SafetySend allows you to meet HIPAA
electronic compliance requirements by providing a secure
network to transmit email, documents, audio files, video
files, imaging files and more to anyone who can access an
email address. This document defines the procedures
required by HIPAA law and explains how the SafetySend VPN
allows you to meet those requirements.
(a) General requirements. Covered entities must do the
following: This utility addresses the communication and
document transmission system. The entity is required to
address the specific work station(s).
|
HIPAA REQUIREMENTS |
HOW
SAFETYSEND UTILITY ALLOWS DOCUMENTED
COMPLIANCE
|
|
(1)Ensure the
confidentiality, integrity, and availability
of all electronic protected health
information the covered entity creates,
receives, maintains, or transmits.
|
Use of a secure electronic method to
transfer PHI from sender via interim custody
and delivery. Validate transfer of custody
to authenticated recipient at each interval.
Provide remote storage of PHI in secure
fashion in an uncorrupted form; transmission
is required via encrypted channel to a
verified recipient. |
|
(2) Protect
against any reasonably anticipated threats
or hazards to the security of such
information.
This
specification is a reasonable and
appropriate safeguard in its environment,
when analyzed with reference to the likely
contribution to protecting the entity's
electronic protected health information;
|
1. SafetySend Authentication is required to
access any secured data on the system.
2. Each data exchange is verified by the
system during a documents transfer of
custody and summarily applied to an
accessible audit trail. This dynamic
authentication method is established by the
creation and use of a personal password
system including generation of temporary
passwords to assigned known recipients.
3. A timed "log out" from the work station
and communication link is included to
protect against unauthorized system access
at defined intervals or by manual exit.
4. The communication system provides
automatic virus filtering and updating; Spam
filtering; spyware removal on demand. |
|
(3) Protect
against any reasonably anticipated uses or
disclosures of such information that are not
permitted or required under subpart E of
this part. |
The SafetySend work communication system
requires user authentication upon each timed
entrance to the secure communication system. |
|
(4) Ensure
compliance with this subpart by its
workforce. |
If the custody is held by or communication
is done by other than a sole practice
business associate:
A sanction process can be established by the
System Administrator to the covered entity;
compliance is under purview of entity
designated "System Administrator". Executed
at the direction of the System
Administrator. |
|
(b) Flexibility
of Approach. |
|
|
(1) Covered
entities may use any security measures that
allow the covered entity to reasonably and
appropriately implement the standards and
implementation specifications as specified
in this subpart. |
* If the regulations change, the business
associate must modify activities to comply.
SafetySend implements the communication
changes – The entity is responsible for
'work station' implementation.
* Work procedures must be adaptable to
evolution of HIPAA regulation with or
without need for software upgrades to
individual user terminals or computers.
Adaptations are implemented throughout the
system to all users.
* Changes or modification of HIPAA regulation
are implemented for all client users.
|
|
(2) In deciding
which security measures to use, a covered
entity must take into account the following
factors: |
|
|
(i) The size,
complexity, and capabilities of the covered
entities |
How scalable is the communication system?
SafetySend is scalable to well in excess of
100,000 client users per Domain. |
|
(ii) The
covered entity's technical infrastructure,
hardware, and software security
capabilities. |
SafetySend does not rely on client hardware
or software and are the updates integrated
in a timely manner established specifically
for this purpose? |
|
(iii) The costs
of security measures |
SafetySend costs are reasonable and customary
for the market without undue hardship to the
covered entity and business associate |
|
(iv) The
probability and criticality of potential
risks to electronic protected health
information |
The SafetySend system reduces the risk of
loss probability with identified controls of
access and untraceable dissemination. Access
is limited; transmissions are auditable;
receipts are auditable; users are
authenticated and identifiable. |
|
§ 164.308
Administrative Safeguards. |
|
|
A covered
entity must, in accordance with § 164.306: |
Covered entities and their business
associates must conform to § 164.306 |
|
(1)(i)
Standard: Security management process.
Implement policies and procedures to
prevent, detect, contain, and correct
security violations. |
SafetySend security procedures are
implemented and designed to detect and
record attempts at unauthorized access and
immediately notify network administrators of
excessive password violations, attempted
transfer of computer viruses, containment of
potentially harmful files and renders
activities to a security log. Individual
tools are made available to each user for
the detection and removal of viruses,
spyware and other compromising software. |
|
(A) Risk
analysis (Required). Conduct accurate and
thorough assessment of the potential risks
and vulnerabilities to the confidentiality,
integrity, and availability of electronic
protected health information held by the
covered entity. |
The SafetySend communication network: allows
only authenticated users; provides
continuous encryption of internal and
external transmission of PHI; conduct daily
modification of intrusion and invasion by
outside parties by conducting modification
of code algorithms to negate intrusion.
|
|
(B) Risk
management (Required). Implement security
measures sufficient to reduce risks and
vulnerabilities to a reasonable and
appropriate level to comply with §
164.306(a) |
* SafetySend require two levels of
authentication initiate user identification;
multi-challenge verification to change
password.
