We take patient data privacy seriously.

We understand that trust is critical when it comes to patient/therapist relationships, so we do not take any shortcuts to protect your client’s information. Our entire platform is HIPAA compliant and held to the utmost privacy standards, including the encryption of data on record, in transit and at rest. We don’t stop with HIPAA and we take the extra step to make sure your data is safe. This includes continuous monitoring of our system, internal and external audits, and holding one of the highest standards for information security.

How do we store and handle PHI?

Once a therapist starts to use our system, the PHI goes through the following process:

​

Recorded -> Encrypted -> Analyzed -> Populated back into the therapist’s dashboard for 90 days -> After 90 days, the information is de-identified/deleted.
 

We believe 90 days is sufficient for most therapists to review the recording and its analysis, however, if you wish to save the recording for a longer period of time that is perfectly fine with us. Simply click the ‘download’ button and the recording will be downloaded to your device. At this point, we have no responsibility for the handling of that recording and you must obey the relevant rules and regulations regarding holding of PHI. In any case, the individual user is not responsible for maintaining records (e.g., clinical training programs). His administrator/supervisor will be granted access to enable/disable the option to download the recording for his users/trainees.

What is the initial storage period and what happens after it?

The initial storage period is a period of time that PHI ( in the form of recording) are available for the user. After the pre-defined storage term, PHI (in the form of recordings) are completely de-identified and will no longer be accessible for the user. De-identification means that there would not be any possibility to re-identify the patient/session or undo this process. All personal information (such as names and addresses) will be changed/removed entirely using proprietary technology and human quality assurance. In the event that you wish to permanently delete the recording, just press the delete button and no de-identified data will be saved in any way (all PHI will be deleted forever).

What do you do with the de-identified data?

We may retain de-identified recordings (audio only) in order to assure and improve the accuracy of our system. Prior to this internal and secure process, we make sure that no personal information is still available throughout the recording. In the event that we use your de-identified information to improve our system performance, the handling of that information will be carried out only by the members of our clinical review team who are professionals in data protection and sensitive data handling. All other Eleos Health employees have no access to this data.

Do you sell the de-identified data?

We do not sell or license information, recordings or any other form of data to anyone. 

What about informed consent from my clients?

You are responsible for obtaining consent to record sessions from your clients. The rules and laws governing the recording of patient sessions can differ by jurisdiction and the provider’s credential type. It is your responsibility to know what laws apply to you, your practice, and the records you maintain. Lastly, it is important for you to know that several academic studies have shown that the vast majority of clients see the value in recording their sessions and for the most part you will not encounter any resistance in asking for their consent.