Protecting Your Healthcare Data
We are committed to maintaining the highest standards of security and compliance while keeping patient data where it belongs—in your systems.
Our Commitment to HIPAA Compliance
OncoPA Solutions is committed to maintaining full compliance with the Health Insurance Portability and Accountability Act (HIPAA) and protecting the privacy and security of healthcare information. Our platform is designed with a privacy-first approach that fundamentally separates our services from Protected Health Information (PHI).
Important: No Patient Data Storage
OncoPA Solutions does NOT store, process, or have access to any patient information, medical records, or Protected Health Information (PHI). Our system is designed to keep patient data where it belongs—in your secure internal systems.
What Data We Store
Data We Store
- Clinic Information: Clinic name, address, and contact details
- Staff Accounts: Username, email, and encrypted passwords
- User Roles: Access levels and permissions
- Generic PA Documents: Template forms and checklists
- Reference Numbers: System-generated identifiers for tracking
- Usage Analytics: System usage patterns and performance metrics
Data We DO NOT Store
- Patient Names: No patient identifiers
- Medical Record Numbers: No MRN or patient IDs
- Diagnosis Information: No medical conditions or diagnoses
- Treatment Details: No specific patient treatment plans
- Insurance Information: No patient insurance details
- Any PHI: No Protected Health Information whatsoever
Reference Number System
Our platform generates unique reference numbers that clinics can use to track prior authorization workflows internally. This system is designed to maintain complete separation between our platform and patient data.
- Generate Reference: Our system creates a unique reference number (e.g., PA-2024-10-001234)
- Clinic Records Internally: Your team associates the reference number with patient records in your secure EMR/EHR system
- Track Without PHI: Use the reference number to track PA status without exposing patient information
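The separation described above, together with the "No PHI Entry" rule under Your Responsibilities, as an added Python sketch that is not code from OncoPA Solutions: a hypothetical vendor-side tracker allocates PA-YYYY-MM-NNNNNN references and accepts only an allowlist of fields, while the mapping from reference to patient record lives solely in a hypothetical clinic-side index. Class names, field names and the MRN values are assumptions for this example.

```python
import re

# Reference format the page shows: PA-<year>-<month>-<6-digit counter>.
REF_PATTERN = re.compile(r"^PA-\d{4}-\d{2}-\d{6}$")
# Fields a clinic may set on a vendor-side record (names assumed for this example).
VENDOR_UPDATABLE_FIELDS = {"status", "clinic_id"}

class PHIBoundaryError(ValueError):
    """A field outside the allowlist was offered to the vendor-side store."""

def make_reference(year: int, month: int, counter: int) -> str:
    """Format e.g. PA-2024-10-001234: a plain sequence, derived from nothing about a patient."""
    if not 1 <= month <= 12 or not 0 <= counter <= 999_999:
        raise ValueError("month or counter out of range")
    return f"PA-{year:04d}-{month:02d}-{counter:06d}"

class VendorPATracker:
    """Vendor side (hypothetical): allocates references and tracks PA status only."""
    def __init__(self) -> None:
        self._counters: dict[tuple[int, int], int] = {}
        self._records: dict[str, dict] = {}
    def open_pa(self, clinic_id: str, year: int, month: int) -> str:
        key = (year, month)
        self._counters[key] = self._counters.get(key, 0) + 1
        ref = make_reference(year, month, self._counters[key])
        self._records[ref] = {"reference": ref, "clinic_id": clinic_id, "status": "open"}
        return ref
    def update(self, ref: str, fields: dict) -> dict:
        """Apply allowlisted fields; a patient name, MRN or any other field is
        rejected at the boundary instead of being stored."""
        extra = set(fields) - VENDOR_UPDATABLE_FIELDS
        if extra:
            raise PHIBoundaryError(f"rejected fields: {sorted(extra)}")
        if not REF_PATTERN.match(ref) or ref not in self._records:
            raise KeyError(ref)
        self._records[ref].update(fields)
        return dict(self._records[ref])

class ClinicReferenceIndex:
    """Clinic side (hypothetical): stands in for the clinic's own EMR/EHR, the only place a reference is tied to a patient."""
    def __init__(self) -> None:
        self._mrn_by_ref: dict[str, str] = {}
    def link(self, ref: str, mrn: str) -> None:
        if not REF_PATTERN.match(ref):
            raise ValueError(f"not a platform reference: {ref}")
        self._mrn_by_ref[ref] = mrn
    def mrn_for(self, ref: str) -> str:
        return self._mrn_by_ref[ref]
```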
HIPAA Technical Safeguards
Even though we don't store PHI, we implement comprehensive technical safeguards to protect the clinic and staff data we do maintain:
- Data Encryption: All data is encrypted in transit (TLS 1.2+) and at rest using industry-standard encryption algorithms
- Access Controls: Role-based access controls ensure users only access information necessary for their role
- Authentication: Secure password requirements, encrypted storage, and session management
- Audit Logging: Comprehensive logging of system access and activities for security monitoring
- Secure Infrastructure: Hosted on secure servers with regular security updates and patches
- Data Backup: Regular encrypted backups with secure recovery procedures
Administrative Safeguards
- Security Officer: Designated security officer responsible for developing and implementing security policies and procedures
- Workforce Training: Regular training for all team members on security practices, HIPAA requirements, and privacy protection
- Risk Assessment: Regular security risk assessments and vulnerability testing to identify and address potential threats
- Incident Response: Comprehensive incident response plan for security breaches or unauthorized access attempts
- Business Associate Agreements: Proper agreements in place with any third-party service providers handling our data
Physical Safeguards
- Secure Data Centers: Our servers are hosted in certified data centers with 24/7 physical security, environmental controls, and access monitoring
- Access Controls: Restricted physical access to servers and infrastructure, with logged entry and exit procedures
- Secure Disposal: Proper procedures for secure disposal of hardware and media containing any system data
Your Responsibilities
While we maintain a secure platform, healthcare providers using OncoPA Solutions have important responsibilities to maintain HIPAA compliance:
- Account Security: Maintain secure passwords, don't share login credentials, and log out when sessions are complete
- No PHI Entry: Never enter patient names, medical record numbers, diagnoses, or any PHI into our system
- Internal Records: Maintain the connection between reference numbers and patient records securely in your own systems
- Device Security: Ensure devices used to access our platform are secured, updated, and protected from unauthorized access
- Network Security: Access the platform only from secure, trusted networks—avoid public Wi-Fi for sensitive work
- Staff Training: Ensure all staff members using the platform understand proper security practices and limitations
Best Practices for HIPAA Compliance
- Use Reference Numbers Consistently: Always use our system-generated reference numbers to track PA workflows. Document the reference number in your internal patient records immediately.
- Print and Handle Documents Securely: When printing PA documents to add patient information, follow your organization's PHI handling procedures. Keep printed materials secure and dispose of them properly.
- Limit Screen Visibility: Position screens to prevent unauthorized viewing. Lock screens when stepping away from workstations.
- Regular Security Reviews: Periodically review user access levels and remove access for staff members who no longer need it.
- Report Security Concerns: Immediately report any suspected security incidents, unauthorized access, or unusual system behavior to our support team.
Breach Notification Procedures
In the unlikely event of a security breach affecting clinic or staff data:
Immediate Response (0-24 hours)
- Contain and investigate the breach
- Assess scope and potential impact
- Begin remediation efforts
Notification (Within 60 days)
- Notify affected clinics and users
- Provide details of breach and impact
- Offer guidance on protective measures
Prevention (Ongoing)
- Implement additional safeguards
- Review and update security measures
- Provide additional user training if needed
Important Note: Because we do not store any PHI, a breach of our system would NOT constitute a breach of Protected Health Information under HIPAA. However, we would still notify you promptly of any security incidents affecting clinic or staff data.
HIPAA Compliance Contact
For questions about our HIPAA compliance practices or to report security concerns:
Security Officer
Phone
Security Incident Reporting
Policy Updates
We regularly review and update our HIPAA compliance practices to ensure we maintain the highest security standards. When significant changes are made to our security practices, we will notify all users.