Data Privacy and Security Practices
Read more about how AccelerateFP handles data privacy and security
GDPR Compliant Mobile Marketing
AccelerateFP is fully compliant with The General Data Protection Regulation (GDPR) in the European Union (EU). We’ll help you navigate, understand, and manage the complex regulations surrounding compliance. GDPR requires ongoing changes to ensure your processing of EU personal data is supported. We offer enhancements and ongoing maintenance to dashboards, SDK, API, and documentation to protect personal data. Fast-track your implementation of GDPR using AccelerateFP’s data security and privacy solutions and practices, and empower your users with the knowledge that their data is secure.
What are your obligations under GDPR?
Among the key changes in the GDPR are the data subject rights for EU individuals, added security measures, contractual obligations, and operational enforcements such as data breach notifications and updates to privacy policies to address the new regulation.
The GDPR is an extensive regulation and while AccelerateFP cannot offer legal advice on the regulation, our goal is to make it easy for you to understand and apply the GDPR’s principles for your users.
HIPAA Compliance for Marketers
Technology and wearables are becoming widely adopted by consumers to track and monitor their own health and wellness. In fact, mobile apps are empowering individuals to take control of their health and are poised to take a critical role in the healthcare industry. AccelerateFP understands the role HIPAA will play in protecting patients and building a relationship of trust between providers and patients.
Mobile apps can connect patients and doctors, as well as provide a faster path for patients to get care. They also allow information to flow between patient and doctor in real time, potentially resulting in better care.
What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) is United States legislation that safeguards medical information. It’s the standard for electronic health transactions and outlines the data privacy and security provisions for collecting, storing, and processing unique health identifiers. It protects private health information (PHI) and affects how it is accessed, stored, and shared to give patients rights to their health information.
What’s Considered Private Health Information (PHI)?
Private Health Information (PHI) is any information that can be used to identify an individual. It includes identity information, medical records, conversations with doctors and other healthcare professionals, and billing information with patient-identifiable information on it. Examples of PHI include patient name, address, dates (birth, admittance, discharge), medical record numbers, account numbers, and email addresses.
Who Needs to be HIPAA Compliant?
Any organization that falls under the definition of covered entity under HIPAA has to comply. Covered entities include health care providers, health plans, and health care clearinghouses that electronically store and transmit any health information. If these entities create their own mobile applications that collect, store, or use PHI, then these mobile apps must be HIPAA compliant.
A business associate is anyone who collects, stores, maintains, or transmits any PHI on behalf of a covered entity. Most businesses that provide services that manage or use PHI for covered entities are included in this category. These are contractors, subcontractors, and other companies that are not employed by a covered entity but still need to access health information when offering their services to a covered entity. You can find more information on this on the official US Department of Health & Human Services website.
Within the purview of the HIPAA privacy rule, AccelerateFP is neither a covered entity nor a business associate.
How AccelerateFP Customers Address HIPAA Compliance Within their Marketing Organizations
Several healthcare companies leverage user behavior data in their marketing campaigns to acquire and engage users via email, push notifications, and social media. When users sign up for a healthcare service, they expect personalized communications, such as appointment confirmations and service notifications.
While companies use certain data to make their marketing campaigns more effective, the use of private patient data is not allowed. HIPAA mandates that healthcare companies restrict the use of private patient information to promote their products or services without written permission from the patient and that this permission may be revoked by the user at their discretion. Performing due diligence while developing your app can help ensure that your app stays HIPAA compliant.
Avoid sending or storing PHI: AccelerateFP has seen customers build HIPAA compliant use cases by ensuring that there is no sensitive information, specifically PHI, being processed, stored, or transmitted to AccelerateFP. That is the easiest way to adhere to the HIPAA privacy rule. Companies can still store behavioral data such as app launched, appointment scheduled, and payment submitted on a platform like AccelerateFP to make their marketing campaigns more relevant.
Do not use PHI for marketing campaigns: A good rule of thumb is to make sure marketing messages do not use any PHI to identify or disclose sensitive information across channels that are not HIPAA compliant. For example, do not send health conditions in your appointment confirmation text message. Simply send a reminder of the time and place. Likewise, avoid specifying prescriptions used or physician names in your push notifications or in-app messages.
Use separate systems for marketing and patient data: Another best practice for companies is to make sure marketing teams are well-versed in compliance and are taking measures to keep online marketing data separate from patient data. One option is to use different systems to collect marketing data such as name, email, and phone number from customers so that the information is strictly marketing oriented.
Use encrypted channels to store and transmit PHI data: As an industry best practice, mobile app publishers must make sure that PHI data is not stored or transmitted over unencrypted channels.
Ensure cloud storage compliance: If an app has its data stored in the cloud, app publishers should verify that the hosting provider meets HIPAA requirements. For example, if you are using Amazon Web Services (AWS) as your cloud service provider, ensure that all the AWS services that are used are HIPAA eligible.
Amazon provides an AWS Business Associate Addendum (AWS BAA), which is available on a self-service portal on AWS to run HIPAA sensitive workloads. Once a service is covered by the AWS BAA, app publishers can process and transmit PHI on their mobile app.
