AlayaCare is a provider of hosted, electronic health record solutions. Its customers are home health care providers and are subject to laws and regulations governing the use and disclosure of Protected Health Information (PHI).
In Canada, provincial laws govern the handling of PHI.
In the United States, HIPAA and HITECH, along with their associated regulations, and similar state laws (where those laws are more stringent than HIPAA) govern the handling of PHI. Health care providers are Covered Entities under HIPAA and are subject to its rules regarding PHI. AlayaCare, delegated by its Customers to access and manage PHI, is considered a Business Associate, and a Business Associate Agreement (BAA) is required. AlayaCare's standard form of BAA can be found here.
Although the terminology differs in Canada and there isn’t an equivalent to a BAA, AlayaCare applies the same rigorous standards and practices for safeguarding the confidentiality, integrity, and accessibility of PII and PHI in all jurisdictions.
- SOC 2 Type II
This independent audit certifies that AlayaCare’s systems and processes meet the American Institute of Certified Public Accountants (AICPA) Trust Service Principles and Criteria. The SOC 2 Type 2 report documents the risk management controls put in place to address security and data protection risks relating to AlayaCare’s core, cloud-based electronic health record platform. AlayaCare's SOC reporting also verifies its compliance with, and the operational effectiveness of, this set of controls and includes a review of critical security policies, procedures, and safeguards necessary to protect and secure client data.
- Product Security
AlayaCare's SaaS platform logs and audits a variety of user activities within the application and relating to access to and security of each Customer's AWS tenant.
As audit logs and trails become a bigger focus of healthcare and privacy regulators, and while requirements can vary by jurisdiction, AlayaCare takes a comprehensive but user-driven approach to many audit inquiries. These can primarily be accessed via clinical functions and through user roles and permissions.
This overview of AlayaCare's capabilities can serve as a baseline from which Customers can map to their specific requirements and use cases. Some additional configurations can be implemented upon request by AlayaCare's professional services and data management teams.
More detailed information can be accessed through this requestable document:
- SAML SSO
AlayaCare supports all SAML 2.0 Identity Providers for Single Sign-On (SSO).
- Data Security
- Data Encrypted At-Rest
From HRIS and CRM systems to AlayaCare
Data can be exchanged either through external APIs over HTTPS or by using flat files. In the latter case, files containing data to be loaded into AlayaCare are uploaded by the external system to an SFTP server that requires authentication and the presence of an SSH key on the server. Files containing data to be exported from AlayaCare are manually generated from within the software and then uploaded to the system of record.
While at rest on AlayaCare database servers
Data is encrypted at rest using the AES-256 algorithm.
Between AlayaCare servers and the web UI
The browser is stateless in the sense that no data resides locally. The software uses internal APIs over HTTPS to transfer data.
Between AlayaCare servers and the mobile applications
The mobile application uses the same internal APIs over HTTPS as the web application.
While on the mobile device
Some data can be cached locally on the device in its encrypted database. The database is destroyed on logout, and the data must be downloaded again from the servers.
When AlayaCare’s data warehouse is accessed from the client’s BI tool
An IPsec VPN tunnel can be set up between a client and the data warehouse, with read access limited to the client's own schema.
When accessed via public APIs
The API endpoints accept only HTTPS connections, and the user must be authenticated.
- Data Encrypted In-Transit
All data in transit is encrypted via TLS 1.2.
AlayaCare’s Privacy Policies describe how we address the privacy and security of the data and other information entrusted to us:
- by our customers through their access and use of the AlayaCare electronic health record platform;
- by our business partners and specific third-party providers of key services to us; and
- by everyone else, including partners, prospective customers, and those who seek information or contact us through our website.
- Data Retention Policy
AlayaCare will retain information in its custody to ensure its customers' ability to comply with legal requirements and their own governance guidelines.
AlayaCare obtains no ownership of customer data and will promptly return it in common formats, the details of which are set out in its customer contracts.
- Incident Management & Response
- Data Breach Notification
- Incident Response Plan (IRP)
AlayaCare maintains a comprehensive Security Incident Response Plan (SIRP) which includes detailed processes and resource inventories designed to provide a roadmap for managing its response in the event of a suspected or actual data breach or security incident. AlayaCare, through its partnership with AWS and using AWS-provided protocols, conducts regular "table-top" exercises with key members of its SRE infrastructure team and with the guidance of insurer-provided subject matter experts.
- Availability & Reliability
- Infrastructure Redundancy
As a cloud-based SaaS provider, AlayaCare relies heavily on the redundancy and fault tolerance of its cloud service provider to avoid, respond to, and recover from major service interruptions or other disasters.
The production platform is designed and implemented within AWS such that critical components are distributed across multiple availability zones, providing fault tolerance to service failures.
Availability zones are geographically segregated data centers maintained by AWS that operate in high-availability mode. In the event of a data center failure, failover and failback occur automatically in real time and are transparent to AlayaCare and its customers.
- Organizational Security
- Confidentiality Agreements
AlayaCare has controls in place to maintain the confidentiality of all data in accordance with its data risk classifications and the terms of its customer agreements. All AlayaCare employees and contractors receive training in and are bound by AlayaCare’s policies regarding the confidentiality of data.
- Employee Background Checks
AlayaCare performs background checks on all new employees at the time of hire in accordance with applicable local laws. AlayaCare verifies a new employee’s education and previous employment and performs reference checks. Where permitted by applicable law, AlayaCare may also conduct criminal, credit, immigration, and security checks depending on the nature and scope of a new employee’s role.
- Business Continuity
- Data Backups
AlayaCare performs regular backups of all of its production data, leveraging advanced AWS data infrastructure tools. Backed-up data is retained redundantly across multiple availability zones and encrypted in transit and at rest using Advanced Encryption Standard (AES-256).
- Physical Access Control - Data Center
AWS data centers that host the AlayaCare Services are strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means.
Authorized staff must pass two-factor authentication (2FA) a minimum of two (2) times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff. These facilities are designed to withstand adverse weather and other reasonably predictable natural conditions.
Each data center has redundant electrical power systems that are available twenty-four (24) hours a day, seven (7) days a week. Uninterruptible power supplies and on-site generators are available to provide backup power in the event of an electrical failure. For further information, please refer to AWS Physical Controls.
In addition, AlayaCare headquarters and office spaces have a physical security program that manages visitors, building entrances, CCTVs (closed circuit televisions), and overall office security. All employees, contractors, and visitors are required to wear identification badges.
- Threat Management
- Penetration Testing
AlayaCare performs penetration tests and engages independent third-party entities to conduct application-level penetration tests. Security threats and vulnerabilities that are detected are prioritized, triaged, and remediated promptly.
- Vulnerability Scanning
Internal vulnerability scans are run on a regular basis across all platforms and infrastructure.