We’re HIPAA Compliant
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) sets the standard for protecting sensitive patient data in the U.S. The primary goal of this law is to protect the confidentiality and security of healthcare information.
Firmex has been verified as “compliant” under Avertium’s HIPAA Certification Program. Being compliant with HIPAA means that we have implemented the technical, physical and administrative “safeguards” (controls) required by the HIPAA Privacy, Security and Breach Notification Rules.
HIPAA Matters to Both of Us
Any company that deals with protected health information must ensure that all required physical, network, and process security measures are in place and followed. This includes:
- Covered Entities (CE): health care providers, health plans and health care clearinghouses that handle protected health information (PHI) in the course of treatment, payment or healthcare operations
- Business Associates (BA): vendors and service providers that create, receive, maintain or transmit PHI on behalf of a Covered Entity in support of treatment, payment or operations
- Subcontractors, i.e. business associates of business associates
HIPAA requires all CEs to sign Business Associate Agreements (BAAs) with their BAs and any third-party vendors that handle PHI. If you use Firmex to store electronic protected health information (ePHI), you must sign a Business Associate Agreement with us.
As of 22 September 2014, if you do not have a Business Associate Agreement in place with all BAs and/or third-party vendors that handle PHI, you could be penalized.
We Support HIPAA Compliance in Lots of Ways
In addition to a signed Business Associate Agreement, we support HIPAA compliance through the following product features and organizational policies:
- Ongoing risk assessment and risk management overseen by company executives
- Data encryption in transit and at rest
- Restricted physical access to servers
- Strict logical system access controls
- Dedicated firewall and network monitoring
- Granular administrative controls that allow our clients to:
  - Control access to files (e.g. restrict downloading, saving and printing)
  - Lock down files by IP address or computer
  - Password-protect files
  - Monitor access to documents
- Reporting and audit trails of user and document activity
- Formally defined breach notification policy
- Training of employees on security policies and controls
- Employee access to customer data files is highly restricted
- Multiple data center facilities to mitigate disaster situations and support recovery
- 99.9% uptime SLA