Trust your sensitive data to Toloka with HIPAA compliance

Toloka Team

Data privacy and security are always top of mind at Toloka. This year we've renewed our ISO/IEC 27001 status and extended it with ISO/IEC 27701 certification. However, companies that collect or label personal health information face stringent requirements for handling this sensitive category of data. We are happy to announce that Toloka is also compliant with HIPAA to safely manage health data.

This blog post will explore why HIPAA compliance is essential and how Toloka ensures maximum security.

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) is a United States federal law formulated to protect the privacy and security of individuals' medical records and other personal health information. The law's main objective is to prevent healthcare fraud, ensure that all protected health information (PHI) is appropriately secured, and restrict access to health data to authorized individuals. Organizations that handle PHI must secure the data by implementing measures such as encryption, access control, authentication, audit trails, and more.

Under this law, Toloka plays the role of “business associate” — an entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.

Medical data labeling with confidence

Now that we've confirmed HIPAA compliance, you can trust Toloka with healthcare-related data labeling projects and rest assured that your data is safe. We have reviewed our security practices and conducted a mapping between HIPAA requirements and controls from ISO 27001 and 27701. Our procedure for projects involving PHI includes a consent form for data collection tasks and a Business Associate Agreement, as required by HIPAA regulations.

You can be confident that Toloka operates a secure platform for storing and transmitting sensitive categories of data while staying compliant with HIPAA policies.

How Toloka ensures maximum security

Personal health data can be extra sensitive. We focus on several important steps to protect PHI on the Toloka platform.

Annotator management

For data labeling tasks that involve PHI, we don't recommend using our public crowd of Tolokers. Instead, we carefully select annotators from our team of vetted experts and BPOs. Each annotator signs a non-disclosure agreement, where they agree to preserve the strict confidentiality of the data they handle and accept responsibility for non-compliance. We impose strict requirements for data management and monitor the data labeling process.

Access control

Our access control policy governs our internal operations. The policy follows the Principle of Least Privilege, ensuring that access is granted only when essential for specific tasks. The use of unique user IDs is mandated both internally and externally, with personalized accounts in Azure Active Directory. Employees use Single Sign-On (SSO) for authentication using Toloka credentials. In addition, Role-Based Access Control (RBAC) ensures that any action is permitted only after permission verification.

Encryption

We always encrypt all personal data to prevent unauthorized access. All data entrusted to us is stored using Azure Encryption.

For a more detailed look at how we do privacy and security, please refer to our security center.
