HIPAA Compliance
MMNT’s Milton platform is built on a secure foundation. This document describes how the user data is protected on this platform while the data flows through various components and how the data is handled at various points and also at the storage level where the data at rest is secured.
Three main components used in building Milton play a part in securing the data in Milton.
1. Cloud Infrastructure, primarily AWS
2. Software components built by MMNT engineering teams that go into Milton
3. Third-party services such as Azure OpenAI APIs that Milton uses
This document describes a high-level view of how these parts contribute to Milton’s overall HIPAA compliance. User data is handled and passed through these systems. There are two separate flows.
1. User/member interaction with Milton
2. A provider/coach interaction with Milton Portal.
User/member interaction with Milton
- A user sends messages to Milton with a telephone number. That message goes through telecommunications networks, and then Milton receives it.
- After receiving the message, Milton processes it, constructs a prompt message, and invokes the MMNT-built API called HIPAA-compliant Azure Services API.
- The resulting message is formatted and sent to the user's phone via AWS Pinpoint API.
A provider/coach interaction with Milton Portal
- A provider who buys Milton as a SaaS product signs into the Milton Provider Portal.
- They can add/delete members and do administration tasks.
- They can view data related to individual members/patients.
Third-Party HIPAA Compliance
Milton uses the following 3rd Party services. Each of these services has its own HIPAA document that explains its compliance.
- AWS Infrastructure
- AZURE LLM APIs for AI Services
- AWS Service for SMS Text messaging
In addition to these individual documentation, MMNT also has BAA agreements with these companies that address HIPAA compliance.
Data Protection at Rest
Milton platform runs on AWS cloud infrastructure for data storage. RDS databases that store data have encryption at rest. AWS RDS systems are HIPAA compliant. Please refer to the AWS HIPAA documentation2,5 for further details.
Data Protection in Motion
Connections between components are based on SSL/TLS standards. They authenticate communication endpoints before communication is authorized. During the communication, all the data that flows through the connection is encrypted using SSL/TLS standards. Please refer to Encrypting File Data with Amazon Elastic File System for more details on AWS support for data in motion.
Data Access Controls & Governance
Data is protected in motion and at rest on the Milton platform. We have strong controls on who has access to production data via strict controls. Any person needing access needs to get approved based on the role of the person and the scope of the access privileges. Only a limited number of people are allowed. MMNT has a well-established approval process for data access controls and approvals. Infrastructure level access control in AWS is controlled through IAM and subaccounts. Access to the portal is controlled via account-level controls at the user level. A portal user (coach/provider) can only access the data of his members and can not access any other members.
Business Process Around Data
MMNT has engaged a 3rd party company, Compliancy Group, to perform audits of business processes and data handling compliance with HIPAA requirements. MMNT employees also underwent required training to meet the compliance requirements.
Tracing and Auditing of Data Access
All-access to data stored in Milton creates a record and is stored in a persistent data store for auditing and traceability. Each such access records who accessed the data, when it was accessed, and what data elements and tables were accessed. This will create a full history of the data usage that can be retrieved for any compliance audit requests. We also have tracing of any breach of data by anyone who is not authorized to access the data.
References:
1. Microsoft Azure Compliance Offerings
2. HIPAA Reference Architecture on AWS
3. US Department of Health & Human Services HIPAA Security Rules