WHITEPAPER XMEDIUSFAX CLOUD FOR HEALTHCARE AND HIPAA COMPLIANCE



Similar documents
HIPAA Compliance Guide

HIPAA Information Security Overview

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)

HIPAA Compliance Guide

Healthcare Compliance Solutions

Datto Compliance 101 1

HIPAA/HITECH PRIVACY & SECURITY CHECKLIST SELF ASSESSMENT INSTRUCTIONS

HIPAA Security Alert

SECURITY RISK ASSESSMENT SUMMARY

HIPAA Security Checklist

HIPAA Audit Processes HIPAA Audit Processes. Erik Hafkey Rainer Waedlich

VMware vcloud Air HIPAA Matrix

Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO

Enterprise Fax Functionality from a No-Compromise Cloud Fax Solution

HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER

HIPAA Privacy & Security White Paper

HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

The second section of the HIPAA Security Rule is related to physical safeguards. Physical safeguards are physical measures, policies and procedures

How Managed File Transfer Addresses HIPAA Requirements for ephi

HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE

How To Write A Health Care Security Rule For A University

HIPAA Security Series

HIPAA, PHI and . How to Ensure your and Other ephi are HIPAA Compliant.

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice

Technical Safeguards is the third area of safeguard defined by the HIPAA Security Rule. The technical safeguards are intended to create policies and

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

HIPAA Security Rule Compliance

CLOUD FAX SOLUTIONS BUYER S GUIDE

CHIS, Inc. Privacy General Guidelines

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, :15pm 3:30pm

IBM Internet Security Systems. The IBM Internet Security Systems approach for Health Insurance Portability and Accountability Act compliance overview

Please Read. Apgar & Associates, LLC apgarandassoc.com P. O. Box Portland, OR Fax

UNIVERSITY OF CALIFORNIA, SANTA CRUZ 2015 HIPAA Security Rule Compliance Workbook

C.T. Hellmuth & Associates, Inc.

efolder White Paper: HIPAA Compliance

Security Considerations

HIPAA SECURITY RULES FOR IT: WHAT ARE THEY?

HIPAA Security. assistance with implementation of the. security standards. This series aims to

HIPAA/HITECH: A Guide for IT Service Providers

Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES

HIPAA Security. 1 Security 101 for Covered Entities. Security Topics

An Effective MSP Approach Towards HIPAA Compliance

HIPAA Security. 4 Security Standards: Technical Safeguards. Security Topics

Overview of the HIPAA Security Rule

Five Ways to Improve Electronic Patient Record Handling for HIPAA/HITECH with Managed File Transfer

Security Is Everyone s Concern:

HIPAA Security COMPLIANCE Checklist For Employers

Procedure Title: TennDent HIPAA Security Awareness and Training

Nationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011

Log Management Standard 1.0 INTRODUCTION 2.0 SYSTEM AND APPLICATION MONITORING STANDARD. 2.1 Required Logging

Krengel Technology HIPAA Policies and Documentation

My Docs Online HIPAA Compliance

An Oracle White Paper December Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance

HIPAA ephi Security Guidance for Researchers

Securing the FOSS VistA Stack HIPAA Baseline Discussion. Jack L. Shaffer, Jr. Chief Operations Officer

HIPAA: In Plain English

HIPAA Security Matrix

Montclair State University. HIPAA Security Policy

State HIPAA Security Policy State of Connecticut

HIPAA COMPLIANCE AND DATA PROTECTION Page 1

An Introduction to HIPAA and how it relates to docstar

RAYSAFE S1 SECURITY WHITEPAPER VERSION B. RaySafe S1 SECURITY WHITEPAPER

FINAL May Guideline on Security Systems for Safeguarding Customer Information

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc.

HIPAA and HITECH Regulations

OCR UPDATE Breach Notification Rule & Business Associates (BA)

New HIPAA regulations require action. Are you in compliance?

HIPAA Compliance: Are you prepared for the new regulatory changes?

Electronic Prescribing of Controlled Substances Technical Framework Panel. Mark Gingrich, RxHub LLC July 11, 2006

HIPAA DATA SECURITY & PRIVACY COMPLIANCE

INITIAL APPROVAL DATE INITIAL EFFECTIVE DATE

HIPAA Compliance and the Protection of Patient Health Information

HIPAA Security Education. Updated May 2016

SAMPLE HIPAA/HITECH POLICIES AND PROCEDURES MANUAL FOR THE SECURITY OF ELECTRONIC PROTECTED HEALTH INFORMATION

HIPAA. considerations with LogMeIn

Information Security Policy Manual

HIPAA and HITECH Compliance for Cloud Applications

White Paper THE HIPAA FINAL OMNIBUS RULE: NEW CHANGES IMPACTING BUSINESS ASSOCIATES

White Paper. From Policy to Practice: A Practical Guide to Implementing HIPAA Security Safeguards

