The Health Insurance Portability and Accountability Act (HIPAA) was signed into law in August 1996 and is designed to improve the effectiveness and efficiency of the U.S. healthcare system and mandates national standards in several areas. 

Among HIPAA regulations are two important provisions: 

Bonterra is compliant with all requirements of the HIPAA act signed into law in 1996. Bonterra is committed to maintaining the highest levels of information security. 
​
The guiding principles of HIPAA can be summarized in the sections below and details on how each applies to ETO are included.

Audit trails for demographic information, participant program history, TouchPoints, and Collections includes tracking of the following: old value, new value, date changed and user who made the changes.

ETO software utilizes user name and password functionality to prevent unauthorized application access and roles to restrict user access to components within the application. Each unique user account is assigned access to particular programs and also assigned one of nine levels of access which can be customized to allow users access to certain features. Role levels typically range from the administrator, who manages all the structural elements of the system, or program managers who have access to individual and aggregate staff and client information, to end-users who have the narrowest access. A user or a local site administrator can change/reset a password as needed. Bonterra Customer Support Center will never reset a user’s password and provide them with the password, but Support will, instruct a user how to reset their own password

Bonterra recognizes the importance of maintaining secure and confidential access to client data. Toward that end, ETO software offers highly sensitive password protection and management functionality.

Data housed in ETO is stored and processed separately by program. For example, users who are working on the ABC project access and process ETO data separately from users working on the XYZ project. Therefore users assigned to a program can only see data for the participants, services, or outcomes associated with that program. This protection can extend down to an optional caseload level, as needed, where one user can only see data related to participants assigned to his/her own caseload.

Internal emails that are sent within ETO require the recipient log in to ETO to read the message. These messages are maintained in history for 60 days. External emails that are sent within ETO do not contain full PII.

Bonterra, Inc. uses Amazon Web Services (AWS) hosting facilities for data protection, disaster recovery, and backup strategy. As part of this partnership, Bonterra’s clients receive the benefit of a world class managed and fully redundant data center infrastructure.

All ETO software servers are backed up nightly using Quest/Dell NetVault Backup software. For added security, the backup data is encrypted using AES-256 algorithm.

Bonterra, Inc. uses Amazon Web Services (AWS) hosting facilities for data protection, disaster recovery, and backup strategy. As part of this partnership, Bonterra’s clients receive the benefit of a world class managed and fully redundant data center infrastructure.

AWS security certifications such as SOC1 allow us to remain compliant with your data. Standards such as AES 256, which enables encryption of data at rest, ensures no one can view your data. Amazon Virtual Private Cloud allows us to create a private facing subnet for databases and application servers, in order to have more security control around your mission critical workloads.

All ETO software servers are backed up nightly using Quest/Dell NetVault Backup software. For added security, the backup data is encrypted using AES-256 algorithm.

Nightly full backup of all ETO Data using AES-256 encryption algorithm.