HIPAA Shared Responsibility
Effective Mar 1, 2019
Overview
FunFangle is a platform for on-site operations at camps, recreation facilities, and similar organizations. Some of these organizations collect health-related information such as allergy notes, medical conditions, and dietary restrictions. Protecting this data is a shared responsibility between FunFangle and the organizations that use our platform.
This page describes how that responsibility is divided, what FunFangle provides, and what your organization is responsible for.
FunFangle’s HIPAA Status
The Health Insurance Portability and Accountability Act (HIPAA) applies to Covered Entities (health plans, healthcare providers that transmit health information electronically, and healthcare clearinghouses) and their Business Associates (organizations that handle Protected Health Information on behalf of a Covered Entity).
Most organizations that use FunFangle, including school districts, camps, and recreation programs, are not HIPAA Covered Entities. Under federal law, student health records maintained by schools as part of the education record are governed by the Family Educational Rights and Privacy Act (FERPA), not HIPAA. This distinction is confirmed by joint guidance from the U.S. Department of Health and Human Services (HHS) and the U.S. Department of Education.
FunFangle is therefore not a HIPAA Covered Entity or Business Associate for the vast majority of its customers. However, FunFangle voluntarily applies HIPAA-aligned safeguards to all health-related data as a matter of policy, regardless of whether HIPAA legally applies.
What “HIPAA-Aligned” Means
When we say FunFangle is HIPAA-aligned, we mean that our platform implements safeguards that parallel the requirements of the HIPAA Security Rule and Privacy Rule, organized across three categories defined by HIPAA: administrative, physical, and technical safeguards.
FunFangle’s Responsibilities
As the platform provider (referred to as “Us” or “We” or “JP Greze” in the Software License Agreement), FunFangle is responsible for the following safeguards:
Technical Safeguards
- Encryption at rest. All data at rest is encrypted using industry-standard encryption.
- Encryption in transit. All data transmitted between your devices and FunFangle servers is protected by TLS encryption.
- Role-based access controls. The platform supports role-based permissions to restrict access to health-related data.
- Audit logging. Access to and modifications of health-related data are logged for accountability and review.
- Organization isolation. FunFangle’s multi-tenant architecture uses logical data isolation, where each organization’s data is separated by key and every API request is scoped to the authenticated user’s organization.
- Automatic session management. Sessions that are not actively used expire automatically.
Administrative Safeguards
- Use limitation. Health-related data is used to provide the contracted service and is not used for marketing or unrelated secondary purposes.
- Incident response. FunFangle has a documented incident response process with defined notification timelines. In the event of a data breach affecting your organization, we will notify you and provide the information needed to assess the impact.
- Subprocessor management. Third-party services that handle customer data are bound by appropriate data protection terms. A current subprocessor list is available upon request.
- Periodic security review. FunFangle conducts periodic security assessments and maintains a compliance gap register.
Physical Safeguards
- Cloud infrastructure. FunFangle runs on Amazon Web Services (AWS), which maintains SOC 2 and ISO 27001 certifications. AWS aligns its HIPAA risk management program with FedRAMP and NIST 800-53, more rigorous control frameworks whose controls map to the HIPAA Security Rule. NIST supports this alignment in SP 800-66, "An Introductory Resource Guide for Implementing the HIPAA Security Rule," which documents how NIST 800-53 controls align to the HIPAA Security Rule. Physical access controls, environmental protections, and redundancy are managed by AWS.
Your Organization’s Responsibilities
As the end user (referred to as “You” in the Software License Agreement), your organization is responsible for:
Access Management
- User account provisioning. You control who has access to the platform and at what permission level. Only authorized personnel should be granted roles that can view health-related data.
- Account deactivation. When staff members leave your organization or change roles, you are responsible for removing or adjusting their access promptly.
- Credential security. You are responsible for ensuring that account credentials are kept confidential and not shared between individuals.
Workforce Training
- Privacy awareness. Your staff who access health-related data should understand your organization’s privacy policies and the sensitivity of the information they handle.
- Acceptable use. Your organization should establish and enforce policies for appropriate use of the platform, including rules about accessing health data only when necessary for job duties.
Policy and Compliance
- Applicable law compliance. Your organization is responsible for understanding and complying with the laws that apply to you, whether FERPA, HIPAA, state student data privacy laws, or other regulations.
- Data accuracy. You are responsible for the accuracy of health-related information entered into the platform.
- Breach notification to individuals. If a data breach occurs that affects individuals in your organization, you are responsible for notifying those individuals as required by applicable law. FunFangle will notify your organization and provide the information needed to support your notification process.
Data Governance
- Data minimization. You should collect only the health-related information that is necessary for your operations.
- Retention and disposal. You are responsible for determining how long health-related data should be retained and for requesting deletion when it is no longer needed.
Organizations That May Be HIPAA Covered Entities
Some organizations may qualify as HIPAA Covered Entities for a portion of their operations. If your organization believes it is a Covered Entity and that the data you store in FunFangle may constitute Protected Health Information (PHI), please contact us to discuss whether a Business Associate Agreement (BAA) is required. We can work with you to put the appropriate agreements in place before go-live.
Questions
If you have questions about FunFangle’s data protection practices or need documentation for an RFP, audit, or compliance review, contact us.
This document describes FunFangle’s data protection posture as of the effective date above. It is not legal advice. Your organization should consult its own legal counsel to determine which laws and regulations apply to your specific situation. For the authoritative source on HIPAA requirements, refer to the U.S. Department of Health and Human Services HIPAA page.