
Gmail

The free version of Gmail that most people use is not HIPAA compliant on its own, but Google’s G Suite can be HIPAA compliant. G Suite includes Gmail, Google Calendar, and Google Drive, just like the free version, but it also includes security features that, once configured, make G Suite HIPAA compliant. Once you’ve made your G Suite account HIPAA compliant, your connected Gmail account will be HIPAA compliant as well.

Gmail is the most widely used email service around, with 1.5 billion users worldwide, an increase of 500 million users just since 2016. The ubiquity and familiarity of Gmail make it an appealing option for healthcare companies.

HIPAA sets strict standards for protecting patient confidentiality and health information. Sending HIPAA-compliant emails requires training staff to use technological safeguards. Your email provider may follow HIPAA regulations, but that doesn’t automatically make your emails secure. Every employee must understand how HIPAA applies to their email. Your staff needs training in everything from encrypting sensitive emails to ensuring they’re sent to authorized recipients.

Ongoing training is necessary because healthcare workers are often targeted by phishing and other email attacks. Recent breaches have compromised sensitive personal data, such as Social Security numbers and financial account information, as well as the PHI of hundreds of thousands of patients. Continuous training improves the chances your employees will thwart phishing scams before they cause any damage. Your business needs a straightforward, step-by-step process to help staff comply with both HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act.

Now that we’ve considered the importance of strong training and policies, it’s time to take a look at the technical side of things. You need a signed business associate agreement (BAA) with every third party that could access the PHI in your custody. Using an email provider is no different. A BAA ensures that your business associate understands how they can use PHI and what security measures are required.

The fundamental risk of transmitting PHI via email is that unauthorized people could gain access to that data. HIPAA-compliant email services should have strong security features or allow third-party plugins that provide the needed security. Access must be restricted to only those who need the information. Never print emails that contain PHI. These emails should be visible only to the sender and the recipient. Using end-to-end encryption and access controls ensures that ePHI doesn’t fall into the wrong hands.

Google will sign a BAA with healthcare companies that use G Suite, but not until all security protocols are in place. Using G Suite to transmit or store PHI before you have the BAA is a HIPAA violation.
TeamViewer

TeamViewer is a HIPAA-compliant remote access solution that allows users to access devices no matter where they are. Security is a key objective for TeamViewer. The company has received multiple security certifications from A-LIGN, a provider that helps businesses implement HIPAA-compliant security features. All of TeamViewer’s remote support, remote access, and online collaboration features maintain the level of privacy and security necessary for HIPAA compliance. This includes end-to-end encryption, which is why many companies trust TeamViewer.

HIPAA has strict standards for the privacy and confidentiality of patient information. When using computers, networks, and mobile devices for PHI, all access and management must follow HIPAA regulations. Additionally, every employee must receive regular HIPAA training. TeamViewer’s security and privacy practices meet HIPAA compliance standards.

Before using TeamViewer with PHI, you must get a signed BAA from the company. Since TeamViewer is a third party that could access PHI on your computers and devices, the BAA ensures that protections are in place if TeamViewer exposes PHI. The inherent risk of remote access is that it opens up the possibility of unauthorized access to PHI. TeamViewer mitigates this risk using encryption and security features to protect information.

Submit an inquiry to TeamViewer customer service for assistance in obtaining the BAA. A signed BAA might be available only for organizations that meet a specific spending threshold. The company reviews each situation on a case-by-case basis, so you must contact TeamViewer to discuss a BAA. It’s a HIPAA violation to use TeamViewer before you have a signed BAA in place.
Salesforce

The Salesforce platform can be set up to meet HIPAA compliance standards through certain features that help keep Patient Health Information (PHI) secure in the cloud. Salesforce complies with the HIPAA Security Rule, including administrative, physical, technical, organizational, and documentation safeguards to protect PHI.

Customers can meet strict HIPAA security requirements using customer-controlled security features through Salesforce Covered Services. Additionally, Salesforce has core security safeguards such as data encryption in transit, ongoing monitoring for security violations, and audit logging to identify changes in activity.

Customer administrators can use configurable tools to:
- Define permission sets that govern the visibility of data
- Maintain strict password security
- Monitor field-level history
- Set security rules to manage data access
- Define a company-wide sharing model and role hierarchy

In addition to permission sets, customers can define user profiles to limit data record access to authorized employees. It’s a good idea to use the premium set of Salesforce features known as “Salesforce Shield.” These features provide extra monitoring, encryption, and auditing. You might need to enable other features or additional services to ensure the protection of PHI when information is in transit.

