This policy sets forth guidelines for securing and maintaining the confidentiality, integrity, and availability of electronic information as required by Practifly (hereinafter called “Practifly”) policies and the Administrative Simplification requirements contained in the federal Health Insurance Portability and Accountability Act (referred to as the “Security Rule”).



This Statement of Security Practices describes the data protection policies and processes that Practifly ("Practifly") follows for the provision of its products and services.

See also Practifly's Privacy Policy, which along with this Security Policy constitutes our agreements with and commitments to organizational and individual customers. Practifly values the trust that its customers place in us. We take seriously our responsibility to protect customers' information, and we strive for transparency around our information security practices. This document describes those efforts.


Overall Approach

We implement a spectrum of physical, technical, and administrative security safeguards for data we collect, use, and disclose about individual customers and the organizations with which they may be affiliated. We regularly assess our security practices and continuously monitor the infrastructure that delivers our products and services for threats, vulnerabilities, and possible attacks.


Physical Security

Practifly’s servers and supporting technical infrastructure are hosted in the highest level of secured data centres (Tier-4 rated). These hosting facilities provide full, 24/7 physical security with respect to personnel access and protection of equipment capacity, including connectivity, electrical, and environmental-control infrastructure redundancies. All our core infrastructure and data storage are in the United States.

Practifly personnel work (and house their personal workstation/computing devices) in environments that generally provide appropriate physical and technical security. Such security is continually reviewed.


Technical Security

1. Access Control

Access to Practifly’s core infrastructure is only permitted through secure connectivity (e.g., VPN) and, where deemed appropriate, requires multi-factor authentication. Our password policy for such systems includes risk-mediated length, complexity, expiration, reuse, and lockout/timeout requirements. Less stringent controls are required for all customer accounts. Organizations using Single Sign On determine their own password requirements. Practifly grants access to its core infrastructure and data on a need-to-know/need-to-use basis using least-privilege rules, reviews infrastructure and data access permissions continually, and revokes access immediately after employee or contractor termination. All contractors with access to Practifly data are required to execute agreements that ensure compliance with Practifly’s security program and applicable laws.

2. Encryption

Practifly’s systems encrypt data in transit using secure cryptographic protocols. Where appropriate, given the sensitivity, some data is also encrypted at rest. Additional application-level encryption is also applied for storage or transfer when appropriate to the data sensitivity at issue.

3. Logging and Monitoring

Practifly’s systems record transaction information to log repositories for troubleshooting, security reviews, and ongoing analysis. Logs are preserved in accordance with industry standards and, where applicable, legal-regulatory requirements.

On request, we will provide customers with reasonable assistance and access to log copies or summaries in the event of a security incident affecting their accounts or the accounts of affiliated individuals whom they sponsor.

Administrative Security

1. General Compliance

Practifly’s infrastructure and the policies and standard operating procedures governing its use are designed for compliance with generally accepted industry standards and applicable legal-regulatory requirements.

2. Security Policies and Procedures

Practifly maintains, regularly reviews, and, as necessary, updates its information security policies and associated standard operating procedures. Practifly’s information security policies and procedures are based on, among other sources, the U.S. National Institute of Standards and Technology (NIST) Cybersecurity Framework and HITRUST.

3. Human Resources Management

Practifly conducts background screening at the time of hire (to the extent permitted or facilitated by applicable laws). We require employees, contractors, and other affiliates of third-party partners to sign non-disclosure agreements appropriate to their level of access. Persons with access to sensitive Practifly data must acknowledge information security policies and procedures and complete periodic (re)training on these as appropriate to their job-specific responsibilities.

4. Asset Management

Practifly’s asset management includes identification, classification, retention, and, as necessary, secure disposal of information and information-holding assets. Company-issued devices are equipped with appropriate encryption and antivirus software, among other protections.

5. Code Development and Change Management

Practifly’s systems and programming teams employ secure coding techniques and best practices, including a focus on priority vulnerabilities and countermeasures. Development/testing and production environments are separated. Code changes are thoroughly tested and logged for quality, performance, audit, and forensic purposes before deployment into production.

6. Risk and Vulnerability Management

Practifly’s risk and vulnerability management efforts include, but are not limited to, classification of data by type and infrastructure for storage and transfer to assure appropriate security protections; identification and remediation of identified security vulnerabilities on servers, clients (workstations), network equipment, and applications; and periodic review of all practices. All environments, including development, test, and production instances, are periodically assessed for vulnerabilities by our personnel and, where appropriate, by trusted third parties. Critical patches are applied to servers and workstations on a priority basis; all other (non-critical) types of patches are applied as appropriate.

7. Incident Management

Practifly’s security policies and procedures include incident management, which covers initial response, investigation, customer notification (see next), and remediation.

8. Breach Notification

Despite best efforts, no method of transmission over the Internet and no method of electronic storage can be perfectly secure. We cannot guarantee absolute security. However, if Practifly learns of a security breach, we will notify affected users so that they can take appropriate protective steps. Our breach notification procedures are designed to be consistent with our obligations under applicable country (U.S.) state and federal laws and regulations and industry rules or standards. We are committed to keeping our customers fully informed of any matters relevant to their accounts' security and providing customers with all information necessary to meet their own organizational and legal-regulatory reporting obligations.

9. Business Continuity

Practifly's server and other infrastructure design includes hosting environments at dispersed data centre locations to ensure business continuity. Transitions between these environments are tested.

Practifly's databases are continuously copied to backups stored at different U.S. locations. Backup data are encrypted as appropriate to the sensitivity and the storage medium and stored in secure environments to assure their confidentiality and integrity, and they are tested periodically to ensure the availability of the data they contain.

10. Customers' Security Responsibilities

Keeping data secure also requires that subscribing organizations and individual users follow appropriate information security practices. These steps can include, but are not limited to, using sufficiently complex passwords for accounts and storing them safely, changing them as appropriate, not sharing account credentials with other persons, and reporting to us immediately if there is a reasonable basis to believe any account or its associated information has been compromised.

Each organization and user must also ensure that there are sufficiently robust security protections on their own systems, such as by keeping server and personal computer/workstation software current (operating system and web browser updates, for example); installing anti-virus and other protective software; and keeping devices physically secure. Organizations with which users are affiliated typically have information security resources to assist or provide advice about these measures, and those should be leveraged when appropriate.

Contact Us

We welcome your comments or questions. You may contact us at:
Privacy Concerns:
Security Concerns:

Telephone: +1-510-288-8181
6701 Koll Center Pkwy, Ste 340
Pleasanton, CA 94566

