Arcos Security, Privacy & HIPAA Compliance
Overview

Patient Information

Arcos’ set of policies, procedures and practices are compliant with federal
(HIPAA) and local regulations to ensure security and privacy of patient
information.

Arcos’ procedures and practices include:

  • Information Technology Usage Controls
    • Access to computer systems restricted on a need-to-know basis,
      following the principle of least privilege
    • Storage controls, including the use of strong passwords, physical locks,
      two-step verification features, automatic lock-out or log-out, unique user IDs, and
      encryption policies
    • Encryption requirements
    • Requirements to ensure sufficient redaction, de-identification or
      erasure of electronic and physical information
    • A combination of hardware and software controls
    • Antivirus, reporting and personnel separation procedures
    • Security testing
  • Administrative Safeguards
    • Appointed Security Officer and Privacy Officer
    • Security Management Process, including Management Reviews of
      security, privacy, confidentiality, integrity and availability risks and risk controls
    • Workforce security measures, awareness and training for employees as
      well as any independent contractors based on level of access
    • Training program created by a specialized HIPAA attorney (LLM-Health)
    • Sanction policy
    • Security incident procedures, including documentation and rapid
      investigation
    • Disaster and other event contingency plans
    • Policies for HIPAA Business Associate Contracts
    • Documentation Control
  • Physical Safeguards
    • Limited physical access to electronic information systems
    • Facility security plan and limited physical access to Arcos’ facilities
    • Security maintenance checks and records
  • Technical Safeguards
    • Access controls
    • Audit controls
    • Integrity controls
    • Authentication mechanisms
    • Transmission security measures, including HTTPS with at least
      TLS 1.2, required encryption, integrity checks against modification, and firewall use.

Website User Information

Privacy Policy

Your privacy, and your patients’ privacy, is important to Arcos. We collect the
smallest amount of information that we believe is necessary to ensure our
website users are getting the service they expect and to protect our website,
our servers and your patient data from unauthorized groups.

User Data & Information Collected
We protect your patient data by ensuring that only authorized users can view
your hospital’s data. To do that, we collect and store some user data. By
registering on our website, you provide and we collect your email address,
password, name, credentials, hospital and your hospital’s location. To keep
your password safe, we salt and hash your password, storing it encrypted in
our database. We keep your password and any patient data you enter safe
during transit by using encrypted, https secure data transfers, using the
highest level of TLS 1.3 or 1.2 that your browser offers. We use your email
address along with your password to verify that you are an authorized user.
We associate your email address with your hospital so that you have access to
your hospital’s patient records and others in your hospital have access to any
patient records you create for that hospital. Arcos may share your email
address, name, credentials and hospital with its customer service provider in
your country or region so they can follow up on customer service issues. We
follow country and regional requirements for storing user and patient
information in a particular country or region.

General Information
We collect IP addresses of visitors to our website. We use this information as a
way to protect our website and we may block visitors from certain IP addresses
for security purposes. We also use IP address and, if available,
associated city/state/country information to see where people are interested
in our software and products.

What do we not do?
We do not sell your user data. We do not share your user data with anyone
other than our customer service provider for you in your country or region.
We do not use your information for any kind of web browser tracking or
advertising.

Rights Reserved
If your hospital is using one of our products or services, we reserve the right to
publicly list your hospital as one of our customers. We reserve the right to
view and use your patient data for our own purposes, including, but not
limited to, improving the features and functionality of our software and
improving our ability to support healthcare operations. We reserve the right
to share de-identified data with researchers and other third parties, including
for publication and public presentations, after taking steps to de-identify the
hospital associated with the de-identified patient data. We are willing to
review and potentially sign your organization’s own data use agreement to
clarify Arcos’ limited use of patient data or user data. If we receive a law
enforcement or a court request for your user data or patient data, we may
share such data with the requestors. The requestor might forbid us from
notifying you in that situation.

Consent and Opting Out
When users register on our website, we ask them to agree to this privacy
policy. You may opt out of providing user data by not registering and opt out of
providing any data by not using our website.

Our privacy policy may change from time to time without notice.

Arcos, Inc. is committed to implementing strong Security and Privacy
measures.

Please contact us with any questions via the Contact Us webpage.

Updated October 2020