Your usage of KnowledgeOwl can be HIPAA compliant if you meet the following requirements:
- Sign a Business Associate Agreement (BAA) with KnowledgeOwl. BAA are available for our Business and Enterprise customers. Please contact us to execute a BAA.
- Enable the "Force SSL links" option under Settings > Basic. This ensures that your data is always encrypted. KnowledgeOwl encrypts data in-transit and at-rest.
HIPAA Dos and Don't
There are many features in KnowledgeOwl. Some will help with HIPAA-compliance, while others could cause issues. Here are some dos and don'ts for your HIPAA-compliant configuration.
|Use unique logins for each user and reader||Share logins|
|Use Single Sign-On for authentication||Use less secure authentication options like shared passwords|
|Force SSL||Use the "remember me" function to keep you logged in|
|When possible, require authentication to view any image or file from your file library||Upload files containing PHI to the file library. Files are not encrypted.|
|Use teams, groups and roles to practice the principle of least privilege with regards to access control||Increase the reader expiration to keep readers logged in longer than necessarily. Readers should be automatically logged out after a period of inactivity. The default is 2 hours.|
|Disable comment notification emails when using comments. Emails are not encrypted.||Approve any comment submissions containing PHI.|
|Enable "Do not store any collected ticket information within KnowledgeOwl" when using the contact form that might contain PHI.||Use the Send Email method when using the contact form. Emails are not encrypted.|
It's a HIPAA best practice to store PHI in as few places as possible. When you delete items in KnowledgeOwl, they are still stored in a deleted status and are not permanently destroyed by default.
If you realize that you accidentally added PHI to KnowledgeOwl and want to permanently delete it from the database, contact us to have it destroyed.
Breach notification rule
The Breach Notification Rule requires KnowledgeOwl, if acting as a business associate, to notify you, the covered entity, of breaches at or by the business associate. We will notify you without unreasonable delay and no later than 60 days from the discovery of the breach.
When possible, we will provide you with the identification of each individual affected by the breach as well as any other available information required to be provided by you in your notification to affected individuals. While you are ultimately responsible for ensuring individuals are notified, you may delegate the responsibility of providing individual notices to us as the business associate.
If you have any questions or would like to lodge a complaint regarding our compliance of the Breach Notification Rule, you can email firstname.lastname@example.org. You may also file an online compliant with the Office of Civil Rights (OCR).