A Comprehensive Look at AllOne Health’s Commitment to Privacy

September 07, 2023

Mental health is top of mind for large employers, according to the 2024 Large Employer Healthcare Strategy Report, and employers are specifically looking at ways to improve access to care, reduce cost barriers, and provide more options for support.

When evaluating a partnership with an EAP or mental health platform provider, however, it is increasingly important to closely examine privacy policies, data protection, and any conflicts of interest that may compromise the clinical integrity of mental health care provided.

5 Questions to Ask an EAP or Mental Health Platform Provider:

  1. Do you know where your data is stored and how well it is protected?
  2. Does your vendor have a privacy and security officer, P&S policies, or any other designations?
  3. Is your vendor audited yearly by an outside firm to make sure that policies and processes are followed?
  4. Do they monitor their systems for attacks from the outside?
  5. How do they handle breaches?

Why Privacy Matters in EAP and Mental Health Benefits

The Public Health Emergency (PHE) ended on May 11, 2023, and there is new government scrutiny on the privacy and security of mental health apps.

Oftentimes mental health apps and platforms do not fall under HIPAA jurisdiction and do not have to comply with or follow HIPAA privacy, security, and breach notice rules. As a result, users’ data protection only goes so far as the mental health app’s privacy policy, often drafted in-house with intentionally vague language and parameters. The primary concern now is that mental health apps are being used to access personal health information and sensitive data, and then selling this patient data to third-party advertisers for marketing purposes using online tracking technologies. 

The latest reports from the Office of Civil Rights (OCR) presented to Congress in February 2023 revealed that between 2017 and 2021, complaints about violations of HIPAA increased 39% and large breaches reported increased 58%. OCR received 609 notifications of events affecting 500 or more individuals that reached approximately 37.2 million individuals in total.

AllOne Health is a trusted partner, uses personal data responsibly, and does not sell personal data for monetary or other considerations. Any organization that partners with AllOne Health and our family of companies can trust that the protection of customer data is the highest priority. AllOne Health’s security program is built and managed by a team of IT professionals and includes robust organizational, physical, and technological controls and comprehensive risk management.

Verified Compliance

AllOne Health is compliant with the ISO 27701 and SOC-2, Type 1 privacy frameworks regarding the collection, use, and retention of Personally Identifiable Information (“PII”) and Protected Health Information (“PHI”) that is processed by AllOne Health.

HIPAA-Compliant and Secure

AllOne Health complies with and operates within the framework of Health Insurance Portability and Accountability Act (HIPAA) regulations, ensuring that all contact and interactions remain confidential.
Our secure communication channels and robust data encryption protocols provide an extra layer of protection, safeguarding personal information and sensitive data from unauthorized access.

Industry-Leading Certifications and Accreditations

When evaluating EAPs and mental health providers, look closely at their accreditations for security measures. Regularly conducting internal and external audits results in accredited designation, and AllOne Health has achieved the following:

  • AICPA SOC (Service Organization Control) Certification: This certification signifies that AllOne Health has undergone a thorough examination of systems, processes, and procedures by an independent auditor.
  • A-LIGN ISO 27701 Certified: ISO 27701 is a comprehensive standard for privacy information management systems and attests to AllOne Health’s safeguarding privacy and protecting personal data.
  • USFCR Verified Vendor: Verification as a vendor by the United States Federal Contractor Registration (USFCR) signifies that AllOne Health maintains the highest levels of integrity, security, and compliance.

Access Control

AllOne Health relies on role-based access controls to limit access to information only to those who are both authorized to access data of a given classification but also to those who need to know.

Strong Authentication

Multi-factor authentication is enforced for all remote connections and single sign-on is enforced where possible.

Secure Configuration

Standard users have no administrative access to any AllOne Health system and all local administrator accounts are disabled.

Risk Posture

AllOne Health leverages a qualitative and quantitative risk management process that considers the confidentiality, integrity, and availability (CIA) of information controlled by the company, with regularly conducted risk assessments.

Third-Party Risk Management

AllOne Health performs a security review on all third-party suppliers on a regular, periodic basis. Suppliers must provide evidence of their own security certifications or provide an overview of their current security program to AllOne Health to maintain the business relationship.

Communication, Training & Testing

AllOne Health mandates quarterly awareness training for all employees and includes guidance on information handling and data security obligations, with regular testing.

Underlying AllOne Health’s security measures is a commitment to bringing the highest-quality clinical care and whole health support to our client organizations, their people, and their family members. Ensuring confidentiality and privacy at every touchpoint is one of the many ways AllOne Health works to break the stigma around mental health, improve access to care, and achieve our mission: “combining compassionate care, expertise, and innovative technologies to unleash the full potential of individuals and organizations.”

If you’re looking for an EAP partner that provides all the latest advancements in virtual mental health care support, backed technology you can trust, certified security, and 50 years of clinical expertise—reach out to AllOne Health to request a quote today.