If you’re planning to use Salesforce for patient information, reach out to your account representative for a signed Business Associate Agreement (BAA). The account representative can also advise you on specific features and settings for HIPAA compliance.
Google Sheets

Google Sheets is part of G Suite, which uses high-level encryption to protect patient health information (PHI). Google doesn’t access the PHI in Google Sheets but still needs to sign a BAA, since this data is stored on Google servers. Google will sign an agreement with businesses that use G Suite services such as Google Sheets, Google Docs, Google Slides, Google Drive, and Google Forms.

While Google Sheets offers HIPAA-compliant security features, covered entities are responsible for maintaining the right security settings. Your healthcare organization must configure Google Sheets to be HIPAA compliant.

Admin console logs and reports are an important part of HIPAA-compliant security for Google Sheets and all other apps in G Suite. Use these tools to monitor user collaboration, examine security risks, track sign-ins, and analyze activity. Administrators can set alerts for activities like suspicious login attempts, suspending users, activating a suspended user, adding a new user, changing a password, and granting or revoking admin privileges.

In Google Sheets, administrators set visibility and access permissions for both files and folders. These settings also manage the sharing and editing capabilities of collaborators.

When using Google Apps, administrators can separate user access for team members who manage PHI. This feature allows an administrator to activate or deactivate specific services for users. For example, since Google+ and YouTube aren’t HIPAA compliant, administrators should turn off these apps. Also, consider disabling third-party applications and add-ons from third-party developers.
Carbonite

Carbonite uses internal privacy and security provisions to safeguard medical information. These services support HIPAA requirements, as long as healthcare customers sign a Business Associate Agreement.

HIPAA requires business associates to implement risk management measures that protect the integrity, confidentiality, and availability of patient information. Carbonite meets this standard through real-time monitoring, a secure firewall, encryption, a vulnerability management program, and a formal incident response process for information security threats.

Physical security measures include restricted access at Carbonite’s facilities, so only authorized employees, third parties, and visitors can enter. Twenty-four-hour security includes both interior and exterior cameras as well as an alarm system and an electronic card access control system.

Additionally, Carbonite restricts access to software programs, allowing only authorized employees access. When a customer needs to dispose of data, authorized individuals wipe the drive, then complete a full write of the drive and a full read to ensure it is blank.

Carbonite uses vendors that maintain HIPAA-compliant practices, ensuring the same privacy standards for all Carbonite services.

You must have a Carbonite Safe Pro subscription for HIPAA compliance. The BAA provides contractual assurances that Carbonite understands and implements strategies for safeguarding PHI. Carbonite Safe Pro also gives administrators access to view user activity and logins.

Since HIPAA regulations can be challenging to navigate, Carbonite provides a HIPAA handbook to guide customers in keeping their backups HIPAA compliant.
RingCentral

RingCentral is a HIPAA-compliant option that healthcare organizations can use to transmit and store patient health information. As a cloud service provider, RingCentral takes a proactive approach to ensuring privacy and safety for all communications.

The service boasts a “seven layers of security” approach to securing data that transfers through its services. These seven layers include physical, network, data, host, business process, application, and enterprise-level security measures.

Available HIPAA security measures include transmission security in the form of transport layer security (TLS) and secure real-time transport protocol (SRTP). This encryption means that information is secure at rest and when in motion. Infrastructure security uses vulnerability scans, firewalls, user authentication, and intrusion detection. Additionally, RingCentral data centers have state-of-the-art security protocols with onsite guards and electronic prevention systems.

Healthcare customers must implement proper security measures using the features listed above. Employee training is another important element to ensure the team is using these cloud services in a HIPAA-compliant manner.

When a healthcare organization uses these services with patient health information, RingCentral is classified as a business associate. Therefore, healthcare organizations using RingCentral services must obtain a signed business associate agreement (BAA). RingCentral offers its own BAA, which customers can obtain by contacting their personal representative.
SharePoint

SharePoint provides the necessary administrative and technical features to meet HIPAA compliance. Some of these features include access control for users, audit control, logs, and encryption. Threat awareness resources make it easy to access real-time reports about information access and usage.

SharePoint is a Microsoft service. The Microsoft website states that SharePoint Online is HIPAA compliant when paired with Office 365 Enterprise. While Microsoft ensures it meets its responsibilities as a business associate, users are responsible for configuring the platform correctly.

A variety of security add-ons are included for Office 365 Enterprise users, such as advanced threat protection, security management, advanced compliance, and threat intelligence. Licensing includes anti-malware, Windows Defender, Cloud App Security (CAS), Azure AD Identity Protection, Azure Security Center, Azure Advanced Threat Protection, and more.

