers, SurgicalPerformance takes several additional measures that are not disclosed here for security reasons. You can review the full contents of each policy below.