AppwoRx, LLC submits this statement of policy regarding HIPAA regulations and obligations. While HIPAA compliance is in part dependent on technology, HIPAA compliance is an overall organizational obligation that focuses on your procedural standards and procedural integrity (medical provider business practices). Therefore, HIPAA compliance for software requires a combination of secure/private technology and compliant business practices. AppwoRx provides clients with a software tool that is HIPAA compliant from a technology standpoint as detailed below. However, AppwoRx technology is only half of the inquiry – how client users use AppwoRx software within their medical practices must also be addressed. Each “Covered Entity” must make its own determination of the system use and its overall impact on business practices. Please feel free to call us if you have specific questions as to the interplay between our software and your business practices.
We exercise great care in providing secure transmission of your information to and from our mobile applications and cloud-based servers. All information is encrypted using Secure Sockets Layer (256-bit SSL) encryption. This is 2x more secure than the 128-bit encryption required by HIPAA guidelines. Encryption provides a secure means to protect your information as it passes between our servers and your computer or mobile device.
AppwoRx utilizes SSH key authentication for all data transmissions. Public-key authentication is the only method that every version of the software (both client and server) is required to implement. Each client holds a key pair, properly generated using an asymmetric algorithm, either RSA or DSA. The client first sends its public key to the server. If the server finds that key in its list of allowed keys, the client uses its private key to sign certain data packets and sends them to the server along with the public key; the server checks the signature against the offered public key, which proves possession of the private key without the private key ever leaving the client.
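As an added illustration of the key-based login described above (example code written for this page, not AppwoRx's software or its implementation): a Go model of the two server-side checks, with constructed RSA keys and a constructed per-session challenge. The `Fingerprint` lookup, the `Server` type and the `authorized_keys`-style allowed list are assumptions made for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// Fingerprint hashes a public key's DER form; the allowed list is keyed on it.
func Fingerprint(pub *rsa.PublicKey) [32]byte {
	der, _ := x509.MarshalPKIXPublicKey(pub) // cannot fail for a valid RSA key
	return sha256.Sum256(der)
}

type Server struct{ Allowed map[[32]byte]bool } // constructed authorized_keys stand-in

// Authenticate applies both checks from the text: the offered public key must be
// listed, and the signature over the server-chosen challenge must verify under it.
func (s *Server) Authenticate(pub *rsa.PublicKey, challenge, sig []byte) bool {
	if !s.Allowed[Fingerprint(pub)] {
		return false
	}
	d := sha256.Sum256(challenge)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig) == nil
}

// Prove (client side) signs the challenge; only the signature travels, never the private key.
func Prove(priv *rsa.PrivateKey, challenge []byte) []byte {
	d := sha256.Sum256(challenge)
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:])
	return sig
}

// Demo enrols one key and reports three attempts: the enrolled key with its own
// private key, the enrolled key with a stranger's private key, an unenrolled key.
func Demo() (enrolled, impostor, unlisted bool) {
	alice, _ := rsa.GenerateKey(rand.Reader, 2048)
	mallory, _ := rsa.GenerateKey(rand.Reader, 2048)
	srv := &Server{Allowed: map[[32]byte]bool{Fingerprint(&alice.PublicKey): true}}
	challenge := []byte("constructed per-session identifier chosen by the server")
	enrolled = srv.Authenticate(&alice.PublicKey, challenge, Prove(alice, challenge))
	impostor = srv.Authenticate(&alice.PublicKey, challenge, Prove(mallory, challenge))
	unlisted = srv.Authenticate(&mallory.PublicKey, challenge, Prove(mallory, challenge))
	return
}

func main() { fmt.Println(Demo()) } // prints: true false false
```

The second and third attempts show why both checks matter: a listed public key alone is not a credential, and a valid signature under an unlisted key is still refused.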
Reports, Certifications, and Independent Attestations:
Our AWS (Amazon Web Services) servers have successfully completed multiple SAS 70 Type II audits, as well as a Service Organization Controls 1 (SOC 1) Type 2 report, published under both the SSAE 16 and the ISAE 3402 professional standards, as well as a Service Organization Controls 2 (SOC 2) report. In addition, AWS has achieved ISO 27001 certification and has been successfully validated as a Level 1 service provider under the Data Security Standard (DSS). In the realm of public sector certifications, AWS has received authorization from the U.S. General Services Administration to operate at the FISMA Moderate level, and is also the platform for applications with Authorities to Operate (ATOs) under the Defense Information Assurance Certification and Accreditation Program (DIACAP). Our servers are built in accordance with AWS HIPAA compliance standards. For more information on this structure, please see the AWS/HIPAA white paper: http://media.amazonwebservices.com/AWS_HIPAA_Whitepaper_Final.pdf
Our platform provides system administrators with the role-based security required by both small organizations and large entities. It is the job of your system administrator to designate the roles and positions of each individual and specify what information they will need to access. The administrator must then associate roles and positions with the information needed and grant appropriate access. Below is a diagram showing how an organization may structure access using our software.
Accounting of Disclosures and Audit Trail Issues:
We are appointed by and contracted to the Covered Entity to assist in the payment process and are considered part of the treatment, payment, or health care operations (TPO). A Covered Entity is not required by HIPAA regulation to keep an accounting of anyone within their own organization who has received (or had access to) medical information. The accounting provision only covers “disclosures,” which are defined as the sharing of health information with someone outside of an organization that is not a part of the TPO. See Section 164.528(a) (right to accounting of disclosures) and Section 164.501 (definition of “disclosure”). The regulation specifically states that a Covered Entity does not have to keep an accounting of information disclosed to someone outside of the organization for the purposes of treatment, payment, or health care operations. See Section 164.528(a)(1)(i). The result of these exclusions is that a Covered Entity is required to account for only a narrow category of disclosures that primarily are not related to health care, such as those made to law enforcement personnel or pursuant to a request for documents in a lawsuit.
Our employees and contractors have occasional legitimate needs to access our data servers for purposes of system troubleshooting and maintenance. We ensure that such access is granted only to those who have such needs. All such individuals have signed confidentiality agreements and are continually made aware of their obligations regarding user information. Access is controlled via preassigned user accounts that require multiple levels of authentication. All staff members are periodically trained regarding security protection of their personal workstations.
Policies and Procedures:
We continuously evolve and update our internal information security policies and our business continuity and disaster recovery plans. We perform risk assessment, security audit, and system-test activities on an ongoing basis. Our employees and contractors receive frequent training and/or reminders regarding information security and protecting the confidentiality of your information.
Standards and Regulations:
We are committed to meeting or exceeding regulatory and industry self-regulatory guidelines regarding privacy, confidentiality, and information security. On an ongoing basis, we will review and adapt to statutes, regulations, formal private-sector standards, and informal policy guidelines as they apply. In particular, we will comply with all applicable provisions of the Health Insurance Portability and Accountability Act (HIPAA) rules for information security as they take effect.
IT Policy and Procedures:
To download our IT Policy and Procedures document, click here.