Methodic Compliance Overview

Methodic infrastructure is compliant with the Health Insurance Portability and Accountability Act (HIPAA) and the Family Educational Rights and Privacy Act (FERPA).

Methodic complies with the HIPAA Security Rule, which establishes technical specifications for applications that work with protected health information online. We ensure Protected Health Information (PHI) is encrypted in transit (TLS 1.2+) and at rest using industry-standard AES encryption. We also:

  • Maintain detailed audit logs that record every time someone reads or accesses your data.

  • Support disaster recovery by taking periodic snapshots of the database clusters, so that the system can be restored from a snapshot in the event of a failure.

  • Provide administrators with access controls over the studies they own, by assigning and revoking user-based or role-based permissions.

  • Encrypt data with AES-256 using Amazon services such as Amazon EBS (Elastic Block Store), whose virtual hard drives are encrypted with keys managed by AWS KMS (Key Management Service).

Can Methodic sign a Business Associate Agreement (BAA)?

Yes. We recommend using a BAA, in addition to a Qualified Service Organization Agreement (QSOA) if substance use data will be included.

To comply with laws around mental health and substance use data, we can sign a joint BAA and QSOA that includes provisions for 42 CFR Part 2. Methodic also gives dataset owners full control over the permissions on their dataset and its properties, so they can hide personally identifiable information (PII) that could be used to identify an individual.

How does Methodic comply with state-level confidentiality laws?

Laws vary from state to state, but we will do our best to answer questions about how we can work within your state. Please reach out to us at support@getmethodic.com.

Who owns the data once it has been integrated?

You have full ownership of your data once it’s integrated into Methodic.

Methodic provides a secure data sharing platform built on HIPAA-compliant infrastructure hosted on AWS. AWS's own position on customer data ownership is consistent with this, as stated in the AWS Data Privacy FAQ:

“Customers maintain ownership of their customer content and select which AWS services process, store and host their customer content. We do not access or use customer content for any purpose other than as legally required and for maintaining the AWS services and providing them to our customers and their end users. We never use customer content or derive information from it for marketing or advertising.”

In some situations, data sources or data providers may retain ownership rights of the data or require Methodic to take ownership of data due to their data use agreements. We will work with you to understand these requirements as they occur.

The compliance standards and content of this page are subject to change.