Careswitch is committed to ensuring the confidentiality, privacy, integrity, and availability of all electronic Protected Health Information (ePHI) it receives, maintains, processes, and/or transmits on behalf of its customers. As a provider of applications used by covered entities, Careswitch strives to maintain compliance, proactively address information security, mitigate risk for its customers, and ensure that known breaches are communicated completely, effectively, and in a timely manner.
Careswitch is built using the Aptible Platform as a Service (PaaS), a compliant software hosting infrastructure. Aptible has passed hundreds of security and compliance audits alongside customers such as Kaiser Permanente, MD Anderson, UnitedHealth Group, Johns Hopkins, Stanford and many others. Aptible is ISO 27001 certified, meaning it complies with international standards for security.
By building on the Aptible PaaS, Careswitch inherits the infrastructure-level controls that Aptible provides, and Aptible assumes the risk associated with those controls. This shared-responsibility model helps Careswitch achieve and maintain compliance and helps mitigate risk for Careswitch customers; safeguards at the application layer remain Careswitch's responsibility and are described below.
Web Application Technical Safeguards
In addition to the technical safeguards provided by Aptible, the Careswitch web application is built using industry-standard best practices with technical safeguards to properly handle PHI. These safeguards include, but are not limited to: authorization and access control; encryption in transit via HTTPS (TLS); no PHI in email, SMS, or web notifications; and no PHI stored client-side in browser session storage, browser local storage, cookies, or similar persistent browser storage.
Mobile Application Technical Safeguards
The Careswitch mobile applications are built as hybrid apps, meaning they consist of web technologies embedded inside a native container. The mobile apps share the same technical safeguards as the web application and add the following safeguards, among others:
PHI is not persisted in mobile device storage; an internet connection is required to use the apps
PHI is not exposed in any notification delivery channel, such as push notifications; the full notification message can only be viewed inside the apps
Documents containing PHI can only be viewed within each app's sandbox and cannot be persisted to mobile storage
Business Associate Agreement
Careswitch has signed Business Associate Agreements (BAAs) with all software vendors that handle PHI on Careswitch’s behalf. Careswitch signs BAAs with all customers.