HIPAA REQUIREMENTS
|
HOW SAFETYSEND MEETS THOSE REQUIREMENTS
|
(1)Ensure
the confidentiality, integrity, and availability of all electronic
protected health information the covered entity creates, receives,
maintains, or transmits.
|
Allows the covered entity a secure method to transfer
PHI from sender via interim custody and delivery. Validates
transfer of custody to authenticated recipient at each interval.
Provides remote storage of PHI in secure folders in an uncorrupted
form; transmission is via encrypted channel to a verified recipient.
|
(2) Protect
against any reasonably specification is a reasonable and appropriate
safeguard in its environment, when analyzed with reference to the
likely contribution to protecting the entity's electronic protected
health information;
|
Authentication is
required to access any secured data on the system. Each data
exchange is verified by the system during a documents transfer of
custody and summarily applied to an audit trail. This dynamic
authentication method is established by the creation and use of a
personal password system including generation of temporary passwords to
assigned known recipients. Timed “log out” protects against
unauthorized system access at defined intervals or by manual
exit. System provides automatic virus filtering and updating;
Spam filtering; spyware removal on demand.
|
(3) Protect
against any reasonably anticipated uses or disclosures of such
information that are not permitted or required under subpart E of this
part.
|
Requires
user authentication upon each timed entrance to the secure
communication system
|
(4) Ensure
compliance with this subpart by its workforce.
|
Sanction
is established by the covered entity; compliance is under purview of
entity designated “system administrator”. Executed at the direction of
the System Administrator.
|
(b)
Flexibility of approach.
|
|
(1) Covered
entities may use any security measures that allow the covered entity to
reasonably and appropriately implement the standards and implementation
specifications as specified in this subpart.
|
Adaptable
to evolution of HIPAA regulation without need for software upgrades to
individual user terminals or computers. Adaptations are implemented
throughout the system to all users. Changes or modification of HIPAA
regulation are implemented for all client users as they become law.
|
(2) In deciding
which security measures to use, a covered entity must take into account
the following factors
|
|
(i)
The size, complexity, and capabilities of the covered entity.
|
Scalable to over
100,000 users in each domain or larger size of operation when adapted
without regard to the number of authorized and authenticated users.
Message, document and image size are unrestricted.
|
(ii) The covered
entity's technical infrastructure, hardware, and software security
capabilities.
|
Does
not rely on the hardware or software of the covered entity - operates
on proprietary code and secure servers established specifically for
this purpose.
|
(iii) The costs
of security measures
|
Clients
are not charged for increased security upgrades or modifications on an
individual basis. System upgrades, security
improvements
and changes in functionality are implemented at the secure server
application and immediately applied throughout the system
|
(iv) The
probability and criticality of potential risks to electronic protected
health information
|
Reduces
the risk of loss probability with identified controls of access and
untraceable dissemination. Access is limited; transmissions are
auditable; receipts are auditable; users are authenticated and
identifiable.
|
§ 164.308
Administrative safeguards.
|
|
A covered entity
must, in accordance with
§ 164.306:
|
SafetySend
conforms to § 164.306
|
(1)(i) Standard:
Security management process. Implement policies and procedures to
prevent, detect, contain, and correct security violations.
|
Security
procedures are designed to detect and record attempts at unauthorized
access and immediately notify network administrators of excessive
password violations, attempted transfer of computer viruses,
containment of potentially harmful files and renders activities to a
security log. Individual tools are made available to each user
for the detection and removal of viruses, spyware and other
compromising software from our main menu.
|
(A) Risk analysis
(Required). Conduct accurate and thorough assessment of the potential
risks and vulnerabilities to the confidentiality, integrity, and
availability of electronic protected health information held by the
covered entity.
|
The
secure network is only available to it’s authenticated users; provides
continuous encryption of internal and external transmission of PHI;
conducts daily modification of intrusion and invasion by outside
parties by conducting modification of code algorithms to negate
intrusion. SafetySend also provides additional detection tools to
assess potential security vulnerabilities of each individual computer
|
(B) Risk
management (Required). Implement security measures sufficient to reduce
risks and vulnerabilities to a reasonable and appropriate level to
comply with § 164.306(a)
|
Requires
two levels of authentication initiate user identification;
multi-challenge verification to change password. The use of proprietary
code; application of processing algorithms, virus filters, and secure
firewall are updated no less than once per day.
|
(C) Sanction
policy (Required). Apply appropriate sanctions against workforce
members who fail to comply with the security policies and procedures of
the covered entity.
