HIPAA Compliance

Healer Source is hosted at SoftLayer's Dallas Data Center. SoftLayer is a subsidiary of IBM and is HIPAA Compliant.
http://www.softlayer.com/data-centers
http://www.softlayer.com/compliance

§ 164.302 Applicability.

A covered entity must comply with the applicable standards, implementation specifications, and requirements of this subpart with respect to electronic protected health information.

§ 164.304 Definitions.

As used in this subpart, the following terms have the following meanings:

  • Access means the ability or the means necessary to read, write, modify, or communicate data/information or otherwise use any system resource. (This definition applies to "access" as used in this subpart, not as used in subpart E of this part.)
  • Administrative safeguards are administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity's workforce in relation to the protection of that information.
  • Authentication means the corroboration that a person is the one claimed.
  • Availability means the property that data or information is accessible and useable upon demand by an authorized person.
  • Confidentiality means the property that data or information is not made available or disclosed to unauthorized persons or processes.
  • Encryption means the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key.
  • Facility means the physical premises and the interior and exterior of a building(s).
  • Information system means an interconnected set of information resources under the same direct management control that shares common functionality. A system normally includes hardware, software, information, data, applications, communications, and people.
  • Integrity means the property that data or information have not been altered or destroyed in an unauthorized manner.
  • Malicious software means software, for example, a virus, designed to damage or disrupt a system.
  • Password means confidential authentication information composed of a string of characters.
  • Physical safeguards are physical measures.

§ 164.312 Technical safeguards.

A covered entity must, in accordance with §164.306:

(a)(1) Standard: Access control. Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in §164.308(a)(4).

(2) Implementation specifications:

(i) Unique user identification (Required). Assign a unique name and/or number for identifying and tracking user identity.

All users of Healer Source have a unique username (email address).

(ii) Emergency access procedure (Required). Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.

Physical Security
SoftLayer's data centers feature closed-circuit video monitoring and 24x7x365 security patrols. Employee access is restricted by proximity badges combined with biometric fingerprint scans.

From SoftLayer's website:
"Every location is hardened against physical intrusion, and server room access is limited to certified employees. All of our controls (inside and outside the data center) are vetted by third-party auditors, and we provide detailed reports for our customers' own security certifications."

Regulated Climate Control
SoftLayer maintains a redundant N+1 cooling infrastructure to guarantee stability in their data center pods. All equipment is regularly inspected and tested.

Uninterrupted Power
All SoftLayer data centers maintain multiple power feeds, fiber links, dedicated generators, and battery backup. They are built from industry-leading hardware and equipment, ensuring the highest level of performance, reliability, and interoperability.

(iii) Automatic logoff (Addressable). Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.

Healer Source has an automatic session logoff feature. After an extended period of inactivity, the user is automatically logged off.

(iv) Encryption and decryption (Addressable). Implement a mechanism to encrypt and decrypt electronic protected health information.

Healer Source uses 256-bit encryption to secure private health data.

(b) Standard: Audit controls. Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.

Healer Source keeps log files and tracks user activity for security auditing.

(c)(1) Standard: Integrity. Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.

Only authorized Healer Source users have the ability to change information.

(2) Implementation specification: Mechanism to authenticate electronic protected health information (Addressable). Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.

(d) Standard: Person or entity authentication. Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.

Healer Source requires authentication before access is granted to health information.

(e)(1) Standard: Transmission security. Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.

All communication is encrypted using 256-bit SSL for transmission.

(2) Implementation specifications:

(i) Integrity controls (Addressable). Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.

After a clinical note has been finalized and saved, it is not possible to modify or delete that clinical note.

(ii) Encryption (Addressable). Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.

Healer Source uses 256-bit encryption to secure private health data.