HIPAA / HITECH Overview of Capabilities and Protected Health Information

Similar documents
Policy and Procedure: SDM Guidance for HIPAA Business Associates

The simplified guide to. HIPAA compliance

Data Backup and Contingency Planning Procedure

efolder White Paper: HIPAA Compliance

Putting It All Together:

[DATA SYSTEM]: Privacy and Security October 2013

Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms in the HIPAA Privacy Rule.

Remote Access to a Healthcare Facility and the IT professional s obligations under HIPAA and the HITECH Act

HIPAA Security and Privacy Policies & Procedures

Secure Messaging Mobile App Privacy Policy. Privacy Policy Highlights

Cloud Computing Standard 1.1 INTRODUCTION 2.1 PURPOSE. Effective Date: July 28, 2015

The HITECH Act. 5 things you can do Right Now to pave the road to compliance. 1. Secure PHI in motion.

ORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers

HIPAA FOR BROKERS. revised 10/17

Introduction to AWS GoldBase

HIPAA Compliance: What it is, what it means, and what to do about it. Adam Carlson, Security Solutions Consultant Intapp

HIPAA Federal Security Rule H I P A A

Cloud & Managed Server Hosting for Healthcare Professionals

NORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers

WHITE PAPER. Title. Managed Services for SAS Technology

10 Considerations for a Cloud Procurement. March 2017

HIPAA Compliance Checklist

Healthcare Privacy and Security:

Layer Security White Paper

CERT Symposium: Cyber Security Incident Management for Health Information Exchanges

Virtua Health, Inc. is a 501 (c) (3) non-profit corporation located in Marlton, New Jersey ( Virtua ).

HIPAA Compliance and OBS Online Backup

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

Therapy Provider Portal. User Guide

SECURITY ON AWS 8/3/17. AWS Security Standards MORE. By Max Ellsberry

IT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I

All Aboard the HIPAA Omnibus An Auditor s Perspective

Guide: HIPPA Compliance. Corporate HIPAA Compliance Guide. Privacy, productivity and remote access. gotomypc.com

HIPAA How to Comply with Limited Time & Resources. Jonathan Pantenburg, MHA, Senior Consultant August 17, 2017

Village Software. Security Assessment Report

AWS SECURITY AND COMPLIANCE QUICK REFERENCE GUIDE

Watson Developer Cloud Security Overview

Data Compromise Notice Procedure Summary and Guide

ADTRAN: Real Solutions. Healthcare

Sample Security Risk Analysis ASP Meaningful Use Core Set Measure 15

AWS SECURITY AND COMPLIANCE QUICK REFERENCE GUIDE

Employee Security Awareness Training Program

HIPAA Security. 3 Security Standards: Physical Safeguards. Security Topics

HIPAA Privacy, Security and Breach Notification

HIPAA COMPLIANCE AND DATA PROTECTION Page 1

Federal Breach Notification Decision Tree and Tools

UTAH VALLEY UNIVERSITY Policies and Procedures

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

ecare Vault, Inc. Privacy Policy

"PPS" is Private Practice Software as developed and produced by Rushcliff Ltd.

Five Ways to Improve Electronic Patient Record Handling for HIPAA/HITECH with Managed File Transfer

Electronic Communication of Personal Health Information

Information Security at Veritext Protecting Your Data

Auditing and Monitoring for HIPAA Compliance. HCCA COMPLIANCE INSTITUTE 2003 April, Presented by: Suzie Draper Sheryl Vacca, CHC

HIPAA and HIPAA Compliance with PHI/PII in Research

Data Processing Agreement

NRG Oncology and VisionTree Optimal Care (VTOC) Frequently Asked Questions

A Checklist for Compliance in the Cloud 1. A Checklist for Compliance in the Cloud

WHITE PAPER. HIPAA Breaches Continue to Rise: Avoid Becoming a Casualty

How Managed File Transfer Addresses HIPAA Requirements for ephi

HIPAA Security Manual

HIPAA COMPLIANCE FOR VOYANCE

Document Cloud (including Adobe Sign) Additional Terms of Use. Last updated June 5, Replaces all prior versions.

Information Technology Standards

LBI Public Information. Please consider the impact to the environment before printing this.

AUTOTASK ENDPOINT BACKUP (AEB) SECURITY ARCHITECTURE GUIDE

Google Cloud & the General Data Protection Regulation (GDPR)

Mobile Device Policy. Augusta University Medical Center Policy Library. Policy Owner: Information Technology Support and Services


The HIPAA Security & Privacy Rule How Municipalities Can Prepare for Compliance

UWC International Data Protection Policy

WASHINGTON UNIVERSITY HIPAA Privacy Policy # 7. Appropriate Methods of Communicating Protected Health Information

Is your privacy secure? HIPAA Compliance Workshop September Presented by: Andrés Castañeda, Senior Manager Steve Nouss, Partner

NOTICE OF PRIVACY PRACTICES

INFORMATION TECHNOLOGY DATA MANAGEMENT PROCEDURES AND GOVERNANCE STRUCTURE BALL STATE UNIVERSITY OFFICE OF INFORMATION SECURITY SERVICES

