HIPAA Compliance


The Health Insurance Portability and Accountability Act (HIPAA) sets privacy and security standards designed to protect the confidentiality of patient health and personal information. With respect to video conferencing, a compliant solution and security architecture must provide end-to-end encryption and meeting access controls so data in transit cannot be intercepted.

In general, the requirements of HIPAA Security Standards state that any organization must:

1. Ensure the confidentiality, integrity, and availability of all electronic protected personal and health information the covered entity creates, receives, maintains, or transmits.

2. Protect against any reasonably-anticipated threats or hazards to the security or integrity of such information.

3. Protect against any reasonably-anticipated uses or disclosures of such information that are not permitted or required under the privacy regulations.

4. Ensure compliance by its workforce.

 

How does MIVNET Connect comply with HIPAA Standards?

We do not have access to identifiable health information and we protect and encrypt all audio, video, and screen sharing data.

The following demonstrates how MIVNET supports HIPAA compliance based on the HIPAA Security Rule published in the Federal Register on February 20, 2003 (45 CFR Parts 160, 162, and 164 Health Insurance Reform: Security Standards; Final Rule).

 

 

HIPAA Standard

 

 

Access Controls

Implement technical policies and procedures for electronic information systems that maintain electronically protected health information to allow access only to authorized persons or software programs.

 

  • Unique User Identification: Assign a unique name and/or number for identifying and tracking user identity.
  • Emergency Access Procedure: Establish (and implement as needed) procedures for obtaining necessary electronic health information during an emergency.
  • Automatic Logoff: Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
  • Encryption and Decryption: Implement a mechanism to encrypt and decrypt electronically protected health information.

 

Audit Controls

Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronically protected health information.

 

Integrity

Implement policies and procedures to protect electronically protected health information from improper changes or destruction.

 

Integrity Mechanism

Establish a mechanism to authenticate electronically protected health information. Implement methods to verify that information has not been destroyed or altered.

 

Authentication

Verify that the person or entity seeking access is the one claimed.

 

Information Transmission Security

Protect personal and electronic health information that is transmitted over a network. Ensure that protected health information is not improperly modified. Encrypt any data transmitted across a network.

 

Security and Encryption

Only members invited by Community Managers and Provisioners can host MIVNET Connect meetings. Meeting moderators control meeting attendance through the use of meeting IDs and passwords. Each meeting has only one moderator unless an additional moderator is purposefully added by the meeting owner. The moderator can screen share or lock screen sharing for the meeting. The meeting moderators have control of the meeting and meeting attendees. The moderators can use features such as locking a meeting, kicking out attendees, and muting/unmuting attendees.

MIVNET Connect employs an optional setting to support industry-standard end-to-end Advanced Encryption Standard (AES) encryption using 128-bit keys to protect meetings. MIVNET Connect's encryption fully complies with HIPAA Security Standards to ensure the security and privacy of patient data. Additionally, there is no data stored "at rest" in the infrastructure. Data "in motion" (voice, video, and chat) by default is not transferred as RTP but instead encapsulated in a proprietary manner so as to utilize less overhead. Optionally, TLS and SRTP can be enabled to encrypt transmitted data where mandated by law.

MIVNET Connect Support of the Standard

 

 

Access Controls

  • Meeting data transmitted across the network is protected using a unique Advanced Encryption Standard and securely distributed to all participants.
  • Multi-layered access control for community managers, provisioners, and members.
  • Application access is protected by user id and passwords.
  • Meeting access is password protected.
  • Public meetings are listed publicly only to verified community members. Private meetings are not listed.
  • MIVNET Connect leverages a redundant and distributed worldwide architecture that offers a high level of availability and redundancy.
  • MIVNET Connect maintains no customer data other than user names, email addresses, and encrypted passwords (and not even that if the customer is using their own third-party authentication).
  • Meeting moderators can disconnect attendees or terminate sessions in progress. 
  • Meeting moderators can lock a meeting in progress yet still allow other community members to 'knock' to enter.
  • Meetings can end automatically with timeouts.

 

Audit Controls

Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronically protected health information. Meeting connections traverse MIVNET Connect's secure and distributed mesh software-defined real-time communications infrastructure. Meeting connections are continually logged for audio and quality-of-service purposes. Account admins have secured access to meeting management and statistics.

 

Integrity

Implement policies and procedures to protect electronically protected health information from improper changes or destruction. Patient-related information is not stored in MIVNET's cloud. Multi-layer integrity protection is designed to protect both data and service layers. Controls are in place and protect data in motion and at rest.

 

Integrity Mechanism

Establish a mechanism to authenticate electronically protected health information. Implement methods to verify that information has not been destroyed or altered. Application executables are all digitally signed for all platforms. Data transmission is protected using advanced encryption systems.

 

Authentication

Verify that the person or entity seeking access is the one claimed. Single Sign-On with an organization's authentication services is an option. Web and application access is protected by verified email and password. The meeting host must log in to MIVNET Connect using a unique email address and account password. Access to desktop or window for screen sharing is under the Community Manager's control.

 

Information Transmission Security

Protect personal and electronic health information that is transmitted over a network. Ensure that protected health information is not improperly modified. Encrypt any data transmitted across a network. End-to-end data security protects against passive and active attacks on transmitted data. Meeting data transmitted across the network is protected with a unique Advanced Encryption Standard.

 


Screen Sharing and Healthcare

Medical professionals and authorized healthcare partners can use MIVNET Connect to meet with patients and other healthcare professionals to screen-share health records and other resources. MIVNET Connect does not distribute any actual patient data. Screen sharing transmits encrypted screen capture along with mouse and keyboard strokes only, not the actual data. MIVNET Connect further protects data confidentiality through a combination of encryption, strong access control, an option for customer-supplied access control, and other protection methods.
