Never Take Chances With HIPAA Compliance.
The main reason to protect patient information is that it is the ethical thing to do. Beyond that, the fines are unimaginable. Any missteps could cost your practice a fortune. Secure your forms today with HavePatients HIPAA-Compliant Site Forms.
↓ Important technical information! ↓
Confidentiality & availability of e-PHI
We cover this by ensuring that no archive or ledger is kept or maintained on the server. The form is submitted directly to your destination address over a TLS/PGP network using SHA-256 security encryption, and once deleted from the destination it is gone forever. Whoever has access to this designated address is the responsibility of the Practice.
Identify & Protect against threats to security or integrity of information
Our protocol for DDoS (brute force) protection and prevention of SQL Injection (database dumps) protects the information and the integrity of your entire site/instance.
Protect against reasonably anticipated, impermissible uses or disclosures
Because we keep no database or record of the submissions, we are protected: there is no chance for impermissible use or disclosure.
Ensure compliance by their workforce.
The Security Rule defines “confidentiality” to mean that e-PHI is not available or disclosed to unauthorized persons. As a practice, you will need to be cautious about where you decide the information from the form fill should end up, and be certain that no person without a reason to have it gains access to this location.
Hardware requirements do not apply since our transmission of data occurs in cloud computing and virtual environments. No physical hardware is used on our end for computing, memory, network, or storage.
Risk Analysis and Management
The Administrative Safeguards provisions in the Security Rule require us to perform risk analysis as part of security management.
We cover the risk and management portion of this by having security monitoring on 24/7 as well as constant health checks (every 60 seconds). This allows us to evaluate the likelihood and impact of potential risks, implement appropriate security measures to address the risks, and document why those particular protocols are followed.
Access Control – our environments are only accessible from the outside via a key pair that is generated at the time access is required. Without the key pair you will not be able to access the back-end of the environment.
Audit controls – hardware doesn’t apply, software is managed under Amazon Web Services health checks, and plugins are used to monitor access to the website itself, where the e-PHI originates but, again, is never stored.
Transmission Security – we operate with a private IP address that is never shared. The environment doesn’t allow for outbound mail and stores no email record. All data transmission is covered by both TLS and PGP networks as necessary for encrypting and deciphering messages, depending on the needs of the practice.