At Clio, we are committed to ensuring that the data you store and process is always protected.
Clio has successfully completed an internal HIPAA attestation examination, which means that we now help our customers fulfill their Protected Health Information (PHI) obligations as we store and process data in a manner consistent with HIPAA standards.
If your law firm is required to be HIPAA compliant, we can enter into a Business Associate Agreement (BAA) with your organization and help you better support your clients while protecting any ePHI data you possess.
Will all users on an account need a HIPAA add-on?
Yes. Each user account must be configured with a HIPAA add-on for the BAA to be applicable if the account has been identified to contain PHI.
How is the HIPAA add-on different from Clio's subscription plans?
Law firms entering into a BAA have written assurances that Clio will support their specific reporting requirements when it comes to PHI. These agreed obligations differentiate the HIPAA add-on from Clio's subscription plans.
Can I get the HIPAA add-on outside of the United States?
No. The HIPAA offering is only available for customer accounts hosted in the United States, because of the applicability and jurisdiction of the Department of Health and Human Services.
Can I redline or edit the Clio BAA?
No. The Clio BAA contains all of the mandatory language, taken directly from the HIPAA regulations. Any additional terms and conditions a customer might seek would be unrelated to HIPAA and over and above what is required to comply with the Standards for Privacy of Individually Identifiable Health Information found at 45 CFR Part 160 and Part 164, Subparts A and E (collectively, the “Privacy Rule”). As such, Clio will not accept any edits to the BAA.
Is Clio HIPAA Certified?
There is no official HIPAA certification. Clio completes an annual self-assessment of our processes, configuration, and control mechanisms to validate our compliance with the legislation. HIPAA plans and other Clio offerings include the following protection mechanisms:
- Data encryption in transit and at rest.
- Restricted physical access to production servers.
- Strict logical system access controls.
- Mirrored data center facilities with daily backups to mitigate disaster situations.
- Configurable administrative controls available to the customer:
  - Grant explicit authorization to read, download, and edit customer files.
  - Monitor access.
  - Reporting trail of account activities covering both users and content.
- Formally defined and tested breach notification policy.
- Training of employees on security policies and controls.
- Highly restricted employee access to customer data files.
- 99.9% uptime Service Level Agreement.