Guest Intake, a wholly owned subsidiary of Book4time Inc. (“Guest Intake”, “we”, “us” or “our”), has created this security policy (“Security Policy”) to demonstrate our commitment to safeguarding our customers’ data using commercially reasonable and appropriate security controls for the data we obtain from you on www.guestintake.com, on our mobile sites and applications, and/or from consumers completing intake forms (the “Site”), and through the services, features, content or applications we offer (collectively with the Site, the “Guest Intake Service” or “Services”).
We reserve the right to change this Security Policy from time to time. Your access to and use of the Site and Service are subject to the Security Policy in effect at the time of such access. If we make material changes to our security controls, we will notify you by posting an announcement on the Service or by sending you an email, and we will post the most up-to-date version of this Security Policy at www.guestintake.com/security-policy. Please review this Security Policy frequently to remain informed of Guest Intake’s information security practices. You are bound by any changes to the Security Policy when you use the Service after such changes have first been posted.
We take the confidentiality, integrity and availability of our customers’ data seriously. As part of this effort, we have established an Information Security team, tasked with all aspects of security: from the physical security of corporate offices and data centers, to the development and operational areas of Information Technology.
Guest Intake’s software and operations are designed to comply with the requirements of HIPAA and the PCI DSS. Our information security program, built mainly around HIPAA and industry-standard PCI DSS compliance, is a comprehensive governance framework designed to educate staff and to protect against, detect and respond to security incidents.
We run automated vulnerability scans across all of our corporate, non-production and production environments to identify missing patches and known vulnerabilities. Our web applications are tested in the same way, supplemented by code scanning and by penetration testing exercises performed by skilled ethical hackers.
We also deploy anti-virus and anti-malware protection on all of our devices, and we review our firewall policies periodically to ensure that only legitimate traffic is permitted into our networks.
We protect HIPAA- and PCI-scoped data at rest and in transit with strong, industry-standard encryption, following established best practices, and we apply the relevant security fixes promptly when new vulnerabilities, including zero-day issues, are disclosed.
Guest Intake employs various intrusion detection technologies at the network and system level. These are designed to alert us to possible malicious activities or malware infections targeting our networks and systems.
We also monitor alerts issued by vendors and security groups, especially those concerning newly disclosed vulnerabilities, including zero-day vulnerabilities for which no vendor patch is yet available.
All access to our production data center requires two-factor authentication. Our hosting provider, Amazon Web Services (Amazon EC2), is PCI DSS compliant, supports HIPAA-regulated workloads, and undergoes the industry-standard SOC 1 and SOC 2 audits. This means their security processes have been independently assessed against strict criteria for service organizations. These attestations cover the provider’s infrastructure; Guest Intake remains responsible for the security of the application and data it operates on that infrastructure.
Recommended Best Practices
While Guest Intake meets its own HIPAA requirements, you also have your own HIPAA obligations for the intake data you handle (for example, if you print intake forms on physical paper), as well as other recommended best practices that you are responsible for, specifically:
- Maintain an appropriate level of security (both physical and logical) for all local systems (including but not limited to networks, desktop computers, tablets, and mobile phones) involved in possible storing, processing and transmission of health intake forms.
- The security program should include, but is not limited to:
  - Installing appropriate anti-virus and anti-malware protection;
  - Implementing a robust software patching process;
  - Implementing a robust user and password management process, including strong, unique passwords, periodic password changes, prompt deletion of user accounts after staff departures, and so forth;
  - Using the Guest Intake system as designed; and
  - Notifying Guest Intake immediately of any suspected compromise or unusual account activity via email@example.com.
How to Contact Us
Questions regarding this Security Policy or the security-related practices of the Site should be directed by sending an email to firstname.lastname@example.org.
Effective Date: This Security Policy is effective as of April 1, 2016.