HIPAA Compliance

Last updated: 9th December 2016

HIPAA (Health Insurance Portability and Accountability Act) is United States legislation that provides data privacy and security provisions for safeguarding medical information.

HIPAA contains a Security Rule that establishes national standards to protect individuals' electronic protected health information (ePHI) that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information.

The following tables list the HIPAA Security Rule requirements. Rows are colour coded to indicate our compliance as of the date at the top of this document.

Compliant.
Not compliant. Solution identified and scheduled for implementation.
Not compliant.

Technical Safeguards

Access Control: Unique User Identification
Requirement: Assign a unique name and/or number for identifying and tracking user identity.
Implementation: medCrowd users may have multiple email addresses associated with a single account; however, each user also has a unique numeric ID assigned to them. medCrowd uses this number to identify and track users.

Access Control: Emergency Access Procedure
Requirement: Establish and implement procedures for obtaining necessary ePHI during an emergency.
Implementation: The medCrowd infrastructure is highly available with no single point of failure. In the event of lost credentials, a forgotten-password process can be used to regain access.

Access Control: Automatic Logoff
Requirement: Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
Implementation: medCrowd expires a session after 1 hour of inactivity or when the browser is closed.

Access Control: Encryption and Decryption
Requirement: Implement a mechanism to encrypt and decrypt ePHI.
Implementation: medCrowd encrypts all data, including ePHI, in transit (TLS) and at rest (AES-256).

Audit Controls
Requirement: Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.
Implementation: medCrowd has a full audit trail.

Integrity: Mechanism to Authenticate ePHI
Requirement: Implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner.
Implementation: Electronic mechanisms are in place so that ePHI can only be altered or destroyed by its submitter.

Authentication
Requirement: Implement procedures to verify that a person or entity seeking access to ePHI is the one claimed.
Implementation: All users are required to verify their email address before they can use App. If a user has received an invitation to join a conversation or team, the email address they provide and verify must exactly match the email address given by the inviter.

Transmission Security: Integrity Controls
Requirement: Implement security measures to ensure that electronically transmitted ePHI is not improperly modified without detection until disposed of.
Implementation: medCrowd uses TLS, which detects tampering with data in transit and aborts the connection when it occurs.

Transmission Security: Encryption
Requirement: Implement a mechanism to encrypt ePHI whenever deemed appropriate.
Implementation: medCrowd encrypts all data, including ePHI, in transit (TLS) and at rest (AES-256).

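Worked example for the Automatic Logoff row above. This is added illustrative code, not medCrowd's implementation; the store layout, the function names and the cookie attributes are assumptions, and only the 1 hour idle limit comes from the table. It shows the two behaviours the row describes: a server-side idle clock that terminates a session after 1 hour without activity, and a browser-session cookie (no Max-Age or Expires attribute) that the browser discards when it is closed.

```python
"""Idle-session expiry and a browser-session cookie.

Added illustrative code for the Automatic Logoff row; it is not medCrowd's
implementation. The store layout, function names and cookie attributes are
assumptions; the 1 hour idle limit is the value stated in the table.
"""
import secrets

IDLE_TIMEOUT_SECONDS = 60 * 60  # 1 hour of inactivity, as stated in the table


class SessionStore:
    """In-memory session table keyed by an unguessable session ID."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT_SECONDS):
        self.idle_timeout = idle_timeout
        self._sessions = {}  # session_id -> {"user_id": int, "last_seen": float}

    def create(self, user_id, now):
        """Start a session for user_id at time `now` (seconds)."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user_id": user_id, "last_seen": now}
        return sid

    def resolve(self, sid, now):
        """Return the user ID behind a live session, refreshing its idle clock.

        Returns None, and discards the session, if the ID is unknown or the
        session has been idle longer than the timeout. The check runs on the
        server for every request; the client cannot extend its own session.
        """
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        if now - sess["last_seen"] > self.idle_timeout:
            del self._sessions[sid]  # expired: terminate rather than refresh
            return None
        sess["last_seen"] = now  # activity seen: restart the idle clock
        return sess["user_id"]

    def logout(self, sid):
        """Explicit logoff: remove the session so the ID is useless afterwards."""
        self._sessions.pop(sid, None)


def session_cookie(sid):
    """Set-Cookie value for a browser-session cookie.

    No Max-Age or Expires attribute, so the browser discards the cookie when
    it is closed (the 'or when the browser is closed' case in the table).
    Secure, HttpOnly and SameSite are defensive attributes assumed here.
    """
    return f"session={sid}; Path=/; Secure; HttpOnly; SameSite=Strict"


def demo():
    """Walk one session through activity, continued activity and expiry."""
    store = SessionStore()
    t0 = 1_000_000.0  # constructed clock value, in seconds
    sid = store.create(user_id=42, now=t0)
    after_30_min = store.resolve(sid, t0 + 30 * 60)            # idle 30 min: live
    after_80_min = store.resolve(sid, t0 + 80 * 60)            # idle 50 min since last request: live
    after_expiry = store.resolve(sid, t0 + 80 * 60 + 61 * 60)  # idle 61 min: expired
    retry = store.resolve(sid, t0 + 80 * 60 + 61 * 60 + 1)     # expired session stays gone
    return after_30_min, after_80_min, after_expiry, retry


if __name__ == "__main__":
    print(demo())  # (42, 42, None, None)
```

The idle clock is evaluated on the server on every request, so holding a cookie in an open tab does nothing; only requests the server actually sees restart it. Closing the browser covers the second half of the row because the cookie carries no expiry and is never persisted.
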
Physical Safeguards

Facility Access Controls: Contingency Operations
Requirement: Establish and implement procedures that allow facility access in support of restoration of lost data under a disaster recovery plan and emergency mode operations plan in the event of an emergency.
Implementation: medCrowd employees do not have physical access to the facility. Under the shared responsibility model, Amazon is responsible for the physical facility, and we have executed a HIPAA Business Associate Agreement with Amazon. medCrowd uses multiple availability zones, database replication and real-time backups to complement its disaster recovery strategy. You can read more about that strategy in our Information Continuity policy.

Facility Access Controls: Facility Security Plan
Requirement: Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.
Implementation: Under the shared responsibility model, Amazon is responsible for the physical facility, and we have executed a HIPAA Business Associate Agreement with Amazon.

Facility Access Controls: Access Control and Validation Procedures
Requirement: Implement procedures to control and validate a person's access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.
Implementation: Under the shared responsibility model, Amazon is responsible for the physical facility, and we have executed a HIPAA Business Associate Agreement with Amazon.

Facility Access Controls: Maintenance Records
Requirement: Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (e.g. hardware, walls, doors, and locks).
Implementation: Under the shared responsibility model, Amazon is responsible for the physical facility, and we have executed a HIPAA Business Associate Agreement with Amazon.

Workstation Use
Requirement: Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access ePHI.
Implementation: medCrowd has no workstations at the ePHI facility. For information on workstations outside the facility, please see our Physical Security policy.

Workstation Security
Requirement: Implement physical safeguards for all workstations that access ePHI, to restrict access to authorized users.
Implementation: medCrowd has no workstations at the ePHI facility. For information on workstations outside the facility, please see our Physical Security policy.

Device and Media Controls: Disposal
Requirement: Implement policies and procedures to address the final disposition of ePHI, and/or the hardware or electronic media on which it is stored.
Implementation: Under the shared responsibility model, Amazon is responsible for the physical facility, and we have executed a HIPAA Business Associate Agreement with Amazon.

Device and Media Controls: Media Re-Use
Requirement: Implement procedures for removal of ePHI from electronic media before the media are made available for re-use.
Implementation: Under the shared responsibility model, Amazon is responsible for the physical facility, and we have executed a HIPAA Business Associate Agreement with Amazon.

Device and Media Controls: Accountability
Requirement: Maintain a record of the movements of hardware and electronic media and any person responsible therefore.
Implementation: Under the shared responsibility model, Amazon is responsible for the physical facility, and we have executed a HIPAA Business Associate Agreement with Amazon.

Device and Media Controls: Data Backup and Storage
Requirement: Create a retrievable, exact copy of ePHI, when needed, before movement of equipment.
Implementation: Under the shared responsibility model, Amazon is responsible for the physical facility, and we have executed a HIPAA Business Associate Agreement with Amazon.

Administrative Safeguards

Security Management Process: Risk Analysis
Requirement: Perform and document a risk analysis to see where ePHI is being used and stored in order to determine all the ways that HIPAA could be violated.
Implementation: As part of our ISO 27001 compliance, we have performed a qualitative information security risk and mitigation assessment following the ISO 27005:2011 risk management standard.

Security Management Process: Risk Management
Requirement: Implement sufficient measures to reduce these risks to an appropriate level.
Implementation: As part of our ISO 27001 compliance, we have performed a qualitative information security risk and mitigation assessment following the ISO 27005:2011 risk management standard.

Security Management Process: Sanction Policy
Requirement: Implement sanction policies for employees who fail to comply.
Implementation: Our Information Security Incident Management policy specifies that an employee who breaches policy will be dealt with under the disciplinary process.

Security Management Process: Information System Activity Reviews
Requirement: Regularly review system activity, logs, audit trails, etc.
Implementation: Abnormal activity is automatically brought to the attention of our IT team as it occurs. For more information, please see our Operations Security policy.

Assigned Security Responsibility: Officers
Requirement: Designate HIPAA Security and Privacy Officers.
Implementation: HIPAA Security Officer: Paul Gardner. HIPAA Privacy Officer: Paul Gardner.

Workforce Security: Employee Oversight
Requirement: Implement procedures to authorize and supervise employees who work with PHI, and for granting and removing PHI access to employees. Ensure that an employee's access to PHI ends with termination of employment.
Implementation: Access to a medCrowd conversation, which may or may not contain PHI, is controlled by the conversation starter. Being an employee confers no additional privileges on a medCrowd account. For internal systems, please see the User Management section of our Information Access Policy.

Information Access Management: Multiple Organizations
Requirement: Ensure that ePHI is not accessed by parent or partner organizations or subcontractors that are not authorized for access.
Implementation: Access to medCrowd conversations is controlled by the conversation starter. Being a medCrowd subcontractor or an affiliated organization confers no additional privileges.

Information Access Management: ePHI Access
Requirement: Implement procedures for granting access to ePHI that document access to ePHI or to services and systems that grant access to ePHI.
Implementation: Access to a medCrowd conversation, which may or may not contain ePHI, is controlled by the conversation starter. Procedures are in place which allow them to modify access at any time. Any access to ePHI, or change of access control to ePHI, is stored in the audit trail.

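Worked example of the access model described in the Integrity row of the Technical Safeguards table and in the Employee Oversight and ePHI Access rows above: the conversation starter alone controls membership, a message may be altered only by its submitter, and every access and every access-control change, including denied attempts, lands in the audit trail. This is added illustrative code, not medCrowd's implementation; the class, field and action names are assumptions, and the scenario data is constructed.

```python
"""Conversation access model with an audit trail (added example, not medCrowd's code).

Models the Integrity row (ePHI may only be altered by its submitter) and the
Employee Oversight and ePHI Access rows (the conversation starter controls access;
every access and access-control change is recorded). All names are assumptions.
"""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised after a denied action has been written to the audit trail."""


@dataclass
class Conversation:
    conv_id: int
    starter_id: int
    audit: list  # shared, append-only trail; entries are never removed
    members: set = field(default_factory=set)
    messages: dict = field(default_factory=dict)  # msg_id -> {"submitter": int, "body": str}
    next_msg_id: int = 1

    def __post_init__(self):
        self.members.add(self.starter_id)

    def _log(self, actor_id, action, result, **details):
        # Every read, write and access-control change is recorded, denials included.
        self.audit.append({"conv": self.conv_id, "actor": actor_id,
                           "action": action, "result": result, **details})

    def _require(self, condition, actor_id, action, reason, **details):
        if not condition:
            self._log(actor_id, action, "denied", reason=reason, **details)
            raise Forbidden(reason)

    # Access control: only the conversation starter changes membership.
    def grant(self, actor_id, user_id):
        self._require(actor_id == self.starter_id, actor_id, "grant",
                      "only the starter can grant access", target=user_id)
        self.members.add(user_id)
        self._log(actor_id, "grant", "ok", target=user_id)

    def revoke(self, actor_id, user_id):
        self._require(actor_id == self.starter_id, actor_id, "revoke",
                      "only the starter can revoke access", target=user_id)
        self.members.discard(user_id)
        self._log(actor_id, "revoke", "ok", target=user_id)

    # Reading and posting need membership; being staff or a partner adds nothing.
    def read(self, actor_id):
        self._require(actor_id in self.members, actor_id, "read", "not a member")
        self._log(actor_id, "read", "ok")
        return [m["body"] for m in self.messages.values()]

    def post(self, actor_id, body):
        self._require(actor_id in self.members, actor_id, "post", "not a member")
        msg_id, self.next_msg_id = self.next_msg_id, self.next_msg_id + 1
        self.messages[msg_id] = {"submitter": actor_id, "body": body}
        self._log(actor_id, "post", "ok", msg=msg_id)
        return msg_id

    # Integrity: only the submitter may alter a message. Membership, even the
    # starter's, is not enough.
    def edit(self, actor_id, msg_id, new_body):
        self._require(self.messages[msg_id]["submitter"] == actor_id, actor_id, "edit",
                      "only the submitter can alter this message", msg=msg_id)
        self.messages[msg_id]["body"] = new_body
        self._log(actor_id, "edit", "ok", msg=msg_id)


def attempt(action):
    """Run an action and report 'ok' or 'denied'."""
    try:
        action()
        return "ok"
    except Forbidden:
        return "denied"


def demo():
    """Constructed scenario: starter 1 invites user 2; user 3 is never invited."""
    audit = []
    conv = Conversation(conv_id=7, starter_id=1, audit=audit)
    conv.grant(1, 2)
    msg = conv.post(2, "BP 128/82")  # user 2 submits a reading (constructed ePHI)
    outcomes = {
        "starter_edits_others_message": attempt(lambda: conv.edit(1, msg, "tampered")),
        "outsider_reads": attempt(lambda: conv.read(3)),
        "member_grants_access": attempt(lambda: conv.grant(2, 3)),
        "submitter_edits_own_message": attempt(lambda: conv.edit(2, msg, "BP 128/82 (seated)")),
    }
    conv.revoke(1, 2)
    outcomes["revoked_member_reads"] = attempt(lambda: conv.read(2))
    denied = [e["action"] for e in audit if e["result"] == "denied"]
    return conv.read(1), outcomes, denied
```

The point of logging before raising is that the audit trail records the attempt, not just the successes; a review of the trail (the Information System Activity Reviews row) can then see who tried to read a conversation they were not a member of, or who tried to alter someone else's message.
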
Security Awareness & Training: Security Reminders
Requirement: Periodically send updates and reminders about security and privacy policies to employees.
Implementation: All new employees are required to complete a suite of training modules on joining the company; one of these modules covers Information Security. Training is repeated for all employees every January, and completion of training is logged. For more information, please see our Training policy.

Security Awareness & Training: Protection against Malware
Requirement: Have procedures for guarding against, detecting, and reporting malicious software.
Implementation: All employee workstations are built from an image that includes anti-virus and anti-malware software. These tools keep themselves up to date and cannot be disabled by employees. For more information, please see our Operations Security policy.

Security Awareness & Training: Login Monitoring
Requirement: Institute monitoring of logins to systems and reporting of discrepancies.
Implementation: All medCrowd logins are logged. Suspicious activity is reported internally in real time.

Security Awareness & Training: Password Management
Requirement: Ensure that there are procedures for creating, changing, and protecting passwords.
Implementation: All medCrowd users are required to create a password, which can be changed at any time. Passwords are only ever set or changed over a TLS connection. medCrowd does not store plain-text passwords: the plain text is one-way hashed with a per-user salt and only the resulting hash is stored. If the current password is not known, the only way to change it is via a reset process sent to a verified email address. medCrowd requires that passwords are of appropriate strength.

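Worked example for the Password Management row above, showing the four properties it describes together: a one-way hash with a fresh per-user salt, a change that requires the current password, a reset path that works without it but only through a short-lived token of the kind sent to a verified email address, and a strength check. This is added example code, not medCrowd's implementation. The KDF (PBKDF2-HMAC-SHA256 from the Python standard library), its iteration count, the strength rules, the token lifetime and all names are assumptions; the page states only that passwords are one-way hashed with a per-user salt and reset via verified email.

```python
"""Password storage, change and reset, illustrating the Password Management row.

Added example code, not medCrowd's implementation. The KDF (PBKDF2-HMAC-SHA256),
its iteration count, the strength rules, the reset-token lifetime and all names
are assumptions.
"""
import hashlib
import hmac
import os
import secrets

ITERATIONS = 600_000       # assumed work factor; tune to your hardware
SALT_BYTES = 16
RESET_TOKEN_TTL = 15 * 60  # assumed lifetime of a reset link, in seconds
MIN_LENGTH = 12            # assumed strength rule
COMMON_PASSWORDS = {"password1234", "123456789012", "qwertyuiop12"}  # constructed blocklist


def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$<iters>$<salt hex>$<hash hex>' with a fresh random per-user salt."""
    salt = salt or os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def password_is_strong(password):
    """Minimum length plus a blocklist; composition rules are deliberately not used."""
    return len(password) >= MIN_LENGTH and password.lower() not in COMMON_PASSWORDS


def change_password(stored, current, new):
    """Normal change: the current password must verify and the new one must be strong."""
    if not verify_password(current, stored) or not password_is_strong(new):
        return None
    return hash_password(new)


def issue_reset_token(now):
    """Create the token that would be emailed to the user's verified address.

    Only a hash of the token is stored, so a leaked table cannot be replayed.
    """
    token = secrets.token_urlsafe(32)
    record = {"token_hash": hashlib.sha256(token.encode()).hexdigest(),
              "expires": now + RESET_TOKEN_TTL}
    return token, record


def reset_password(token, record, new, now):
    """Reset without the current password: needs a valid, unexpired token and a strong new password."""
    presented = hashlib.sha256(token.encode()).hexdigest()
    if now > record["expires"] or not hmac.compare_digest(presented, record["token_hash"]):
        return None
    if not password_is_strong(new):
        return None
    return hash_password(new)


def demo():
    """Constructed walk-through of the properties above; returns a dict of booleans."""
    pw = "correct horse battery staple"
    a, b = hash_password(pw), hash_password(pw)  # same password chosen by two users
    token, record = issue_reset_token(now=0)
    return {
        "per_user_salt_gives_distinct_hashes": a != b,
        "correct_password_verifies": verify_password(pw, a),
        "wrong_case_rejected": verify_password(pw.title(), a),
        "weak_password_rejected": password_is_strong("password1234"),
        "change_needs_current_password": change_password(a, "guess", "another long passphrase") is None,
        "reset_with_valid_token": reset_password(token, record, "another long passphrase", now=60) is not None,
        "reset_with_expired_token": reset_password(token, record, "another long passphrase", now=RESET_TOKEN_TTL + 1) is None,
    }
```

Two users with the same password end up with different stored strings because the salt is drawn per user, which is what stops a single precomputed table from cracking both at once. The reset record stores only a hash of the emailed token, so the database alone is not enough to take over an account; the attacker would also need to read the verified mailbox.
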
Security Incident Procedures: Response & Reporting
Requirement: Identify, document and respond to security incidents.
Implementation: As part of our ISO 27001 compliance, we have a documented Information Security Incident Management Policy.

Contingency Plan: Contingency Plans
Requirement: Ensure that there are accessible backups of ePHI and that there are procedures to restore lost data.
Implementation: All data is backed up in real time, encrypted, with a retention period of 30 days.

Contingency Plan: Contingency Plan Updates and Analysis
Requirement: Have procedures for periodic testing and revision of contingency plans. Assess the relative criticality of specific applications and data in support of other contingency plan components.
Implementation: We have assessed the criticality of specific systems and built medCrowd to be fault-tolerant. We test this on a monthly basis.

Contingency Plan: Emergency Mode
Requirement: Establish and implement procedures to enable continuation of critical business processes for protection of the security of ePHI while operating in emergency mode.
Implementation: medCrowd was built to be fault-tolerant from the outset. We enter emergency mode (defined as the outage of an application or database server) regularly, to ensure that medCrowd continues to function.

Evaluations
Requirement: Perform periodic evaluations to see if any changes in your business or the law require changes to your HIPAA compliance procedures.
Implementation: We review our ISO 27001 ISMS annually or when a significant change occurs.

Business Associate Agreements
Requirement: Have contracts in place with business partners who will have access to your PHI in order to ensure they will be compliant. Choose partners that have similar agreements with any of their partners to which they are also extending access.
Implementation: medCrowd has entered into a HIPAA Business Associate Agreement with Amazon.