SpotlerCRM is compliant with HIPAA on all price plans.

The Health Insurance Portability and Accountability Act (HIPAA) is US legislation designed both to protect US citizens’ health insurance and to provide safeguards over the handling of patients’ personal and medical electronic data.

In Europe this protection is standard and a legal requirement for all EU citizens’ data, not just medical records, and is therefore covered by the EC data directives and the UK’s Data Protection Act.

For a CRM system to be HIPAA compliant it needs to have systems and policies in place to ensure that individuals’ data confidentiality is maintained, that the data is stored securely, is not transmitted unencrypted, and is backed up.

HIPAA compliance covers these key areas:

HIPAA Administrative Safeguards in SpotlerCRM

  • All PHI (Protected Health Information) data held on behalf of our customers is legally owned by the customer and will not be disclosed to anybody else. See our Cloud CRM Data Security FAQ.
  • All staff are briefed on the importance of customer data security and have specific clauses in their contracts covering data confidentiality.
  • All data is backed up, both with real-time replication across two datacentres and with snapshot backups every night.
  • Should any security breach be identified by SpotlerCRM, it will be immediately communicated to the customer.
  • Staff will only access customer data with the customer’s permission.

HIPAA Physical Safeguards in SpotlerCRM

  • All data is securely stored on physical servers owned by SpotlerCRM.
  • The servers are hosted in ISO-27001 compliant datacentres protected by CCTV and secure access controls, in locked racks.

HIPAA Technical Safeguards in SpotlerCRM

  • No data is stored on the users’ workstations.
  • Data flowing between the users’ workstations and our servers is encrypted using SSL.
  • All users have unique login credentials consisting of company name, email address and password.
  • All data changes are timestamped and recorded with the user’s ID.

It is, of course, up to the users of the CRM to also maintain their own systems and policies. They need to ensure that the data stored in the CRM is only accessed by authorised users, that it is not transmitted insecurely or to unauthorised personnel, and that data extracts and reports downloaded by their users are securely held.

Business Associate Agreements

Signed Business Associate Agreements that certify compliance with HIPAA are available for Enterprise Plan customers.