Hipaa Compliance
Hipaa Compliance


Background and HIPAA Requirements

Maintaining the privacy and security of medical records is an extremely important duty and indeed one that is mandated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

The HIPAA Privacy Rule requires covered entities (health plans, healthcare clearinghouses and healthcare providers) to make reasonable efforts to limit the use or disclosure of, and requests for protected health information (PHI) to the minimum necessary to accomplish the intended purposes. The uses of PHI are limited to those related to treatment, payment and healthcare operations (TPO).

Covered entities are further required to contractually bind other entities (Business Associates) with whom they share Protected Health Information to ensure that those entities also comply with restrictions related to PHI.

SNSdsl Commitment

SNSdsl is committed to ensuring that all necessary policies, procedures and safeguards are in place at all times to comply with HIPAA Privacy Rule requirements in the handling of protected health information in all areas of the company and with any and all business associates or sub-contractors that are permitted access to PHI.

Policies & Procedures

HIPAA Security Policies and Procedures fall into the following three categories:

  • Business Practices
  • Workflow & Application Security
  • Data Center Physical & Electronic Security

I. Business Practices

HIPAA Compliance Management: SNSdsl has established a HIPAA Compliance Management Committee consisting of the CEO, and department level managers of the company. This committee is responsible for defining and enforcing compliance procedures and processes.

HIPAA Training: All employees of the company attend formal training to ensure they understand the security requirements and are equipped to comply with all policies and procedures.

Confidentiality Agreements: All employees of the company are required to sign a confidentiality agreement and non-disclosure agreement relating to PHI.

Business Associate Agreements with Contractors: All contractors of the company with access to PHI must enter into a business associate agreement that requires full compliance with all HIPAA requirements and all SNSdsl privacy safeguards. In particular:

  • No contractor of the company is permitted to further sub-contract work for the company where PHI is involved.
  • All contractors must employ in-office staff and PHI may not be removed from office premises under any circumstances.
  • All staff of contractors with access to PHI must sign confidentiality and non-disclosure agreements that bind them to comply with HIPAA privacy rules.

II. Workflow and Application Security:

The SNS Transcribe product includes the use of handheld digital recorders for voice capture. These voice files are electronically transmitted directly to SNSdsl data center servers from customer sites using the proprietary SNS Transcribe desktop application running on local PCs. The SNS Transcribe application includes password-protected authentication prior to any transmission of files to or from SNSdsl servers.

The proprietary SNS Transcribe desktop application applies 128-bit encryption to all files prior to any file transmission via the public Internet to the SNSdsl data center servers.

All use of the SNS Transcribe or SNSdsl web applications is forced to occur using the HTTPS protocol (SSL secure socket layer) with 128-bit encryption strength. Attempts to access the application without SSL are redirected.

Voice files are transmitted from SNSdsl data center servers to production work centers via 128-bit SSL-secured web applications.

During the processing of voice files to completed transcribed documents, only medical transcriptionists (MT) and quality control (QC) personnel are permitted access to files. Processes are in place to prevent unauthorized electronic transmission of these records to other parties. For example:

  • Access to the production floor is strictly limited to authorized personnel.
  • User authentication via unique user logins and passwords are required to access any file containing PHI.
  • Audit trails identifying all users who have accessed or edited PHI are maintained.
  • All floppy disk drives and USB ports are disabled to prevent copying of files to unauthorized media.
  • Internet access is limited and monitored.
  • The production process is operated as a paperless environment and network printer access is limited restricted.
  • All printed materials are shredded after their useful life, typically less than 24 hours.
  • All files containing PHI are removed from production floor PC's and servers after successful transmission to the SNSdsl data center servers.

Completed transcribed documents are returned to SNSdsl servers from transcription work sites using the 128-bit SSL encrypted protocol.

Customers retrieve completed files using the proprietary SNS Transcribe desktop application.

II. Data Center Physical & Electronic Security:

This category includes safeguards to protect physical computer systems and related buildings and equipment from intrusion as well as fire and other environmental hazards. The use of locks, keys, and administrative measures used to control access to computer servers and facilities are also included.

SNSdsl servers and databases are housed in state-of-the-art data centers with geographic redundancy.

The data center facilities provide a secure, climate-controlled environment that is operational 24 hours a day, 7 days a week, and 365 days a year.

The data center is physically secured and requires the use of special electronic access codes to enter. Keys are only issued to individuals authorized by the HIPAA compliance committee.

Logs of all entry and exit from the facility are automatically maintained. The data center facilities are equipped with climate control systems, fire detection and suppression systems, and backup UPS and generator.

All SNSdsl servers and databases are located on a secured internal network that is protected by state-of-the-art Cisco Secure PIX Hardware Firewalls.

SNSdsl uses Microsoft SQL Server 2000 databases and implements the SQL Server Security Model. In summary, this model addresses security at multiple layers including securing access to the server, securing access to the database, securing access to database objects, and securing access through application roles.

Access to the SNS Transcribesystem is limited to registered users. Users must provide their username and password to gain entry.

A complete access audit trail is maintained including user session information. All database transactions are logged.