Your usage of KnowledgeOwl can be HIPAA compliant if you sign a Business Associate Agreement (BAA) with KnowledgeOwl. BAAs are available for our Business and Enterprise customers. Please contact us to execute a BAA.
HIPAA Dos and Don'ts
There are many features in KnowledgeOwl. Some will help with HIPAA compliance, while others could cause issues. Here are some dos and don'ts if you want to maintain HIPAA compliance:
| DO | DON'T |
|---|---|
| Use unique logins for each author and reader | Share logins |
| Use Single Sign-On for authentication | Use less secure authentication options like shared passwords |
| When possible, require authentication to view any image or file from your file library | Use the "remember me" function to keep you logged in |
| Use teams, groups, and roles to practice the principle of least privilege for access control | Upload files containing PHI to the file library. Files are not encrypted. |
| Disable comment notification emails when using comments. (Emails are not encrypted.) | Increase the reader expiration to keep readers logged in longer than necessary. Readers should be automatically logged out after a period of inactivity. The default is 2 hours. |
| Enable "Do not store any collected ticket information within KnowledgeOwl" when using the contact form if submissions might contain PHI. | Use the Send Email method when using the contact form. Emails are not encrypted. |
| | Approve any comment submissions containing PHI. |
Deleting data
It's a HIPAA best practice to store PHI in as few places as possible. When you delete items in KnowledgeOwl, they are still stored in a deleted status and are not permanently destroyed by default.
If you realize that you accidentally added PHI to KnowledgeOwl and want to permanently delete it from the database, contact us to have it destroyed.
Breach notification rule
The Breach Notification Rule requires KnowledgeOwl, if acting as a business associate, to notify you, the covered entity, of breaches at or by the business associate. We will notify you without unreasonable delay and no later than 60 days from the discovery of the breach.
When possible, we will provide you with the identification of each individual affected by the breach as well as any other available information required to be provided by you in your notification to affected individuals. While you are ultimately responsible for ensuring individuals are notified, you may delegate the responsibility of providing individual notices to us as the business associate.
If you have any questions or would like to lodge a complaint regarding our compliance with the Breach Notification Rule, you can email support@knowledgeowl.com. You may also file an online complaint with the Office for Civil Rights (OCR).