Compliance with HIPAA When Using Weave

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that seeks to improve the efficiency and effectiveness of the healthcare care system, while also establishing national standards for privacy and security protections for health information. The following information regarding HIPAA is not legal advice and is provided for information purposes only. Weave encourages you to seek legal advice from an attorney to obtain specific guidance-related compliance with HIPAA and the requirements applicable to your business.

HIPAA includes three primary rules:

• The Privacy Rule establishes standards for the protection of certain protected health information (PHI).
• The Security Rule establishes security standards for protecting the confidentiality, integrity, and availability of PHI held or transmitted in electronic form, otherwise known as electronic protected health information (ePHI). 
• The Breach Notification Rule establishes standards for notification following a breach of unsecured PHI.

HIPAA generally applies to health plans, health care clearinghouses, and to most healthcare providers. These are referred to as “covered entities.” Additionally, persons or entities (like Weave) who perform functions or activities on behalf of a covered entity that involve access to PHI may also be considered “business associates” subject to certain HIPAA standards. 

You can learn more about HIPAA requirements from the Department of Health and Human Services (HHS). 

It’s important to know that HHS does not endorse or recognize private organizations’ HIPAA “certifications”. Some service providers may claim that they or their systems are “HIPAA compliant” or “HIPAA certified”. These claims are misleading, as compliance with HIPAA and other applicable laws and regulations will depend on your particular use case and context. 

Weave is committed to protecting your data, including the PHI of your patients. Weave has been designed with features to support you in complying with HIPAA, while also enabling you to make the most of your communications with patients. However, primary responsibility for compliance with HIPAA rests with you. You are responsible for your use of the Weave service and for ensuring that your use of the Weave service complies with HIPAA and other applicable laws. This includes, but is not limited to:

• Taking your own steps to maintain appropriate security and privacy protections, including properly limiting access to the Weave service. 
• Ensuring that all communications sent through the Weave service comply with the HIPAA Privacy and Security Rules, including calls, texts, faxes and email marketing messages. 
• Notifying Weave of any of your policies, agreements or restrictions to which you have agreed that may affect Weave’s performance of services, and any changes in, or revocation of, permission by an individual to use or disclose PHI, to the extent that such changes may affect Weave’s use or disclosure of PHI.

Our legal, compliance, and security teams work across the company and alongside our customers to understand and meet customer needs. Weave has implemented the following safeguards to meet HIPAA requirements:

• Weave has established and implemented policies governing the protection and use of PHI. 
• Weave has implemented administrative, technical, and physical safeguards for protecting PHI. Weave regularly reviews and enhances safeguards based on risk assessments. Safeguards in place include:
• Logical and physical access controls are employed to ensure that only authorized personnel access PHI.
• Encryption of data in-transit and at rest. Weave employs industry standard TLS 1.2+ and HTTPS encryption when transferring data between subscribers and Weave’s infrastructure. All subscriber data is encrypted at rest using AES-128-bit symmetric encryption keys or better.
• Security awareness training and education for all Weave personnel.
• Incident detection and response capability to detect and respond to security incidents and appropriately report any unauthorized access or use of PHI.
• Data is regularly backed up and replicated to geographically dispersed locations, which allows us to quickly recover and restore data and systems in the case of data corruption or loss.
• Weave’s privacy and security safeguards are reviewed and assessed by independent advisors. 
• Weave has established a standard business associate agreement (BAA), which is an addendum to our standard Terms of Service. Our Terms of Service and BAA, together with our Privacy Policy, are designed to address Weave’s commitments for protection and use of personal information and PHI, per HIPAA, and other applicable privacy laws and regulations. Weave only uses your data to provide the Weave service to you, except with your prior written consent or as otherwise expressly permitted under the Terms of Service or BAA.
• Weave ensures that its subcontractors and personnel authorized to access PHI are bound by appropriate obligations of confidentiality or a BAA.

Below is additional information of which you should be aware and that will help you comply with HIPAA when communicating through the Weave service:

Team Chat

• Team Chat is designed to support secure communication between team members, with all messages encrypted in transmission and at rest.

Messages

• Weave Messages can be used to communicate in a manner that is compliant with HIPAA. However, it is your responsibility to discuss with your patients what information may be communicated via text, especially sensitive information and PHI. Text messages sent through Weave are transmitted via traditional SMS text message methods. Traditional SMS text messages are generally considered an insecure mode of communication, as texts are not encrypted in transit and there are limited controls over the message after it is sent. Compliance with HIPAA when sending texts will depend on the content of the text and other factors.

Fax

• Faxes sent through Weave are encrypted at rest with a unique encryption key for each customer. Additionally, Weave encrypts faxes sent through Weave. However, you should apply reasonable safeguards when sending PHI through fax to protect the information from inappropriate use or disclosure. More guidance is available by visiting the HHS website.

Email Marketing

• The Email Marketing feature was designed for our subscribers to communicate updates, promotions, and newsletter-type information with their patient base. Weave's Email Marketing feature was not designed for the purpose of communicating ePHI. Accordingly, the Weave Email Marketing feature does not include end-to-end encryption or other security features which would protect the contents of an email, such as sensitive ePHI, while in transit to the intended recipient. Emails sent to customers through Weave Email Marketing should never include sensitive information, and you should always discuss with your customers what information may be emailed to them.
• The HIPAA Privacy Rule provides individuals important controls over whether and how their PHI is used and disclosed for marketing purposes as that term is defined by HIPAA. With some exceptions, the Privacy Rule requires an individual’s written authorization before a use or disclosure of his or her PHI can be used for marketing. Compliance with the Privacy Rule while using Weave’s Email Marketing will depend on the content of the email and other factors. You can learn more about HIPAA and marketing by visiting the HHS website. 

Digital Forms

• Forms sent and received through the Digital Forms service are encrypted in transit and at rest. 

Call Recordings

• Call recordings are encrypted at rest with a unique encryption key for each customer. 

Keep in mind, Weave cannot give you legal advice. Compliance with HIPAA and other applicable laws and regulations will depend on your particular use case and context. This information should not be relied upon as legal advice or to determine how legal requirements apply to your use of the Weave service. Weave encourages you to seek guidance from your legal counsel regarding the requirements of HIPAA and other relevant laws and regulations to ensure compliance.