HIPAA COMPLIANCE STATEMENT
PatientCalls.com provides customers with the tools, services, and products to facilitate compliance with HIPAA regulations.
Texting in Healthcare
HIPAA is the Health Insurance Portability and Accountability Act of 1996, which amends the Internal Revenue the speed, convenience, and reliability of text messaging has become the #1 form of communication in the United States, however, standard text messaging using the common Short Message Service (SMS) available on most phones is not secure and does not comply with HIPAA requirements. In 2011, the Joint Commission on Accreditation of Healthcare Organizations (JCAHO) issued a directive effectively banning the use of SMS for physician’s orders. With over 80% of physicians now using smartphones, the limitations placed on text messaging posed a serious problem for organizations as physicians demand a communication solution that offers the same speed and simplicity of SMS text messaging.
Does PatientCalls.com facilitate support for HIPAA requirements?
All businesses, regardless of their size, which engage in the handling, maintenance, storage, or exchange of private health or patient-related information, are subject to HIPAA. Health care organizations and technology partners, such as PatientCalls.com are committed in their efforts to ensure the confidentiality, integrity, and availability of all protected electronic information.
PatientCalls.com provides the health care enterprise a suite of security mechanisms to ensure the highest standards of patient confidentiality and overall data protection with regards to PHI and in accordance with HIPAA
HIPAA SECURITY STANDARDS
Security standards are divided into the following categories: administrative, physical, and technical safeguards.
Administrative Safeguards
- Documented, formal practices to manage the selection and implementation of security measures that protect information and guide the conduct of personnel in relation to the protection of information.
Physical Safeguards
- Practices to manage the protection of physical computer systems and related buildings and equipment from fire and other natural and environmental hazards, as well as from intrusion.
Technical Safeguards
- Processes that are put in place to protect and to control information access and data that is stored and transmitted over a communications network. PatientCalls.com assists organizations, not only with technical safeguards, but also with administrative and physical safeguard responsibilities under the HIPAA regulations.
The following chart summarizes the HIPAA specifications that can be supported by PatientCalls.com to complement a full security environment. Each set of safeguards is comprised of a number of standards, which generally consist of several implementation specifications that are either required (R) or addressable (A). An “implementation specification” is a detailed instruction for implementing a particular HIPAA Security Rule standard. While required specifications are mandatory – as the name suggests – addressable specifications must also be implemented if reasonable and appropriate under the circumstances. Addressable specifications are not optional. If the entity chooses to implement an addressable specification based on its risk assessment, it must document the rationale supporting that determination and, if reasonable and appropriate, implement an equivalent alternative measure.
HIPAA SECURITY STANDARDS AND IMPLEMENTATION SPECIFICATIONS
Abbreviated technical Safeguards Note:
(R) Required
(A) Addressable
- Access Controls (R)
- Unique User Identification (R)
- Emergency Access Procedure (R)
- Encryption & Decryption (A)
- Audit Controls (R)
- Notification and Archiving (R)
- Integrity (R)
- Mechanism to Authenticate ePHI (A)
- Transmission Security (R)
- Encryption (A)
- Physical Safeguards
- Facility Security Plan (R)
- Access Controls and Validation Procedures (R)
- Administrative Safeguards Note: (R)
- Required (A)
- Addressable Security Management Process (R)
- Risk Management (R)
- Information Access Management (R)
- Access Authorization (A)
- Contingency Plan (R)
- Data Backup Plan (R)
- Disaster Recovery Plan (R)
- HIPAA Security Rule Evaluation (R)
Although PatientCalls.com may be viewed as having the capabilities to assist only with the technical safeguards established by the HIPAA Security Rule, our technology and tools can also help with both administrative and physical safeguards, as outlined in the following pages. HIPAA security compliance is not achieved with a single piece of hardware, software, or process. All IT technologies and processes must be working in accordance to create an absolute and complete secure environment. Each security practice must be considered within an entity’s own technological environment once completing a full risk assessment. The following is a summary list of the HIPAA Security Rule standards and implementation specifications.
TECHNICAL SAFEGUARDS
The following outlines the general processes used to protect data and to control access to ePHI. They include authentication controls to verify sign-on’s and transmission security (such as data encryption) to protect the integrity and confidentiality of data.
Note: (R) Required, (A) Addressable
- Access Control (R)
- 164.312(a)
- (1) Implement policies and procedures for electronic information systems that maintain ePHI to allow access only to those persons or software programs that have been granted access rights.
- Unique User Identification (R)
Requirement | Assign a unique name and/or number for identifying and tracking user identity entity.
Specific Question:Does your organization require the use of unique user names for all workstations users?
[No sharing of accounts.] Each PatientCalls.com System ID can be associated with either a user’s unique email address or phone number.
