The Health Insurance Portability & Accountability Act of 1996 (HIPAA) is a federal law that requires that all medical records and other individually identifiable health information that is used or disclosed, whether electronically, on paper, or orally, be kept confidential. The Act gives patients the right to understand and control how their health information is used. HIPAA penalizes entities that misuse personal health information. In general, to be HIPAA-compliant, a website must at a minimum ensure that all electronic protected health information (ePHI) adheres to the following rules:
- Transport Encryption: Is always encrypted as it is transmitted over the Internet
NeighborsTelehealth.com has taken steps to ensure that the site is secure and protected by Secure Sockets Layer (SSL) and that the site is accessed via https:// only. Pages that collect or display protected health information, that are used to log users in, or that transmit authorization cookies are protected by SSL and are not accessible without it. The use of SSL meets HIPAA's data transmission security requirement for communications between the end user and the website. Encrypting the data allows authorized personnel to decrypt and view secure messages over a secure channel from anywhere.
- Backup: Is never lost, i.e. should be backed up and can be recovered
NeighborsTelehealth.com ensures that all Protected Health Information (PHI) stored within the website or collected from the website is backed up and can be recovered in case of an emergency or accidental deletion. The PHI stored in backups is also protected by security and authorization controls.
- Authorization: Is only accessible by authorized personnel using unique, audited access controls
NeighborsTelehealth.com ensures that access to the protected health information that resides on the website is restricted to authorized individuals only, and that logins and data accesses remain auditable.
- Integrity: Is not tampered with or altered
NeighborsTelehealth.com keeps patient information encrypted and/or digitally signed, using SSL encryption for stored data, and all integrated web forms use special scripts to encrypt the submitted forms. Secure Sockets Layer (SSL), through its many configuration options, defines the specific encryption algorithm and the secure hashing (message fingerprinting and authentication) that are used.
- Storage Encryption: Should be encrypted when it is being stored or archived
NeighborsTelehealth.com also ensures that data being stored and/or archived is encrypted at rest. It is only accessed and decrypted by people with the appropriate keys and authorization. In other words, encrypting the user's data at rest keeps backups secure, protects the data from access by unauthorized people, and generally protects the data even while in storage, using proper storage encryption techniques.
- Disposal: Can be permanently disposed of when no longer needed
NeighborsTelehealth.com ensures that all data that is backed up and/or archived is properly disposed of, with defined expiration dates after which the data is automatically deleted. Data stored at rest remains encrypted at all times.
- Business Associates Agreement: Is entered into with all outside vendors
NeighborsTelehealth.com ensures that signed Business Associate Agreements are in place with all outside vendors. The agreements ensure that vendors follow the HIPAA Security Rule requirements with respect to data and servers and provide an infrastructure that is HIPAA compliant.
A Notice of HIPAA Privacy Practices containing a complete description of the uses and disclosures of health information is provided below:
NeighborsTelehealth.com maintains SSL certificates and HTTPS standards for all web-based access to PHI. The software portal exceeds encryption standards by securing data with the FIPS 140-2 certified 256-bit Advanced Encryption Standard (AES). User authentication and automatic inactivity logoff comply with National Institute of Standards and Technology Special Publication 800-63 and HIPAA Part 164. In addition, in accordance with the HIPAA de-identification standard, patients must authenticate using two identification methods when submitting an online visit request. Furthermore, the platform includes:
- Private firewall services with virtual private networks
- Production servers are separate from database servers and web servers
- Offsite backup or IT disaster recovery methods
- Private IP addresses
- Antivirus solutions
- Operating system patch management, and
- Policies in place to address data transmission over the Internet through e-mail, private networks and private clouds and HIPAA Privacy Practices
The technology platform uses encryption in transit and at rest, which prevents unauthorized access to transmitted data.
Another method used to safeguard patient privacy is peer-to-peer networking, which conceals the internet connection, along with the identities and locations of all participants, and reduces the chance of accidental or intentional data breaches.
Limited Data Storage
The video transmissions involved in a telemedicine visit are not currently stored, but on request they can be stored on HIPAA-compliant servers.
Business Associate Agreement
Technology vendors that provide solutions for medical practices are generally considered "Business Associates" under HIPAA guidelines. The vendor and the provider must enter into an agreement that extends to the vendor the responsibility to comply with all HIPAA rules.