HIPAA Compliance Guide

AngelTrack is HIPAA-compliant software, and the server provided for you is secured in a HIPAA-compliant manner (physically secured with visitors logged). But HIPAA-compliant software is not enough; you must have a HIPAA-compliant organization, built on top of AngelTrack's HIPAA-compliant foundation.

There are three aspects of HIPAA compliance:

  1. The "Security Rule" governing computer systems used to store patient data;
  2. The "Privacy Rule" governing the release of patient data to third parties; and
  3. The "HITECH Act" which grants patients the right to demand electronic copies of their records.

HIPAA Security Rule Features in AngelTrack

The HIPAA "Security Rule" mandates protection of patient data when stored electronically. AngelTrack complies with the provisions of the Rule, provided that your organization practices good computing hygiene on the computers used to access AngelTrack.

The following AngelTrack features will contribute to your organization's compliance with the Security Rule:

  1. Separate user account for each employee
  2. Automatic account lockout after failed login attempts
  3. Automatic spoofing to prevent username guessing attacks
  4. Rejection of insecure passwords
  5. Automatic password expiration after a configurable number of days
  6. Two-factor authentication
  7. Passwords stored as one-way hashes
  8. Journals of each account's logon successes and failures
  9. TLS v1.2 requirement / "HTTPS everywhere"
  10. Role-based access control
  11. Fast and easy deactivation of a terminated employee's access
  12. HIPAA-compliant email provider*

*AngelTrack's outbound emails are sent by a HIPAA-compliant email provider (Mailgun), but AngelTrack does not control the receiving account and so cannot guarantee that the recipient's account is likewise HIPAA-compliant.


HIPAA Privacy Rule Features in AngelTrack

The HIPAA "Privacy Rule" regulates the release of patient information to third parties. Patients must give their consent before any personally identifiable information can be disseminated outside your organization.

The following features in AngelTrack will contribute to your organization's compliance with the Privacy Rule:


Compliance with the HITECH Act

The HITECH Act of 2009 amends HIPAA to give patients the right to demand copies of their medical records -- in electronic format -- from medical service providers. AngelTrack makes it easy to fulfill such demands, should you ever receive one:

  1. Access AngelTrack, and visit either the Dispatch home page or the Billing home page.
  2. Click Patients List.
  3. Locate and open the record for the patient in question, using the search fields as needed.
  4. Select the "History" tab. Use the date controls to view the date range specified in the demand letter.
  5. Click the checkbox in the upper-left corner of the grid, causing all records in the grid to be checked.
  6. Click the "Export Checked Runs as .PDFs" button. AngelTrack downloads a .ZIP file to you, containing .PDFs of all selected dispatches, plus a summary .XML file viewable in Microsoft Excel.
  7. Burn the data to a CD or thumb drive and then mail it to the patient. Or, use a secure dropbox service to post the data online for the patient to privately download.

Tracking Your Crews' HIPAA Training

AngelTrack has a built-in certificate type for HIPAA training. Award it to employees who finish the company HIPAA training program, and set its expiration date for two years in order to remind them to watch a refresher video.

You can then pull the Crew Certificates Overview report under HR Home to check -- or to prove to a compliance auditor -- that all crew members have received proper HIPAA training.


Tracking Down a Data Leak

If you receive a complaint that HIPAA-encumbered data from your operation has turned up in a public place, AngelTrack has accountability tools to help you track down the originator of the leak.

Read the Data Leak Forensics Guide to learn more.

How might a criminal obtain an employee's AngelTrack password?

If a disgruntled employee obtains another user's password, he or she could use it to exfiltrate data, or intentionally cause problems.

Note that there is no way to get it directly out of AngelTrack, because AngelTrack does not know anyone's password. Passwords in AngelTrack are stored as one-way cryptographic hashes. A one-way cryptographic hash is a mathematical representation of the password that cannot be reversed except by enormous brute force. AngelTrack defends against brute-force attacks by automatically locking a user's account after three incorrect password attempts.
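To make the two defenses above concrete, here is an added Python example that is not AngelTrack's own code: it models an account store that keeps only a per-user random salt and a one-way hash (so nobody who reads the store learns the password), verifies a candidate password by re-hashing it, locks the account after three consecutive failures, and journals every logon attempt. The hash algorithm (PBKDF2-HMAC-SHA256), the iteration count and the journal layout are assumptions chosen for the example; the page does not state which ones AngelTrack uses.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Assumed parameters for this example only (not AngelTrack's documented settings).
PBKDF2_ITERATIONS = 200_000   # work factor that makes each guess expensive
MAX_FAILED_ATTEMPTS = 3       # lockout threshold stated on the page


@dataclass
class Account:
    """What is persisted: a salt and a hash, never the password itself."""
    username: str
    salt: bytes
    password_hash: bytes
    failed_attempts: int = 0
    locked: bool = False


@dataclass
class LogonJournal:
    """Append-only record of every logon success and failure."""
    entries: list = field(default_factory=list)

    def record(self, username: str, success: bool, reason: str) -> None:
        self.entries.append((username, success, reason))


def hash_password(password: str, salt: bytes) -> bytes:
    # One-way: the only way back to the password is to guess and re-hash.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def create_account(username: str, password: str) -> Account:
    salt = os.urandom(16)  # fresh random salt per user defeats precomputed tables
    return Account(username, salt, hash_password(password, salt))


def verify_password(account: Account, candidate: str) -> bool:
    # Constant-time comparison so timing does not reveal how many bytes matched.
    return hmac.compare_digest(account.password_hash, hash_password(candidate, account.salt))


def attempt_logon(account: Account, candidate: str, journal: LogonJournal) -> bool:
    """Check the password, enforce the lockout counter, and journal the outcome."""
    if account.locked:
        # A locked account refuses even the correct password until an admin unlocks it.
        journal.record(account.username, False, "account locked")
        return False
    if verify_password(account, candidate):
        account.failed_attempts = 0  # a success resets the counter
        journal.record(account.username, True, "ok")
        return True
    account.failed_attempts += 1
    if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
        account.locked = True
        journal.record(account.username, False, "bad password; account locked")
    else:
        journal.record(account.username, False, "bad password")
    return False


def demo():
    """Three constructed wrong guesses lock the account; the fourth, correct, attempt is refused."""
    journal = LogonJournal()
    acct = create_account("medic42", "correct horse battery staple")  # constructed sample credentials
    guesses = ("password", "Password1", "medic42!", "correct horse battery staple")
    results = [attempt_logon(acct, g, journal) for g in guesses]
    return acct, journal, results


if __name__ == "__main__":
    account, log, outcome = demo()
    for entry in log.entries:
        print(entry)
    print("locked:", account.locked, "results:", outcome)
```

The journal is what an administrator would read when investigating a suspected credential misuse: a burst of failures followed by a lockout on one account is the signature of a guessing attempt, while a single clean success from an unfamiliar location is the pattern to look for when a password has leaked by other means.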

But here are some of the ways that a password might nevertheless leak:

For all of these threats, the first and best line of defense is: Enable two-factor authentication on all employee accounts. To find out which employee accounts do not have 2FA enabled, visit the Employees Missing HR Data report under HR Home.


