How AngelTrack implements HIPAA and suggestions for agencies
This is Not Legal Advice
This document is not legal advice, and AngelTrack LLC does not provide legal counsel. This document is not a full or sufficient treatment of the subject. This document is not a substitute for professional legal advice.
You should consult your legal counsel before setting any contract prices, before offering any discount or gift to any customer, and before charging or accepting any bounty for delegated calls. Compliance with this guide does not by itself constitute compliance with all HIPAA requirements.
HIPAA Compliance Guide
AngelTrack is HIPAA-compliant software, and the server provided for you is secured in a HIPAA-compliant manner (physically secured with visitors logged). But HIPAA-compliant software is not enough; you must have a HIPAA-compliant organization, built on top of AngelTrack's HIPAA-compliant foundation.
There are three aspects of HIPAA compliance:
- The "Security Rule" governing computer systems used to store patient data;
- The "Privacy Rule" governing the release of patient data to third parties; and
- The "HITECH Act" which grants patients the right to demand electronic copies of their records.
HIPAA Security Rule Features in AngelTrack
The HIPAA "Security Rule" mandates protection of patient data when stored electronically. AngelTrack complies with the provisions of the Rule, provided that your organization practices good computing hygiene on the computers used to access AngelTrack.
The following AngelTrack features will contribute to your organization's compliance with the Security Rule:
- Separate user account for each employee
- Automatic account lockout after failed login attempts
- Automatic spoofing to prevent username guessing attacks
- Rejection of insecure passwords
- Automatic password expiration after a configurable number of days
- Two-factor authentication
- Passwords stored as one-way hashes
- Journals of each account's logon successes and failures
- TLS v1.2 requirement / "HTTPS everywhere"
- Role-based access control
- Fast and easy deactivation of a terminated employee's access
- HIPAA-compliant email provider*
*AngelTrack's outbound emails are sent by a HIPAA-compliant email provider (Mailgun), but AngelTrack does not control the receiving account and so cannot guarantee that the recipient's account is likewise HIPAA-compliant.
HIPAA Privacy Rule Features in AngelTrack
The HIPAA "Privacy Rule" regulates the release of patient information to third parties. Patients must give their consent before any personally identifiable information can be disseminated outside your organization.
The following features in AngelTrack will contribute to your organization's compliance with the Privacy Rule:
- .PDF run reports are engraved with the date, name, and IP address of the employee who downloaded them.
- Printed run reports are engraved with the name of the employee who printed them.
- Emails sent by AngelTrack on behalf of an employee contain the name of the employee who initiated them.
- NEMSIS XML data is engraved with the date, name, and IP address of the employee who exported it.
- Journals are kept of every access of HIPAA-protected data, including the date and name of the employee who accessed it.
- Webserver logs are kept to show all accesses of your cloud server, including the date, IP address, and browser identification.
Compliance with the HITECH Act
The HITECH Act of 2009 amends HIPAA to give patients the right to demand copies of their medical records -- in electronic format -- from medical service providers. AngelTrack makes it easy to fulfill such demands, should you ever receive one:
- Access AngelTrack, and visit either the Dispatch home page or the Billing home page.
- Click Patients List.
- Locate and open the record for the patient in question, using the search fields as needed.
- Select the "History" tab. Use the date controls to view the date range specified in the demand letter.
- Click the checkbox in the upper-left corner of the grid, causing all records in the grid to be checked.
- Click the "Export Checked Runs as .PDFs" button. AngelTrack downloads a .ZIP file to you, containing .PDFs of all selected dispatches, plus a summary .XML file viewable in Microsoft Excel.
- Burn the data to a CD or thumb drive and then mail it to the patient. Or, use a secure dropbox service to post the data online for the patient to privately download.
Tracking Your Crews' HIPAA Training
AngelTrack has a built-in certificate type for HIPAA training. Award it to employees who finish the company HIPAA training program, and set its expiration date for two years in order to remind them to watch a refresher video.
You can then pull the Crew Certificates Overview report under HR Home to check -- or to prove to a compliance auditor -- that all crew members have received proper HIPAA training.
Tracking Down a Data Leak
If you receive a complaint that HIPAA-encumbered data from your operation has turned up in a public place, AngelTrack has accountability tools to help you track down the originator of the leak.
Read the Data Leak Forensics Guide to learn more.
How might a criminal obtain an employee's AngelTrack password?
If a disgruntled employee obtains another user's password, he or she could use it to exfiltrate data, or intentionally cause problems.
Note that there is no way to get it directly out of AngelTrack, because AngelTrack does not know anyone's password. Passwords in AngelTrack are stored as one-way cryptographic hashes. A one-way cryptographic hash is a mathematical representation of the password that cannot be reversed; the only way to recover the password is to guess candidates one at a time and hash each one, which takes enormous brute force. AngelTrack defends against such brute-force attacks by automatically locking a user's account after three incorrect password attempts.
But here are some of the ways that a password might nevertheless leak:
- A rogue employee could read it over the shoulder of the employee who is typing it in.
- A trusting employee might tell it to the rogue employee, asking them to "go ahead and log me in, will you?"
- A rogue employee might read it off the smartphone of an employee who received their self-serve-password-reset notification via text message.
- A rogue person might have access to the email inbox of an employee who received their self-serve-password-reset notification via email.
- A rogue employee might install remote-control or keyboard-logging software onto a company mobile device, in order to covertly observe other employees using the device.
- A rogue person might have a keyboard-logger virus installed on a personal computer that an employee uses to access AngelTrack.
For all of these threats, the first and best line of defense is: Enable two-factor authentication on all employee accounts. To find out which employee accounts do not have 2FA enabled, visit the Employees Missing HR Data report under HR Home.
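The following is an added illustration, not AngelTrack's own code, of the three controls described above working together: passwords kept only as salted one-way hashes, automatic lockout after three failed attempts, a journal of every logon success and failure, and the same response for an unknown username as for a wrong password so that usernames cannot be guessed. The class name, the PBKDF2 work factor and the sample account are assumptions made for the example.

```python
import hashlib
import hmac
import os

LOCKOUT_THRESHOLD = 3    # lock after three failed attempts, as described above
PBKDF2_ROUNDS = 100_000  # assumed work factor; not AngelTrack's actual setting


class CredentialStore:
    """Holds salted one-way hashes only; the plaintext password is never kept."""

    def __init__(self):
        self.accounts = {}  # username -> {"salt", "hash", "failures", "locked"}
        self.journal = []   # (username, outcome) in order, like a logon journal
        # Constructed dummy record so an unknown username takes the same code
        # path (and time) as a real one, which hides which usernames exist.
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = self._derive("not-a-real-password", self._dummy_salt)

    @staticmethod
    def _derive(password, salt):
        # One-way key derivation: cannot be reversed, only re-computed per guess.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def create_account(self, username, password):
        salt = os.urandom(16)
        self.accounts[username] = {"salt": salt, "hash": self._derive(password, salt),
                                   "failures": 0, "locked": False}

    def is_locked(self, username):
        acct = self.accounts.get(username)
        return bool(acct and acct["locked"])

    def login(self, username, password):
        acct = self.accounts.get(username)
        salt = acct["salt"] if acct else self._dummy_salt
        expected = acct["hash"] if acct else self._dummy_hash
        match = hmac.compare_digest(self._derive(password, salt), expected)
        if acct is None or acct["locked"] or not match:
            if acct is not None:  # count the failure toward lockout
                acct["failures"] += 1
                if acct["failures"] >= LOCKOUT_THRESHOLD:
                    acct["locked"] = True
            self.journal.append((username, "failure"))
            return False  # same answer for bad password, locked, or unknown user
        acct["failures"] = 0  # a successful logon resets the failure count
        self.journal.append((username, "success"))
        return True
```

Because `login` returns the same `False` whether the username is unknown, the password is wrong, or the account is locked, an outsider learns nothing about which usernames exist; the journal still records the exact outcome for the administrator.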