Adaptive Telehealth Takes HIPAA Compliance Very Seriously
There is a lot of confusion in the marketplace about HIPAA compliance and telemental health software. Technically speaking, software cannot be HIPAA compliant because software itself is not a "Covered Entity" (which is a person or organization). When a software states they are "HIPAA Compliant" they are most often referencing their encryption of data and their willingness to sign a Business Associate Agreement (BAA). HIPAA compliance involves much more than encryption and a BAA. It is a comprehensive program of adminstrative, physical and technological controls (encryption is just one) that work together to protect the electronic Protected Health Information under the Final HIPAA Omnibus Rule.
Adaptive Telehealth goes way beyond many other software companies to provide for your HIPAA security. Our HIPAA security is headed by Jay Ostrowski, a HIPAA compliance expert who has created trainings in HIPAA compliance for telemental health for SAMHSA, HRSA, the Telehealth Resources Centers, NBCC and CCE.
If you are in need of assistance with the provider side of HIPAA-compliance, we are available to assist you.
Here are some of HIPAA security measures of Adaptive Telehealth:
- Data Center Entry: Dual-factor authentication - In order to enter the data center, a person must have prior authorization from management, be on the approval list, have the approved access code, two forms of personal identification and their identify confirmed using the biometric fingerprint scanner.
- Visitor logging and auditing - The entries in the logbook must directly match the video surveillance tapes. An independent audit confirms the match of visitor logs with the video archives.
- Video surveillance - Video logs kept for 90 days.
- Procedure Documentation - Documentation for the procedure to allow access by unannounced visit, phone call, or email.
- Annually, the data center undergoes a HIPAA audit by a 3rd party and has passed with 100% compliance rating. Audits are performed using the OCR Audit Protocol.
- Annual Risk Assessment
- Annual data center HIPAA audit by a 3rd party (passed with 100% compliance rating).
- Audits are performed using the OCR Audit Protocol.
- Assigned Security Responsibility via corporate privacy officer
- Required annual HIPAA staff training
- Corporate information access management policies and procedures
- Security incident procedures and Breach Notification Plan
- Contingency data access plan
- Regular risk evaluation, risk mitigation plans and monitoring processes
- Business Associate Agreement with contracted users
- Disaster preparedness and disaster response
- All electronic Private Health Information (ePHI) is protected by several means including:
- Access Control - Unique user identification, emergency access procedure,
- Automated logout after 10 minutes of inactivity.
- Centralized logging; OS change management and patch management
- IPS/IDS Protection
- 256 bit encryption in-transit and integrity controls
- Data encryption at rest
- Password requirement: 8 digits, symbol, upper case, lower case and number
- Automatic logoff after 10 minutes of inactivity
- Audit controls
- Antivirus and anti-malware
- OS patch and change management
- Dedicated HIPAA-compliant Firewall
- Web application firewall
- Dual factor VPN for root access
- Daily Offsite backup• Daily file-level backup with 14 day retention to an alternate data center of the same type and security protections
- Back up data: Encryption at-rest and 256 bit encryption in-transit to backup site