Joon Health | HIPAA Compliance Center

Welcome to the Joon Health HIPAA Compliance Center. Joon Health is a digital therapeutic company created with the goal of building positive pediatric behavioral health outcomes. We believe deeply in transparency and the need for secure practices in this continuously evolving industry.

This page acts as an overview to demonstrate our commitment to compliance and security. Here you can find our certifications and view high level details on controls and protocols that we adhere to.

Infrastructure Security

Encryption key access restricted
The company restricts privileged access to encryption keys to authorized users with a business need.
Unique account authentication enforced
The company requires authentication to systems and applications to use unique username and password.
Production application access restricted
System access restricted to authorized access only
Production database access restricted
The company restricts privileged access to databases to authorized users with a business need.
Access revoked upon termination
The company completes termination checklists to ensure that access is revoked for terminated employees within SLAs.
Infrastructure performance monitored
An infrastructure monitoring tool is utilized to monitor systems, infrastructure, and performance and generates alerts when specific predefined thresholds are met.
Network standards maintained
The company's network standards are maintained based on industry best practices, and reviewed at least annually.
Physical Access Controls
Secure physical access to ePHI storage areas are in place in order to prevent unauthorized entry.
Environmental Controls
Protocols in place to protect electronic systems from environmental hazards and unauthorized intrusion
Equipment Controls
Protocols in place to manage the receipt, movement, and disposal of electronic media to ensure data security

Organizational Security

Company inventory maintained
The company maintains a formal inventory of company system assets and is updated real-time.
Anti-malware technology utilized
The company deploys anti-malware technology to environments commonly susceptible to malicious attacks and configures this to be updated routinely, logged, and installed on all relevant systems.
Confidentiality Agreement acknowledged by contractors
The company requires contractors to sign a confidentiality agreement at the time of engagement.
Confidentiality Agreement acknowledged by employees
The company requires employees to sign a confidentiality agreement during onboarding.
Password policy enforced
The company requires passwords for in-scope system components to be configured according to the company's policy.
Security awareness training implemented
The company requires employees to complete security awareness training upon hire and at least annually thereafter.
Established HIPAA compliance team
A team has been deemed responsible for implementing and maintaining HIPAA compliance efforts.
Employee sanctions in place
The company enforces sanctions against employees who fail to comply with privacy policies.
Signed Business Associate Agreements
The company ensures that all partners and vendors comply with HIPAA regulations through formal agreements

Product Security

Data encryption utilized
The company's datastores housing sensitive customer data are encrypted at rest.
Control self-assessments conducted
The company performs control self-assessments at least annually to gain assurance that controls are in place and operating effectively. Corrective actions are taken based on relevant findings. If the company has committed to an SLA for a finding, the corrective action is completed within that SLA.
Data transmission encrypted
The company uses secure data transmission protocols to encrypt confidential and sensitive data when transmitted over public networks.
Vulnerability and system monitoring procedures established
The company's formal policies outline the requirements for the following functions related to IT / Engineering: 1) vulnerability management, and 2) system monitoring.
Application user authentication
The company has implemented mechanisms to authenticate ePHI access by each user.
Emergency access procedures
The company established procedures for obtaining necessary ePHI during an emergency.
Automatic logoff mechanisms
The company has implemented electronic procedures that terminate an electronic session after a predetermined time of inactivity.

Internal Security Procedures

Configuration management system established
The company has a configuration management procedure in place to ensure that system configurations are deployed consistently throughout the environment.
Change management procedures enforced
The company requires changes to software and infrastructure components of the service to be authorized, documented, tested, reviewed, and approved prior to being implemented in the production environment.
Production deployment access restricted
The company restricts access to migrate changes to production to authorized personnel.
Whistleblower policy established
The company has established a formalized whistleblower policy, and an anonymous communication channel is in place for users to report potential issues or fraud concerns.
Organization structure documented
The company maintains an organizational chart that describes the organizational structure and reporting lines.
Roles and responsibilities specified
Roles and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of information security controls are formally assigned in job descriptions and/or the Roles and Responsibilities policy.
Support system available
The company has an external-facing support system in place that allows users to report system information on failures, incidents, concerns, and other complaints to appropriate personnel.
Access requests required
The company ensures that user access to in-scope system components is based on job role and function or requires a documented access request form and manager approval prior to access being provisioned.
Third-party agreements established
The company has written agreements in place with vendors and related third-parties. These agreements include confidentiality and privacy commitments applicable to that entity.
Risk analysis and management established
The company conducts regular assessments to identify risks to the confidentiality, integrity, and availability of ePHI.
Security incident procedures documented
The company developed and implemented procedures to address security incidents.
Contingency planning protocol set up
The company ensures backups and emergency operations plans are in place for ePHI systems.

Data & Privacy

User data deleted upon request
The company purges or removes customer data containing confidential information from the application environment, in accordance with best practices, when customers leave the service.
Minimum necessary use and disclosure
The company has Implemented procedures for using and disclosing only the minimum amount of ePHI necessary.
Established patient access rights
The company has established procedures for patients to review, obtain, and request amendments to their ePHI.