HIPAA Compliance
ServiceHub Corporation has implemented policies, procedures and information systems to meet the regulatory mandates of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) with a focus on key areas of practical application: (1) Authentication; (2) Authorization; and (3) Accountability.

How does HIPAA apply to ServiceHub?

ServiceHub is an Internet-based software product used for scheduling and tracking the activities of mobile health care providers; it does not manage or transmit medical files or similar clinical information. It does, however, typically transmit limited patient information such as name and medical record number, and the organization using ServiceHub may choose to transmit service/billing codes and caregiver specialties as well. A patient's name and medical record number are themselves protected health information (PHI) under HIPAA, and HIPAA requires that PHI be safeguarded; therefore, ServiceHub secures all data it transmits for use in a health care environment.

How does ServiceHub meet these attributes?

Authentication

  1. Access Control: ServiceHub has access control for all users within an organization, full Windows security integration, and centrally managed security servers. All users must individually authenticate with a user name, password and organization code before gaining any remote access.
  2. Challenge/response authentication: Microsoft Internet Information Server (IIS), used together with Microsoft Internet Explorer (IE), supports challenge/response authentication, a mechanism in which the client computer identifies itself to the server using the user's established Windows logon credentials. The user is not prompted to enter these credentials again; the browser supplies them from the session established when the user first logged on to the Windows computer. Because this reuses the Windows logon, its strength is bounded by the Windows account and password policy in force for that user.
  3. Encryption: ServiceHub offers user-selectable levels of encryption, the highest of these being 256-bit AES, the largest key size approved under the current US Government standard (FIPS 197). All information transmitted by ServiceHub is encrypted.
  4. Data authentication: Data in transit is protected against modification en route by HMAC-SHA-256, which attaches a 256-bit authentication tag to each message; a receiver that verifies the tag can reject any message altered on the way.
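The AES-256 and HMAC-SHA-256 combination described in items 3 and 4, as an added example that is not ServiceHub's code: an encrypt-then-MAC construction in which the HMAC tag covers the IV and ciphertext and is verified in constant time before anything is decrypted, so a message altered in transit is rejected without ever being interpreted. The master key, the key-derivation labels and the scheduling record are constructed for this example.

```go
// Added example (not ServiceHub code): encrypt-then-MAC with AES-256-CBC
// and HMAC-SHA-256, the primitives named in items 3 and 4 above.
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// ErrTampered is returned whenever the tag or the framing does not check out.
var ErrTampered = errors.New("message authentication failed: data modified or wrong key")

// hmacSHA256 computes HMAC-SHA-256(key, msg): a 32-byte (256-bit) tag.
func hmacSHA256(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// deriveKeys splits one 256-bit master secret into independent encryption and
// MAC keys so the same key is never used for both purposes. The labels are
// assumptions made for this example.
func deriveKeys(master []byte) (encKey, macKey []byte) {
	return hmacSHA256(master, []byte("example/enc")), hmacSHA256(master, []byte("example/mac"))
}

// pkcs7Pad copies b and pads it to a multiple of n (1..n bytes appended).
func pkcs7Pad(b []byte, n int) []byte {
	p := n - len(b)%n
	out := make([]byte, len(b)+p)
	copy(out, b)
	for i := len(b); i < len(out); i++ {
		out[i] = byte(p)
	}
	return out
}

// pkcs7Unpad strips and validates the padding. Because Open verifies the MAC
// first, a padding error here cannot be turned into a padding oracle.
func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 {
		return nil, ErrTampered
	}
	p := int(b[len(b)-1])
	if p == 0 || p > aes.BlockSize || p > len(b) {
		return nil, ErrTampered
	}
	for _, c := range b[len(b)-p:] {
		if int(c) != p {
			return nil, ErrTampered
		}
	}
	return b[:len(b)-p], nil
}

// Seal returns iv || ciphertext || tag, with tag = HMAC-SHA-256(macKey, iv || ciphertext).
func Seal(encKey, macKey, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(encKey) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plaintext, aes.BlockSize)
	body := make([]byte, aes.BlockSize+len(padded))
	copy(body, iv)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(body[aes.BlockSize:], padded)
	return append(body, hmacSHA256(macKey, body)...), nil
}

// Open checks the tag in constant time before touching the ciphertext, so a
// message altered in transit (or sealed under a different key) is rejected
// without ever being decrypted.
func Open(encKey, macKey, sealed []byte) ([]byte, error) {
	if len(sealed) < aes.BlockSize+sha256.Size {
		return nil, ErrTampered
	}
	body, tag := sealed[:len(sealed)-sha256.Size], sealed[len(sealed)-sha256.Size:]
	if !hmac.Equal(tag, hmacSHA256(macKey, body)) {
		return nil, ErrTampered
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	iv, ct := body[:aes.BlockSize], body[aes.BlockSize:]
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, ErrTampered
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt)
}

func main() {
	// Constructed master key and a constructed scheduling record of the kind
	// the page describes (patient name and medical record number only).
	encKey, macKey := deriveKeys(bytes.Repeat([]byte{0x42}, 32))
	record := []byte("patient=Jane Doe;mrn=000123;visit=2024-05-01T09:30")

	sealed, _ := Seal(encKey, macKey, record)
	if pt, err := Open(encKey, macKey, sealed); err == nil {
		fmt.Printf("intact message accepted: %s\n", pt)
	}

	// Flip one bit of the ciphertext, as an on-path attacker might.
	sealed[aes.BlockSize+3] ^= 0x01
	_, err := Open(encKey, macKey, sealed)
	fmt.Println("modified message:", err) // err is ErrTampered
}
```

The order of operations is the point: the tag is checked with hmac.Equal (constant time) over the IV and ciphertext first, and decryption and padding checks run only on data that has already been authenticated. Keeping the encryption and MAC keys separate avoids cross-protocol interactions between the two primitives. An AEAD mode such as AES-256-GCM would give the same guarantees in one primitive; the two-step form is shown here because it matches the page's description of separate encryption and HMAC steps.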

Authorization

  1. User Privileges: Once a user enters a valid username, password and organization code, the user is granted access to data in the system according to the authorized privileges specified in that user’s profile.
  2. Limited Patient Information: Only the necessary information to identify the patient and location is contained in the system and displayed to the user. The system does not have access to the details of the patient’s electronic medical record or other confidential information.
  3. Automatic logoff: When a user session times out for inactivity or is disconnected, ServiceHub logs the remote device off, so the user must authenticate again to continue.

Accountability

  1. User/Date Stamp: ServiceHub automatically includes a User/Date/Time stamp on all user transactions. This information can then be used to identify who accessed the system and when.
     ServiceHub Access Log: Once transactions have been entered into ServiceHub, the access log can be used to track access to the patient's case records. ServiceHub log files contain no information that could violate patient privacy; they record only the events and the times at which ServiceHub users used the service.
  2. Windows PC Auditing: Windows 2000 and later versions include the ability to audit files and directories. This feature can be used to provide additional audit information about access to specific transactions associated with the patient's case records.

ServiceHub believes that continued compliance with the standards for administrative simplification depends in great part on the parallel efforts of its business partners and customers. Similarly, to the extent that protected information in ServiceHub databases is accessible to its partners and customers, their cooperation is essential in the design and implementation of security mechanisms such as access control, authorization control and user authentication. ServiceHub cooperates with its customers that are HIPAA covered entities to ensure the timely and effective implementation of our respective compliance responsibilities.