How is Curv Health data secured?
Data is encrypted both at rest and in transit. Data at rest is encrypted using the 256-bit Advanced Encryption Standard (AES-256) or better, using symmetric keys. The data keys are themselves encrypted using a key stored in a secure keystore managed by our cloud service provider (Google Cloud), and changed regularly. Data in transit is encrypted using TLS (Transport Layer Security), with certificates provided by Google Certificate Manager, which provides end-to-end security for data sent over the internet.
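The key hierarchy described above is commonly called envelope encryption. The following sketch is an added example, not Curv Health's code: it assumes AES-256-GCM, uses a locally generated key as a stand-in for the key held in the cloud keystore, and its function names are hypothetical. It also shows why changing the wrapping key is cheap: only the wrapped data key is rewritten.

```javascript
const crypto = require('node:crypto');

// AES-256-GCM with a fresh 96-bit nonce. Output layout: nonce || tag || ciphertext.
function seal(key, plaintext) {
  const nonce = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, nonce);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), ct]);
}

// Reverses seal(). Throws if the key is wrong or any byte was modified.
function open(key, sealed) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, sealed.subarray(0, 12));
  d.setAuthTag(sealed.subarray(12, 28));
  return Buffer.concat([d.update(sealed.subarray(28)), d.final()]);
}

// Encrypt one record under a fresh data key (DEK), then wrap the DEK with the
// key-encryption key (KEK). Assumption: in production the wrap step is a call to
// the cloud keystore and the KEK never leaves it; here the KEK is a local buffer.
function encryptRecord(kek, plaintext) {
  const dek = crypto.randomBytes(32);
  return { wrappedDek: seal(kek, dek), ciphertext: seal(dek, plaintext) };
}

// Unwrap the DEK first, then decrypt the record with it.
function decryptRecord(kek, record) {
  return open(open(kek, record.wrappedDek), record.ciphertext);
}

// KEK rotation: re-wrap the small DEK under the new KEK; the data ciphertext is untouched.
function rewrap(oldKek, newKek, record) {
  const dek = open(oldKek, record.wrappedDek);
  return { wrappedDek: seal(newKek, dek), ciphertext: record.ciphertext };
}

// Constructed sample run: rotate the KEK and confirm the record still decrypts.
const kekV1 = crypto.randomBytes(32), kekV2 = crypto.randomBytes(32);
const stored = encryptRecord(kekV1, Buffer.from('constructed chart note'));
console.log(decryptRecord(kekV2, rewrap(kekV1, kekV2, stored)).toString());
```

After rotation the old key can no longer unwrap the data key, so retiring it revokes access without re-encrypting any stored records.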
How is Curv Health data accessed?
Data is only accessed by password-protected accounts which have explicitly been granted permission to view the data. Providers can only view data for their own clients, and clients can only view their own data. Curv Health administration may occasionally access data for quality control and to correct issues.
How is Curv Health data backed up?
Curv Health’s database takes daily snapshots of all client data and stores these backups at a different physical location than the active database. Additionally, Curv Health’s database uses regional failover so that if the original data centre fails for any reason, the database will immediately be migrated to a data centre in another region.
Who owns Curv Health data?
As per HIPAA requirements, all health data, including chart notes, video assessments and communications between clients and providers, is owned by the client. Curv Health is acting as an agent for storing the client’s data and is responsible for the privacy and security of the data.
What happens if there is a breach of privacy or security?
If a breach were to occur within Curv Health, we are required to notify affected individuals whose unsecured protected health information has been impermissibly accessed, acquired, used, or disclosed, compromising the security or privacy of the protected health information. In certain circumstances, a breach must also be reported to the relevant government bodies, including the Secretary of Health and Human Services (HHS) or Privacy Commissioner. Providers on Curv’s platform have the same obligations to report breaches in privacy or security.