Here at Kalix, we take HIPAA and other security regulations very seriously. We have the most stringent procedures and cutting-edge technology in place, making sure Kalix meets government privacy and security requirements. Here you will find the policies that you are subject to:
Health Information Portability and Accountability Act (HIPAA) of the United States requires healthcare providers and their business associates (like Kalix) to establish and follow procedures and practices that ensure the confidentiality and security of patient Protected Health Information (PHI) when it is transferred, received, handled, or shared. The HIPAA privacy and security provisions are broadened by the Health Information Technology for Economic and Clinical Health Act (HITECH).
Kalix is compliant with HIPAA and HITECH, which means customers can rest easy knowing we have the highest standards of security in place to protect PHI.
All paying users in the United States enter into a Business Associate Agreement (BAA) with Kalix. A BAA is a legally binding relationship between covered entities (healthcare providers) and business associates (Kalix) to ensure the complete protection of PHI.
We host Kalix using a HIPAA-compliant cloud storage provider located in the US. All data is stored with triple redundancy in two data centers 500 miles apart.
Healthcare providers must distribute a Notice of Privacy Practices to all patients when treatment commences. This notice must explain how they collect, handle and disclose PHI, including any use of an EMR system. Example Notice of Privacy Practices forms are available as part of Kalix’s Template Library.
Kalix follows the Australian Privacy Principles (APP) that describe how businesses including healthcare providers can collect, use, and disclose personal information. Customers can rest easy knowing we have the highest standards of security in place to protect patient personal information.
We host Kalix outside of Australia on Windows Azure servers located in the USA. The Australian Privacy Principle 8 (APP 8) applies when personal information is disclosed overseas. APP 8 allows for the processing and storing of personal data out of Australia if the overseas recipient takes reasonable steps to ensure there is no breach of the APPs. The following section describes how Kalix meets all 13 Australian Privacy Principles.
As per APP 8, Kalix’s Australian customers should expressly inform their patients and gain their permission before their personal information is entered into Kalix and disclosed overseas. Consent can be obtained verbally, but best practice recommends providing patients with a privacy statement that explains the potential consequences of giving consent. An example consent form is available as part of Kalix’s Template Library.
In Canada, several laws govern privacy rights and personal information, including seven provincial acts and one federal privacy law. The federal privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), describes how private organizations (such as private healthcare practices) collect, use, or disclose personal health information during their activities, via the Ten Fair Information Principles.
We request that all paying customers in Canada enter a Data and Privacy Agreement with Kalix. This agreement aims to ensure that both Kalix as a software vendor and our Canadian customers meet the Ten Fair Information Principles.
We host, process, and maintain Kalix and the Personal Health Information provided through Kalix on Windows Azure servers located in the United States of America. It is not against PIPEDA and provincial laws for private organizations such as healthcare practices to transfer Canadian personal health information out of Canada; in fact, it is common practice.
It is the responsibility of our Canadian customers to expressly inform and gain the consent of all their patients before collecting, using, and disclosing their data. It is recommended to provide all patients with a Personal Health Information Consent to Disclosure Agreement that explains the potential consequences of giving consent. An example consent form is available as part of Kalix’s Template Library.
In New Zealand, the law that governs privacy rights and the collection, handling, and use of personal information is called the Privacy Act 2020. Kalix meets the requirements of the 13 privacy principles that make up this act.
In New Zealand, Principle 12 (Cross-border Disclosure) applies when sending personal information outside New Zealand. Kalix is hosted on Windows Azure servers located in the United States of America.
At Kalix, we understand the importance of maintaining the highest data security and privacy standards, especially for healthcare practices managing sensitive patient data. With the implementation of the General Data Protection Regulation (GDPR) in the European Union (EU), we have taken proactive measures to ensure full compliance with this regulation and have reinforced our commitment to providing secure, trustworthy, and transparent services to our clients in the EU.
We request that all paying customers in the EU enter a Data Processing Agreement with Kalix. This agreement ensures that Kalix, the Processor, and our EU customers, the Controllers, meet the EU General Data Protection Regulation and other data protection laws.
Under GDPR, healthcare providers in the EU must obtain explicit consent from patients before transferring any data to a service such as an EMR hosted out of the EU. Kalix is hosted on the Microsoft Azure cloud in the United States. It is hence the responsibility of our EU customers to expressly inform and gain the consent of each of their patients before entering any of their data into Kalix.
This requirement ensures that patients in the EU are aware of what information is being collected and how their data is being used, stored and shared. The GDPR also requires healthcare providers to inform patients of their rights to access, modify, or delete any personal data collected via Kalix.
As part of our commitment to GDPR compliance, Kalix is hosted on the Microsoft Azure cloud in the United States. Microsoft Azure holds a wide array of EU and international certifications and adheres to the GDPR, ensuring that your data is processed and stored securely within GDPR guidelines.
Our primary obligation as a GDPR-compliant provider is to protect personal health information from unauthorized access, alteration, disclosure, or destruction. We have implemented a multi-layered security infrastructure to ensure high standards of data security, including:
1. Strong encryption: We use industry-leading encryption techniques to protect your data, both during transmission and while it is stored within our system.
2. Secure access controls: Our platform features role-based access controls, secure password policies, and multi-factor authentication options to restrict unauthorized access.
3. Data backup and recovery: Regular backups are performed to ensure data integrity and availability, and a disaster recovery plan is in place to protect your data from unforeseeable events.
