Compliance

To appropriately protect its customer’s sensitive information, and to comply with HIPAA administrative requirements, Clinicate has adopted the various privacy and information security policies set forth in this document.

The following security safeguards and requirements are divided into three categories:

Technical
The Security Rule defines technical safeguards as “the technology and the policies and procedures for its use that protect electronic health information and control access to it.”

Physical
The Security Rule defines physical safeguards as “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”

Administrative
The Security Rule defines administrative safeguards as, “administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.”

Technical Safeguards

Access Control
Section 164.312(a)(1)
Implement technical policies and procedures for electronic information systems that maintain ePHI to allow access only to those persons or software programs that have been granted access rights.

Unique User Identification
Assign a unique name and/or number for identifying and tracking user identity.

– All Clinicate users create a unique email address and password to login to the Clinicate system and users maintain their own passwords. Users are strictly prohibited from sharing identifications and passwords. Violations of this prohibition can results in termination of use of the system. Any authorized user must log out of their workstation or mobile device when not occupying it.

Emergency Access Procedure
Establish (and implement as needed) policies and procedures for obtaining necessary ePHI during an emergency.

– Clinicate maintains its policy of a 99.95% guaranteed uptime but we understand that there may be times and circumstances that are beyond our control. During times of emergency, the Clinicate Security Officer will work subcontractors to determine the nature of the emergency and the steps necessary to provide services in an emergency. At times when only mobile services are unavailable due to network connection issues, users have the ability access data via our web portal.

Automatic Logoff
Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.

– Web users are required to log in with their unique email and password to enter the system and after 30 minutes of inactivity, they must re-enter their unique email and password. Mobile users are required to initially login with their unique email and password. After 30 minutes of inactivity, mobile users must provide a personal identification number (PIN) to re-enter the system. Every 24 hours, mobile users are required to log back in with their unique email and password.

Encryption and Decryption
Implement a mechanism to encrypt and decrypt ePHI.

– Clinicate utilizes 256 bit Secure Sockets Layer (SSL) encryption to protect all transmission of data, including sensitive health information. All Clinicate data stores sit behind a firewall that implements procedures that prevent access by unauthorized users. Additionally, Clinicate encrypts all passwords needed to retrieve data stored, including sensitive health information.

Audit Controls
Section 164.312(b)
Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.

– Clinicate has hardware, software, and procedural auditing mechanisms implemented on information systems that contain or use ePHI. Clinicate also records and examines specific network activity in order to further protect our users and their sensitive health information. Specific events are tracked, maintained, and reviewed on a weekly basis for trends or any other indications of unauthorized access or other security events. Logs of these events are stored indefinitely.

Person or Entity Authentication
Section 164.312(d)
Implement policies and procedures to verify that a person or entity seeking access to ePHI is the one claimed.

– Clinicate uses specific authentication methods to confirm that only properly authenticated persons or entities access ePHI. This consists of a set of methods and processes including user ID’s. PIN systems, and security token systems. Clinicate also logs unsuccessful login attempts and accounts are disabled after 5 unsuccessful attempts.

Transmission Security
Section 164.312(e)(1)
Implement technical security measures to guard against unauthorized access to ePHI that is being transmitted over an electronic communications network.

Integrity Controls
Implement security measures to ensure that electronically transmitted ePHI is not improperly modified without detection until disposed of.

Encryption
Implement a mechanism to encrypt ePHI whenever deemed appropriate.

– To secure against unauthorized access, Clinicate uses the Secure Sockets Layer (SSL) handshake protocol with 2048-bit RSA Cryptosystem for all web and mobile data transmission.

Physical Safeguards

Facility Access Controls
164.310(a)(1)
Implement policies and procedures to limit physical access to electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.

– Clinicate takes appropriate steps to protect the confidentiality, integrity, and availability of its information systems by preventing unauthorized physical access, tampering, and theft to the systems and to the facilities in which they are located, while ensuring that properly authorized physical access is allowed.

