We take security and privacy seriously
Is my data secure?
- Luminello was built by mental health professionals for mental health professionals and their patients/clients, so we get how important security and privacy is – we use it in our practices everyday!
- Our entire EMR/EHR platform is HIPAA-compliant and we’ll put that in writing for providers in a business associate agreement (BAA).
- Luminello encrypts all data, including all communication between patients/clients and clinicians.
- No patient/client health information is stored on your computer or phone – so there is no HIPAA penalty if your phone or computer is lost/stolen/hacked.
- Additional state of the art technology is used to protect against hackers, as well as physical protection of data servers and administrative policies that strictly govern access.
- Your notes are auto-saved as a draft every two minutes, just like gmail and other commonly used web applications.
- All saved data is backed up continually, off-site.
- Our servers are constantly being monitored for uptime, responsiveness and data security.
- Your credit card information, and that of your patients/clients, is stored by our trusted credit card partner, in compliance with PCI standards.
- We offer 2-factor authentication if you wish to add another layer of security to your account access.
Is my data private?
- We do not, and will never, sell identifiable patient/client data.
- Charts can only be viewed by authorized clinicians and their designees.
- Patient/client accounts are no-cost and ad-free.
- Paid clinician subscriptions are ad-free.
- We pledge to abide by our privacy policy. And feel free to contact us if you have any further questions.
Data retention policy
As a company founded by clinicians for clinicians, protecting the privacy and integrity of you and your patients/clients’ data is of the utmost importance. If you request to cancel your account, we will take the following steps with those principles in mind, and in accordance with our terms of service:
- We will place your account in our “free for life” plan so that you may always have access to your data.
- Due to varying state and federal requirements for data retention, we maintain records for seven years from the date they were last modified. If you wish to have records removed before then, we require that you first download all your charts, and acknowledge to us that you have done so, and that you waive all liability for us proceeding. Then, we will anonymize all applicable Luminello records in your account, rendering them undecipherable to you, us, and/or any 3rd party. Thus, we highly recommend you first download all your records, as those will no longer be available from Luminello at all for continuity of care, insurance audits, legal defense, etc.
- Please note our partners may have different data retention policies, which are subject to change. If you have questions about those, please contact us.
Do I really need to be HIPAA compliant?
- Yes, even “mom and pop” solo practitioners have to be compliant and to implement solutions that meet the minimum requirements.
- Aggrieved patients can easily file complaints on the US HHS website – no lawyer or knowledge of medical board needed.
- The HHS conducts thousands of random audits per year.
- HIPAA is arguably the standard of care.
- One breach – even one that is not your fault, like losing your iPhone or your email getting hacked – may lead to an investigation of all possible breaches – and a data security audit of your entire practice.
What is the worst-case scenario if I’m not HIPAA compliant?
- The fines for HIPAA non-compliance are up to $1.5 million per year.
- Other expenses include investigation costs, serving notice to patients, potential licensing board fines, and having to provide identity protection coverage.
- One data security breach of protected health information can ruin your business reputation.
If I don’t take insurance, I don’t have to be HIPAA compliant, right?
- HIPAA is arguably the standard of care for all mental health providers, thereby making this exemption moot.
- State data privacy laws are becoming even more stringent and have no such exemption.