Microsoft and HIPAA and the HITECH Act
HIPAA regulations require that covered entities and their business associates—in this case, Microsoft when it provides services, including cloud services, to covered entities—enter into contracts to ensure that those business associates will adequately protect PHI. These contracts, or BAAs, clarify and limit how the business associate can handle PHI, and set forth each party’s adherence to the security and privacy provisions set forth in HIPAA and the HITECH Act. Once a BAA is in place, Microsoft customers—covered entities—can use its services to process and store PHI.
Currently there is no official certification for HIPAA or HITECH Act compliance. However, those Microsoft services covered under the BAA have undergone audits conducted by accredited independent auditors for the Microsoft ISO/IEC 27001 certification.
Microsoft enterprise cloud services are also covered by FedRAMP assessments. Microsoft Azure and Microsoft Azure Government received a Provisional Authority to Operate from the FedRAMP Joint Authorization Board; Microsoft Dynamics 365 U.S. Government received an Agency Authority to Operate from the US Department of Housing and Urban Development, as did Microsoft Office 365 U.S. Government from the US Department of Health and Human Services.
Simple Dictation & Third Party Vendors
SimpleDictation sells telecom services, data exchange and application hosting platform services for numerous industries including healthcare providers and transcription service organizations. We act as a Business Associate in the provision of technical support related to our products and/or services for those customers handling patient health information (PHI) and are considered a covered entity. In order to assist our customers and partners in assessing their risk related to the use of SimpleDictation products, we offer the following compliance information. The following statement is not intended to replace or amend an executed Business Associate Agreement when applicable.
SimpleDictation Services, either hosted by SimpleDictation or 3rd party service hosting providers for use in a Software as a Service (SaaS) or Internet Cloud model, provide security and privacy tools to the covered entity through the following.
1. Users are individually identified and authenticated using a unique user ID and password.
2. Users are given permissions to restrict their access only to the data deemed necessary by the covered entity.
3. Data is encrypted using SSL.
4. Length of time data is stored on host servers is configured and controlled by the covered entity.
5. Specific data transmitted to host servers is controlled by the covered entity.
6. Database changes are audited via log files.
7. User access is audited via log files.
8. User inactivity timeouts are configured and controlled by the covered entity.
The security and privacy of the data therein is ensured by the overall security of the covered entity and/or facility’s premise network and security restrictions.
Business Associates (45CFR 164.502(e), 164.504(e), 164.532(d) and (e))
In certain instances, and upon specific request by the covered entity, it may be necessary for SimpleDictation employees to view sensitive information from the covered entity’s system in order to provide proper technical support for our products; therefore, SimpleDictation requires all customers and partners who plan to store Patient Health Information (PHI) data to execute a Business Associate Agreement prior to any such support. SimpleDictation employees are trained that all patient and provider sensitive information viewed as a result of normal support procedures is treated as confidential and private. This data is viewed on secure computer workstations and servers requiring unique usernames and passwords to access such data.
By law, the HIPAA Privacy Rule applies only to covered entities. However, most healthcare providers do not carry out all of their activities and functions by themselves. Often the use of services provided by a variety of other persons and businesses are required. The Privacy Rule allows covered providers to disclose protected health information to these "business associates" if the providers obtain satisfactory assurances that the business associate will use the information only for the purposes for which it was engaged by the covered entity, will safeguard the information from misuse, will help the covered entity comply with some of the covered entity’s duties under the Privacy Rule, and help the covered entity carry out its healthcare functions. For example:
a) A member of the covered entity’s workforce is NOT a business associate.
b) An independent medical transcriptionist that provides transcription services to a physician IS a business associate.
c) A software vendor only becomes a "Business Associate" when it is required that a company representative view patient data in relation to providing services in the installation or maintenance of computer software. If the viewing of patient data can be avoided in this regard, a software vendor is not considered a business associate.
Uniform Coding and Transmission of Data
SimpleDictation uses the covered entity’s HIPAA compliant formats to retransmit data to the entity or other 3rd parties as part of the delivery of services. All data transmitted and received by SimpleDictation products outside of the covered entity’s private network is encrypted and secured by SSL. Based on the information contained in this statement, it is SimpleDictation’s view that any covered entity using SimpleDictation products is capable of HIPAA compliance as defined by the federally mandated HIPAA Act of 1996.
Privacy and Security
• All patient-and-provider-specific information and electronic data that we receive or generate as a result of delivering our services is treated as confidential. Electronic data is stored only on secure servers which can be accessed only via a unique per-employee user name, password, and RSA SecureID two-factor authentication process.
• SIMPLEDICTATION does not allow patient or provider information to be printed by our staff at any time.
• SIMPLEDICTATION has established secure logging and tracking mechanisms that document any access to protected healthcare information.
Physical Security
• Only authorized staff who are fully aware and trained in the HIPAA Privacy requirements have access.
• ICSA certified firewall and filter on incoming ports allowing only FTP and management ports for administrative access into our system.
• System administrators perform Network Address Translation (NAT) and addresses cannot be routed without traversing the firewall.
• FTP Server is accessed only with FTP Clients using SSL, all files are encrypted while being sent across the internet. This means, anyone intercepting any data while it is being transferred from our server to your computer could not interpret or decode this data.
• To access any data from our SFTP or webFTP Server, a valid username and password is required.
• Desktop Access: Access to our network is limited by auto-logoff, ID/password protection, password protected screensavers, and a security-enabled OS (WinNT)
• Only fully trained staff have access to the server and dictation files for support and maintenance.
-
Redundancy: SimpleDictation voice capture services, data storage and backup system hardware consists of multiple redundant servers. The operating software and digital voice software reside on three mirrored hard drives which provide full fault tolerance and total system redundancy. Only one of the server towers is in use at any particular time, thereby guaranteeing a second level of system redundancy.