emWave PRO HIPAA statement
May 25, 2018
The emWave PRO program is a personal stress education system. There isn't any built-in security or encryption; however, the program is used in professional and organizational settings where a variety of strategies are used to meet HIPAA requirements:
- Secure the computer that has the emWave PRO program installed physically and/or through log-in passwords so that only appropriate personnel can access the program and user data.
- Create a separate password-protected user account on the computer for each user which contains their own private database file. New database files are created automatically for each new user by the emWave PRO program.
- On a shared computer, store the database files in a location that requires a password to access. The emWave PRO program provides the ability to create multiple database files. One database file could be created per user and stored in their individual protected file space on a remote server. Users open and utilize their personal database file when using the emWave PRO program.
- Use coded identifiers instead of first name and last name. Either users create their own identifier, or the provider maintains the de-identification code outside the database, and keeps it confidential. If the user identification field in emWave PRO is coded in this way, the data in the product database meets the HIPAA requirements for de-identified information. Although users will be able to see information relating to other users, they will have no way of connecting that information to other users, and their ability to see this information will not violate HIPAA. This was the approach taken by the Department of Defense in granting a Certificate of Networthiness for the emWave PRO product.
- Some organizations print to paper or PDF each session screen and file it with patient charts, and do not store any data.