Privacy Policy of Epiphany Women's Health

This Application collects some Personal Data from its Users.

Personal Data processed for the following purposes and using the following services:

    • Advertising

      • Google AdSense and Meta Lookalike Audience

        Personal Data: Trackers; Usage Data

      • Meta Audience Network and TikTok conversion tracking

        Personal Data: Trackers; unique device identifiers for advertising (Google Advertiser ID or IDFA, for example); Usage Data

    • Analytics

      • Google Analytics (Universal Analytics) with anonymized IP and Google Analytics (Universal Analytics)

        Personal Data: Trackers; Usage Data

    • Contacting the User

      • Contact form

        Personal Data: date of birth; email address; first name; gender; last name; phone number

    • Displaying content from external platforms

      • Google Fonts

        Personal Data: Trackers; Usage Data

    • Heat mapping and session recording

      • Hotjar Heat Maps & Recordings

        Personal Data: Trackers; Usage Data; various types of Data as specified in the privacy policy of the service

    • Tag Management

      • Google Tag Manager

        Personal Data: Trackers; Usage Data

Information on opting out of interest-based advertising

In addition to any opt-out feature provided by any of the services listed in this document, Users may learn more on how to generally opt out of interest-based advertising within the dedicated section of the Cookie Policy.

Further information about the processing of Personal Data

    • ModMed

      Epiphany Women's Health uses ModMed EMR (EHR) for all health care recording. In order to book an appointment, receive services, receive medical treatment, and/or engage in any professional manner with Epiphany Women's Health you will be submitting your personal information to Epiphany Women's Health via ModMed. ModMed also operates in conjunction with Klara and ModMed BOOST.

      Klara is ModMed's Conversational Patient Engagement Software that is used to schedule and/or reschedule appointments for Epiphany Women's Health.

      Epiphany Women's Health utilizes ModMed BOOST payment processing. Epiphany Women's Health accepts cash and insurance providers for services provided at its clinics.

      Below you will find the privacy policy information and how ModMed handles personal information within their database.

      Confidentiality:
      Confidentiality is the prevention of the disclosure of information to unauthorized individuals or entities. Our EHR system, EMA® (Electronic Medical Assistant), maintains confidentiality by encrypting all of the communication to and from its servers to your computer (or iPad) during transmission. Encryption is achieved using “high-grade” (AES-256 bit) TLS encryption. This is the same level of encryption that banks use for online transactions. Encryption occurs automatically and requires no special configuration by you. This method of encryption allows for the secure exchange of information under almost any network environment. EMA does not support unencrypted methods of communication — all communications are encrypted.

      Integrity:
      Integrity means that data cannot be modified without detection. Since all messages to and from EMA are sent using TLS, all messages have a built-in integrity check. Think of integrity as the fingerprint of the original message that allows detection if the message has been tampered with.

      Authentication:
      Authentication answers the question: “Are you who you say you are?” Authentication in EMA occurs
      via a password that has a minimum length and complexity. We strongly recommend passwords with
      at least 12 characters that contain at least one uppercase letter, one lowercase letter and one number.

      Passwords should never be a real word found in a dictionary, identifiable names, the name of the
      practice or the word “password.” The strongest passwords are random, and to make them easier
      to remember, try a combination of a word spelled incorrectly, a date and a symbol. For example:
      ehamPulpass1974? or Luvs28^s or Sk!nd0ct0rz. Once you tell EMA a password, we use a one-way encryption function and never store the original password in our system. To further safeguard against unauthorized access, we also recommend enabling multifactor authentication (MFA). With this feature you must provide a security code displayed on an authenticator app running on your mobile device in addition to entering your password.
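      An added example, not ModMed's or Epiphany Women's Health's code, that checks a candidate against the password recommendation quoted above and stores only a salted one-way digest instead of the password itself; the denylist entries and the PBKDF2 parameters are assumptions.

```python
import hashlib
import hmac
import os
import re
from typing import List, Optional, Tuple

# Constructed stand-in for the page's denylist: dictionary words, identifiable
# names, the practice name and the word "password". A real deployment would
# load a full word list and the practice's own names here.
DENYLIST = {"password", "epiphany", "epiphanywomenshealth", "welcome", "letmein"}
MIN_LENGTH = 12          # "at least 12 characters"
PBKDF2_ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256


def check_password(candidate: str) -> List[str]:
    """Return the policy rules the candidate violates (empty list if it passes)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than 12 characters")
    if not re.search(r"[A-Z]", candidate):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", candidate):
        problems.append("no lowercase letter")
    if not re.search(r"[0-9]", candidate):
        problems.append("no digit")
    # Strip digits and symbols so "Password1234!" is still caught as the
    # denylisted word "password" with decoration around it.
    core = re.sub(r"[^a-z]", "", candidate.lower())
    if core in DENYLIST:
        problems.append("is a denylisted word or name")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """One-way storage: keep only (salt, digest); the original password is never kept."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored_digest)
```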

      Availability:
      Availability means the software is accessible when expected and needed. We view EMA as a “mission-critical” application — we understand that it needs to be available for you to conduct your business, and we have taken a number of steps and implemented various characteristics intended to maintain the availability of EMA, including cloud computing, built-in redundancies, a backup data center, load-balanced application servers, continuous backup and replication, and planned downtime.

      CLOUD COMPUTING
      EMA is hosted “in the cloud.” Cloud computing is the use of computing resources (hardware and
      software) that are delivered as a service over a network (typically the internet). EMA utilizes Amazon’s cloud computing EC2 (Elastic Cloud Computing) network — the same computing environment used by many Fortune 500 companies to host their own high-availability sites.

      REDUNDANCY
      Redundancy is the provision of additional or duplicate systems and equipment that function in case
      an operating part or system fails. First, the hardware we use within Amazon’s cloud has built-in
      redundancies such as multiple power supplies, multiple network controllers, and multiple CPUs.
      If there is a hardware failure, we are likely to continue operations. Second, within Amazon we use
      redundant computers at each level of our application architecture. We have multiple application
      servers and database servers. Beyond this, your data is replicated in “real-time” across multiple
      Amazon “zones.” The value of this is that EMA should not be affected even if an entire Amazon
      zone experiences an unplanned outage.

      LOAD BALANCED APPLICATION SERVERS
      Inside the cloud, EMA is configured to run in a “high-availability” environment. Incoming requests are routed through a load balancer and directed to banks of EMA application servers that have redundant components. For example, in the unlikely event that a server becomes unresponsive, the load balancer will redirect traffic to the other functional servers allowing the practice to continue using EMA.

      CONTINUOUS REPLICATION
      EMA uses Amazon Web Services’ Simple Storage Service (S3) storage network, which gives us an
      ability to scale high-availability storage. S3 is a highly available storage network with redundancy at
      every level. As with the EMA application data, EMA replicates your practice data spanning multiple
      availability zones within the robust AWS infrastructure. Your valuable data benefits from seamless
      redundancy, which supports uninterrupted access to your practice’s critical information.

      PLANNED DOWNTIME
      We try to schedule downtime during non-clinic hours to minimize interruptions to our customers.
      Updates are typically completed in the late night and early morning hours or over the weekend.
      We try to provide at least 48 hours of advance notice for this planned downtime.

      How We’re Addressing Malware and Other Cybersecurity Attacks:
      Our security team has deployed a number of security defenses on our overall infrastructure, and we enforce ongoing employee security awareness training to help reduce the risk of an attack. These efforts include regular code review, analysis, and penetration testing against both our EMA application and our infrastructure. EMA uses Amazon’s S3 storage to store your unstructured (file) data. S3 is designed to provide high durability and availability of objects over a given year. EMA replicates your structured (database) data in real time across multiple availability zones, all located in the United States. So if one zone is imperiled, another zone stands ready to process and help prevent service interruptions. EMA also backs up your structured data (database) daily, putting a copy of the backup files into S3, isolating the backups from the local file store. Data in S3 is stored across multiple devices spanning a minimum of three physically separated AWS Availability Zones. We update the software with security patches on a regular basis. We also engage an independent third party to assess our internal security and IT controls and to help us evaluate their ongoing effectiveness by conducting an annual SOC 2 audit.

      Our Commitment:
      The team at ModMed is dedicated to making sure that your data is safe and sound and that EMA is
      available when you need it. We have invested in redundancies for business resiliency and to mitigate risk. We test and drill our teams and practice our protocols so that if and when there is a problem, we are ready to respond. You have our commitment that we’ll do our best to notify you of issues and be as transparent as we can be. We have an incredibly good track record of uptime, and we continuously work to improve it.

      ModMed is transforming how healthcare information is created, consumed and utilized in order to
      increase practice efficiency and improve patient outcomes. Our specialty-specific, data-driven and
      cloud-based EHR and Practice Management systems were built by subject matter experts including
      specialty physicians and practice management professionals. Our suite of products and services
      is designed to transform the clinical, financial and operational aspects of allergy, dermatology,
      gastroenterology, OBGYN, ophthalmology, orthopedics, otolaryngology, plastic surgery, pain
      management, podiatry and urology practices. ModMed also offers intuitive ASC software
      solutions that have been used by thousands of physicians and hundreds of surgery centers.

      EMA® EHR Security FAQ
      Here’s a list of our most frequently asked security questions about our EHR system, EMA. If
      your question isn’t covered here, let us know. We’ve got answers.

      Q: How does ModMed® help mitigate the risk of ransomware?
      A: We take several measures to help prevent and mitigate potential attacks.

      Here are some of the things we do:
      • Use advanced malware protection
      • Scan uploaded files for malicious software
      • Limit potential entry points for attackers
      • Review and test changes made to the operating system, our products and application infrastructure before going live
      • Automate patches, product upgrades and other server configuration changes
      • Employ intrusion detection intended to detect unauthorized modifications that could indicate a security breach
      • Perform regular database backups so we can restore files and databases in case of an incident
      • Isolate our production servers from the corporate network and restrict access
      Here are some of the things we DON’T DO:
      • Install desktop environments, GUI-based browsers or email clients on our production servers
      • Configure our servers to use removable media
      • Think that an attack could never happen to us — we strive to keep our systems and teams prepared

      Q: What would ModMed do if a ransomware attack occurred?
      A: We would deploy a coordinated emergency response, and our incident response team is prepared to work around the clock until the issue is resolved.

      If there were an extended outage, ModMed would try to restore service in an alternate AWS Availability Zone and provide data extracts (if available) upon request.

      Q: What are some differences between cloud-hosted and on-premise EHR systems, particularly when it comes to security?
      A: In a cloud-hosted environment, security responsibilities are shared between you and your vendor. This environment is naturally more compartmentalized or isolated from end-user computers. Even if malware infects one portion of your practice’s infrastructure, with a cloud-hosted EHR, that malware is better isolated from your EHR system.

      In on-premise environments you retain full responsibility and control for security responsibilities. If malware infects your on-site IT environment, it could more easily spread to your EHR system, other critical business systems and IT infrastructure.

      Q: Does your EHR support Active Directory (AD) authentication or SAML (Security Assertion Markup Language)?
      A: Yes, we support SAML, which will allow clients to log in through their own Active Directory (AD). In this way, your Active Directory (or other identity provider / directory) can enable your users’ login to EMA via the SAML protocol for Single Sign-On (SSO)* through your own Active Directory-based SSO service.

      Q: How are redundancy and replication implemented?
      A: Your data is replicated to redundant availability zones for increased resiliency. If a database becomes unresponsive, we automatically redirect traffic to a second database.

      Q: How do you address planned downtime for software and security updates?
      A: We try to schedule downtime during non-clinic hours to minimize interruptions to our customers. Updates are typically completed in the late night and early morning hours, or over the weekend. We try to provide at least 48 hours of advance notice for planned downtime.

      Q: How do we get started with multifactor authentication (MFA)?
      A: Practice administrators manage authentication and user privileges for practice staff users. They set up password rules, can restrict access by time and IP address, and can configure practice staff logins to require MFA for more secure authentication. The MFA feature is available in the practice administrator’s firm admin settings for them to enable when ready. Please note: MFA is not available for our Patient Portal at this time.

      Q: Are you SOC 2-audited, and how does that benefit me if I become your client?
      A: We undergo the SOC 2 auditing process annually to evaluate the effectiveness of our security measures and to demonstrate our commitment to protecting sensitive information. SOC 2 audit reports provide ModMed and its clients with independent professional assessments of information technology controls. These reports serve as a valuable resource to clients for their own vendor risk assessment needs.

      Q: What type of role-based access does your EHR offer?
      A: Within EMA, we offer the option to create three levels of user roles, with the added flexibility to assign more detailed access privileges. For example, some users may need to access e-prescribe medications, override scheduling templates, or view Analytics reports.

      Roles are typically broken into these three areas:
      • Front desk staff who need access to demographics and scheduling
      • Medical assistants and others who do not bill for services
      • Clinical staff who bill for services

      For more information, call ModMed - 561.235.7505

Contact information

    • Owner and Data Controller

      5008 North Glen Park Place Road
      Suite B
      Peoria, IL 61614

      Owner contact email: info@epiphanywomenshealth.com