Public Summary Of Security Procedures Specific to HIPAA
What Information is protected?:
Protected Health Information. The Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information “protected health information (PHI).”12 OCR Privacy Rule Summary 4 Last Revised 05/03
“Individually identifiable health information” is information, including demographic data, that relates to:
- the individual’s past, present or future physical or mental health or condition,
- the provision of health care to the individual, or
- the past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).
The Privacy Rule excludes from protected health information employment records that a covered entity maintains in its capacity as an employer and education and certain other records subject to, or defined in, the Family Educational Rights and Privacy Act, 20 U.S.C. §1232g.
What are the data safeguards?
Data Safeguards. A covered entity must maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of protected health information in violation of the Privacy Rule and to limit its incidental use and disclosure pursuant to otherwise permitted or required use or disclosure.70
For example, such safeguards might include shredding documents containing protected health information before discarding them, securing medical records with lock and key or pass code, and limiting access to keys or pass codes. See OCR “Incidental Uses and Disclosures” Guidance.
For more information go to http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/privacysummary.pdf
Advisors Assistant Hosted Data Safeguards
- Servers are Rackspace, a secure facility. A SOC-2 report on Rackspace is available and can be sent directly from Rackspace.
- Advisors Assistant uses 3 factor security. Device verification, User ID, Strong Passwords.
- Data is protected by a commercial class firewall.
- Separate Intrusion protection is in place 24/7 and monitored by a special device behind the firewall and a human team.
- Commercial class virus protection is on servers with open incoming ports to internet.
- All SQL requests are encrypted before they leave the workstation AND are sent over SSL encrypted communications. (double encryption) This is designed to prevent injection attacks.
- Personal Identification data, such as Medicare #, TaxID, Passport Numbers, etc. are stored AES-256 encrypted.
- Role based security features allow database owners to limit access to specific information and limit users from exporting data.
- A Personal Notes feature limits access to the note to the person who created the note.
- Login attempts limited to 10.