Compliance Offerings

Owned by Scott Peterson
Last updated: Nov 21, 2022 by Anders Damkjaer Nielsen
3 min read

HIMSA is committed to the highest levels of trust, transparency, standards conformance, and regulatory compliance. Our services are all built from the ground up to address our customer's most rigorous security and privacy demands to help comply with national, regional, and industry-specific requirements governing the collection and use of individuals' data.

  • GDPR (EU)

  • HIPAA/HITECH

Please make sure to also read HIMSA’s privacy policy at https://himsanoah.atlassian.net/wiki/spaces/NESP/pages/2151972995 as well as https://himsanoah.atlassian.net/wiki/spaces/NESP/pages/2152005772

Risk Analysis

At the core of HIMSA’s compliance offerings is an extensive process to continually analyze potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronically protected health information that HIMSA processes for hearing care businesses. HIMSA’s commitment to Risk Analysis covers the below topics:

  • Well described data processing data inventory for both:

    • Noah ES User/business data. How business can make use of Noah ES features to manage users and access to patient data within the business's Noah ES account.

    • Patient-related data. HIMSA’s focus here is to consider the types of patient data that are supported by Noah ES and how hearing care professionals can best make use of Noah ES features to best manage patient data.

  • The risk analysis process starts as each requirement is studied, defined, and refined over time.

  • Each risk is assigned a score that combines Impact and Likelihood. Risks that can not be removed are then set up to be controlled to minimize the chance of occurrence and impact.

  • All risk analyses are reviewed and approved by product management, software development, quality assurance, and business directors.

GDPR (EU)

We are committed to GDPR compliance for Noah ES and provide GDPR related assurances in our contractual commitments.

GDPR Principles we Operate by

Accountability: HIMSA is committed to the principles of the GDPR by adopting the concept of ‘data privacy by design’ within its operational model. HIMSA will remain accountable by having detailed policies and systems in place. Our policies are regularly reviewed and updated, and our staff is periodically trained on data protection and security throughout the year. Additionally, HIMSA is committed to regular, independent ISAE 3000 Audits to ensure that HIMSA is complying to GDPR regulations.

Transparency, Fairness, and Lawfulness: We process data for hearing care businesses and design our features and systems to ensure that we process data with transparency, maintaining fairness in what we do. This way, we can be sure that we are processing data lawfully.

Data Integrity and Confidentiality: We hold data on secure systems. Information security and integrity are key to our smooth operation.  We also have an Incident Response Team on hand to support us in the event data may become compromised. 

Data Minimization and Data Storage: We will not keep data for longer than is necessary and only keep data if there is a lawful basis that allows fair retention. When we do need to remove data from our possession, we do so by using industry-approved standards, so the disposal is thoroughly compliant.

Data Accuracy: Keeping data accuracy is very important to us. Our software solutions are desired with a focus on adherence to different HIMSA data standards.

Purpose Limitation: We use the data we attain for a specific purpose. This means that data is not processed for any alternative reasons other than what the data was originally collected.

Your Questions:  If you have any questions regarding the GDPR Topic, you should open a support issue at essupport.himsa.com by using "GDPR" in the subject line.  

HIPAA & the HITECH Act

HIMSA offers Health Insurance Portability & Accountability Act Business Associate Agreements (BAAs) to customers located within the United States.
HIPAA regulations require that covered entities and their business associates—in this case, HIMSA when it provides services, including cloud services, to covered entities—enter into contracts to ensure that those business associates will adequately protect PHI.

The BAA clarifies and limits how HIMSA can handle PHI and sets forth each party's adherence to the security and privacy provisions set forth in HIPAA and the HITECH Act. Once a BAA is in place, HIMSA customers—covered entities—can use its services to process and store PHI.

FAQ

Q: Will HIMSA fill out and sign my company’s required security/compliance questionnaire?

A: HIMSA is dedicated to providing your company with the information you need to ensure that your patient data is handled with the highest standards.  We provide a great level of details at Compliance Offerings that should address your concerns.  If you are not able to find an answer or need further details you are welcome to use the support help desk to ask for answers to your open questions.

HIMSA does not offer to fill out your questionnaire under the included self-service support plan.  You may submit your form and HIMSA will provide you with a cost and time estimate. See further details on Noah ES Support offerings.