Use Two-factor Authentication (2FA): Two-factor Authentication (2FA) requires customers to go through an additional layer of security to enter information that only they will possess. 2FA helps you verify that user information is not misused and that there is a strong authentication process in place.
Building a Secure, HIPAA-Compliant Healthcare Experience
HIPAA compliance is an opportunity for marketing and compliance functions to come together and build a positive brand experience for patients.
Data-driven marketers can strengthen relationships with their customers while ensuring that they incorporate the appropriate regulations in their workflows.
AccelerateFP recommends that customers seek legal guidance for any compliance-related questions that apply to their applications. AccelerateFP does not offer legal advice, and it is up to the customer to identify applicable laws and their nuances to determine how best to architect their application to comply with the HIPAA regulation.
Data Retention Policy
User Profile and Event data will be stored until the data subject has withdrawn consent to processing. We also have the ability to customize data retention to meet a client’s specific requirements.
Role Based Access
Teams come in all shapes and sizes. Build smarter user roles to simplify workflow and protect data. Role based access is a method of restricting network access based on the roles of individual users within a larger team or company. This lets employees have access rights only to the information they need and prevents them from accessing information that doesn’t pertain to them.
Two Factor Authentication
Coming soon - Secure each sign-in on any device
Two-factor authentication provides a higher level of assurance than authentication methods that depend on single-factor authentication (SFA), in which the user provides only one factor, typically a password. Two-factor authentication methods rely on users providing a password as well as a second factor, such as a security token, for added security. AccelerateFP will soon allow two-factor authentication while logging in.
Coming soon - Ensure all campaigns are compliant with maker-checker approvals
Dual approval is a security feature within Campaign Management that enables you to have increased control on who can deploy and send campaigns within your team. Within your marketing team, you might have one person who is responsible for creating campaigns in AccelerateFP (the maker), and then have a second person (checker) who reviews and approves these campaigns before they can be sent. The Dual Approval feature enables this workflow in AccelerateFP by requiring approval from that second person before a campaign can be sent.
Localized AWS Instances Availability
AccelerateFP has the ability to provide localized AWS instances for data hosting and processing based on the client’s requirements. This ensures geographical boundaries for user data in order to be in compliance with regional data privacy regulations.
Data Encryption Practices
Rest assured with enterprise-leading data encryption at all data collection points - incoming and outgoing, as well as at rest and in motion.
Our security and risk management processes safeguard each customer’s data within their own silo, preventing any movement of data between clients and thereby ensuring there is no inadvertent access to data other than yours. AccelerateFP leverages multi-factor authentication, inflight data security across devices, formal change management policies and up-to-date security protocols on the dashboard and across all API endpoints to ensure that customer security is not compromised.
Enable Physical and Network Security: We maintain data centers on AWS that are fully compliant with a range of certifications for industry-specific applications. We do not store any data off-site outside of AWS and do not use any off-site physical storage facilities. We follow best practices to protect the network perimeter, including maintaining redundant DNS servers and a denial-of-service (DoS) prevention and mitigation system. Intrusion detection systems (IDS) are used on all production servers.
Encrypting Data at Rest and Data in Motion: AccelerateFP performs encryption at all incoming and outgoing data collection endpoints. The most up-to-date TLS protocols with SHA256 algorithms are used to handle communications between AccelerateFP and customer applications.
Business Continuity and Disaster Recovery: AccelerateFP’s infrastructure scales automatically for ebbs and flows in traffic. Our proprietary technology is custom built and allows us to provide high availability and rapid recovery in the event of an issue. We are not reliant on any external launch cycles or product updates to improve performance. Our infrastructure is connected with multiple network carriers to dynamically respond to each request with the best connectivity in order to ensure reliable and continuous availability of critical resources at all times. All data backups are protected by stringent role-based access control restrictions. Data is replicated periodically to provide state-of-the-art fault tolerance, highly responsive recovery, and scalability at all times.
Compliance: AccelerateFP is committed to maintaining strong data protection commitments while also ensuring that we provide our customers with the tools required to comply. By maintaining a shared responsibility with AWS, AccelerateFP is able to maintain fully compliant data centers that allow sensitive data to be stored securely.
Data Privacy Practices
Leverage a scalable platform with advanced authentication & privacy controls to safeguard your data and the data of your users.
Types and Uses of Collected Information:
Personal Data: Personal Data is information that identifies a specific person. When you engage in certain activities via the AccelerateFP Service and/or the AccelerateFP Websites, including but not limited to creating an account, sending feedback, or otherwise participating in the AccelerateFP Service (collectively, “Identification Activities”), we may ask you to provide certain information.
Non-Personal Data: Non-Personal Data is information that does not identify a specific person. This type of information may include things like the URL of the website you visited before coming to the AccelerateFP Websites or otherwise participating in the AccelerateFP Service, the URL of the website you visit after leaving the AccelerateFP Websites, the type of browser you are using, or general and/or aggregated location data that does not constitute Personal Data.
Use of the AccelerateFP Service and the AccelerateFP Websites is subject to our Terms of Service found at https://acceleratefp.com/privacy