
Way To Health HIPAA Compliance Policies

Penn Medicine Way To Health ("W2H") is committed to ensuring the confidentiality, privacy, integrity, and availability of all electronic protected health information (ePHI) it receives, maintains, processes and/or transmits on behalf of its Customers. As a patient engagement and health research technology organization, W2H strives to maintain compliance, proactively address information security, mitigate risk for its Customers, and assure known breaches are completely and effectively communicated in a timely manner. The following documents address core policies used by W2H to maintain compliance and assure the proper protections of infrastructure used to store, process, and transmit ePHI for W2H Customers.

W2H provides secure and compliant software to administer behavioral change and patient engagement programs. Customers utilize the hosted software and infrastructure from W2H to research and deploy evidence-based approaches to engage patients in their health. W2H makes every effort to reduce the risk of unauthorized disclosure, access, and/or breach of Customer data through network controls (firewalls, dedicated IP spaces, etc.), server settings (encryption at rest and in transit, etc.), and application security requirements (password strength rules, account roles/privileges, etc.).

W2H does not act as a covered entity but rather as a provider of services to covered entities and other organizations. Certain aspects of our compliance are inherited from our hosting provider, Azure or Penn Medicine Academic Compute Services (PMACS), part of Penn Medicine Corporate IS, as appropriate. More details about Azure's HITRUST and HIPAA compliance posture are available for review here. Penn Medicine's policies and procedures are also incorporated into this document as relevant, given that W2H operates within the Penn Medicine umbrella.

Certain aspects of compliance cannot be inherited. Because of this, W2H, in order to achieve full compliance or HITRUST Certification, has implemented certain organizational policies.

Mappings of HIPAA Rules to W2H controls are covered in §2.

This policy was last updated on June 11, 2025.