PatientCalls.com’s Information Security policy does not allow the sharing of accounts. Also, based on your role either as a system admin or end-user, a specific user name is assigned to each individual provisioned on our mobile messaging platform. Again, any system ID (admin or user) is also paired and matched with an email address, phone number or device ID of their phone.
- Emergency Access Procedure (R)
Requirement | Establish (and implement as needed) procedures for obtaining necessary ePHI during an emergency.
Specific Question:In the event normal communication methods are unavailable, such as during an emergency, will the client be able to obtain necessary ePHI information as needed?
Emergency access procedures are necessary when normal procedures for messaging access, mobile device in particular, may not be feasible due to data connection availability from the mobile carrier. In that case, PatientCalls.com clients can use the Web Client to send and receive messages. If “normal communication” (via user’s personal mobile device) is either inaccessible or unavailable, ePHI information can still be obtained. Each user will have ancestor Web Client given the availability of a PC or workstation with an internet connection. Via a web browser, users can log into a secure portal using their existing credentials sotto retrieve message data and/or send out any new messages.
- Audit Control (R) 164.312(b)
Requirement | Implement hardware, software, and/or procedural mechanisms that record and examine activity in any system that contains or uses ePHI.
- Notification and Archiving (R)
Specific Question:Does your organization have procedures and/or mechanisms to track and record activity on systems containing ePHI and customer data?
With PatientCalls.com, notification indicators display when a message has been received and opened. Further message activity can be retrieved by implementing our open interface into most standard archiving solutions. PatientCalls.com can configure logging and auditing on our SaaS-70type II platform. In additional, PatientCalls.com can also provide a direct feed from our servers to our clients of all message activity. PatientCalls.com provides message delivery status and audit controls. In order to provide traceable, detailed delivery and receipt information. The PatientCalls.com application clearly indicates when the message was received on the device and when the recipient opened it. Additional tracking is also provided through archiving procedures. PatientCalls.com allows full flexibility to leverage existing deployed solutions for archival, retrieval, and monitoring.
- Integrity (R)
- 164.312(c)(1) Implement policies and procedures to protect ePHI from improper alteration and destruction. Mechanism to Authenticate ePHI (A)
Requirement | Implement electronic mechanisms to corroborate that ePHI have not been altered.
Specific Question:Does your organization have procedures and tools to protect electronically transmitted ePHI from unauthorized access and/or modification?
Messages sent via PatientCalls.com cannot be copied or forwarded thus protecting the integrity of the message and preventing harmful unnecessary data exposure. All electronically transmitted data (ePHI and related) is encrypted using SSL encryption (128/256-bit). Data-at-rest on the mobile devices is also AES encrypted. Messages cannot be copied, pasted, or forwarded therefore enhancing standard security and privacy controls that support message data integrity. Messages are tightly encapsulated and can be configured to travel only within a defined private network.
Transmission Security 164.312(e)(1) Implement technical security measures to guard against unauthorized access to ePHI that is being transmitted over an electronic communication network.
Encryption and Decryption (A) Requirement | Implement protection of data-at-rest and data-in-motion.
Specific Question:Are controls and procedures in place to encrypt and decrypt data at rest, in transit, and in storage?
PatientCalls.com uses a combination of Secure Sockets Layer (SSL) protocol to create a uniquely encrypted channel for private communication of health care data in motion. This is followed by Advance Encryption Standard (AES) encryption for data–at–rest. PatientCalls.com thus provides total coverage for moving any type of sensitive data to/from mobile devices through its secure messaging platform.
ADMINISTRATIVE SAFEGUARDS
In general, this section of the HIPAA Security Rule describes administrative procedures that include formal practices governing the implementation of security measures and the conduct of personnel.
Security Management Process (R) 164.308(a)(1)(i)
Requirement | Implement policies and procedures to prevent, detect, contain, and correct security violations.
Risk Management/Analysis (A)
Requirement | Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.
Specific Question:Are risk assessments regularly performed?
All relevant information technology and computing resources are identified, diagramed and documented. yes, both internal and external risk assessments are regularly per formed to identify risks and vulnerabilities that may impact the client’s PHI/ePHI data. Both our application and hosting environments have been assessed for risk and vulnerabilities. Important to note is that, based on our model of data retention as messages are processed through our secure mobile messaging platform, our client’s PHI/ePHI data exposure is very limited or almost none. Based on the life span setting (TtL) of messages sent, once a message is deleted,the message is deleted from the sender’s device,the recipient’s device and all servers. Our controls are designed to support the value of sensitive data, in that, it should be removed when necessary versus managing message storage endlessly on mobile devices thus creating huge data exposure risk across every mobile phone device in your organization.this also has reduced Discovery efforts as well.
Information Access Management (R) 164.308(a)(4)(i)
Requirement | Implement policies and procedures for authorizing access to ePHI that are consistent with the entity’s determinations under the HIPAA Privacy Rule.