|
Sanction
policy is established by the covered entity on the SafetySend system –
termination or suspension is established by entity “system
administrator”. In the case of an individual client or the
identified violation by a client user within the entity, the individual
is responsible for compliance with the policies and procedures of
Safety Send, Inc. that are in concert with HIPAA. Violation of
those policies and procedures constitutes immediate suspension of
privileges to use the SafetySend system.
|
(D) Information
system activity review (Required). Implement procedures to regularly review
records of information system activity, such as audit logs, access
reports, and security incident tracking reports.
|
Provides
system activity review under an “audit trail” by retained history of
“secure” transmissions outside the SafetySend system as well as equal
history transmissions within the SafetySend system.
|
(2) Standard:
Assigned security responsibility. Identify the security official who is
responsible for the development and implementation of the policies and
procedures required by this subpart for the entity.
|
The
entity designates their “System Administrator” who becomes the assigned
responsible party. This system administrator has access to
review, modify or suspend user privileges.
|
(3)(i) Standard:
Workforce security. Implement policies and procedures to ensure that
all members of its workforce have appropriate access to electronic
protected health information, as provided under paragraph (a)(4) of
this section, and to prevent those workforce members who do not have
access under paragraph (a)(4) of this section from obtaining access to
electronic protected health information.
|
Specific
access is authorized by the System Administrator. Non Access and
Sanction policy is established by the covered entity – termination or
exclusion is established by entity “system administrator”.
Authorized access requires two levels of authentication initiate client
user identification; dual identity verification to change password
|
(ii)
Implementation specifications:
|
|
(A) Authorization
and/or supervision (Addressable). Implement procedures for the
authorization and/or supervision of workforce members who work with
electronic protected health information or in locations where it might
be accessed.
|
Authorization
is addressed in (2) & (3)(i)(a)(4)
|
(B) Workforce
clearance procedure (Addressable). Implement procedures to determine
that the access of a workforce member to electronic protected health
information is appropriate.
|
System
Administrator establishes clearance procedure and authorizes access to
system. Individual client users self administrate.
|
(C) Termination
procedures (Addressable). Implement procedures for terminating access
to electronic protected health information when the employment of a
workforce member ends or required by paragraph (a)(3)(ii)(B) of this
section.
|
Non
Access and Sanction policy is established by the covered entity –
termination or exclusion is established by entity “system
administrator”. Authorized access to SafetySend requires two
levels of authentication initiate client user identification; dual
identity verification to change password. System Administrator has
authority to deny access to any user. In the case of an
individual client or the identified violation by a client user within
the entity, the individual is responsible for compliance with the
policies and procedures of Safety Send, Inc. that are in concert with
HIPAA. Violation of those policies and procedures constitutes immediate
suspension of privileges to use the SafetySend system.
|
4)(i) Standard:
Information access management. Implement policies and procedures for
authorizing access to electronic protected health information that are
consistent with the applicable requirements of subpart E of this part
|
SafetySend
policies and procedures are consistent with subpart E.
|
(ii)
Implementation specifications:
|
|
(A) Isolating
health care clearinghouse functions (Required). If a health care
clearinghouse is part of a larger organization, the clearinghouse must
implement policies and procedures that protect the electronic protected
health information of the clearinghouse from unauthorized access by the
larger organization.
|
SafetySend
does not operate as a clearinghouse.
|
(B) Access
authorization (Addressable). Implement policies and procedures for
granting access to electronic protected health information, for
example, through access to a workstation, transaction, program,
process, or other mechanism.
|
Access
to all PHI in the system requires two levels of authentication; proper
user identification and password; dual identity verification to change
password. The use of proprietary code; application of processing
algorithms, virus filters, and anti hacking shields are updated no less
than once per day.
|
(C) Access
establishment and modification (Addressable). Implement policies and
procedures that, based upon the entity's access authorization policies,
establish, document, review, and modify a user's right of access to a
workstation, transaction, program, or process.
|
Sanction
policy is established by the covered entity – termination or exclusion
is established by entity “system administrator”. In the case of
an individual client or the identified violation by a client user
within the entity, the individual is responsible for compliance with
the policies and procedures of Safety Send, Inc. that are in concert
with HIPAA. Violation of those policies and procedures
constitutes immediate suspension of privileges to use the SafetySend
system. SafetySend requires two levels of authentication to
initiate client user identification; dual identity verification to
change password.
|
(5)(i) Standard:
Security awareness and training. Implement a security awareness and
training program for all members of its workforce (including
management).
