Is Simply.Coach HIPAA compliant?

Simply.Coach is a comprehensive coaching platform designed to assist professionals in managing their coaching services efficiently.

Safeguarding protected health information (PHI) is required by HIPAA, so covered entities must ask: Is Simply.Coach HIPAA compliant? Our analysis suggests that Simply.Coach is HIPAA compliant.

What is Simply.Coach?

Simply.Coach is a comprehensive platform for coaching management and client engagement tailored for coaching professionals and businesses seeking to optimize their coaching services.

It offers practice management software for therapists and counselors as well as enterprises that help them run their practices in-person, online, or both. It also presents integrated features for coach-client interaction, schedule management, and performance tracking, offering a streamlined experience to enhance coaching outcomes and client relationships.

See also: Is Dropbox Sign HIPAA compliant?

Coach and Business Associate Agreement (BAA's)

Under HIPAA, a Business Associate Agreement (BAA) is a crucial document that outlines the responsibilities of third-party vendors when handling PHI. Any software or service that stores, processes, or transmits PHI on behalf of a healthcare entity is considered a business associate and should, therefore, sign a BAA. 

Given Simply.Coach's functionalities, such as providing a platform for coaching management and client engagement, it would likely be categorized as a business associate when used within healthcare settings, and so a BAA is required.

Upon reviewing their provided information, it is mentioned in their terms of service that "Customer shall not upload any electronic protected health information subject to HIPAA ("ePHI") to the Service(s) without entering into a Business Associate Agreement ("BAA") with the Provider. Unless a BAA is signed with the Provider, the Provider shall have no liability under these Terms for ePHI transmitted by the Customer, notwithstanding anything to the contrary contained in these Terms or any law in force."

This provides clear information about their willingness to sign a BAA upon further inquiry.

The FAQs in their website footer state, "Simply.Coach is SOC2, HIPAA and GDPR-compliant – this means certified high-end security for you and your clients' data. Your information will not get shared with anyone unless you share it with them. All meetings, documents, and conversations are completely encrypted and are accessible solely to you."

Simply.Coach and data security

The following are a few of the measures taken by Simply.Coach to ensure security standards for the protection of customer data meet the necessary standards. 

1. Encryption: Data is encrypted both during transmission and at rest. All network traffic is encrypted using Transport Layer Security (TLS), and data is automatically encrypted using encrypted storage volumes while at rest.
2. Access controls: Access to the platform is secured by role-based access through Identity and Access Management (IAM), which enforces segregation of duties. This ensures that data is only accessible by users with valid access rights.
3. Database access restrictions: Database access is limited to the production application server through a secure tunnel. This approach restricts direct access to the data and helps prevent unauthorized access.
4. Password security: User passwords are protected with hashed salts, ensuring that passwords are not stored in plaintext. Accounts are locked after a certain number of failed attempts, and password reset links have a limited validity period for enhanced security.
5. Virtual private cloud (VPC): Dedicated clusters are deployed in a unique Virtual Private Cloud (VPC) with dedicated firewalls. This isolation helps prevent unauthorized access and enhances the overall security of the infrastructure.

Is Simply.Coach HIPAA compliant?

Simply.Coach demonstrates a commitment to data security through its multi-layered security infrastructure, which includes encryption, access controls, and dedicated firewalls. Furthermore, their willingness to sign a business associate agreement (BAA) indicates their compliance with HIPAA standards. 

Conclusion: Simply.Coach is HIPAA compliant.

See also: HIPAA Compliant Email: The Definitive Guide