We treat the privacy and security of your PHR Data with the utmost importance and respect. As such, we take extensive precautions to secure and protect your information from unauthorized access, disclosure, or use.


How does The Health Portability and Accountability Act (HIPAA) control the use and security of your health information?

HIPAA does not control your use of your health information. HIPAA grants you the legal right to view and access your legal health record. It is a set of federal rules designed for health care providers, health insurance companies and other identified “covered entities” that control who can look at and receive your health information.  HIPAA regulations also ensure that your privacy is protected to the greatest extent, with best practice policies and safeguards in place to minimize any exposure or misuse.


Must Hugo comply with HIPAA?

No, we are working on behalf of health care consumers who are exercising their legal right to obtain, aggregate and use their own health information. Because we are not what the federal government considers a “covered entity”, Hugo is not subject to HIPAA regulations.


Just because Hugo is not legally required to be HIPAA compliant does it still meet its security standards?

YES! We respect your privacy and understand the importance of securing your information. Therefore we choose to meet the highest possible standards to earn your trust. We meet the technical, physical and administrative safeguard requirements defined by the HIPAA Security Rule to be considered “safe” with regards to privacy protection. 

In addition to following HIPAA security recommendations, Hugo adheres to the FTC's Security by Design Guidelines:

  • Data security is carefully considered for each component of the Hugo platform
  • Data is encrypted both in transit and at rest
  • Hugo is protected from common vulnerabilities
  • Our team stays current with knowledge of new vulnerabilities and keeps software appropriately updated

NETWORK PROTECTION. Hugo’s servers and supporting systems are protected from hackers and network intrusion using firewalls and other leading security measures.

CONTROLLED EMPLOYEE ACCESS. Certain Hugo employees and system administrators may need to access the Hugo system to provide operational / administrative support. Access rights are strictly controlled and access is only granted to those who require it to support the Hugo system and its users. All Hugo employees and subcontractors are required to sign confidentiality agreements and must undergo periodic HIPAA privacy and security training. Access to the system is only granted after validation of the user’s identification credentials, assigned role and system permissions.

USER PASSWORDS. Users must enter their username and password to be granted access to the Hugo system. These credentials are created by users upon registration and new account creation. Administrators will not have access to user passwords and passwords can only be reset by following a link sent by email upon user request.

ENCRYPTION. Encryption provides a secure way for users to exchange information with web sites via their web browsers by “scrambling” the information as it is submitted.  This makes it unusable to anyone who does not possess a protected decryption key to “unscramble” the information. Hugo provides encryption for user interactions through Secure Socket Layer (SSL) technology using a robust 256 bit encryption key. Hugo also leverages industry best practice encryption standards (e.g. S/MIME, X.509 certificates, TLS) whenever health information is transmitted in or out of Hugo.

PHYSICAL SITE SECURITY. The Hugo servers and supporting systems are physically secured and protected in Amazon Web Services' world class data centers in the United States. Access to the physical systems is carefully controlled by security measures including multiple levels of authentication requirements (e.g. user keys, biometrics), security guard and registry check-in requirements, and state of the art security monitoring and alerting systems.

TRACKING ACCESS AND DISCLOSURES. According to HIPAA standards, Hugo logs pertinent details anytime health information is viewed edited or exported in order to ensure the integrity of the system.