Data Security & Privacy

Is my data secure?

• Luminello was built by mental health professionals for mental health professionals and their patients/clients, so we get how important security and privacy is – we use Luminello in our practices everyday!
• Our entire EMR/EHR platform is HIPAA-compliant and we’ll put that in writing for providers in a business associate agreement (BAA).
• Luminello encrypts all data, including all communication between patients/clients and clinicians.
• No patient/client health information is stored on your computer or phone – so there is no HIPAA penalty if your phone or computer is lost/stolen/hacked.
• Additional state-of-the-art technology is used to protect against hackers, as well as physical protection of data servers and administrative policies that strictly govern access.
• Your notes are auto-saved as a draft every two minutes, just like Gmail and other commonly used web applications.
• All saved data is backed up continually, off-site.
• Our servers are constantly being monitored for uptime, responsiveness, and data security.
• Your credit card information, and that of your patients/clients, is stored by our trusted credit card partner, in compliance with PCI standards.
• We offer 2-factor authentication if you wish to add another layer of security to your account access.

Is my data private?

• We do not, and will never, sell identifiable patient/client data.
• Charts can only be viewed by authorized clinicians and their designees.
• Patient/client accounts are no-cost and ad-free.
• Paid clinician subscriptions are ad-free.
• We pledge to abide by our privacy policy. And feel free to contact us if you have any further questions.

Data retention policy

As a company founded by clinicians for clinicians, protecting the privacy and integrity of your and your patients’/clients’ data is of the utmost importance. If you request to cancel your account, we will take the following steps with those principles in mind, and by our terms of service:

• We maintain your records while you are an active Luminello user and for at least 12 months after that.
• You may request to have your data deleted at any time. We require that you first download all your account info, and confirm to us you have done so, before proceeding, and that you waive all liability for us honoring your request.
• Please note our partners may have different data retention policies, which are subject to change. If you have questions about those, please contact them directly.

Do I need to be HIPAA compliant?

• Yes, even “mom and pop” solo practitioners have to be compliant and implement solutions that meet the minimum requirements.
• Aggrieved patients can easily file complaints on the US HHS website – no lawyer or knowledge of the medical board is needed.
• The HHS conducts thousands of random audits per year.
• HIPAA is arguably the standard of care.
• One breach – even one that is not your fault, like losing your iPhone or your email getting hacked – may lead to an investigation of all possible breaches – and a data security audit of your entire practice.

What is the worst-case scenario if I’m not HIPAA compliant?

• The fines for HIPAA non-compliance are up to $1.5 million per year.
• Other expenses include investigation costs, serving notice to patients, potential licensing board fines, and having to provide identity protection coverage.
• One data security breach of protected health information can ruin your business reputation.

If I don’t take insurance, I don’t have to be HIPAA compliant, right?

• HIPAA is arguably the standard of care for all mental health providers, thereby making this exemption moot.
• State data privacy laws are becoming even more stringent and have no such exemption.