At Neon, we take the security and privacy of your health information seriously. This guide is designed to help you understand how Neon complies with the Health Insurance Portability and Accountability Act (HIPAA) and what that means for you as a customer. Our Business Associate Agreement (BAA) outlines our commitment to safeguarding Protected Health Information (PHI) and complying with HIPAA regulations.

Neon’s HIPAA functionality is only available to customers who have signed a BAA with Neon.

What is HIPAA?

HIPAA is a federal law that sets national standards for the protection of health information. It requires businesses handling PHI to implement safeguards to ensure privacy and security.

Key HIPAA Terms You Should Know:

  • Protected Health Information (PHI): Any identifiable health-related data.
  • Covered Entity: Healthcare providers, plans, or clearinghouses that handle PHI.
  • Business Associate: A service provider (like Neon) that handles PHI on behalf of a Covered Entity.
  • Breach: Unauthorized access, use, or disclosure of PHI.
  • Security Rule: Safeguards to protect electronic PHI.
  • Privacy Rule: Rules governing how PHI is used and disclosed.

How Neon Protects Your Data

  1. Use and Disclosure of PHI
    • We only use PHI to provide our agreed-upon services and to meet legal obligations.
    • PHI is disclosed only as required by law or with proper authorization.
  2. Safeguards in Place
    • Administrative: Policies and training to ensure compliance.
    • Physical: Secure access controls to data storage areas.
    • Technical: Encryption and access controls for electronic PHI.
  3. Incident Reporting
    • We promptly report any unauthorized use or disclosure of PHI.
    • Breach notifications are provided within 30 days as per HIPAA requirements.
  4. Subcontractors and Agents
    • Any third parties we work with are required to adhere to the same data protection standards.
    • We provide transparency by listing our subcontractors at https://neon.tech/hipaa-contractors, and customers who sign up for notifications are informed of any changes to that list.
  5. Customer Responsibilities
    • Customers must store PHI only in data rows intended for sensitive data. PHI must never be included in metadata, column names, table names, schema descriptions, or system-generated logs such as audit trails, query logs, or error logs.
    • Customers are responsible for configuring a session timeout.
    • Customers must avoid including PHI in support tickets or metadata fields.
  6. PHI Access and Amendments
    • Customers can request access to their PHI.
    • Any updates or corrections to PHI need to be carried out by the customer.

Your Rights and What to Expect

  • Transparency: You can request details about how your PHI is being used.
  • Security: Our technical safeguards are designed to prevent unauthorized access.
  • Data Control: You retain ownership of your data; we are custodians ensuring its protection.

In Case of a Security Incident

If a security breach occurs, Neon will:

  1. Notify you within five business days of becoming aware of the incident.
  2. Provide detailed information about the breach.
  3. Take corrective actions to prevent future occurrences.

Frequently Asked Questions

Q: Can I request Neon to delete my PHI?
A: Yes, upon termination of services, we will securely delete or return your PHI.

Q: How does Neon ensure compliance with HIPAA?
A: We conduct regular internal audits and provide training to our employees to ensure adherence to HIPAA requirements.

Q: What should I do if I suspect a data breach?
A: Contact our security team immediately at security@neon.tech.

Contact Information

For any questions regarding our HIPAA compliance or to report an issue, please reach out to:

  • Email: hipaa@neon.tech

This guide provides a high-level overview of Neon’s HIPAA compliance efforts. For more details, please refer to our full Business Associate Agreement (BAA) or contact us directly via our support channels.