HIPAA PRIVACY AND SECURITY AWARENESS

HIPAA Security and HITECH Compliance Checklist

PRIVACY POLICIES AND FORMS FOR BUSINESS ASSOCIATES

Health Insurance Portability and Accountability Act Enterprise Compliance Auditing & Reporting ECAR for HIPAA Technical Product Overview Whitepaper

HIPAA/HITECH Compliance Using VMware vcloud Air

Leveraging Dedicated Servers and Dedicated Private Cloud for HIPAA Security and Compliance

Transcription:

WHITEPAPER XMEDIUSFAX CLOUD FOR HEALTHCARE AND HIPAA COMPLIANCE

INTRODUCTION The healthcare industry is driven by many specialized documents. Each day, volumes of critical information are sent to and from doctors, patients, pharmacies, laboratories, healthcare providers and insurance companies. These documents are often urgent and confidential. Secure, timely and reliable delivery is essential for patient-focused and cost-conscious healthcare organizations. WHAT IS HIPAA? The Health Insurance Portability and Accountability Act (HIPAA) has changed the way healthcare organizations send, receive and store confidential information. HIPAA establishes regulations for the use and disclosure of an individual s Protected Health Information (PHI). To achieve HIPAA compliance, healthcare providers (known as covered entities ) must improve the efficiency of document transmission, while ensuring the security and confidentiality of information. Under the security standards of HIPAA, covered entities must implement administrative, physical and technical safeguards to protect the confidentiality, integrity and availability of electronic health information. The healthcare industry works with an array of healthcare solution providers and outsourcers (known as business associates ). HIPAA s business associates that serve a healthcare provider or institution are subject to audits by the Office for Civil Rights (OCR) within the Department of Health and Human Services and can be held accountable for any data breach and penalized for noncompliance. XMEDIUSFAX CLOUD AND HIPAA COMPLIANCE With over 10 years of experience within the healthcare industry, XMediusFAX has helped numerous medical clinics rationalize and secure their fax services, in order to meet HIPAA compliance. XMediusFAX digitizes processes and stores fax documents. While eliminating manual processes and paperwork, XMediusFAX provides security, accountability and traceability. Sagemcom can be defined as a business associate (BA), performing a service for a covered entity, which is why we oblige our HIPAA regulated customers to enter into a BA agreement with us. This demonstrates our commitment to compliance and ensures peace of mind for our customers that use the XMediusFAX Cloud service. XMediusFAX Cloud is committed to helping covered entities become compliant with HIPAA regulations, through the core set of safeguards: Administrative, Physical and Technical. With these regulations in mind, a HIPAA business associate must demonstrate the different procedures and measures put in place to help its clients (covered entities) reach HIPAA compliance.

ADMINISTRATIVE SAFEGUARDS HIPAA policies describe Administrative safeguards as administrative actions, policies and procedures used to manage the selection, development, implementation, and maintenance of security measures to protect Electronic Patient Health Information (ephi) and to manage the conduct of the organization s workforce in relation to the protection of that information. Sagemcom implements all the administrative safeguards on its company policies, employees and finally its client base: 1. Business Associate Contracts A business associate contract is required by Sagemcom for any organization that requires HIPAA compliance. 2. Assigned Security Responsibility Sagemcom has a security officer in place to help enforce and implement HIPAA compliance across its network and infrastructure. 3. Workforce Security Sagemcom allows only a limited number of highly trained workforce members to access secure and confidential data. 5. Security Awareness and Training All members of Sagemcom staff have Level I HIPAA training. 6. Security Incident Procedures Sagemcom has a well-established detection, reporting and resolving procedure for any security breaches. 7. Contingency Sagemcom offers organizations multiple ways to ensure their data is not lost by implementing a collective contingency plan. 4. Information Access Management Sagemcom will only allow authorized members to access secure data under strict and limited circumstances exclusively on behalf of the client.

PHYSICAL SAFEGUARDS HIPAA policies describe Physical safeguards as physical measures, policies and procedures to protect the organization s electronic information systems, related buildings and equipment from natural and environmental hazards and unauthorized intrusion. Sagemcom works with two Tier-1 data centers that have been designed for their top level physical security in an extremely controlled environment with limited physical access to the servers where secure data is housed and transmitted. To safeguard all facilities, systems, and equipment used to store electronic protected health information (ephi) against unauthorized physical access, tampering, or theft; Sagemcom implements the following: 1. Contingency Operations Sagemcom s data center provider allows only authorized physical facility access during emergencies to support restoration of data under the Disaster Recovery Plan. 2. Access Control and Validation Sagemcom s data center provider controls and validates workforce member access to facilities based on their role or function. 3. Physical Access Records Sagemcom logs physical access to any facility containing ephi-based systems. Examples of facilities requiring physical access records are computer and system rooms. 4. Maintenance Records Sagemcom data center provider ensures document maintenance, repairs and modifications to the physical security components of the facility including locks, doors, and other physical access control hardware. 5. Workforce Access Controls Sagemcom s data center provider also validates workforce member access to all facilities used to house ephi based systems. 6. Visitor Access Controls Sagemcom s data center provider controls, validates, and documents visitor access to any facility used to house ephi based systems. Visitors include vendors, repair personnel, and other nonworkforce members. Sagemcom s XMediusFAX Cloud enforces service access to its portal by implementing and assisting its users with best practices on HIPAA compliant procedures for workstation 1 access, use and control such as: Strict password policies Workstation privacy and protection policies Information storage policies Workforce access policies 1 It is important to note that the term workstation means any electronic computing device, such as a desktop computer, laptop, PDA, etc.

