HIPAA Compliance

The Health Insurance Portability and Accountability Act (HIPAA) sets privacy and security standards designed to protect the confidentiality of patient health and personal information. For video conferencing, compliance requires that the solution and its security architecture provide end-to-end encryption and meeting access controls so that data in transit cannot be intercepted.

In general, the requirements of HIPAA Security Standards state that any organization must:

1. Ensure the confidentiality, integrity, and availability of all electronic protected personal and health information the covered entity creates, receives, maintains, or transmits.

2. Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.

3. Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under the privacy regulations.

4. Ensure compliance by its workforce.

 

 

How does MIVNET Connect comply with HIPAA Standards?

We do not have access to identifiable health information and we protect and encrypt all audio, video, and screen sharing data.

The following demonstrates how MIVNET supports HIPAA compliance based on the HIPAA Security Rule published in the Federal Register on February 20, 2003 (45 CFR Parts 160, 162, and 164 Health Insurance Reform: Security Standards; Final Rule).

 

HIPAA Standard

 

Access Control

Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to authorized persons or software programs.

  • Unique User Identification: Assign a unique name and/or number for identifying and tracking user identity.
  • Emergency Access Procedure: Establish (and implement as needed) procedures for obtaining necessary electronic health information during an emergency.
  • Automatic Logoff: Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
  • Encryption and Decryption: Implement a mechanism to encrypt and decrypt electronic protected health information.

 

 

MIVNET Connect's Support of the Standard

 

Meeting data transmitted across the network is protected using a unique Advanced Encryption Standard and securely distributed to all participants.

Multi-layered access control for community managers, provisioners, and members.

Application access is protected by user ID and password.

Meeting access is password protected.

Public meetings are listed publicly only to verified community members. Private meetings are not listed.

MIVNET Connect leverages a redundant and distributed worldwide architecture that offers a high level of availability and redundancy.

MIVNET Connect maintains no customer data other than user names, email addresses, and encrypted passwords (and not even that if the customer is using their own third-party authentication).

Meeting moderators can disconnect attendees or terminate sessions in progress. 

Meeting moderators can lock a meeting in progress yet still allow other community members to 'knock' to enter.

Meetings can end automatically with timeouts.

 

Audit Controls

Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.

Meeting connections traverse MIVNET Connect’s secure and distributed mesh software-defined real-time communications infrastructure.

Meeting connections are continually logged for audio and quality-of-service purposes.

Account admins have secured access to meeting management and statistics.

 

Integrity

Implement policies and procedures to protect electronic protected health information from improper changes or destruction.

Patient related information is not stored in eZuce's cloud.

Multi-layer integrity protection is designed to protect both data and service layers.

Controls are in place to protect data in motion and at rest.

 

Integrity Mechanism

Establish a mechanism to authenticate electronic protected health information.

Implement methods to verify that information has not been destroyed or altered.

Application executables are all digitally signed for all platforms.

Data transmission is protected using 256-bit advanced encryption systems.

 

Authentication

Verify that the person or entity seeking access is the one claimed.

Single sign-on with an organization's authentication services is an option.

Web and application access are protected by verified email and password.

Meeting host must log in to MIVNET Connect using a unique email address and account password.

Access to desktop or window for screen sharing is under the Community Manager's control.

 

Information Transmission Security

Protect personal and electronic health information that is transmitted over a network.

Ensure that protected health information is not improperly modified.

Encrypt any data transmitted across a network.

End-to-end data security protects against passive and active attacks on transmitted data.

Data transmission is protected using 256-bit message authentication codes.

Meeting data transmitted across the network is protected with a unique Advanced Encryption Standard.

 

Security and Encryption

Only members invited by Community Managers and Provisioners can host MIVNET Connect meetings. Meeting moderators control meeting attendance through the use of meeting IDs and passwords. Each meeting has only one moderator unless an additional moderator is purposefully added by the meeting owner. The moderator can screen share or lock screen sharing for the meeting. The meeting moderators have control of the meeting and meeting attendees. The moderators can use features such as locking a meeting, kicking out attendees, and muting or unmuting attendees.

MIVNET Connect employs industry-standard end-to-end Advanced Encryption Standard (AES) encryption using 256-bit keys to protect meetings. MIVNET Connect's encryption fully complies with HIPAA Security Standards to ensure the security and privacy of patient data.

 

Screen Sharing and Healthcare

Medical professionals and authorized healthcare partners can use MIVNET Connect to meet with patients and other healthcare professionals to screen-share health records and other resources. MIVNET Connect does not distribute any actual patient data. Screen sharing transmits encrypted screen capture along with mouse and keyboard strokes only, not the actual data.

MIVNET Connect further protects data confidentiality through a combination of encryption, strong access control, an option for customer supplied access control, and other protection methods.

 

Created by Michael Picher on 2020-03-16