1. Introduction

Luma Health, Inc (“Luma”) is committed to ensuring the confidentiality, privacy, integrity, and availability of all electronic protected health information (ePHI) it receives, maintains, processes and/or transmits on behalf of its Customers. As the provider of a compliant mobile communication platform used by clinics, Luma strives to maintain compliance, proactively address information security, mitigate risk for its Customers, and assure that known breaches are completely and effectively communicated in a timely manner. The following documents address the core policies Luma uses to maintain compliance and to assure proper protection of the infrastructure used to store, process, and transmit ePHI for Luma Customers.

Luma Health’s leadership team sets the tone from the top and ensures that adequate resources are available to maintain an effective Information Security Management System.

The objective of Luma Health’s Information Security Management System is continued compliance with applicable frameworks and regulations such as HIPAA and HITRUST, and continuous improvement.

Luma provides a messaging platform.

1.1 Messaging Platform

The messaging platform lets Customers deliver messages over three different channels, SMS, email, and voice (“Messaging Channels”), and lets them view data about sent messages through a web portal. Messaging Channels are intended only for conveying information between Customers and their patients that does not contain ePHI. Customers are given access to the Secure Message service for sending PHI.

1.2 Compliance Inheritance

Luma uses AWS for hosting; AWS’s privacy documentation can be found on its site at AWS Privacy. Luma does not have physical access to the servers being used. Luma’s messaging platform is deployed entirely on the AWS platform.

Luma signs business associate agreements (BAAs) with its Customers. These BAAs outline Luma’s obligations and the Customer’s obligations, as well as liability in the case of a breach. By providing infrastructure and managing the security configurations that are part of the technology requirements of HIPAA and HITRUST, as well as of future compliance frameworks, Luma manages various aspects of compliance for Customers. The aspects of compliance that Luma manages for Customers are inherited by Customers, and Luma assumes the risk associated with those aspects of compliance. In doing so, Luma helps Customers achieve and maintain compliance and mitigates Customers’ risk.

Luma does not act as a covered entity.

Certain aspects of compliance cannot be inherited. Because of this, Luma Customers must implement certain organizational policies of their own in order to achieve full compliance or HITRUST Certification. These policies and aspects of compliance fall outside the services and obligations of Luma.

Mappings of HIPAA Rules to Luma controls and a mapping of what Rules are inherited by Customers are covered in §2.

1.3 Requesting Audit and Compliance Reports

Luma, at its sole discretion, shares audit reports with Customers on a case-by-case basis. All audit reports are shared under an explicit NDA, in Luma’s format, between Luma and the party receiving the materials. Audit reports can be requested by Luma workforce members on behalf of Customers or directly by Luma Customers.

The following process is used to request audit reports:

  1. An email is sent to support@lumahealth.io. In the email, please specify the type of report being requested and any required timelines for the report.
  2. A member of the Customer Success team will log a task with the details of the request in Customer Success (under Requests) on ClickUp. ClickUp is used to track the status and outcome of requests.
  3. Luma will confirm whether a current NDA is in place with the party requesting the audit report. If there is no NDA in place, Luma will send one for execution.
  4. Once it has been confirmed that an NDA is executed, Luma staff will move the request to “In Progress”.
  5. The Luma Security Officer or Privacy Officer must approve or reject the request. If the request is rejected, Luma will notify the requesting party that the requested report cannot be shared.
  6. If the request has been approved, Luma will send the Customer the requested audit report and complete the task for the request.