Workstation Use
Section 164.310(b)
Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access ePHI.

Workstation Security
Section 164.310(c)
Implement physical safeguards for all workstations that access ePHI, to restrict access to authorized users.

– Clinicate takes appropriate steps to prevent unauthorized access to information systems containing Electronic Protected Health Information (ePHI) with respect to workstations utilized by Clinicate personnel. A detailed set of policies and procedures on workstation use and security are in place internally.

 Administrative Safeguards

Workforce Security
Section 164.308(a)(3)
Implement policies and procedures to ensure that all employees have access to ePHI as appropriate for their duties, and to prevent those employees who do not have access from obtaining access to ePHI.

– Clinicate grants access to electronic Protected Health Information (ePHI) only to appropriate workforce members and takes steps to prevent those workforce members who do not need access to ePHI from obtaining such access. Clinicate maintains appropriate procedures to ensure that all members of the workforce have appropriate access to ePHI.

Contingency Planning
Section 164.308(a)(7)
Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence that damages systems that contain ePHI (e.g., fire, vandalism, system failure, and natural disaster).

– Clinicate maintains a contingency plan that includes procedures for responding to an emergency or other occurrence (for example fire, vandalism, system failure, or natural disaster) that damages systems and/or applications containing ePHI. While most emergency operations are handled by Clinicate’s service providers, Clinicate shall take steps as necessary to ensure the confidentiality, availability, and integrity of ePHI.

Business Associate Agreement and Other Contract Arrangements
Section 164.308(b)(1)
Maintain written contracts that reflect business associate requirements

– A business associate is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.  A member of the covered entity’s workforce is not a business associate.  A covered health care provider, health plan, or health care clearinghouse can be a business associate of another covered entity. Clinicate is a business associate and its healthcare provider users are covered entities. Clinicate also maintains business associate agreements with its subcontractors who may maintain, received, or transmit protected health information on behalf of Clinicate.

Summary

The Health Insurance Portability and Accountability Act of 1996, known as “HIPAA,” is the principal federal regulatory regime governing the use, protection, and disclosure of patient information. While not all patient information is subject to HIPAA, most is. Because Clinicate stores and processes patient information that usually is subject to HIPAA, Clinicate is required to comply with a number of requirements under the law. Clinicate also is required to enter special contracts, called “business associate agreements” or “BAAs,” with its healthcare provider customers that obligate Clinicate to take a number of steps regarding safeguarding the information and making sure it is used and disclosed (both within Clinicate and with third parties) only for limited purposes. In this regard, HIPAA considers Clinicate a “business associate” to its healthcare provider customers, which are referred to as “covered entities.” HIPAA is enforced by the U.S. Department of Health and Human Services (HHS).

In 2009, Congress passed the American Recovery and Reinvestment Act (ARRA). Title VIII of ARRA, called the Health Information Technology for Economic and Clinical Health Act (HITECH), amended HIPAA in various ways and included federal security breach notification requirements. Those requirements were further codified in a Breach Notification Rule.n In January of 2013, HHS issued a comprehensive final rule, referred to as the Omnibus Final Rule that implemented the statutory provisions of HITECH. The Omnibus Final Rule also included modifications to the Breach Notification Rule originally published in 2009. Most significantly, the Omnibus Final Rule made business associates, like Clinicate, directly liable for compliance with certain of the HIPAA Privacy and Security Rules’ requirements.

Clinicate takes the privacy and security of all of its sensitive health information very seriously. Information set forth in this document, and through our privacy and information security compliance program, outlines the steps that we take to assure that your information is safe and secure. Clinicate’s goal is to provide a safe and secure environment to help improve patient care and clinical outcomes.

If you have any questions, you may contact us at:

Clinicate, LLC
Attention: Compliance
1441 Canal St, Suite 417
New Orleans, LA 70112
info@clinicate.com

 

Back to Top