Our Approach to Data Security and Patient Consent

HIPAA, GDPR, and Cloud Processing Addenda

Navigating the complex terrain of healthcare regulations requires diligence and a proactive approach. Kepler operates in strict compliance with the Health Insurance Portability and Accountability Act (HIPAA) and the General Data Protection Regulation (GDPR), ensuring our practices meet and exceed international standards for data protection. To bolster our commitment, we've signed Cloud Processing Addenda with our cloud service providers. These agreements underscore our dedication to employing over-conservative security rules with Google Cloud to encrypt patient and clinician data at rest and in transit. Every action, from reads and writes to deletions, is safeguarded, ensuring the highest level of data security.

PHI Deidentification Algorithms

Our approach to protecting Patient Health Information (PHI) is both meticulous and innovative. By employing advanced deidentification algorithms, we strip 18 PHI entities from all recorded conversational transcripts and manually typed notes. This process ensures that raw audio recordings are never stored, eliminating the risk of sensitive information being accessed unlawfully. Our algorithms are designed to meticulously parse and remove any information that could potentially identify a patient, from names and locations to dates and times, before the data ever reaches our servers.

Patient Consent Models and BAAs with Organizations

Understanding the importance of informed consent, Kepler provides an out-of-the-box informed consent modeling template, validated by our partner national group practice centers. This template is designed to debrief patients on our data security policies and their autonomy to withdraw consent at any time. Our Business Associate Agreements (BAAs) with healthcare organizations establish our obligation to notify them and the U.S. Department of Health and Human Services (HHS) in the event of a breach. They also mandate regular security audits, ensuring our practices remain at the forefront of data security and patient privacy.

End-to-End Encryption

At the heart of our security measures is our commitment to end-to-end encryption. We encrypt data during reads, writes, and deletion tasks using Transit Layer Security (TLS), ensuring that our cloud providers have no access to any identifiable patient data. This level of encryption guarantees that patient data cannot be traced back to any individual, providing an additional layer of security and privacy. Our strict access rules further ensure that even our developers cannot read patient data unless expressly permitted by the practitioner for troubleshooting or data recovery purposes.

AI Ingestion of Data

Kepler harnesses the power of AI to provide real-time insights and support to therapists, but we understand the concerns practitioners may have regarding the processing of sensitive data. We want to reassure our users that data encryption and deidentification are executed before the data even reaches our AI models. Server-side security measures ensure that model inferences are protected from unauthorized access, keeping the data secure from malicious actors. Our AI processes are designed with privacy in mind, ensuring that the insights we provide are derived in a secure and responsible manner.

Freedom to Delete Data and Accounts

We work with clinicians to only retain data when they've explicitly expressed to do so, and in the event that a practitioner's account is deleted, we delete any and all data they are tagged in. More importantly, we provide robust data deletion options to destroy AI-generated insights and raw notes.

Conclusion

The digital transformation of healthcare presents an opportunity to enhance the delivery of care through innovative technologies. However, this transformation comes with the responsibility to protect the sensitive data that patients entrust to us. At Kepler, we take this responsibility seriously. Our comprehensive approach to data security, from adhering to HIPAA and GDPR regulations to implementing advanced encryption and deidentification techniques, demonstrates our unwavering commitment to protecting patient privacy. Through our informed consent models, rigorous security audits, and transparent communication with healthcare partners, we aim to set a new standard for data security in digital health. As we continue to evolve our platform, our focus on safeguarding patient data remains steadfast, ensuring that we can provide valuable insights to therapists while maintaining trust.