HIPAA & GDPR Regulations
The PostureScreen, LeanScreen and SquatScreen apps do not require PII data of the app user. The user may enter non-PII data (business address, clinic name), which is stored on the device itself. The user may also enter their own name (for example, Dr. Mary Smith) for use in outgoing email communications and customized reports; this too is stored on the device itself. Security, access, addition, removal, and monitoring of this data are the responsibility of the device owner.
The PostureScreen, LeanScreen and SquatScreen apps collect PII data of the user’s clients. This data is entered into the apps by the user for the purpose of performing health screenings of the client. This client PII data is stored on the device. Security, access, addition, removal, and monitoring of the data are the responsibility of the device owner, which includes any arrangements the owner has made with each individual client.
If the user connects to the SyncScreen service, they have the option to store client PII data on the PostureCo controlled storage systems. Storage does not happen automatically: the user must manually trigger the “upload” to store data onto the PostureCo storage systems. The storage systems are hosted by Amazon Web Services (AWS) in the USA only, which is GDPR and HIPAA compliant with end-to-end encryption. In addition to using GDPR and HIPAA compliant storage systems, PostureCo’s technology:
- provides comprehensive data management to the device user: the user can add, review, modify, and remove all of the PII data through the existing tools within the PostureScreen app, which specifically includes complete deletion from both the user’s device and the PostureCo controlled storage systems;
- controls access with fine-grained segmented storage: each SyncScreen storage location is segmented apart from all other storage accounts;
- controls access with API-request authentication: each SyncScreen account user must authenticate with the PostureCo APIs before reading from or writing to the storage locations;
- controls access by using temporary access tokens: each authenticated session is valid for a limited time, and a token cannot be reused after it has expired;
- encrypts data at rest with an AES symmetric block cipher;
- encrypts data in transit with TLS/SSL communications;
- gives no third parties access to the PII data;
- through PostureCo business processes, allows only a limited number of senior-level PostureCo technology staff access to the storage systems, for the purposes of technology maintenance.
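The three access controls listed above (per-account segmented storage, authenticated API requests, and time-limited tokens that cannot be reused once expired) are easier to reason about as code than as a list. The following is an added illustration written for this page, not PostureCo's own implementation: it assumes an HMAC-signed token carrying an account id and an expiry time, an in-memory store whose object keys are prefixed by account id, and a server-held secret. The names `issue_token`, `verify_token` and `SegmentedStore` are hypothetical, and the sample record is constructed.

```python
"""Illustration (not PostureCo's code) of short-lived, per-account access tokens
gating reads and writes to a segmented storage namespace.

Assumptions (hypothetical): a server-held HMAC secret, tokens of the form
<base64url(payload)>.<base64url(hmac-sha256 tag)>, and storage keyed by
"<account_id>/<object_name>". Encryption at rest is out of scope here.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SERVER_SECRET = b"constructed-demo-secret-do-not-use"  # hypothetical server-held key
TOKEN_TTL_SECONDS = 900  # hypothetical 15-minute session lifetime


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(account_id: str, now: Optional[float] = None) -> str:
    """Issue a token bound to one account that expires after TOKEN_TTL_SECONDS."""
    now = time.time() if now is None else now
    payload = json.dumps({"acct": account_id, "exp": int(now) + TOKEN_TTL_SECONDS}).encode()
    tag = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(tag)}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the account id if the tag is valid and the token is unexpired, else None."""
    now = time.time() if now is None else now
    try:
        payload_b64, tag_b64 = token.split(".")
        payload = _unb64(payload_b64)
        expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(tag_b64)):
            return None  # forged or altered token
        claims = json.loads(payload)
    except ValueError:  # bad base64, bad JSON, or wrong number of parts
        return None
    if claims.get("exp", 0) <= now:
        return None  # expired tokens are rejected rather than reused
    return claims.get("acct")


class SegmentedStore:
    """In-memory stand-in for segmented storage: every object lives under one account prefix."""

    def __init__(self) -> None:
        self._objects = {}  # "<account_id>/<object_name>" -> bytes

    def put(self, token: str, object_name: str, data: bytes, now=None) -> bool:
        acct = verify_token(token, now)
        if acct is None:
            return False
        self._objects[f"{acct}/{object_name}"] = data  # written only under the caller's own prefix
        return True

    def get(self, token: str, account_id: str, object_name: str, now=None) -> Optional[bytes]:
        acct = verify_token(token, now)
        # Segmentation check: a token for one account cannot read another account's prefix.
        if acct is None or acct != account_id:
            return None
        return self._objects.get(f"{account_id}/{object_name}")

    def delete_account(self, token: str, now=None) -> int:
        """Complete deletion of one account's objects (the 'remove all PII' path). Returns count."""
        acct = verify_token(token, now)
        if acct is None:
            return 0
        keys = [k for k in self._objects if k.startswith(f"{acct}/")]
        for k in keys:
            del self._objects[k]
        return len(keys)


def demo() -> dict:
    """Exercise the controls with a fixed clock so results are deterministic."""
    store = SegmentedStore()
    t0 = 1_700_000_000.0
    tok_a = issue_token("clinic-a", now=t0)
    tok_b = issue_token("clinic-b", now=t0)
    store.put(tok_a, "client-42.json", b'{"rom": 87}', now=t0)  # constructed sample record
    forged = tok_b.split(".")[0] + "." + tok_a.split(".")[1]  # clinic-b payload, clinic-a tag
    return {
        "own_read": store.get(tok_a, "clinic-a", "client-42.json", now=t0 + 10),
        "cross_read": store.get(tok_b, "clinic-a", "client-42.json", now=t0 + 10),
        "expired_read": store.get(tok_a, "clinic-a", "client-42.json", now=t0 + TOKEN_TTL_SECONDS + 1),
        "forged": verify_token(forged, now=t0),
        "deleted": store.delete_account(tok_a, now=t0 + 20),
    }


if __name__ == "__main__":
    print(demo())
```

The points to take from the example: the account id is bound into the signed token rather than supplied separately by the caller, so segmentation is enforced from the token and not from a request parameter; expiry is checked on every use, so a captured token stops working on its own; and deletion is scoped to the token's own prefix, which is the shape of the "complete deletion" capability the list describes.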
Finally, non-PII data is always stored on the PostureCo controlled analytics system, hosted by Google Cloud Platform, which is GDPR and HIPAA compliant. This analytics data includes aggregate human body measurements (range of motion angles, postural translations) but does not contain PII data (name, address, government ID numbers).