|
Users
are notified on no less than on an annual basis of the security
requirement of HIPAA and at such times as those security requirements
may be amended. Acknowledgement is required to avoid suspension of
access to SafetySend.
|
(ii)
Implementation specifications. Implement:
|
|
(A) Security reminders
(Addressable). Periodic security updates.
|
Daily
review and update of security components.
|
(B) Protection
from malicious software (Addressable). Procedures for guarding against,
detecting, and reporting malicious software.
|
Proprietary
code guards against malicious software and reports intrusion attempts
to the targeted user via constant monitoring and exclusion of malicious
software. Virus and Spam filters are constantly active.
|
(C) Log-in
monitoring (Addressable). Procedures for monitoring log-in attempts and
reporting discrepancies.
|
Requires
two levels of authentication to initiate client user identification;
dual identity verification to change password. An 8 digit – alpha
–numeric password is required to enter the system. Failure to enter
requires confidential answers to two levels of specific questions to
acquire a temporary password, then re-establishment of an active
password.
|
(D) Password
management (Addressable). Procedures for creating, changing, and
safeguarding passwords.
|
An
8 digit – alpha –numeric password is required to enter the
system. SafetySend requires two levels of authentication initiate
client user identification; dual identity verification to change
password. The use of proprietary code; application of processing algorithms,
virus filters, and anti hacking shields are updated no less than once
per day.
|
(6)(i) Standard:
Security incident procedures. Implement policies and procedures to
address security incidents.
|
Authentication
upon system entrance; verified change of custody by receipt by
established password or temporary password to known receiver; timed
“log out” of the system at 10 minutes automatically or by manual exit;
automatic virus filtering and updating; spyware removal on demand.
Users are notified of intrusion incident attempts. Non compliance
incidents by a user are suspended until suspension is released by
System Administrator.
|
(ii)
Implementation specification: Response and Reporting (Required).
Identify and respond to suspected or known security incidents;
mitigate, to the extent practicable, harmful effects of security
incidents that are known to the covered entity; and document security
incidents and their outcomes.
|
Suspends
and denies access by action of the System Administrator or upon notification
by the System Administrator to any users suspected of a security
incident. Individual client users are self administered under their own
responsibility. Should SafetySend be aware of a security incident;
access and use are suspended immediately or within one day of
notification being the extent practicable.
|
(7)(i) Standard:
Contingency plan. Establish (and implement as needed) policies and
procedures for responding to an emergency or other occurrence (for
example, fire, vandalism, system failure, and natural disaster) that
damages systems that contain electronic protected health information.
|
Contingency
plan for response to emergency or occurrence for safeguarding PHI.
Destruction or damage to user and/or entity computers does not destroy
or deny access to PHI data on SafetySend secure servers.
SafetySend operates as “backup” servers at a second location in the
even of loss or damage to primary client storage servers.
|
(ii)
Implementation specifications:
|
|
(A) Data backup
plan (Required). Establish and implement procedures to create and
maintain retrievable exact copies of electronic protected health
information.
|
Provides
storage of PHI backup files in retrievable “Secure Folders”.
SafetySend is the backup in two location sites for the entity or
individual client user.
|
(B) Disaster
recovery plan (Required). Establish (and implement as needed)
procedures to restore any loss of data.
|
Secure
backup servers at secondary locations retrieve data in the event of a
disaster. SafetySend is the backup in two location sites for the entity
or individual client user.
|
(C) Emergency
mode operation plan (Required). Establish (and implement as needed)
procedures to enable continuation of critical business processes for
protection of the security of electronic protected health information
while operating in emergency mode.
|
SafetySend
is an ASP system – thereby allowing continuation of operations from
alternate locations where Internet connections can be made.
Critical business processes can function without interruption as long
as Internet access is available.
|
(D) Testing and
revision procedures (Addressable). Implement procedures for periodic
testing and revision of contingency plans.
|
SafetySend
contingency plans are reviewed and revised on a regular basis
|
(E)
Applications and data criticality analysis (Addressable). Assess the
relative criticality of specific applications and data in support of
other contingency plan components.
|
SafetySend makes assessment of critical applications on
a regular basis.
|
(8)
Standard: Evaluation. Perform a periodic technical and non-technical
evaluation, based initially upon the standards implemented under this
rule and subsequently, in response to environmental or operational
changes affecting the security of the electronic protected health
information, that establishes the extent to which an entity's security
policies and procedures meet the requirements of this subpart.
|
SafetySend reviews all operational changes for
compliance prior to implementation and modifies to compliance in the
event of compliance changes quarterly and no less than three times per
year. All servers are under physical security as well as technical
security provided by proprietary code.
