Data Security & Integrity
PathHub takes data security and integrity for its software products very seriously. In summary all our client's data is hosted with:
- HIPAA & HITECH Compliant US Servers
- Data Encryption
- Offsite Backups
- Multi-tier Authentication
- Private Hosted Environment
- SSL Certificates
- SSAE 18 Certificate
- Business Associate Agreement
PathHub has multiple layers of protection, including encryption in transit between company servers and client’s devices, and at rest on servers, providing a reliable and stable infrastructure. Mandatory compliance with HIPAA, HITECH and Sarbanes-Oxley both for PathHub and its associates, whilst standards such as the ISO 9000 are an assurance that systems and procedures are in place for effective process management. It is to be noted that PathHub is a software platform with no input or ability to affect the healthcare decisions undertaken by its clients in regards to their patients, it is not a medical device and no feature or process of the software can affect the outcome of a patient’s treatment plan without the specific input from an authorized medical professional.
PathHub users are able to access data on the web using both computers and mobile devices with same high security for access.
Security begins at the access point, with multi factor authentication and password control for validation. Forced password changes are implemented at manageable intervals. We are on constant vigil for data threat risks and update our authentication methods as any new technology becomes available.
Servers process files from an application, splitting each transmission into blocks, encrypting each block and synchronizing only blocks which have been modified between revisions. To protect data in transit PathHub uses secure Sockets Layer (SSL)/Transport Layer Security (TLS), creating a secure tunnel protected by 128-bit or higher Advanced Encryption Standard (AES) encryption.
Clients data is stored in encrypted blocks, and an additional layer of encryption is provided for all file blocks at rest. Files are encrypted using 356-bit Advanced Encryption Standard. Metadata is kept in its own storage separate from the blocks, this enables high performance and availability standards. PathHub has a subscriber-controlled feature for long term data whereby all patient identifier fields can be removed, leaving only the originating patient record numbers, this feature can go a long way towards diminishing for and risks associated with electronic PHI.
Perfect Forward secrecy
For modern browsers, we support perfect forward secrecy. By implementing perfect forward secrecy, we’ve made it so our private SSL key can't be used to decrypt past Internet traffic.
PathHub data is housed at fully compliant 24/7 managed and monitored servers located in the US. Our server hosting partners have the highest standards and protocols for data safety and security, with both physical and virtual threat contingencies in place.
PathHub saves 30-day history and allows clients to restore for up to 30 days.
PathHub rigorously tests data security and protocols to identify any vulnerabilities, working with partners such as internet security experts and the data centers where our servers are hosted.
PathHub is committed to ongoing training with clients to ensure good data security practices do not lapse over time.
Privacy and Security
Federal laws require persons and organizations, including business associates, handling personal health information, have policies and security safeguards in place to protect patient data. PathHub is committed to ensuring it, and its business associates, comply with HIPAA and HITECH in regards to the protection and confidential handling of protected health information.
PathHub meets its obligations by periodically reviewing its Compliance Policy and conducting audits for:
- Security Risk Assessment
- Privacy Assessment
- Administrative Assessment
What is HIPAA?
HIPAA is the acronym for the Health Insurance Portability and Accountability Act that was passed by Congress in 1996. HIPAA:
- Provides the ability to transfer and continue health insurance coverage for millions of American workers and their families when they change or lose their jobs;
- Reduces health care fraud and abuse;
- Mandates industry-wide standards for health care information on electronic billing and other processes; and
- Requires the protection and confidential handling of protected health information
Protection and Confidential Handling of Health Information
The HIPAA Privacy regulations require health care providers and organizations, as well as their business associates, to develop and follow procedures that ensure the confidentiality and security of protected health information (PHI) when it is transferred, received, handled, or shared. This applies to all forms of PHI, including paper, oral, and electronic, etc. Furthermore, only the minimum health information necessary to conduct business is to be used or shared.
The 18 HIPAA Identifiers
The HIPAA privacy rule sets forth policies to protect all individually identifiable health information that is held or transmitted. These are the 18 HIPAA Identifiers that are considered personally identifiable information. This information can be used to identify, contact, or locate a single person or can be used with other sources to identify a single individual. When personally identifiable information is used in conjunction with one’s physical or mental health or condition, health care, or one’s payment for that health care, it becomes Protected Health Information (PHI).
If a communication contains any of these identifiers, or parts of the identifier, such as initials, the data is to be considered “identified”. To be considered “de-identified”, ALL of the 18 HIPAA Identifiers must be removed from the data set. This includes all dates, such as surgery dates, all voice recordings, and all photographic images.
HIPAA Privacy rule protects individually identifiable health information of deceased individuals for 50 years following the date of death. If the research will include any identifiers linked to living persons or involves accessing death records maintained by the State Registrar, local registrars, or county recorders, the project must be approved in advance.
HITECH Act Definition
The HITECH Act – or Health Information Technology for Economic and Clinical Health Act – is part of an economic stimulus package introduced during the Obama administration: The American Recovery and Reinvestment Act of 2009 (ARRA). The Act was signed into law by President Barack Obama on February 17, 2009.
What are the Goals of the HITECH Act?
The HITECH Act was created to promote and expand the adoption of health information technology, specifically, the use of electronic health records (EHRs) by healthcare providers.
The Act also removed loopholes in the Health Information Portability and Accountability Act of 1996 (HIPAA) by tightening up the language of HIPAA. This helped to ensure that business associates of HIPAA covered entities were complying with HIPAA Rules and notifications were sent to affected individuals when health information was compromised.
Tougher penalties for HIPAA compliance failures were also introduced to add an extra incentive for healthcare organizations and their business associates to comply with the HIPAA Privacy and Security Rules.
HITECH and HIPAA, are separate and unrelated laws, but they do reinforce each other in certain ways. For example, HITECH stipulates that technologies and technology standards created under HITECH will not compromise HIPAA privacy and security laws.
HITECH also requires that any physician or hospital that attests to meaningful use must have performed a HIPAA security risk assessment as outlined in the Omnibus Rule, or the 2013 digital update to the original 1996 law.
Another example: HITECH established data breach notification rules; HIPAA's Omnibus update echoes those rules and adds details, such as holding healthcare providers' business associates accountable to the same liability of data breaches as the providers themselves.
Business associates and business associate agreements
The HITECH Act requires business associates to comply with the HIPAA Security Rule with regards to ePHI and to report PHI breaches. Business associates must also comply with HIPAA Privacy Rule requirements that apply to covered entities when the associates act on the behalf of those entities.
ISO is an independent, non-governmental international organization with a membership of 164 National-Standards Bodies.
Through its members, it brings together experts to share knowledge and develop voluntary, consensus-based, market relevant International Standards that support innovation and provide solutions to global challenges.
The ISO 9000 family addresses various aspects of quality management and contains some of ISO’s best known standards. The standards provide guidance and tools for companies and organizations who want to ensure that their products and services consistently meet customer’s requirements, and that quality is consistently improved.
Uralensis Innov8 is certified for ISO 9001:2015. Certificate Number : SNR 31245739/98/Q Rev: 001. Certification date 21st July 2018.
ISO 9001:2015 sets out the criteria for a quality management system and is the only standard in the family that can be certified to (although this is not a requirement). It can be used by any organization, large or small, regardless of its field of activity. In fact, there are over one million companies and organizations in over 170 countries certified to ISO 9001.
This standard is based on a number of quality management principles including a strong customer focus, the motivation and implication of top management, the process approach and continual improvement.
Using ISO 9001:2015 helps ensure that customers get consistent, good quality products and services, which in turn brings many business benefits.
Further information can be read at https://www.iso.org/