Emsi Privacy Shield Policy

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS

Virginia Commonwealth University School of Medicine Information Security Standard

The HIPAA Omnibus Rule

The Nasuni Security Model

Security and Privacy Governance Program Guidelines

SECURITY & PRIVACY DOCUMENTATION

Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use

HIPAA COMPLIANCE AND

HIPAA For Assisted Living WALA iii

UNIVERSITY OF WISCONSIN MADISON POLICY AND PROCEDURE

Security Rule for IT Staffs. J. T. Ash University of Hawaii System HIPAA Compliance Officer

INFORMATION ASSET MANAGEMENT POLICY

ACCEPTABLE USE OF HCHD INTERNET AND SYSTEM

Terms & Conditions. Privacy, Health & Copyright Policy

HIPAA Technical Safeguards and (a)(7)(ii) Administrative Safeguards

Complete document security

Cloud Communications for Healthcare

HIPAA. Developed by The University of Texas at Dallas Callier Center for Communication Disorders

Maintain Data Control and Work Productivity

Deep Freeze Cloud. Architecture and Security Overview

01.0 Policy Responsibilities and Oversight

Seven Requirements for Successfully Implementing Information Security Policies and Standards

Avanade s Approach to Client Data Protection

8 COMMON HIPAA COMPLIANCE ERRORS TO AVOID

Transcription:

HIPAA / HITECH Overview of Capabilities and Protected Health Information August 2017 Rev 1.8.9 2017 DragonFly Athletics, LLC

2017, DragonFly Athletics, LLC. or its affiliates. All rights reserved. Notices This document is provided for informational purposes only. It represents DragonFly s current product offerings and practices as of the date of issue of this document, which are subject to change without notice. Customers are responsible for making their own independent assessment of the information in this document and any use of DragonFly s products or services, each of which is provided as is without warranty of any kind, whether express or implied. This document does not create any warranties, representations, contractual commitments, conditions or assurances from DragonFly, its affiliates, suppliers or licensors. The responsibilities and liabilities of DragonFly to its customers are controlled by DragonFly s agreements, and this document is not part of, nor does it modify, any agreement between DragonFly Athletics and its customers.

DragonFly Athletics provides a premier mobile communication platform, focused on the Student Athlete Ecosystem. DragonFly is delivered via mobile smartphones, mobile tablets, and a website. Mobile tools have become critically important in today s world. Studies show that people who leave a purse or wallet at home may not return for it. However, if a smartphone is left at home, chances are one will return for it. With so much of our lives tethered to these devices there is now a great opportunity to utilize this technology to improve Student Athlete Health. The Student Athlete (SA) Ecosystem contains many people who work to help athletes perform at their top levels. Commonly, as part of these services, the Athletic Trainers, Coaches, and Administrators who work with athletes must treat injuries sustained on the field of play. These injuries range from insignificant bumps and bruises to, on occasion, severe medical emergencies; requiring the coordination of Emergency Technicians, Physicians, hospital staff, Physical Therapists, and many other health care professionals. Likewise, parents play an equally vital role in this process. Through timely communication, it is easier for care providers to leverage parent s inherent influence on student athletes. The need for and complexity of communication between all parties in the SA Ecosystem has grown in recent years as Athletic Trainers have increasingly become the first points of contact, not only for sports related care, but also for a host of medical and psychological issues. Increasingly, the Athletic Trainer represents the only health professional with whom many athletes have meaningful contact. DragonFly recognizes the many roles that various parties play in the SA Ecosystem. Oftentimes, these parties share duties and responsibilities in the care ecosystem. Some care providers may be employed by high schools or the collective school system, while others are independent third party employees, providing care on school premises. On occasion, a provider may be unrelated to the primary organization, yet provide care due to away games or tournament play. Injuries requiring even the most basic of care, such as tape or ice, are often performed in front of thousands of spectators. This public delivery of care can quickly blur lines in terms of what is considered protected health information. From the beginning, DragonFly made the choice to build a system with the assumption that ALL information contained within would be considered Protected Health Information (PHI). At its core, DragonFly MAX strives to protect the confidentiality of health information by restricting PHI access to only those who have appropriate authorization. DragonFly HIPAA Risk Based Security Program Summary The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a set of U.S. laws that protect the security and privacy of health information held by Covered Entities. The term P a g e 1

