HIPAA Notice
Alignment with HIPAA Principles — Last updated: March 2025
1. Overview
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is a United States federal law that establishes national standards for the protection of sensitive patient health information. While NurseOS is primarily designed for the Nigerian healthcare market and is governed by Nigerian law, we have voluntarily aligned our platform with the core principles and safeguards of HIPAA to ensure we provide the highest standard of health data protection to our users.
This alignment demonstrates our commitment to building a platform that meets or exceeds international best practices for health information security and privacy. By implementing HIPAA-aligned controls, NurseOS ensures that healthcare facilities using our platform can trust that their patient data is protected with the same rigor expected by the most stringent healthcare data protection frameworks globally.
2. HIPAA Privacy Rule Alignment
The HIPAA Privacy Rule establishes national standards for the protection of individually identifiable health information, known as Protected Health Information (PHI). NurseOS aligns with the Privacy Rule through the following measures:
- Minimum Necessary Standard: Our role-based access control system ensures that healthcare professionals only access the minimum amount of patient information necessary to perform their job functions. Access permissions are configured based on clinical role, department, and care relationship.
- Notice of Privacy Practices: This page serves as our notice describing how we use and disclose health information. Users are informed of their privacy rights at the time of account creation and through our Privacy Policy.
- Patient Rights: We support patient rights consistent with the Privacy Rule, including the right to access their health records, request amendments, receive an accounting of disclosures, and request restrictions on uses and disclosures.
- Business Associate Agreements: We maintain data processing agreements with all third-party service providers that may handle PHI, ensuring they are contractually bound to protect health information with the same level of care.
3. Encryption Standards
Consistent with HIPAA Security Rule requirements for technical safeguards, NurseOS implements comprehensive encryption to protect electronic Protected Health Information (ePHI):
3.1 Encryption at Rest
All ePHI stored in our database and file storage systems is encrypted at rest using AES-256 encryption. This includes patient records, clinical notes, vital signs, medication orders, and all other health-related data. Database encryption is implemented at the storage layer, so that if physical storage media were lost or stolen the data would remain unreadable without the decryption keys. Storage-layer encryption addresses that media-compromise scenario specifically; it does not by itself protect data from a user or process that already holds valid database or application credentials, which is why it is paired with the access controls and audit trails described below.
3.2 Encryption in Transit
All data transmitted between client applications and our servers is encrypted using TLS 1.3 with strong cipher suites. This ensures that ePHI cannot be intercepted or read during transmission over the network. We enforce HTTPS for all connections and reject any attempts to connect over unencrypted channels.
3.3 Key Management
Encryption keys are managed through a dedicated key management service with automatic key rotation, separation of duties for key access, and comprehensive audit logging for all key operations. Keys are stored separately from the data they encrypt, adding an additional layer of security.
4. Access Controls
Consistent with HIPAA requirements for access management and the "access control" standard (§ 164.312(a)), NurseOS implements the following access control mechanisms:
- Unique User Identification: Each user is assigned a unique identifier, and all actions are attributed to individual users. There is no shared account access.
- Role-Based Access Control (RBAC): Access to ePHI is controlled through a comprehensive RBAC system. User roles include Nurse, Doctor, Facility Admin, and Super Admin, each with defined permissions that limit access to only the data necessary for their role.
- Multi-Factor Authentication (MFA): NurseOS supports optional two-factor authentication (2FA) using time-based one-time passwords (TOTP). Facility administrators can enforce MFA for all users in their facility. Because TOTP protects against password compromise but a one-time code can still be phished, facilities handling sensitive records should enforce MFA rather than leave it opt-in.
- Automatic Session Timeout: User sessions are automatically terminated after a period of inactivity, requiring re-authentication to regain access. Session duration is configurable by facility administrators.
- Emergency Access Procedure: In emergency situations where normal access procedures cannot be followed, NurseOS provides a break-glass mechanism that allows authorized personnel to access patient data, with all such access logged and flagged for review.
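As an added illustration of how the minimum-necessary, care-relationship and break-glass rules above fit together (example code written for this page, not NurseOS's own implementation): the role names are the ones listed in section 4, but the permission matrix, the record sections, the facility and care-team checks, and the helper names are assumptions for the example. The break-glass path waives only the care-relationship requirement, still bounds access by role and facility, and always writes a flagged audit event.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Role -> record sections the role may read/write. The role names are the ones
# section 4 lists; the sections and the matrix itself are assumptions for this
# example, not the NurseOS permission model.
ROLE_PERMISSIONS = {
    "nurse": {"read": {"vitals", "notes", "medications"}, "write": {"vitals", "notes"}},
    "doctor": {"read": {"vitals", "notes", "medications", "labs"},
               "write": {"notes", "medications", "labs"}},
    "facility_admin": {"read": {"demographics"}, "write": {"demographics"}},
    # Platform operators get no clinical-record access by default (assumption).
    "super_admin": {"read": set(), "write": set()},
}


@dataclass
class User:
    user_id: str
    role: str
    facility: str


@dataclass
class Patient:
    patient_id: str
    facility: str
    care_team: set        # user_ids with an active care relationship


@dataclass
class AuditEvent:
    user_id: str
    patient_id: str
    action: str
    section: str
    allowed: bool
    break_glass: bool
    reason: str
    timestamp: str = field(
        default_factory=lambda: datetime.now(timezone.utc).isoformat())


AUDIT_LOG: list = []


def authorize(user, patient, action, section, break_glass_reason=None, log=AUDIT_LOG):
    """Decide whether `user` may perform `action` on one `section` of the
    patient's record, and append an AuditEvent whatever the outcome."""
    perms = ROLE_PERMISSIONS.get(user.role, {"read": set(), "write": set()})
    role_ok = section in perms.get(action, set())
    same_facility = user.facility == patient.facility
    in_care_team = user.user_id in patient.care_team

    allowed = role_ok and same_facility and in_care_team
    flagged = False
    reason = "role, facility and care-relationship checks"

    if not allowed and break_glass_reason and role_ok and same_facility:
        # Break-glass waives only the care-relationship requirement: the
        # role's permissions and the facility boundary still apply, and the
        # event is flagged so it surfaces in review.
        allowed = True
        flagged = True
        reason = "BREAK-GLASS: " + break_glass_reason

    log.append(AuditEvent(user.user_id, patient.patient_id, action, section,
                          allowed, flagged, reason))
    return allowed


def flagged_events(log=AUDIT_LOG):
    """Break-glass events queued for administrator review."""
    return [e for e in log if e.break_glass]
```

Denied attempts are logged as well as granted ones, so a user probing records outside their care relationship shows up in the trail even when nothing was disclosed. The design choice worth copying is that break-glass never widens a role's permissions; it only relaxes the care-relationship check, and only within the caller's own facility.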
5. Audit Trails
Consistent with the HIPAA Security Rule's audit control requirement (§ 164.312(b)), NurseOS maintains comprehensive audit trails that record all access to and modifications of ePHI:
- Access Logging: Every instance of viewing, creating, modifying, or deleting patient records is logged with the user ID, timestamp, action type, and affected records.
- Authentication Logging: All login attempts (successful and failed) are logged, including the IP address, device information, and timestamp.
- Data Modification Tracking: Changes to clinical records include before-and-after values, enabling complete reconstruction of the record at any point in time.
- Export and Download Tracking: All data exports and downloads are logged, including the user, data scope, and timestamp.
- Retention: Audit logs are retained for a minimum of six (6) years, consistent with the six-year documentation retention period in the HIPAA Security Rule (§ 164.316(b)(2)) and with Nigerian healthcare record retention standards.
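An added example, not NurseOS code, of the before-and-after change journaling described above and the point-in-time reconstruction it enables. The record fields, user IDs and timestamps are constructed for illustration, and the class and method names are assumptions; the verify() method is one way to detect an edited journal entry, in the spirit of the integrity controls in section 6.

```python
class ClinicalRecordJournal:
    """Append-only change journal for one clinical record.

    Every entry records who changed what and when, with the before and after
    value of each field, so the record can be rebuilt as it stood at any
    moment. Illustrative code written for this page, not NurseOS's own.
    Timestamps are ISO-8601 UTC strings ("2025-03-01T08:00:00Z"), which
    compare correctly as plain strings when all share that exact format.
    """

    def __init__(self, record_id, initial, user_id, ts):
        self.record_id = record_id
        self.entries = []
        self._append(user_id, ts, "create",
                     {k: (None, v) for k, v in initial.items()})

    def _append(self, user_id, ts, action, changes):
        self.entries.append({
            "seq": len(self.entries),
            "user_id": user_id,
            "timestamp": ts,
            "action": action,
            "changes": changes,   # field -> (before, after)
        })

    def update(self, user_id, ts, new_values):
        """Log a modification. Returns the new entry, or None if nothing changed."""
        if ts < self.entries[-1]["timestamp"]:
            raise ValueError("journal entries must be appended in time order")
        current = self.snapshot()
        changes = {k: (current.get(k), v)
                   for k, v in new_values.items() if current.get(k) != v}
        if not changes:
            return None       # a no-op write is not a modification event
        self._append(user_id, ts, "modify", changes)
        return self.entries[-1]

    def snapshot(self, as_of=None):
        """Replay the journal up to `as_of` (inclusive) to rebuild the record."""
        state = {}
        for entry in self.entries:
            if as_of is not None and entry["timestamp"] > as_of:
                break
            for name, (_before, after) in entry["changes"].items():
                state[name] = after
        return state

    def verify(self):
        """Integrity check: each entry's 'before' values must equal the state
        produced by replaying the entries preceding it, so an entry whose
        stored values were edited after the fact fails the check."""
        state = {}
        for entry in self.entries:
            for name, (before, after) in entry["changes"].items():
                if state.get(name) != before:
                    return False
                state[name] = after
        return True
```

Storing the before value alongside the after value is what makes reconstruction at an arbitrary time possible without keeping a full copy of the record per change, and it gives each entry a link to its predecessor that verify() can check. That check catches an edited entry; it does not by itself prove that no entry was deleted, which is why audit storage should also be append-only at the infrastructure level.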
6. Integrity Controls
NurseOS implements mechanisms consistent with the HIPAA integrity standard (§ 164.312(c)) to ensure that ePHI is not altered or destroyed in an unauthorized manner. These controls include: checksums and integrity verification for stored data, database constraints that prevent orphaned or inconsistent records, version history for all clinical documents, and automated monitoring for unauthorized data modifications.
7. Transmission Security
Consistent with the HIPAA transmission security standard (§ 164.312(e)), NurseOS implements safeguards to guard against unauthorized access to ePHI being transmitted over electronic communications networks. All API communications use TLS 1.3 encryption. Data exchanged between NurseOS modules (referrals, consultations) is encrypted both in transit and at the destination. Our PWA offline-first architecture stores data locally using encrypted storage and synchronizes securely when connectivity is restored.
8. Disclaimer
While NurseOS is designed to align with HIPAA principles and implements comparable safeguards, NurseOS has not undergone a formal third-party HIPAA compliance assessment. Note that there is no official HIPAA certification: the U.S. Department of Health and Human Services does not certify products or organizations, and third-party assessments are attestations rather than certifications. Our alignment with HIPAA principles is a voluntary commitment to best practices in health data protection and does not constitute legal compliance with HIPAA as a Covered Entity or Business Associate under U.S. law. Healthcare organizations that are subject to HIPAA should conduct their own compliance assessment before using NurseOS for processing PHI subject to HIPAA.
9. Contact Us
For questions about our HIPAA alignment or security practices, please contact our security team:
NurseOS Security & Compliance
Email: security@nurseos.com
WhatsApp: +234 705 235 6638