Specific Question: Has your organization implemented policies for ensuring the confidentiality and privacy of customer data?
PatientCalls.com’s solution enforces restricted access to help safeguard the integrity and proper use of ePHI. In addition, all of our employees, administration, and development are local. We do not use offshore outsourcing for service creation or delivery, thereby limiting the risk associated to access management. But again, any data’s life span (TTL) on our infrastructure is on a restricted time frame. Data is flushed regularly based on the life span setting. Once deleted, data is permanently removed. We are not a data storage company so we do not retain or keep data beyond the life span setting.
Access Authorization (A)
Requirement | Implement policies and procedures for granting access to ePHI.
Specific Question: Has your organization implemented procedures for granting employees access to customer data, while ensuring the ongoing protection of the information from inappropriate or malicious activities?
Yes, PatientCalls.com is a fast-maturing startup but our mission is to provide the controls and security that enterprise clients demand. Our policies and procedures limit or, in almost every case, restrict any access internally to ePHI data because we are only a “pass-through” for that data. We don’t process or analyze the data, just route it from source to destination. We do have an information security policy for the organization and are quickly maturing to meet our future goal of becoming ISO compliant. In turn, this will allow us as an organization to not only meet ISO requirements for security but Co Bit, NIST and HIPAA A as well. However, we ha veto balance this effort along with allocating resources to continue to build and mature our product offering. Through the steps we have taken to ensure strong access authorization controls, we feel we are progressive in terms of security posture given the size and scope of our company. Only approved users can retrieve client data in any sensitive area of our application, based on their role in the company. We regularly inspect the access rights of our IT staff, as well as monitor their activity. The level of data access is granted solely on the basis of the internal employee’s job function.
Data Backup Plan (R) 164.308(a)(7)(ii)(a)
Requirement | Implement policies and procedures to support execution of proper data backup plans.
Specific Question:Has your organization implemented procedures for ensuring the ongoing availability of customer information, while ensuring the integrity of the data?
Yes, PatientCalls.com believes that superior technology necessitates consciousness for security. With that, we strive to effectively promote and employ industry standards and best practices for our product’s implementation, utilization, and protocols. This is how we ensure confidentiality, availability, and integrity while the client’s data always remains secure. We have operating procedures and processes to allow for specific client requirements for data backup. We can configure this capability specifically for the client or provide them a feed so that it can be performed, managed, and stored by the client according to their electronic communication data retention policies.
Disaster Recovery Plan (R) 164.308(a)(7)(ii)(b)
Requirement | Implement policies and procedures to support execution of proper data recovery plans.
Specific Question:Has your organization developed procedures for restoring data in the event of a disaster or widespread emergency?
yes, based our Business Continuity Plan (BCP) and Disaster Recovery (DR) procedures we can work with our clients to restore data based on each client’s specific RTO (recovery time objective.) Depending on any specific needs, we can outline any additional processes to assure we can meet our client’s backup and restoration requirements. PatientCalls.com’s high availability infrastructure provides fault tolerance and redundancy.
HIPAA Security Rule Evaluation (R) 164.308(a)(8)
Requirement | Implement policies and procedures to support execution of proper data recovery plans.
Specific Question:Has your organization performed a self or external evaluation of your operations, in accordance with the HIPAA Security Rule?
Yes, as part of our policy to promote security and compliance to ISO, NIST and HIPAA regulations, we conduct self-evaluations yearly to measure progress and maturity in this area. We continue to improve both direct IT controls and any compensating control as needed to make sure we are always compliant with these regulations.
PHYSICAL SAFEGUARDS
This category focuses on the mechanisms required for the protection of physical computer systems, equipment and the buildings in which ePHI are stored.
Facility Security Plan (R) 164.310(a)(2)(ii)
Requirement | Implement policies and procedures to support strong controls for physical access controls.
Specific Question:Have procedures and controls been implemented to safeguard your facility(s) and equipment from unauthorized physical access or theft?
Yes, PatientCalls.com has a physical security policy that outlines procedures and controls to support unauthorized physical access or theft of any data in our office and data center locations. In fact, customer data is neither kept nor stored in our office environment. All message data securely routes directly through our tier-IV SaaS- 70type II hosted infrastructure.
Access Controls and Validation Procedures (R) 164.310(a)(2)(iii)
Requirement | Implement policies and procedures to support strong controls for physical access controls.
Specific Question:Have procedures been implemented to control and validate a person’s access to your facilities, especially data centers?
Yes, a pin code is required for building access and office access keys are only provided to key personnel fortnight access controls. All sensitive data contracts, HR documents, etc. are in locked file cabinets. Important to note is that NO client message data (PHI or other) actually resides at our office location (internal workstations, servers or laptops). Data center access controls follow SaaS-70type II standards and procedures as well as industry best practices.