We acknowledge and respect the importance of data subject rights under the GDPR, and we are committed to upholding these rights for our users, including:
Right to access: Your patients have the right to access their personal data held by Kalix, and we will provide the necessary tools to facilitate their data requests.
Right to portability: You are entitled to request the transfer of your personal data to another provider of your choice.
Right to erasure: We will process and execute data deletion requests, ensuring the complete removal of your patients’ personal information from our systems, subject to any legal requirements and retention periods.
Keeping abreast of the latest data protection regulations and requirements is paramount to our commitment to GDPR compliance. Our team continuously monitors regulatory developments and works closely with legal advisors to ensure our platform stays up-to-date with the latest guidance from the EU.
In the unlikely event of a personal data breach or any other GDPR-related incident, we are dedicated to providing you with timely and transparent communication. We understand the importance of working in partnership with you to prevent any potential risks to your data and ensure the highest level of data security.
Payment Card Industry (PCI) compliance refers to the standards to protect credit card data developed and managed by the PCI Security Standards Council.
Kalix never stores credit card information directly. When patients enter their credit card details into Kalix, they are actually saving them directly to our third-party providers – Stripe or Square. Both Stripe and Square are certified as PCI Service Providers Level 1 – this is the most stringent level of certification available in the payments industry.
Your data is safe with us. We have the most rigorous security measures in place to protect your patient records. These include:
Kalix uses higher levels of encryption than the current standards, ensuring client records stay secure. All data is encrypted:
1. In transit to and from the cloud, using TLS (Transport Layer Security).
2. In transit between Kalix and our third-party service providers.
3. At rest (including all backup copies created by Kalix), using AES-256 encryption.
Kalix keeps a snapshot of all modifications made to patient data. We record the time a change took place and the login that made the change. If a customer accidentally deletes saved information, we can recover it from a previous snapshot.
Daily operational procedures are followed to log and monitor data 24/7, looking for suspicious activity. Incident response procedures are in place for containing any breach and notifying customers if an incident occurs.
Kalix has plans to address the recovery or continuation of technology infrastructure critical to our customers after a natural or human-induced disaster.
At Kalix, access controls are in place, meaning our staff cannot see PHI unless they are given the express permission of the account owner. Two Factor Authentication (2FA) is required when staff log into their work environment.
Kalix customers can send secure, HIPAA-compliant messages, forms and documents.
Kalix's messaging and reminders feature limits PHI transmission to the minimum necessary. For example, only a patient's first name can be included in a message, not their full name or other identifying information.
Messaging can be opt-in only, requiring patients to consent before receiving messages via Kalix. Furthermore, patients can opt-out of receiving messages at any time.
Kalix does not send client forms or documents via email, text-to-voice, or SMS. Instead, it uses a secure web link and a randomly generated code to unlock them. The forms or documents are viewed and completed within Kalix in an encrypted environment.
Kalix's email messages are encrypted in transit between Kalix and our third-party provider. Our HIPAA-compliant third-party email provider encrypts data at rest. When transmitting emails to patients and contacts, by default, our third-party provider uses TLS (Transport Layer Security). They also check the validity and legitimacy of the mail server's certificate.
Kalix's HIPAA-compliant faxing is achieved by using the SIP trunking protocol and encryption. This combination of features makes it possible to fax sensitive medical information without compromising the security of the information. HIPAA-compliant faxing is an essential part of maintaining the confidentiality of client information.
Kalix's SMS (text) and text-to-voice messaging are encrypted in transit between Kalix and our third-party provider. For privacy and security, our third-party provider does not store a record of your text and voice messages within their system.
We offer bug bounties for new, responsibly disclosed issues. If you have found something, please contact us at email@example.com.
Privacy and security are built into the Kalix platform, giving private practices powerful features to manage staff access and keep patient data safe.
Kalix automatically records every login attempt to a Kalix account. These logs are available to account managers to monitor staff usage and identify any unusual behavior.
We require all customers to either register for a Kalix account using a verified email and password or single sign-on authentication (Google or Facebook). Two Factor Authentication (2FA) is available to provide an extra layer of security.
Each user in a group practice has their own login to Kalix and is instructed on the risk of sharing access. Kalix's pricing is based on practice volume rather than the number of staff. Hence, adding new users to a Kalix account does not cost more.
Kalix offers four user security roles to help account managers limit their staff's ability to view and edit confidential information. Additional permissions can be customized per user, including access to patient documents, billing, and tasks.
Kalix protects customers against accidentally leaving their accounts accessible to others on their unattended computers. Kalix automatically ends sessions when customers are logged into Kalix but not actively using the program for a set period.
Our customers maintain ownership of their patient data. Kalix is just its custodian. And we guarantee that patient data stays safe and secure with us!
When a Kalix account is canceled, we keep the customer's client information for six months. After this time, the data is destroyed for security purposes. If records need to be kept for data retention purposes, Kalix's Backup feature allows a copy to be created.
Kalix has a strict policy that prohibits marketing to your clients, and we will not sell your data to any third parties.
Kalix staff can only view customers' Kalix accounts and any entered client data after the account's owner has given them express permission. Kalix staff are also required to use two-factor authentication (2FA) for this access!
Whether you’re a solo or group practice, Kalix offers the right practice management solution and pricing plan that works best for your organization. With no commitments, no contracts, and free-to-cancel anytime, we help you scale your business at a cost that meets your needs.