Security Notice

How we protect your data on our web-based medical billing software

What this security policy covers

This security policy pertains to the security measures in place at Kareo for protection of personal and protected health information in connection with the use of the Kareo web site or Kareo web-based medical billing software.

Unique identification of users

To comply with HIPAA requirements and to provide a high-quality, secure service, Kareo requires all users to have a unique username. Kareo currently requires the username for the Kareo web-based medical billing software service to be a valid email address.

In addition to a username, every user account must be protected with a password of sufficient complexity. Kareo allows its customers to set their own password complexity policy. If your user account has access to multiple Kareo customers, you will be required to use the more restrictive policy.

All Kareo web-based medical billing software sign-ins are protected by account lock-out systems. If a user incorrectly authenticates a number of times, their user account will be locked until an administrative user unlocks it.

Security on the Kareo web site

Kareo service users may choose to sign into their account at the Kareo web site in order to access the downloads or account status. Such sign-ins are protected by SSL security. Your browser will usually display an indicator (such as a "lock" icon) when using a secure SSL connection.

Security in the Kareo service

All Kareo web-based medical billing software applications communicate with a server hosted entirely by Kareo. All communications are secured with public-key encryption.

Role-based security

Every user in the Kareo web-based medical billing software system belongs to one or more roles. Each role is defined by the customer and is assigned a set of permissions. Kareo roles follow an allow, then deny, pattern of applying permissions: the permissions of multiple roles are combined, and the result is then filtered against any role's restrictions.

Application locking

In accordance with HIPAA policies, Kareo's web-based medical billing software applications will automatically lock if left unattended for a period of time. The user must provide correct credentials before using the application again.

Kareo password policy

Kareo system passwords are meant to serve as the last line of defense in protecting sensitive patient medical and financial records, as well as practice financial information. They serve as a deterrent to malicious agents as well as protection against casual or accidental lowering of security through carelessness.

Users are encouraged to make passwords as long as possible, and passwords must maintain a level of complexity such that they will not be easily guessed or cracked by a determined attacker. Passwords will expire on a regular basis, no less than 30 days and no greater than 180 days. Upon expiration, the new password cannot be any password used within the preceding year. A user may change their password at any point in the application or on the Kareo web site. Passwords changed by third parties will expire immediately: users can log in with them, but must immediately change their password to something that only they know.

Kareo will never store any passwords in permanent storage in a way that is reversible. The Kareo web-based medical billing software will never show the password in plain-text, human-readable form.

Changes to this security policy

Kareo may update this policy at any time for any reason. If there are any significant changes to how we handle security, we will notify you by sending a notice to the contact email address specified in your company's Kareo account or by placing a prominent notice on our site.

Questions

If you have questions or suggestions, you can contact us at:

Kareo Security Administrator
111 Academy Drive, Suite 150
Irvine, CA 92617
security@kareo.com

To report a security violation, please call us at 888-77-KAREO (888-775-2736).

Last Updated

This policy was last updated on July 22, 2009. The last change was an update of the Kareo mailing address.