* The use encryption code; application of
processing algorithms, virus filters, and
secure firewall are updated no less than
once per day. |
|
(C) Sanction
policy (Required). Apply appropriate
sanctions against workforce members who fail
to comply with the security policies and
procedures of the covered entity. |
A sanction policy must be established by the
business associate or covered entity on the
communication system – termination or
suspension is established by entity "system
administrator". In the case of an
individual client or the identified
violation by a client user within the
entity, the individual is responsible for
compliance with the policies and procedures.
that are in concert with HIPAA. Violation
of those policies and procedures constitutes
immediate suspension of privileges of use. |
|
(D) Information
system activity review (Required). Implement
procedures to regularly review records of
information system activity, such as audit
logs, access reports, and security incident
tracking reports. |
SafetySend provides system activity review
under an "audit trail" by retained history
of "secure" transmissions outside the system
as well as equal history transmissions
within the system. |
|
(2) Standard:
Assigned security responsibility. Identify
the security official who is responsible for
the development and implementation of the
policies and procedures required by this
subpart for the entity. |
The entity designates their "System
Administrator" who becomes the assigned
responsible party. This system
administrator has access to review, modify
or suspend user privileges. |
|
(3)(i)
Standard: Workforce security. Implement
policies and procedures to ensure that all
members of its workforce have appropriate
access to electronic protected health
information, as provided under paragraph
(a)(4) of this section, and to prevent those
workforce members who do not have access
under paragraph (a)(4) of this section from
obtaining access to electronic protected
health information. |
Specific access is authorized by the System
Administrator. Non Access and Sanction
policy is established by the covered entity
– termination or exclusion is established by
entity "system administrator". Authorized
access requires two levels of authentication
initiate client user identification; dual
identity verification to change password |
|
(ii)
Implementation Specifications: |
|
|
(A)
Authorization and/or supervision
(Addressable). Implement procedures for the
authorization and/or supervision of
workforce members who work with electronic
protected health information or in locations
where it might be accessed.
|
Authorization is addressed in (2) & (3)(i)(a)(4) |
|
(B) Workforce
clearance procedure (Addressable). Implement
procedures to determine that the access of a
workforce member to electronic protected
health information is appropriate.
|
System Administrator establishes clearance
procedure and authorizes access to system.
Individual client users self administrate. |
|
(C) Termination
procedures (Addressable). Implement
procedures for terminating access to
electronic protected health information when
the employment of a workforce member ends or
required by paragraph (a)(3)(ii)(B) of this
section. |
* Multiple entities and business associates
working together must have a Non Access and
Sanction policy is established in behalf of
the covered entity – termination or
exclusion is established by entity "system
administrator".
* Authorized access to must require two levels
of authentication initiate client user
identification; dual identity verification
to change password.
* System Administrator must have authority to
deny access to any user. In the case of an
individual client or the identified
violation by a client user within the
entity, the individual is responsible for
compliance with the policies and procedures
of the business associates that are in
concert with HIPAA.
* Violation of those policies and procedures
constitutes suspension of privileges. |
|
(4) (i)
Standard: Information access management.
Implement policies and procedures for
authorizing access to electronic protected
health information that are consistent with
the applicable requirements of subpart E of
this part |
The System Administrator must implement
policies and procedures are consistent with
subpart E. |
|
(ii)
Implementation Specifications: |
|
|
(A) Isolating
health care clearinghouse functions
(Required). If a health care clearinghouse
is part of a larger organization, the
clearinghouse must implement policies and
procedures that protect the electronic
protected health information of the
clearinghouse from unauthorized access by
the larger organization. |
SafetySend allows "blocking" from
unauthorized access by the "larger
organization". |
HIPAA is the acronym for the Health Insurance Portability
and Accountability Act of 1996. The Centers for Medicare &
Medicaid Services (CMS) is responsible for implementing
various unrelated provisions of HIPAA, therefore HIPAA may
mean different things to different people. HIPAA requires
health providers, business associates, and health plans to
adopt standards for electronic administrative and financial
transactions. Use of these standards could generate billions
of dollars in savings for both the government and the
private-sector healthcare industry.
The Administrative Simplification provisions of the Health
Insurance Portability and Accountability Act of 1996 (HIPAA,
Title II) require the Department of Health and Human
Services to establish national standards for electronic
health care transactions and national identifiers for
providers, health plans, and employers. It also addresses
the security and privacy of health data. Adopting these
standards will improve the efficiency and effectiveness of
the nation's health care system by encouraging the
widespread use of electronic data interchange in health
care.
Title I of the Health Insurance Portability and
Accountability Act of 1996 (HIPAA) protects health insurance
coverage for workers and their families when they change or
lose their jobs
Complying with HIPAA is challenging because this regulation
affects so many areas, including standards for transactions,
rules for data privacy/security, standards for clinical
records and more.
The Department of Health and Human Services has
responsibility for HIPAA enforcement rule. Current
enforcement is "complaint based" and under a revision for
transition to investigation. The proposed rule replaces an
interim enforcement rule published two years ago that
primarily covered steps the government would take to impose
civil fines for violations of non-privacy HIPAA rules. Many
provisions of the interim rule are included in the proposed
rule, but the scope of the proposed rule is much larger.
