Frequently Asked Questions:

Security

  • Are you HIPAA Compliant?

    We meet or exceed the physical, technical, and administrative security requirements of HIPAA and we continue to improve our ability to safeguard data and measure our state of compliance. For details, please read our Privacy Policy: https://xcures.com/privacy-policy/.

  • What does xCures do to protect security?

    The security of your data is of paramount importance to xCures. It begins when you sign an informed consent form (ICF) allowing xCures to request information from your treating institutions under the Patient Right of Access (compliant with 45 CFR 164.524). Data is sent securely from the treating institutions to xCures, where it is stored in an Electronic Data Capture (EDC) system, compliant with 21 CFR Part 11. EDCs that are Part 11 compliant meet the FDA’s criteria for security and accuracy for tasks such as clinical trials and regulatory submissions. 

    Access to personally-identifiable health information (PHI) is restricted to the patient, their health care providers, and only those xCures employees who need access for their jobs (all such employees take training in handling PHI). Some xCures employees, such as software developers, who need access to the format of the data to but not the content, can access a version of data in which all PHI has been removed and replaced with tokens, so as to protect a patient’s privacy. 

    All data at rest within the system (e.g., in files, in databases, etc.) is encrypted. All data in motion (e.g., being viewed in a web browser, or sent via email) is likewise encrypted in transit. This is done to protect privacy at all times. Tools like CAPTCHAs are used to prevent attacks on web portals by malicious actors.  In addition, we provide security training to all xCures employees regarding best security practices, and we monitor our infrastructure for signs of intrusion or hacking attempts.