If you are a HIPAA covered entity, then you must follow HIPAA regulations. For example, you must control how data is shared, used, published, and updated. Always classify sensitive data to ensure monitoring, protection, and appropriate access controls for storage and information transit.

Microsoft is willing to sign a Business Associate Agreement (BAA) for organizations that use SharePoint for patient health information. This BAA is for Office 365 Enterprise, which also covers SharePoint Online. Without this signed BAA, HIPAA-covered entities shouldn’t use this platform for protected health information.

If you configure and use SharePoint correctly and obtain a BAA, then this service can be a HIPAA-compliant solution for information storage, management, and collaboration.
Virtru

Virtru provides HIPAA-compliant data protection services that encrypt email and files to protect confidential patient health information (PHI). HIPAA defines specific technical standards for data encryption, and Virtru meets or exceeds these standards at all times. Encryption protects files while they are in transit and at rest.

Additionally, Virtru provides administrative controls for managing emails, photos, videos, PDFs, and Office files. You can manage authorization to allow or disallow users to access specific content and types of content. Tracking and monitoring features provide real-time protection for patient information.

Other HIPAA-compliant security features include forwarding restrictions and the ability to revoke messages after they are sent. When sharing information between patients and colleagues, the content is always protected, private, and audit-ready.

Virtru offers client-side email encryption if you’re using the plugin with on-device encryption. When creating information on the device, the protection occurs immediately (before distribution). Advanced controls allow end-to-end encryption, so patient information is always safe.

Virtru can integrate end-to-end encryption in Gmail. Google will sign a BAA and ensure protection for content within your email account, but privacy control isn’t available once the data leaves the Gmail ecosystem. Virtru offers an extra layer of security to strengthen privacy controls after email leaves your inbox. When using Virtru and Gmail together, you must have a signed Business Associate Agreement (BAA) from both providers.

All Virtru services meet or exceed the technology standards required for HIPAA compliance. Virtru is willing to sign a BAA for customers on most of its paid plans. BAAs aren’t available if you are an unpaid user with a Personal Privacy account. If you need a signed BAA, purchase a paid plan and contact the support team to receive this HIPAA-compliant documentation. It usually takes one to two weeks to receive the countersigned document. You should not enter patient health information in the system until this document is signed.
ProtonMail

Even though ProtonMail isn’t designed specifically for the healthcare industry, it offers security features healthcare organizations can use for protected health information (PHI). ProtonMail includes a HIPAA compliance statement on its website that assures HIPAA-covered entities the company will do its part to protect patient data.

Privacy and security features include end-to-end encryption and zero-access data management. The service uses 4,096-bit RSA encryption for all stored communications. World-class data centers provide physical security for all data backups. The server hardware is located in Switzerland, where the servers use fully encrypted hard disks, including multiple password layers in case the hardware is removed from the data center.

If a user’s device is stolen or lost, a remote wipe feature protects PHI. Account owner authorization gives healthcare organizations control over who can access the information. Automated virus checking and data backups are standard. There is also a sophisticated monitoring system.

ProtonMail employees don’t have access to PHI. Since the encryption is zero-access, ProtonMail employees can’t read a user’s encrypted data. As part of the employment contract, each employee signs a confidentiality agreement.

At the end of a contract with ProtonMail, the company deletes all of an organization’s data from its servers. ProtonMail doesn’t store paper copies or printed reports in its facilities.

ProtonMail offers a signed BAA for all accounts, including its free plan. Healthcare organizations can request a signed copy by emailing legal@protonmail.com and using the email subject line: “HIPAA BAA.”
23andMe

23andMe isn’t HIPAA compliant because the Health Insurance Portability and Accountability Act (HIPAA) only applies to healthcare organizations and providers, such as physicians, insurance companies, hospitals, and applicable business associates. HIPAA doesn’t apply to private genetic testing and genealogy services, such as 23andMe and other similar businesses. These services aren’t considered covered entities.

Current HIPAA privacy laws were in place before genetic privacy became a concern. HIPAA laws don’t protect personal data shared with genealogy testing providers. The collection of genetic information gives 23andMe more sensitive information than a healthcare provider or a doctor has. Unfortunately, HIPAA doesn’t hold these genetic testing services to the same standard of confidentiality as covered entities.

Few restrictions are in place outside of HIPAA to protect genetic data. For example, the government might access genetic information in private or public databases if national security is at risk. Individuals who contribute DNA to 23andMe could face law enforcement scrutiny if a relative’s genetic data provides probable cause in a criminal investigation. (23andMe only releases clients’ information to law enforcement upon receipt of a court order.)

23andMe also collects other information through social media and real-time tracking of online activity. The company uses this data for marketing. It also shares customer information for research, as long as customers consent to participate in its research efforts.