TECHNICAL SAFEGUARDS Implementing Technical safeguard policies are the third and final tier in ensuring that an organization is 100% secure and protected when faxing communications containing confidential information such as PHI, financial and legal documents transmitted electronically over open networks. HIPAA policies describe technical safeguards as a set of technology and policy procedures that protect ephi and control access to it. Although there are no rules or specific requirements for the types of technologies to be implemented for compliance, Sagemcom as a covered entity has taken the utmost precautions to determine which security measures and specific technologies are reasonable and appropriate for the implementation of its XMediusFAX Cloud solution for all its clients. Many of Sagemcom s clients may not have the manpower and resources to audit and implement a secure and HIPAA compliant environment. As a partner and HIPAA Business Associate, Sagemcom helps its customers reach compliance by implementing collectively the following five technical safeguard standards: 1. Access Controls 2. Audit Controls 3. Integrity 4. Person or Entity Authentication 5. Transmission Security Access Controls: HIPAA policies describe Access Controls as the management of users with rights and/or privileges to access and perform functions using information systems, applications, programs, or files. Access Controls should enable authorized users to access the minimum necessary information needed to perform job functions. Rights and/or privileges should be granted to authorized users based on a set of access rules. XMediusFAX Cloud helps organizations meet their HIPAA requirements by requiring each workforce member to have a unique user identifier; XMediusFAX Cloud controls user access to a single account. No duplicate emails may exist on the Cloud service. XMediusFAX Cloud also assigns both administrator and user roles within the solution. Only administrators may have full control and access to the entire solution and may invite and remove user access as they see fit. Audit Controls: HIPAA describes Audit Controls as the following: Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information. XMediusFAX Cloud activity is available for full auditing by all our clients for their specific information via the fax retention policy or if fax retention is not selected then Meta data of all fax transactions is logged to verify activity. Integrity: HIPAA describes Integrity as the property that data or information have not been altered or destroyed in an unauthorized manner. Sagemcom works with its clients to help them implement policies and procedures to protect electronic protected health information from improper alteration or destruction, via such methods as secure FTP routing or routing to document management solutions such as SharePoint for archiving and access control within the client network.

Person or Entity Authentication: HIPAA describes Person or Entity Authentication as the following: Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed. XMediusFAX Cloud has secure service login and enables only service administrators to assign and invite new users to the cloud faxing solution. Transmission Security: The final standard listed in the technical safeguard s section is Transmission Security. This HIPAA policy is described as the following: Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network. XMediusFAX Cloud utilizes major security protocols to ensure maximum protection: HTTPS for all Internet connectivity. FTPS, SCP and SFTP to route fax image files to customer folder destinations. SSLIOP is used by SendFAX (Windows Thick Client) to submit faxes. TLS encryption is available for e-mail communication. XMediusFAX Cloud also uses Access Tokens (randomly generated keys) to provide applications access to system services to manage users, query the user directory and send and manage faxes. Tokens are required for AD Synchronization and submitting faxes via Ricoh ESA, Xerox EIP and Web Services. All data is encrypted at the hard drive controller. All fax images and fax transmission metadata are fully encrypted. Sagemcom s third-party payment processor that processes the billing transactions and retains information on XMediusFAX Cloud customers is PCI Level1 compliant. Credit card information is never accessed or processed by XMediusFAX Cloud. SUMMARY With XMediusFAX Cloud, there are no obstacles to processing confidential and sensitive documentation through our cloud faxing solution. Not only has the solution been designed for the most secure policies but Sagemcom also works with the clients to help them implement HIPAA policies into their workplace. Though there are no strict guidelines on how any one organization should implement compliance; as an official business associate Sagemcom is constantly evaluating and improving the methods in which they instill the Administrative, Physical and Technical safeguards to ensure maximum protection for their clients. All rights reserved. The information and specifications included are subject to change without prior notice. Sagemcom Documents tries to ensure that all information in this document is correct, but does not accept liability for error or omission. Non contractual document. XMediusFAX is a registered trademark of Sagemcom Documents. Simplified joint stock company - Capital 8.479.978 Euros - 509 448 841 RCS Nanterre. Distributor/Reseller: 5252 de Maisonneuve Blvd. West, suite 400 Montreal, Quebec H4A 3S5 Canada Telephone : +1 514-787-2100 Fax : +1 514-787-2111 Toll-free (U.S./Canada) : 1-888-766-1668 xmediusfax.sagemcom.com

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information