ORGANIZATIONAL REQUIREMENTS
This category focuses on overall organizational requirements in order to understand general practices effecting business associate obligations and patterns.
Business Associate Pattern of Activity (R) 164.314 (a)(1)(ii)
Requirement | Understanding of policy and regulatory violations.
Specific Question: Have any HIPAA A Security Rule violations occurred during the last fiscal year?
No, PatientCalls.com has not had any violation of HIPAA Security Rules.
Business Associate Contracts (R) 164.314 (a)(1)(i)
Requirement | Understanding of BA Contracts.
Specific Question: Between client and your organization (aka: BA), will your organization satisfy the following Security Rule obligations:
Yes, we are prepared to satisfy all requirements related to Business Associate.
1.the BA will implement safeguards to reasonably protect ePHI that it receives or transmits on SJHS’ behalf.
2.the BA will ensure that anyone who it provides ePHI to agrees to implement reasonable safeguards to protect client’ data.
3.the BA will report to client of any security incidents, of which it becomes aware.
Will the client be authorized to terminate the contract if SJHS determines that the BA has violated a material term?
Even though we act only as a messaging channel, our SaaS-70 supported infrastructure is designed to facilitate secure and private messages from source to target users in your organization.
SUMMARY
Mobile messaging will continue to grow at a fast, consistent pace in the years to come and is primarily driven by two factors:
Consumer Demand
- Consumers’ demand for enhanced data from businesses with which they interact.
- The need for mobilization of the workforce increases.
- There is a greater need to reduce overall corporate costs.
- Companies require faster decision-making.
- The greater demand for employee efficiency.
- Requirements for better overall customer service increase.
The scarcity of primary care doctors is also forcing health care providers to look for ways to utilize mobile technology to increase efficiency, improve patient care and drive new business to their practice, without compromising on compliance with HIPAA standards.
PatientCalls.com took the initiative to enhance existing SMS and created a purpose-built solution for the health care sector that provides an easy-to-use, cost-effective, extremely secure and bi-directional mobile platform.
With PatientCalls.com for Business, it is now so much easier to communicate to emergency departments for procuring information and scheduling logistics. Even medical transcription companies are utilizing text messaging to expedite the process and route information effortlessly to the concerned physician at a moment’s notice. As an organization, PatientCalls.com values all aspects of security including its development of secure products, its people, and the supporting technology infrastructure.
Text Messages must be delivered only to the requesting recipient PatientCalls.com or Business provides message delivery status and audit controls. In order to provide traceable, detailed delivery and receipt information, the PatientCalls.com for Business application clearly indicates when the message was received on the device and when it was acknowledged by the recipient.
PatientCalls.com has recently started the process of establishing a security roadmap that leads to future ISO 27002 certification, on-going external 3rd party risk assessments and testing and as well as planning for execution on a formal HIPAA compliance, development, risk assessment, and audit programs. These programs have been initiated by the CEO and the executive team as part of PatientCalls.com’s commitment to overall security best practices and to making sure customers are confident in their ability to remain compliant to HIPAA and other regulations while deploying the PatientCalls.com Secure Mobile Messaging solution in their organizations. Secure Data Centers Data centers should be secure and regularly assessed for security controls through on-going risk assessments.
PatientCalls.com has partnered with industry leaders for data center services. Data centers are tier–IV, SaaS–70 type II Certified and as well ISO 27001 compliant, providing SL As at 99.95% for availability. Through this partnership, PatientCalls.com reinforces its core commitment to customers in regards to HIPAA Compliance through support for security, privacy, scalability, and redundancy.
Encryption
Encrypted to protect electronic health information from unauthorized access while being transmitted over electronic networks.
- PatientCalls.com uses a combination of “Secure Sockets Layer” (SSL) protocol to create a uniquely encrypted channel for private communication of health care data in motion. This is followed by “Advance Encryption Standard” (AES) encryption for data at rest. PatientCalls.com for Business thus provides total coverage for moving any type of sensitive data to and from mobile devices through its secure messaging platform.
- Archival, Retrieval, and Monitoring Requirements for Electronic Messaging – It is evident that data archiving, retrieval and monitoring will be a key element in any customer-centric SMS, text messaging solution for the health care industry. This is relevant for both security and regulatory purposes.
- PatientCalls.com or Business solution allows full flexibility to leverage existing deployed solutions for archival, retrieval, and monitoring. There is also the option to deploy with PatientCalls.com for Business and leverage its own capabilities for the required functions. PatientCalls.com for Business has robust archiving, retrieval, and monitoring capabilities that support not just the present-day compliance requirements for SMS, text messaging but future concerns as well. Layered on top of PatientCalls.com’s rich core architecture is an extensible framework that allows seamless integration into other solution providers for enhanced compliance capabilities.
Contact PatientCalls.com Sale steam
Phone: 866-333-7922
mail: [email protected]