Health Care HIPAA Records Protection
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) states that all healthcare organizations must take steps to simplify and standardize electronic data exchange and protect the confidentiality and security of all electronic health data managed by the organization. While data must remain accessible to authorized users and auditors, patient privacy and security must be adequately protected. Any unauthorized transfer of data that identifies an individual patient is in violation of the privacy requirements under HIPAA.
Global Relay Archive technology enables healthcare organizations to easily store and retrieve electronic communications in any format while maintaining stringent security standards. Global Relay Archive, Compliance Reviewer, and IM Interpreter are specifically engineered to provide a total compliance solution for health organizations subject to HIPAA.
Global Relay Archive, Global Relay's message archiving and compliance system, captures and archives an authentic and complete record of all electronic business communications in a secure but easily accessible offsite storage system. Compliance features include:
- Message Capture of email, attachments & IM
- Archives messages for the retention term defined by the organization's deletion policies
- Access includes web-based instant access for all employees to their messages
- Tamperproof protection of data on dedicated WORM (Write Once, Read Many) drives
- Offsite, mirrored, single instance storage in East/West Coast Data Centers
- Indexes & serializes messages, Bcc & Distribution Lists, metadata & audit trails
- Search & retrieval of any message in seconds using Google-like search engine
- Security & encryption of systems, networks & messages
- Migration of legacy data (.pst files, backup tapes) to archive
- Retention Term flexibility for Litigation Holds & regulatory audit investigations
How does Global Relay Archive work? All email, attachments and IM are securely captured and centrally unified, together with imported legacy email and .pst files, in Global Relay Archive for rapid online search, retrieval & monitoring. With secure web-based access and real-time indexing powered by search engine technology, every employee and Compliance Officer has the ability to find any current or historical message in seconds.
How do we protect your data? All data archived with Global Relay is secured end-to-end and stored compressed under a multi-level encryption scheme using military-grade AES and RSA encryption.
- servers forward messages to archive via a secure connection with username and password authentication
- archive access requires 256-bit secure browser
- all remote message synchronization is transferred via hardware VPN
- all messages double encrypted with NSA-level AES & RSA secure encryption algorithms
- archived messages remain in encrypted form and are only decrypted when an authorized user conducts a search via a secure web browser
- all internal data transfer and processing utilizes encrypted pipes
- messages stored in non-rewriteable, non-erasable WORM format
- maintains a copy of all data on a minimum of four storage systems simultaneously
The Compliance Reviewer, Global Relay's monitoring system, provides health care organizations with a turn-key, flexible, online supervisory system. Its advanced monitoring, filtering and eDiscovery features enable enforcement of your firm's email & IM policies for compliance, proper usage and corporate governance. Compliance features include:
- Scan & Monitor email, attachments & IM from Global Relay Archive
- Content Filtering with company-defined rules to identify prohibited content
- Advanced Analysis with Boolean logic, criteria lists, proximities & action alerts
- Random Sampling of each employee's messages customized by percentage & user
- Keyword Search results are highlighted within the message for quick discovery
- Full Review of messages & attachments, or bulk review of headers only
- Reviewer approval, rejection, escalation based on action icons & defined notes
- Multi-tiered Review structure for review escalation to Super Reviewers
- Wizard Commands for pre-defined, single-click compliance using folders, flags, priorities & labels
- Exclude Words, phrases or email accounts (e.g. disclaimers, attorney-client privileged mail, newsletters) from Flagging Rules
- Access Rights of authorized Reviewers governed by customized security rules
- Notifications of compliance violations by email or IM
- Audit Trail with detailed time history of reviews and related actions taken
- Web-based Control Center to modify surveillance & monitoring procedures
How does the Compliance Reviewer work? Using powerful search engines, the Compliance Reviewer is able to retrieve your firm's messages from Global Relay Archive and apply easy-to-use, company-defined filters and Wizard Commands for efficient review and monitoring of all archived email and IM messages. Messages of any user are analyzed on import and flagged for review if violations are detected as follows:
- real time filtering for keyword or phrase violations (start-up list provided)
- specific query using flexible search criteria
- advanced rule-based keyword & phrase proximity analysis
- random sampling (by User, User Group, or firm-wide, using percentages).
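The flagging pipeline the two Compliance Reviewer sections describe (a company-defined keyword list, keyword proximity rules, exclusions for standard disclaimers, and random sampling by user percentage), as an added Python illustration that is not Global Relay's code. The messages, rule tables and sample rates are constructed for the example, and the `draw` parameter is an assumption that lets a seeded generator be passed in so a sampling decision can be reproduced during an audit.

```python
import random
import re

# Constructed sample messages standing in for archived email/IM (not real data).
MESSAGES = [
    {"id": "m1", "user": "alice", "body": "Please send the patient chart for J. Doe to my gmail account."},
    {"id": "m2", "user": "bob", "body": "Lunch at noon? This email may contain confidential information."},
    {"id": "m3", "user": "alice", "body": "Reminder: the quarterly newsletter is attached."},
    {"id": "m4", "user": "carol", "body": "Results are filed; the chart is in the shared folder. Patient is stable."},
]

KEYWORDS = ["patient chart", "social security number"]        # constructed start-up keyword list
PROXIMITY_RULES = [("patient", "gmail", 8)]                    # (term_a, term_b, max word distance)
EXCLUSIONS = ["This email may contain confidential information."]   # e.g. a standard disclaimer
SAMPLE_RATE = {"bob": 0.5}                                      # per-user random-sampling fraction

def tokens(body):
    """Strip excluded phrases first so disclaimers never trigger a rule, then tokenize."""
    for phrase in EXCLUSIONS:
        body = body.replace(phrase, "")
    return re.findall(r"[a-z0-9']+", body.lower())

def keyword_violations(toks):
    """Whole-phrase matches only: 'chart ... patient' in m4 does not match 'patient chart'."""
    text = " ".join(toks)
    return [k for k in KEYWORDS if re.search(r"\b%s\b" % re.escape(k), text)]

def proximity_violations(toks):
    """Flag when both terms of a rule occur within the allowed word distance."""
    hits = []
    for a, b, dist in PROXIMITY_RULES:
        pos_a = [i for i, t in enumerate(toks) if t == a]
        pos_b = [i for i, t in enumerate(toks) if t == b]
        if any(abs(i - j) <= dist for i in pos_a for j in pos_b):
            hits.append("%s near %s" % (a, b))
    return hits

def review_queue(messages, draw=random.random):
    """Return {message id: [reasons]} for every message that should land in the review queue.
    Pass draw=random.Random(seed).random for a reproducible sampling run (assumed design)."""
    queue = {}
    for msg in messages:
        toks = tokens(msg["body"])
        reasons = ["keyword: " + k for k in keyword_violations(toks)]
        reasons += ["proximity: " + p for p in proximity_violations(toks)]
        if draw() < SAMPLE_RATE.get(msg["user"], 0.0):
            reasons.append("random sample")
        if reasons:
            queue[msg["id"]] = reasons
    return queue
```

Each queued reason is the text a reviewer would see beside the highlighted hit; a real deployment would also persist the rule version and the sampling seed so the audit trail explains why a message was (or was not) selected.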
Global Relay Archive & Compliance Reviewer Audit Tools are designed to facilitate efficient responses to regulatory audits and evidentiary requests. Global Relay has successfully assisted hundreds of regulated firms during their audits and regulatory investigations. Currently, Global Relay participates in approximately 3 to 6 customer audits per week.
- Search & retrieval of any message in seconds using Google-like search engine
- Audit Request response within minutes using online search and eDiscovery tools
- Statistics & reporting on Compliance Officer reviews & related actions taken
- Legal Compliance in-house specialists to assist during audits
- Case Management via folder system with shared folders (e.g. external attorney review)
How do Global Relay's Audit Tools assist with an Audit? Global Relay provides flexible and efficient methods to produce records according to the specific criteria of the audit request. Messages are made readily available for examination either by:
Online review of messages via an "auditor account" in Global Relay Archive
- create online search parameters based on Audit request
- restrict access to the exact scope of the audit (by date, user, subject etc.)
- assign Auditors temporary online review privileges
- block attorney-client privileged, personal or restricted messages
- generate an automatic audit trail of the Auditor's review (i.e. audit the Auditor)
- side benefit: no data remains in the Auditor's possession once the audit is complete
Compilation of data for delivery to regulatory auditors
- fast discovery, consolidation and organization of data for export & delivery
- compile requested information on regulator-qualified media such as DVD or CD
Frequently Asked Questions
- What is HIPAA?
Passed into law in 1996, HIPAA (Health Insurance Portability and Accountability Act) seeks to establish standard mechanisms for electronic data interchange, security and confidentiality of all healthcare-related data.
- What are the Archiving & Compliance Requirements?
There are two main compliance components under the Administrative Simplification Provisions (HIPAA, Title II): the Privacy Rule and the Security Rule.
- The Privacy Rule addresses the way in which organizations can use, disclose and transmit health information. The Privacy Rule seeks to protect against the unauthorized disclosure of all "individually identifiable health information" held or transmitted by an organization or its business associate, in any form or media, whether electronic, paper, or oral.
- The Security Rule requires organizations to ensure that all electronic protected health information they create, receive, maintain, or transmit is kept confidential, safe, and available. These requirements are organized into three categories: administrative safeguards, physical safeguards and technical safeguards.
- What is the significance of HIPAA?
HIPAA provides patients with greater control over how their personal health information is used and disclosed. Organizations are obliged to establish policies and procedures to protect the confidentiality of protected health information about their patients.
- Who Must Comply?
Every health care provider who electronically transmits health information in connection with certain transactions must comply with HIPAA's Privacy Rule. The Privacy Rule applies to health care providers who electronically transmit the transactions themselves or who use a billing service or other third party to do so on their behalf.
Affected organizations include healthcare providers, health plans, public health authorities, healthcare clearinghouses, self-insured employers, life insurers, information systems vendors, various service organizations, and universities.
- What are the repercussions of non-compliance?
Depending on the violation, non-compliance with HIPAA can result in civil or criminal penalties, including monetary fines or a period of imprisonment.
For general non-compliance, a civil penalty of $100 per person per violation may be imposed. This may increase to up to $250,000 per person per violation in a calendar year. Where confidential health information is disclosed under false pretenses, criminal penalties of $50,000 and one year imprisonment may be incurred. This can increase to up to $250,000 and ten years imprisonment if the wrongful conduct involves the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm.
- Where can this Legislation be found?
Performing comprehensive due diligence on Software-as-a-Service vendors is a responsibility and a best practice.
Global Relay can assist with the due diligence process. Global Relay's internal controls are verified by KPMG in a document entitled, "KPMG Report on Global Relay's Business, Operational & Security Controls". The report provides assurances and transparency into the high standards of Global Relay's internal controls, and how these truly differentiate Global Relay.
Specifically, the KPMG Report provides unique and extensive validation of Global Relay's security, business and operational controls related to:
- Physical Security - Safeguards governing data protection and data center controls.
- Change Management - Frameworks for guiding software development releases, operations and change control.
- Network Security & Availability - System architecture, redundancy, access and security.
- Global Relay Archive & Compliance Reviewer - Inbound message processing, secure storage, data center replication and end-user access.
- Data Import, Extraction & Destruction - Policies, procedures and methodologies for securely handling customer data.
- Security Policies & Standards - Policies & standards governing privacy and confidentiality.
- Personnel Policies & Procedures - Employee life-cycle management.
To learn more about this report and how Global Relay can assist your firm with due diligence, contact us today.