Privacy and Security


As a health technology company focused on improving health outcomes and enabling patients to engage with and improve their medical literacy, disease management, behavioral health, and provider satisfaction, we consider the privacy and security of your information core to our mission. As such, Motivve Health is committed to complying with the requirements of HIPAA, state law, and the HITRUST Common Security Framework (CSF). We maintain the highest standards of integrity and follow best practices to preserve the confidentiality of Protected Health Information (PHI) and Personally Identifiable Information (PII).

Regulatory and Framework Compliance

Innovation in healthcare requires trust. Assuring the privacy and security of PHI and PII is at the core of our mission.

Motivve Health has designed its program to be fully compliant with the HIPAA/HITECH regulations, as updated by the Omnibus Rule. A third-party opinion of our compliance was provided by Healthie Consulting in January 2019. Compliance is reviewed annually.

Motivve Health has adopted the HITRUST Common Security Framework (CSF). Motivve Health has completed a self-assessment (reviewed by HITRUST) and is in the process of earning a Validated Assessment (validated by a third-party auditor) by February 1st, 2019.

Continuous Improvement and Trust Validation

We approach compliance, like security, as a continuous improvement cycle. Our Information Security Management Plan (ISMP) and our NIST SP 800-30 Risk Analysis drive our organizational policies, procedures, and standards, which in turn drive our workforce and IT awareness and training cycle. We use a Secure Development Life Cycle (SDLC) process for application development, and we use operational feedback to continuously refine our risk posture and mature our Compliance, Privacy, and Security Programs.

Key operational security metrics are monitored continuously by our deployment provider, Aptible/Amazon Web Services, and are audited regularly by their independent third-party auditors. Motivve Health is regularly audited as well for regulatory compliance, framework adoption, and program maturity.

Attention to Detail

All traffic is encrypted in transit with SSL/TLS and other secure protocols. All data is encrypted at rest with full key/data segregation. We use only FIPS 140-2 validated cryptographic modules.

Data access is restricted to approved employees based on their job function. Access is logged and stored for auditing and anomaly detection. Our hosting providers are regularly audited against SSAE 16 (SOC 2 Type 2), ISO 27001, NIST, HIPAA, HITRUST, and other domestic and international regulations and frameworks.

Aptible: https://www.aptible.com/compliance/iso-27001-certification/
AWS: https://aws.amazon.com/compliance/programs/

All services that Motivve Health uses are hosted within a private subnet, addressable only through a whitelisted gateway protected by strong two-factor authentication.

All services that KaChing users interact with are secured as well.

Per our Security Policy, we continually review our code for OWASP, CVE, and NVD-reported vulnerabilities.

Our systems are continually scanned for vulnerabilities and remediated quickly.

All data is stored exclusively in the U.S. at one of two AWS Data Centers (East and West zones). Highly available, virtualized systems assure resiliency, while full nightly backups are made to ensure recoverability.

If you have questions about our program, please contact our Compliance Officer at: compliance@motivvehealth.com