Security & Privacy

OurCareDirect takes your privacy and security seriously. OurCareDirect is compliant with the Health Information Portability and Accountability Act.

OurCareDirect HIPAA Privacy and Security Specifications

Under HIPAA, OurCareDirect qualifies as a “business associate.” A business associate is defined by HIPAA as an entity that accesses, uses, processes, or discloses PHI on behalf of a covered entity for a service described in the HIPAA regulations. As such, OurCareDirect must:

1. Abide by the limitations on the use and disclosure of PHI set forth in its agreements with partners.

At this time, OurCareDirect only uses PHI to filter services based on the eligibility requirements of the particular service provider. This process does not involve the disclosure of PHI. OurCareDirect only discloses PHI when a referral for case management is accepted by a second case management organization. For example, suppose a healthcare provider creates a profile for a clinic patient in OurCareDirect and then refers that patient to an outside case management organization for case management services. Upon accepting the referral, the case management organization will have access to the patient’s profile, which contains PHI. This necessitates the completion of the OurCareDirect Authorization for the Release of PHI.

2. Not use or further disclose PHI other than as permitted or required by the agreement or as required by law.

Currently OurCareDirect does not disclose PHI except in the situation described above. When a case manager initiates a referral to a service provider, the service provider only has access to the patient’s contact information.

3. Use appropriate safeguards to prevent misuse or disclosure of PHI.

“Appropriate Safeguards” can be broken down into administrative, physical, and technical safeguards. Since we are using Microsoft’s Azure service, the administrative and physical safeguards are, with one exception, implemented by the Azure platform at the server level.

The exception to this is the development environment. OurCareDirect is developed in a separate environment from the application that contains PHI. This means that our junior developers do not have access to the PHI contained in our database. All updates and features are developed and tested in this separate environment before they are deployed to the production server by our senior developer, Sean Merron, who has received HIPAA training and executed a HIPAA agreement.

OurCareDirect is responsible for the implementation of certain technical safeguards to protect the PHI contained within the application.

A. Administrative Safeguards

i. Security Management Process: Provided at the server level by Microsoft Azure.

ii. Security Awareness Training: Provided at the server level by Microsoft Azure.

B. Physical Safeguards

i. Facility Access Controls: Provided at the server level by Microsoft Azure.

ii. Device and Media Controls: Provided at the server level by Microsoft Azure.

C. Technical Safeguards

i. Access Control: Access control is further sub-divided into server-level control and application-level control. Server-level control is restricted to our developer Sean Merron. Application-level administrative control is restricted to OurCareDirect staff. Application-level user control is restricted through the following mechanisms.

ii. Organization Level Control – The addition of an organization to the OurCareDirect database requires administrator approval. Before an organization can be approved for addition to the OurCareDirect database, it must meet the following requirements.

a. Organizations must have a valid business license registered with the Commonwealth of Virginia. This does not apply to organizations that provide informational resources online.

b. Organizations must have a working phone number staffed during normal business operating hours. This does not apply to organizations that provide exclusively online informational services.

c. Pre-existing organization listings in the OurCareDirect database that are claimed by their operating provider must provide the following information.

– The first name, last name, address, and phone number listed in the OurCareDirect account of the person claiming the pre-existing organization must correspond with publicly available information for that organization.

– The person claiming the account must be reachable at the phone number listed in the business database maintained by the State Corporation Commission of the Commonwealth of Virginia. Alternatively, the organization must agree to a site visit by OurCareDirect employees.

iv. Transmission Security – This is achieved through the use of SSL/TLS encryption, which encrypts data in transit between the server and the browser.

4. Comply with requirements respecting individuals’ right to access, amend, and receive an accounting of disclosures of PHI.

OurCareDirect gives users access to the PHI stored on the site as well as a list of third parties with whom PHI is shared.

5. Return or destroy PHI upon termination of the agreement.

All users are allowed to terminate their account. PHI will be destroyed upon account termination.

If you have questions or would like more information about our security and privacy policies, please email