HIPAA Compliance

In this section, learn more about how Dimagi's CommCare software can assist you with HIPAA compliance.

HIPAA Compliance

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that sets national standards for protecting sensitive patient health information. It applies to covered entities like healthcare providers, software providers, health plans, and healthcare clearinghouses that handle protected health information (PHI). HIPAA aims to safeguard the privacy and security of individuals' medical records and other health data.

As a user of Dimagi's CommCare software on an Advanced plan or higher, you can take advantage of Dimagi's HIPAA-compliant data handling. This means CommCare provides the necessary technical, physical, and administrative safeguards to allow you to store and transmit PHI in a HIPAA-compliant manner.

Dimagi offers to sign a Business Associate Agreement (BAA), formally establishing Dimagi as your HIPAA-compliant business associate for handling PHI via the CommCare platform. With a BAA in place, you can leverage CommCare's mobile data collection capabilities while meeting HIPAA's stringent data privacy and security requirements.

HIPAA Log Queries

To view digital activity logs of users, the following options are available:

  1. For day-to-day operational audits, we recommend using our in-product capabilities. For each data element, CommCare tracks the entire trail of changes, including the following metadata for each change:

    1. Record and Data Element Identifier 

    2. Who made the change

    3. How the change was made

    4. When the change was made

    5. What the specific change was (and its prior value)

  2. CommCare also supports a comprehensive suite of Messaging Reports, which can be used to audit automated interactions with cases and manual interactions between users and cases.

  3. For more targeted queries that cannot be run through CommCare's UI, we request that our partners create a support ticket by writing to us at support@dimagi.com. Within the request, please clearly outline exactly which logs you are requesting and for what time frame. The support team will review the request for HIPAA log eligibility and, if it is eligible, will work with you to provide a secure file containing the relevant information. We commit to responding to all HIPAA log queries within our Service Level Agreement timelines.

Retention Policy

In alignment with HIPAA, we store these logs for 6 years.