Frequently Asked Questions
I am trying to register but I keep seeing a circle with an arrow through it & am unable to register.
I am unable to save my registration information.
How can I add a new question to the intake form?
How do I save the questions I have selected in the intake form?
Items you select or questions/text that you add to the intake form are saved automatically.
How do I change to another Google calendar?
Contact email@example.com and we will assist.
When I send the intake form to my client is that HIPAA compliant?
Can I complete the intake form with my client?
Yes. On the client dashboard you can click to complete the client intake form together with the client.
What do S & A symbols mean on the client session appointment?
How do I set up outcome measures for my client?
Click on the menu bar. Click “Set Up Outcome Measures”. Choose up to five (5) outcome measures from our library or click the + icon and add your own. The outcome measures will appear in your session notes.
What are generic plans?
How do I add my own content to the lists in the management plans?
Click on the menu bar in the top right corner of the app. Click on ‘Set Up Plan Components’.
Here you can delete or add components.
How do I add a session note for a client?
Can I edit my session notes after they have been saved?
You cannot change a session note once it has been saved. However, you can add additional notes that will be date-stamped once you save them.
What are some of the security measures protecting data & information in Zmaaya?
The following security standards are applied to the Zmaaya platform:
- User ID & password protection for log in by subscribers
- Two factor authentication (2FA) for subscriber log in
- Time out for idle use
- All client data is encrypted in the back end
- Zmaaya is housed on the Amazon servers in the US
- The Zmaaya intake form is sent as a link via email. When the link is clicked the intake form opens on our servers. That means that no personal, private or confidential information is ever sent over email.
- The intake form link sent to clients expires after 48 hours. This reduces the risk of the email being opened by an unintended person.
- As a company we have our own internal Standard Operating Policies and Procedures for investigating & reporting data breaches
Is my data stored and transmitted securely in Zmaaya?
Your data is encrypted both in transit (between the browser and our servers) and also at rest (when stored on our servers).
- We use AES 256-bit encryption while transferring your data to/from our servers.
- We encrypt and store data on our servers using AES 256-bit encryption.
AES-256 is the industry standard for storing and transferring sensitive data. All backups of your data are also encrypted using AES 256-bit encryption.
We use TLS 1.2 to encrypt your data both between your browser and our servers and between our servers and other internal networks.
Is any of my data stored or processed using cloud-based services?
Yes, we use Amazon Web Services (AWS) and Box.com to store your data in the cloud.
What third-party service providers does Zmaaya use to store my data?
We use Amazon Web Services and Box.com to store your data in the cloud. Our core infrastructure is hosted using these two services. We have Business Associate Agreements (HIPAA BAA) and Data Processing Agreements which require these providers to meet the highest level of security and privacy for storing personal health information.
What data is stored using these providers?
Any documents you upload to Zmaaya will be stored in AWS. Any generated PDFs for completed forms, archived notes and protocols will also be stored here.
We use Box.com to facilitate our "Document Preview" feature within the portal. This allows PDFs, Word Docs and other document types to be viewed directly from the website without having to install 3rd party extensions or download files to your computer.
Do you have agreements with these third-party cloud providers?
We have HIPAA Business Associate Agreements and GDPR Data Processing Agreements with vendors which store and process data on our behalf.
How is my data protected from unauthorized access?
We have access controls, role-based authorization and IP whitelisting in place to restrict unauthorized access to cloud data.
Both AWS and Box.com adhere to strict SSAE 18 auditing and reporting standards for managing access to data stored in their systems.
Do these cloud service providers have the ability to permanently delete my data?
Yes, these providers are mandated to provide options (which we utilize) to completely wipe data from their servers.
What happens to my data in the event of a natural disaster?
Data is replicated across multiple redundant servers within our environment which mitigates the risk of loss of connectivity with one or more nodes (this guidance is specific to our AWS infrastructure - database and file servers).
How will I be notified of changes in third-party providers who will have access to my data?
Can I export my clients' data?
You can export client data by following the instructions here by making a written request to firstname.lastname@example.org
Your export will be provided as a CSV file which includes spreadsheets of data included in the client file and documents associated with your client.
Data you or your clients have created/uploaded to Zmaaya will be wiped completely from our system after 30 days either via automated batch processes or data retention rules defined in our infrastructure. For example:
- We have policies defined to limit database backups to a maximum of 30 rolling days.
- We run a nightly batch process to purge accounts (and related data) which have been marked for deletion by the practitioner or client.
Can I request a record of all accesses and transfers of personal health information associated with my clients?
We can provide a record of access/transfer of your clients' health information at your request. In general, we will only access your health information at your request to assist with troubleshooting issues related to your use of the system.
Can I be provided with a threat risk and privacy impact assessment of services provided through Zmaaya?
We can provide summarized reports of our regular vulnerability assessments. We generally conduct these assessments once per quarter and with the release of major features.
What policy do you have in place in the event of a data breach?
In the event of a data breach we will follow these procedures:
- Access to affected systems will be locked down
- Access credentials will be updated
- We will access the access logs and activity logs to determine the scope and impact of the breach
- Steps will be taken to determine how the breach occurred
- We will define steps to remediation (i.e. wipe data, update software code, increase logging)
- We will communicate the data breach to affected parties via email
We will provide notice of breaches of security or privacy to affected parties within 72 hours.