In this article:

• Hardware/Software Requirements

• Disaster Recovery Process

• Security Incident and Breach Management

• Patient Privacy Management

• HIPAA Compliance 

Hardware/Software Requirements

---

Bamboo Health does not require you to install any additional software or hardware and will work on both Windows and Mac operating systems. 

Supported Browsers include:

• Internet Explorer 11 (IE11) and later
• Chrome (any version)
• Edge (any version)
• Firefox 10 and later
• Safari 5 and later

If you try to access Bamboo Health from an unsupported browser, you will see the following page:

Bamboo Health works best when used with the latest version of your browser. If you haven't already, we suggest using the links above to upgrade your preferred browser to enable high-quality access while using Bamboo Health.

Disaster Recovery Process

---

Bamboo Health has designated an Emergency Response Manager, as required by the Security Rule. The Emergency Response Manager oversees all ongoing activities related to responding to an emergency or other occurrence (e.g., fire, vandalism, system failure, natural disaster, political disturbances, or internal malicious activities) that damages systems that contain PHI.

Security Incident and Breach Management

---

As part of Bamboo Health's Policies and Procedures, all Security Incidents relating to the improper use or disclosure of Protected Health Information (PHI) must be reported to Bamboo Health's Privacy Officer upon discovery. If the Security Incident is determined to have resulted in a Successful Breach (rather than merely a Potential Breach), Bamboo Health will follow the Breach notification procedures outlined in the Business Associate Agreement that governs the use or disclosure of the PHI that is the subject of the Breach.

Patient Privacy Management 

---

Bamboo Health takes the security of patient data very seriously and takes the following steps to ensure the privacy of such information both generally, and in providing the Bamboo Health Services:

(1) Bamboo Health has a robust internal HIPAA compliance program.

(2) Bamboo Health has successfully completed numerous security reviews and undergoes annual third-party security assessments and penetration tests. In addition, we are happy to provide copies of SOC-2 reports for our hosted environment provider (Amazon Web Services), as well as, any reports generated from relevant security reviews or assessments. Our team is always willing to answer additional security questions that you may have. SOC-2 reports may be obtained from Bamboo Health or directly from AWS upon signing a non-disclosure agreement.

(3)Bamboo Health uses a rigorous, multi-factor patient matching algorithm to ensure accurate encounter notifications. This algorithm ensures that we only share encounter information between Bamboo Health customers the receiving customer has a relationship with the patient that satisfies the requirements of HIPAA’s TPO Exception.

(4) Bamboo Health enters into Business Associate Agreements with all of its customers who have access to PHI via the Bamboo Health Services, as well as with all of its subcontractors who need access to PHI in furtherance;of its obligations to Bamboo Health.

Bamboo Health has designated an Emergency Response Manager, as required by the Security Rule. The Emergency Response Manager oversees all ongoing activities related to responding to an emergency or other occurrence (e.g., fire, vandalism, system failure, natural disaster, political disturbances, or internal malicious activities) that damages systems that contain PHI.

HIPAA Compliance

---

Bamboo Health receives and discloses Protected Health Information ("PHI") under the "TPO Exception" set forth in HIPAA. The TPO Exception states that a Covered Entity may use or disclose PHI for its own Treatment, Payment, and Health Care Operations activities, or for the Treatment, Payment, and Health Care Operations of another Covered Entity, without the need to obtain patient authorization. In addition to the foregoing, such uses and disclosures of PHI may either be facilitated directly by the Covered Entity or done on behalf of such Covered Entity, via its Business Associate.

Bamboo Health enters into a Business Associate Agreement with every single one of its customers, and the receipt and use of PHI from any given customer is done pursuant to such Business Associate Agreement. Further, Bamboo Health only discloses PHI via the Pings Services to another Pings customer if, and only if, such customer has a Treatment, Payment, or Health Care Operations relationship with the patient to whom the information pertains, as determined by Bamboo Health's proprietary matching algorithm.

All capitalized terms not defined herein shall have the meanings ascribed to them in HIPAA.

Under HIPAA's TPO Exception, a Covered Entity may share PHI with another Covered Entity without obtaining patient consent if such PHI is used or disclosed for purposes related to Treatment, Payment, and Health Care Operations.

However, there may be additional federal regulations (see 42 C.F.R. Part II) or certain state patient privacy laws that may impose additional authorization or consent obligations with respect to patient confidential information. However, these additional regulations or laws typically pertain only to certain categories of providers or information.

It is important that you understand what patient privacy laws apply to you before providing any information to Bamboo Health. As the Covered Entity, you are responsible for obtaining all necessary consents required to disclose information to Bamboo Health, as your Business Associate, as well as to other Covered Entities, via the Bamboo Health Services.