Adaptive Telehealth Takes HIPAA Compliance Very Seriously
There is a lot of confusion in the marketplace about HIPAA compliance and telehealth software. Technically speaking, the software cannot be HIPAA compliant because the software itself is not a “Covered Entity”. A covered entity is a person or an organization. When software states they are “HIPAA Compliant”, they are most often referencing their encryption of data and their willingness to sign a BAA.
HIPAA compliance involves much more than encryption and a BAA. It is a comprehensive program of administrative, physical and technological controls (encryption is just one). These controls mentioned work together to protect the electronic Protected Health Information (PHI) under the Final HIPAA Omnibus Rule.
Adaptive Telehealth goes beyond what many other software companies do to comply with HIPAA security. Adaptive Telehealth has been a leader in HIPAA compliance from its inception in 2013. The Adaptive Telehealth platform has passed extensive scrutiny from multiple state governments and healthcare organizations because of our administrative, physical and technical controls, privacy policies and security-minded corporate culture.
The founder, Jay Ostrowski, developed the platform in response to the lack of truly HIPAA-secure software platforms and regularly provides HIPAA compliance training SAMHSA grantees, HRSA grantees, and Telehealth Resource Centers. Adaptive Telehealth maintains the following compliance measures by default. We also add security measures for enterprise clients upon request in order to meet the risk requirements of each enterprise client.
Adaptive Telehealth servers are located in the United States in a SOC 2 Certified Data center that specializes in HIPAA compliance. Our servers are continuously monitored 24-7-365 by human security specialists and have multiple firewalls configured for added security. The servers are back-up daily to an offsite sister SOC2 certified data center. Data in all servers with PHI are encrypted in transit and at rest. Both server locations have redundant internet, and redundant power (diesel power generators with 30 day fuel reserves). Access to the physical servers requires several layers of security confirmation including, but not limited to biometric verification, fingerprint matching, and security codes.
Here are some of Adaptive Telehealth’s security measures:
- Data Center Entry: Dual-factor authentication In order to enter the data center, a person must have:
- Prior authorization from management
- Be on the approval list
- Have the approved access code
- Two forms of personal identification; and
- Their identity confirmed using the biometric fingerprint scanner.
- Visitor logging and auditing – The entries in the logbook must directly match the video surveillance tapes. An independent audit confirms the match of visitor logs with the video archives.
- Video surveillance – Video logs kept for 90 days.
- Procedure Documentation – Documentation for the procedure to allow access by unannounced visit, phone call, or email.
- Annually, the data center undergoes a HIPAA audit by a 3rd party entity. The data center has passed with a 100% compliance rating. Audits are performed using the OCR Audit Protocol.
- Business Associate Agreement signed
- Required annual HIPAA staff training, assessment, and regular staff security reminders
- Annual Risk Assessment conducted
- Audits are performed using the OCR Audit Protocol.
- Annual data center HIPAA audit by a 3rd party (passed with a 100% compliance rating).
- Disaster preparedness and disaster response plans, contingency data access plans
- Privacy Officer assigned security responsibilities
- Policies and procedures for information access controls (minimal use policy)
- Security incident procedures and Breach Notification Plan
- Regular risk evaluation, risk mitigation plans, and monitoring processes
- Business Associate Agreement with contracted users
All 18 types of electronic Private Health Information (ePHI) are protected by several means including:
- Access Control – Unique user identification, emergency access procedure,
- Automated log out after 10 minutes of inactivity and screen blanked after 5 minutes of inactivity
- Centralized logging; OS change management and patch management
- IPS/IDS Protection
- 256-bit encryption in-transit and integrity controls
- Data encryption at rest
- Data encryption in transit
- Password requirement: 8 digits, symbol, upper case, lower case, and number (can be increased)
- Antivirus and anti-malware updated regularly
- OS patch and change management
- Dual factor VPN for root access
- Daily offsite file-level backup with 14-day retention with the same type and security protections
- Back up data: Encryption at-rest and 256-bit encryption in-transit to a backup site
Contact us if you need assistance with the provider side of HIPAA Compliance.
Zoom Video Calls Using Adaptive Telehealth’s Self-Hosted Service Are HIPAA-Compliant
To make Zoom HIPAA-compliant, all Adaptive Telehealth Zoom video calls originate from the Adaptive Telehealth self-hosted version of Zoom when they originate from within Adaptive Telehealth.
The Zoom security configuration is unique to Adaptive Telehealth
Adaptive Telehealth worked with Zoom many years ago to modify the Zoom software on the Adaptive Telehealth HIPAA-compliant servers. We modified the receiving code at Zoom corporate office for the Adaptive Telehealth account. This is so that Zoom could still receive usage reports, but without also receiving electronic Protected Health Information (ePHI). With these modifications, no ePHI is sent to Zoom from Meeting Connector on Adaptive Telehealth servers. This took many months of development.
Our verification of this security came through packet sniffing to trace internet transmissions. We also made patient support calls to Zoom asking for assistance. We were told that they cannot help us because they cannot view our identity (our desired result). Adaptive Telehealth patients are supported through Adaptive Telehealth directly or by the customer if they choose.
Note that we do permit the sending of the IP and user identity of the provider to Zoom because this is not ePHI. These users can be supported by Zoom directly if they wish or through Adaptive Telehealth support.
This explanation is not meant to disparage Zoom. We like Zoom. Rather, it is important to know the extensive work Adaptive Telehealth has done to keep Protected Health Information from Zoom, Zoom’s marketing partners like Facebook, Google, or any other third party that do not have a Business Associate Agreement (BAA) with our customer.