How BrainHQ Keeps User Data Secure
BrainHQ group administrators want to keep information about their group members secure - and BrainHQ is designed to do exactly that.
You can read an overview of BrainHQ’s security measures at our security page. These policies and procedures protect all of our BrainHQ users, including group members. We comply with the HIPAA technical safeguards, and each year, we undergo a security audit following the SOC-2 standard to check our work and confirm that our security policies and procedures are working as designed to protect BrainHQ user data.
For group administrators who want extra assurance, BrainHQ Enterprise customers can receive our SOC-2 audit report, request that we fill out additional security questionnaires, and request that we sign a HIPAA Business Associate Agreement (BAA).
For group administrators who want to operate their group with a minimum of personally identifiable information (PII) in the BrainHQ system, we offer instructions about how to manage your group to achieve this goal.
Operating a BrainHQ Group with Minimal PII
Certain BrainHQ group administrators prefer to operate their group with a minimal amount of personally identifiable information (PII) about their group members in BrainHQ. There are several steps to achieve this goal, and some important notes about what PII can - and cannot - be prevented from entering and being stored in BrainHQ.
Steps to take:
- Create member accounts with anonymous email addresses: Every BrainHQ user account must have a unique email address. However, this does not have to be a functioning email address, or even a real email address - it just has to look like an email address. You can create group member accounts with anonymous or “fake” email addresses (as long as each email address is unique) to prevent the real email addresses of your users from entering and being stored with BrainHQ. Please note that if you choose to use anonymous email addresses, your users will log in to BrainHQ with the email address that you provide, will not receive email from BrainHQ (for example, the weekly update emails), and will not be able to reset their passwords (because password reset requires us to send an email to the email address of record). If you need to reset the password of a user, please contact us as email@example.com. We also strongly recommend that you keep track of the anonymous email address you use for each user in a secure manner, so that when you view a user account in the group portal, you will be able to identify the real person associated with the anonymous email address..
- Create member accounts with pseudonyms: Every BrainHQ user account must have a first name and a last name. However, these do not have to be actual names of your group members. You can use a pseudonym. Please note that if you use a pseudonym, there may be situations where BrainHQ addresses your group member by the pseudonym (for example, in their BrainHQ profile). We also strongly recommend that you keep track of the pseudonym you use for each group member in a secure manner, so that when you view a member account in the group portal, you will be able to identify the real person associated with the pseudonym.
Limitations to minimizing PII entering the BrainHQ system
- IP addresses: BrainHQ is a cloud-based system, which means that the IP address of every user is transmitted to BrainHQ. This allows BrainHQ to send and receive information to your user - even for an account using an anonymous email account or a pseudonym. BrainHQ only uses the IP address while a user is actively using BrainHQ, and does not store a permanent record of the IP address.
- Administrator accounts: Group administrator accounts should be set up with the full name of the administrator and their work-related email address. This is required for us - and you - to comply with HIPAA auditability requirements. If you use an anonymous or “fake” email address or a pseudonym for your administrator accounts, we will not be able to determine which real person has taken administrator actions performed under the administrator account (for example, if an administrator views or edits user data) in the event that an audit is required. For this reason, we require that group administrator accounts be unique to each group administrator, and use the administrator’s real name and work-related email address.