covered entity refers to three specific groups: health plans, health care clearinghouses, and healthcare providers that transmit health information electronically. High schools are generally not considered Covered Entities in the context of HIPAA. However, other regulations, such as FERPA (The Family Educational Rights and Privacy Act of 1974), provide similar guidelines over Student Athlete data. Your organization should determine if it is considered a Covered Entity. For covered entities, DragonFly offers the option to sign a Business Associates Agreement. See the DragonFly HITECH Security section below for more details. DragonFly includes many features and precautions to protect PHI and assist covered entities with HIPAA related governance. These features include: Physical Security DragonFly s service infrastructure is hosted in secure facilities by Amazon Web Services (AWS). AWS operates numerous state-of-the-art Data Centers around the United States, which provide military grade, physically restricted access to all infrastructure components hosting PHI. Authorized employees of the data center must pass two factor authentication to gain access to the data centers, no less than 3 separate times prior to entering. No PHI is stored at DragonFly offices or on the computers, smartphones, tablets or other device of DragonFly employees. All PHI is hosted inside AWS data centers. Mobile Devices A key DragonFly communication component is the ability to begin the care process instantly upon injury occurrence. Appropriate parties are notified immediately after care providers, typically an Athletic Trainer, initiate documentation from their smartphone. This process may even begin from the sidelines of an athletic venue. All data stored inside DragonFly, on smartphone and other mobile devices, is encrypted on the physical device utilizing the cryptographic components of modern smartphones using 256-bit AES encryption. Any mobile device can be remote wiped, such that the data on the device is permanently erased. Only data associated with the individual who is authorized on the mobile device is stored. P a g e 2

Technical Security DragonFly implements various policies and procedures to ensure access to the system is restricted to only authorized parties. Users must be added to the system and receive private authentication credentials known only to that specified user. For most users, physical access to mobile devices must be available when installing the system for the first time. DragonFly user sessions automatically time out after a certain amount of idle time, requiring the user to login to their device again. Users are required to pass two-factor authentication prior to gaining access to DragonFly. Each user account must be configured with a specific set of security parameters. For instance, Coaches are only allowed access to athletes associated with the sport he or she instructs. Athletic Trainers only have access to specific teams, for which they provide care. Parents have access only to their individual athlete. All access to any service in the DragonFly infrastructure is audit logged, providing a record of the requestor. These access logs are proactively monitored to detect unauthorized activity. Notifications sent via Text or In-App notification never contain PHI. All PHI is redundantly backed up daily. Multiple encrypted copies are maintained in georedundant availability zones of AWS data centers to protect against accidental destruction. Data Encryption All PHI transmitted in DragonFly is secured while in motion with TLS 1.2 security. Often, the term SSL is utilized to imply secure communications. However, SSL is being phased out industry wide, in favor of TLS. All PHI stored within DragonFly is encrypted utilizing 256-bit AES encryption when sitting on storage media, such as hard drives and backup devices. When infrastructure components are replaced, DragonFly utilizes procedures to destroy the devices and all data contained on the devices. P a g e 3

Firewalls All infrastructure components in the DragonFly system are protected by extensive firewalls. These firewalls are placed in multiple layers at points in our infrastructure to isolate our internal data processing systems from the components of our infrastructure, which communicate with end users. Firewalls are configured to be maximally restrictive. Administrative Policy Only Employees needing access to PHI are granted access, and only to the minimum extent necessary to complete their tasks. This access is only for the operation and maintenance of the DragonFly infrastructure by Engineering staff. All employees who may typically come into contact with PHI are required by DragonFly to sign confidentiality agreements and Non-Disclosure Agreements. Employees must participate in HIPAA awareness training concerning how DragonFly protects sensitive data. Access to all DragonFly Infrastructure within AWS is logged. Employees, when required and necessary, use Secure Shell tools implementing TLS 1.2 encryption to access infrastructure components at the AWS data center. Peer-review of activity is required for employees of DragonFly. When work is being performed there is a minimum of two individuals providing peer oversight. DragonFly HITECH Security Program Summary The Health Information Technology for Economic and Clinical Health Act (HITECH) provisions of the American Recovery and Reinvestment Act of 2009 (ARRA) confer additional responsibilities to Business Associates who have access to Covered Entities Protected Health Information. Business Associates Agreement In some cases, DragonFly may qualify as a Business Associate. At the customer s request (if the customer is a covered entity), DragonFly will sign a Business Associate Agreement, acknowledging that: 1. DragonFly will act as the custodian of the customer s PHI data (because DragonFly manages the hosting infrastructure) P a g e 4

2. Certain DragonFly employees have access to the data on an as-needed and Minimum Necessary basis 3. DragonFly will protect the privacy, confidentiality, integrity, and availability of that data, and will safeguard the PHI from unauthorized access and disclosure DragonFly Infrastructure Partner Amazon Web Services DragonFly has chosen Amazon Web Services as our partner in providing a secure, managed infrastructure for our back end systems, which permits the delivery of the DragonFly system. DragonFly has entered into a Business Associates Agreement with Amazon Web Services, providing certified HIPAA compliant and capable infrastructure components. Amazon provides Security of the Cloud, which ensures that the services we utilize under our BAA agreement protect all PHI transmitted and processed through their infrastructure. More about the extensive details of AWS HIPAA certifications may be found at the following resources. https://aws.amazon.com/compliance/hipaa-compliance/ https://aws.amazon.com/compliance/shared-responsibility-model/ https://d0.awsstatic.com/whitepapers/compliance/aws_hipaa_compliance_whitepaper.pdf P a g e 5

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback