HIPAA Compliance

HIPAA Compliance
‍

MMNT’s Milton platform is built on a secure foundation. This document describes how the user data is protected on this platform while the data flows through various components and how the data is handled at various points and also at the storage level where the data at rest is secured.

Three main components used in building Milton play a part in securing the data in Milton.
‍

1. Cloud Infrastructure, primarily AWS

2. Software components built by MMNT engineering teams that go into Milton

3. Third-party services such as Azure OpenAI APIs that Milton uses
‍
‍

This document describes a high-level view of how these parts contribute to Milton’s overall HIPAA compliance. User data is handled and passed through these systems. There are two separate flows.
‍

1. User/member interaction with Milton

2. A provider/coach interaction with Milton Portal.
‍
‍

User/member interaction with Milton
‍

A user sends messages to Milton with a telephone number. That message goes through telecommunications networks, and then Milton receives it.
After receiving the message, Milton processes it, constructs a prompt message, and invokes the MMNT-built API called HIPAA-compliant Azure Services API.
The resulting message is formatted and sent to the user's phone via AWS Pinpoint API.
‍

A provider/coach interaction with Milton Portal
‍

A provider who buys Milton as a SaaS product signs into the Milton Provider Portal.
They can add/delete members and do administration tasks.
They can view data related to individual members/patients.
‍

Third-Party HIPAA Compliance
‍

Milton uses the following 3rd Party services. Each of these services has its own HIPAA document that explains its compliance.
‍

AWS Infrastructure
AZURE LLM APIs for AI Services
AWS Service for SMS Text messaging
‍

In addition to these individual documentation, MMNT also has BAA agreements with these companies that address HIPAA compliance.

‍

Data Protection at Rest
‍

Milton platform runs on AWS cloud infrastructure for data storage. RDS databases that store data have encryption at rest. AWS RDS systems are HIPAA compliant. Please refer to the AWS HIPAA documentation^2,5 for further details.
‍

Data Protection in Motion
‍

Connections between components are based on SSL/TLS standards. They authenticate communication endpoints before communication is authorized. During the communication, all the data that flows through the connection is encrypted using SSL/TLS standards. Please refer to Encrypting File Data with Amazon Elastic File System for more details on AWS support for data in motion.
‍

Data Access Controls & Governance
‍

Data is protected in motion and at rest on the Milton platform. We have strong controls on who has access to production data via strict controls. Any person needing access needs to get approved based on the role of the person and the scope of the access privileges. Only a limited number of people are allowed. MMNT has a well-established approval process for data access controls and approvals. Infrastructure level access control in AWS is controlled through IAM and subaccounts. Access to the portal is controlled via account-level controls at the user level. A portal user (coach/provider) can only access the data of his members and can not access any other members.
‍

Business Process Around Data
‍

MMNT has engaged a 3rd party company, Compliancy Group, to perform audits of business processes and data handling compliance with HIPAA requirements. MMNT employees also underwent required training to meet the compliance requirements.
‍

Tracing and Auditing of Data Access
‍

All-access to data stored in Milton creates a record and is stored in a persistent data store for auditing and traceability. Each such access records who accessed the data, when it was accessed, and what data elements and tables were accessed. This will create a full history of the data usage that can be retrieved for any compliance audit requests. We also have tracing of any breach of data by anyone who is not authorized to access the data.
‍

‍