|
(b)(1) Standard:
Business associate contracts and other arrangements. A covered entity,
in accordance with
§ 164.306, may
permit a business associate to create, receive, maintain, or transmit
electronic protected health information on the covered entity's behalf
only if the covered entity obtains satisfactory assurances, in
accordance with § 164.314(a) that the business associate will
appropriately safeguard the information.
|
Compliance
Guideline is available to Business Associate Clients and their Clients
as documentation of applied Compliance policies and procedures.
|
(2) This standard
does not apply with respect to— [application
of the part and subpart is determined by the covered entity]
|
|
(i) The
transmission by a covered entity of electronic protected health
information to a health care provider concerning the treatment of an
individual.
|
Compliance
Guideline is available to Business Associate Clients and their Clients
as documentation of applied Compliance policies and procedures.
Facility Policies and Procedures are covered by client user.
|
(ii) The
transmission of electronic protected health information by a group
health plan or an HMO or health insurance issuer on behalf of a group
health plan to a plan sponsor, to the extent that the requirements of
§ 164.314(b) and
§ 164.504(f) apply and are met; or
|
Compliance
Guideline is available to Business Associate Clients and their Clients
as documentation of applied Compliance policies and procedures.
Facility Policies and Procedures are covered by client user.
|
(iii) The
transmission of electronic protected health information from or to
other agencies providing the services at § is a health plan that is a
government program providing public benefits, if the requirements of §
164.502(e)(1)(ii)(C) are met.
|
Compliance
Guideline is available to Business Associate Clients and their Clients
as documentation of applied Compliance policies and procedures.
Facility Policies and Procedures are covered by client user.
|
(3) A covered
entity that violates the satisfactory assurances it provided as a
business associate of another covered entity will be in noncompliance
with the standards, implementation specifications, and requirements of
this paragraph and § 164.314(a).
|
Compliance
Guideline is available to Business Associate Clients and their Clients
as documentation of applied Compliance policies and procedures.
Facility Policies and Procedures are covered by client user.
|
(4) Implementation
specifications: Written contract or other arrangement (Required).
Document the satisfactory assurances required by paragraph (b)(1) of
this section through a written contract or other arrangement with the
business associate that meets the applicable requirements of §
164.314(a).
|
Compliance
Guideline is available to Business Associate Clients and their Clients
as documentation of applied Compliance policies and procedures.
Facility Policies and Procedures are covered by client user.
|
§ 164.310
Physical safeguards. A covered entity must, in accordance with
§164.306:
|
|
(a)(1) Standard:
Facility access controls. Implement policies and procedures to limit
physical access to its electronic information systems and the facility
or facilities in which they are housed, while ensuring that properly
authorized access is allowed.
|
Compliance
Guideline is available to Business Associate Clients and their Clients
as documentation of applied Compliance policies and procedures.
|
(2) Implementation
specifications:
|
|
(i) Contingency
operations (Addressable). Establish (and implement as needed)
procedures that allow facility access in support of restoration of lost
data under the disaster recovery plan and emergency mode operations plan
in the event of an emergency.
|
Compliance
Guideline is available to Business Associate Clients and their Clients
as documentation of applied Compliance policies and procedures.
|
(ii) Facility
security plan (Addressable). Implement policies and procedures to
safeguard the facility and the equipment therein from unauthorized
physical access, tampering, and theft. (iii) Access control and
validation procedures (Addressable). Implement procedures to control
and validate a person's access to facilities based on their role or
function, including visitor control, and control of access to software
programs for testing and revision.
|
Compliance
Guideline is available to Business Associate Clients and their Clients
as documentation of applied Compliance policies and procedures.
Facility Policies and Procedures are covered by client user.
|
(iii) Maintenance
records (Addressable). Implement policies and procedures to document
repairs and modifications to the physical components of a facility
which are related to security (for example, hardware, walls, doors, and
locks).
|
Compliance
Guideline is available to Business Associate Clients and their Clients
as documentation of applied Compliance policies and procedures. Facility
Policies and Procedures are covered by client user.
|
(b) Standard:
Workstation use. Implement policies and procedures that specify the
proper functions to be performed, the manner in which those functions
are to be performed, and the physical attributes of the surroundings of
a specific workstation or class of workstation that can access
electronic protected health information.
|
Compliance
Guideline is available to Business Associate Clients and their Clients
as documentation of applied Compliance policies and procedures.
Facility Policies and Procedures are covered by client user.
|