REDI REQUIREMENTS | SAFETYSEND REDI ATTRIBUTES |

(1) Ensure the confidentiality, protection, integrity, and availability of electronic data (REDI) and communication information the entity creates, receives, maintains, or transmits. | Allows the Client a secure method to transfer confidential information (REDI) from the sender via interim custody to delivery. Validates transfer of custody to an authenticated recipient at each interval. Provides remote storage in secure folders in an uncorrupted form; transmission is via an encrypted channel to a verified recipient. |
(2) Protect against any reasonably anticipated threats or hazards; a specification is a reasonable and appropriate safeguard in its environment when analyzed with reference to its likely contribution to protecting the entity's REDI. | Authentication is required to access any secured data on the system. Each data exchange is verified by the system during a document's transfer of custody and recorded in an audit trail. This dynamic authentication method is established by the creation and use of a personal password system, including generation of temporary passwords for assigned, known recipients. Timed “log out” protects against unauthorized system access at defined intervals or by manual exit. The system provides automatic virus filtering and updating, spam filtering, and spyware removal on demand. |

(3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required. | Requires user authentication upon each timed entrance to the secure communication system. |

(4) A System Administrator is designated to ensure compliance with this subpart by the entity's workforce. | Sanctions are established by the entity; compliance is under the purview of the entity-designated “system administrator”. Executed at the direction of the System Administrator by SafetySend Client Services. |
(b) REDI - Flexibility of approach. |

(1) Entities can apply many security measures that allow the entity to reasonably and appropriately implement their standards and implementation specifications as specified in their policies and procedures. | Adaptable to the evolution of GLB and HIPAA regulation without need for software upgrades to individual user terminals or computers. Adaptations are implemented throughout the system to all users. Changes or modifications of regulations are implemented for all client users as they become law. Specific Corporate Security Directives may also be applied. |

(2) In deciding which security measures to use, an entity should take into account the following factors: | Specific policies and procedures are always the responsibility of the regulated entity. SafetySend provides the attributes for electronic communication and a component of overall compliance with regulation. |

(i) The size, complexity, and capabilities of the covered entity. | Scalable to over 10,000 users in each domain, or to a larger size of operation when adapted, without regard to the number of authorized and authenticated users. Message, document and image size are unrestricted. |

(ii) The covered entity's technical infrastructure, hardware, and software security capabilities. | SafetySend does not rely on the hardware or software of the covered entity; it operates on proprietary code and secure servers established specifically for this purpose. |

(iii) The costs of security measures. | Clients are not charged for increased security upgrades or modifications on an individual basis. System upgrades, security improvements and changes in functionality are implemented at the secure server application and immediately applied throughout the system. |

(iv) The probability and criticality of potential risks to REDI. | Reduces the probability of loss with identified controls on access and on untraceable dissemination. Access is limited; transmissions are auditable; receipts are auditable; users are authenticated and identifiable. |
REDI - Administrative safeguards. |

A covered entity is required to address application of Administrative Safeguards in accordance with Regulations. |

(1)(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations. | Security procedures are designed to detect and record attempts at unauthorized access, immediately notify network administrators of excessive password violations and attempted transfer of computer viruses, contain potentially harmful files, and record activity to a security log. Individual tools are made available to each user from the main menu for the detection and removal of viruses, spyware and other compromising software. |

(A) Risk analysis is required. Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of confidential and protected information held by the covered entity. | The secure network is only available to its authenticated users; it provides continuous encryption of internal and external transmission of REDI and counters intrusion by outside parties by modifying its code algorithms daily. SafetySend also provides additional detection tools to assess potential security vulnerabilities of each individual computer. |

(B) Risk management is required. Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level. | Requires two levels of authentication to initiate user identification and multi-challenge verification to change a password. Uses proprietary code; processing algorithms, virus filters, and the secure firewall are updated no less than once per day. |

(C) Sanction policies are required. Entities must apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity. | Sanction policy is established by the covered entity on the SafetySend system; termination or suspension is established by the entity “system administrator”. In the case of an individual client, or an identified violation by a client user within the entity, the individual is responsible for compliance with the policies and procedures of Safety Send, Inc. that are in concert with GLB and HIPAA. Violation of those policies and procedures constitutes immediate suspension of privileges to use the SafetySend system. |

(D) Information system activity reviews are required. Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. | Provides system activity review under an “audit trail” by retaining a history of “secure” transmissions outside the SafetySend system as well as an equal history of transmissions within the SafetySend system. |
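The custody-validation and audit-trail attributes claimed in row (1) and in (D) above, shown as an added Python illustration that is not SafetySend code and does not describe its implementation: a hypothetical ledger records each deposit and hand-off, refuses delivery to a recipient without an authenticated session, checks the stored copy against the SHA-256 digest taken at deposit (the "uncorrupted form" check), and returns the per-document history an activity review would examine. The class and function names, user names and sample document are constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Set, Tuple


@dataclass
class CustodyEvent:
    """One entry in the audit trail for a document (constructed schema)."""
    when: str     # UTC timestamp of the event
    action: str   # "deposit", "deliver", or "reject"
    actor: str    # sender or recipient involved in the event
    digest: str   # SHA-256 of the content seen at that point ("" if none)


@dataclass
class CustodyLedger:
    """Hypothetical interim-custody store with a retained audit trail."""
    store: Dict[str, Tuple[bytes, str]] = field(default_factory=dict)  # doc_id -> (content, digest at deposit)
    trail: Dict[str, List[CustodyEvent]] = field(default_factory=dict)
    authenticated: Set[str] = field(default_factory=set)  # users whose login has been verified

    def _log(self, doc_id: str, action: str, actor: str, digest: str) -> None:
        stamp = datetime.now(timezone.utc).isoformat()
        self.trail.setdefault(doc_id, []).append(CustodyEvent(stamp, action, actor, digest))

    def deposit(self, sender: str, doc_id: str, content: bytes) -> str:
        """Sender hands the document into interim custody; record its digest."""
        digest = hashlib.sha256(content).hexdigest()
        self.store[doc_id] = (content, digest)
        self._log(doc_id, "deposit", sender, digest)
        return digest

    def deliver(self, doc_id: str, recipient: str) -> bool:
        """Transfer custody only to an authenticated recipient, and only if the
        stored copy still matches the digest taken at deposit."""
        if recipient not in self.authenticated or doc_id not in self.store:
            self._log(doc_id, "reject", recipient, "")
            return False
        content, expected = self.store[doc_id]
        actual = hashlib.sha256(content).hexdigest()
        if not hmac.compare_digest(actual, expected):
            self._log(doc_id, "reject", recipient, actual)  # corrupted while in custody
            return False
        self._log(doc_id, "deliver", recipient, actual)
        return True

    def audit(self, doc_id: str) -> List[Tuple[str, str]]:
        """The (action, actor) history an information system activity review reads."""
        return [(e.action, e.actor) for e in self.trail.get(doc_id, [])]


def demo() -> List[Tuple[str, str]]:
    """Walk a constructed document through deposit, a refused hand-off,
    a successful delivery, and detection of a corrupted stored copy."""
    ledger = CustodyLedger()
    ledger.authenticated.add("verified.recipient")
    ledger.deposit("sender.office", "doc-0001", b"constructed sample record")
    ledger.deliver("doc-0001", "unverified.user")     # no authenticated session -> reject
    ledger.deliver("doc-0001", "verified.recipient")  # authenticated, intact -> deliver
    content, digest = ledger.store["doc-0001"]
    ledger.store["doc-0001"] = (content + b"!", digest)  # simulate corruption in custody
    ledger.deliver("doc-0001", "verified.recipient")  # digest mismatch -> reject
    return ledger.audit("doc-0001")


if __name__ == "__main__":
    for action, actor in demo():
        print(action, actor)
```

The reject entries are the useful part for a reviewer: a hand-off that failed because the recipient was not authenticated looks different in the trail from one that failed because the stored copy no longer matched its deposit digest, and both are retained alongside successful deliveries.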
(2) Standard: Assigned security responsibility. Identify the security official who is responsible for the development and implementation of the policies and procedures required by regulation. | The entity designates its “System Administrator”, who becomes the assigned responsible party. This system administrator has access to review, modify or suspend user privileges. |

(3)(i) Standard: Workforce security. Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic confidential and protected information, as provided under the applicable paragraph of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic confidential and protected information. | Specific access is authorized by the System Administrator. Non-access and sanction policy is established by the covered entity; termination or exclusion is established by the entity “system administrator”. Authorized access requires two levels of authentication to initiate client user identification and dual identity verification to change a password. |

(ii) Implementation specifications: |

(A) Authorization and/or supervision must be addressed. Implement procedures for the authorization and/or supervision of workforce members who work with electronic confidential and protected information or in locations where it might be accessed. | Authorization is addressed in (2) and (3)(i)(a)(4). |

(B) Workforce clearance procedure must be addressed. Implement procedures to determine that the access of a workforce member to electronic confidential and protected information is appropriate. | The System Administrator establishes the clearance procedure and authorizes access to the system. Individual client users self-administer. |

(C) Termination procedures that can restrict, suspend and/or cancel access. Implement procedures for terminating access to electronic confidential and protected information when the employment of a workforce member ends. | Non-access and sanction policy is established by the covered entity; termination or exclusion is established by the entity “system administrator”. Authorized access to SafetySend requires two levels of authentication to initiate client user identification and dual identity verification to change a password. The System Administrator has authority to deny access to any user. In the case of an individual client, or an identified violation by a client user within the entity, the individual is responsible for compliance with the policies and procedures of Safety Send, Inc. that are in concert with HIPAA and GLB. Violation of those policies and procedures constitutes immediate suspension of privileges to use the SafetySend system. |

(4)(i) Standard: Information access management. Implement policies and procedures for authorizing access to electronic protected information that are consistent with the applicable requirements of subpart E of this part. | SafetySend policies and procedures are consistent with subpart E. |

(ii) Implementation specifications: |

(A) Isolating clearinghouse functions is a regulatory requirement. If a financial / health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic confidential protected information of the clearinghouse from unauthorized access by the larger organization. | SafetySend does not operate as a clearinghouse. These policies and procedures are specific, and may be unique, to the entity. |

(B) Access authorization must be addressed. Implement policies and procedures for granting access to electronic confidential protected information, for example, through access to a workstation, transaction, program, process, or other mechanism. | Access to all information in the SafetySend system requires two levels of authentication: proper user identification and password, with dual identity verification to change a password. Proprietary code, processing algorithms, virus filters, and anti-hacking shields are updated no less than once per day. |

(C) Access establishment and modification (Addressable). Implement policies and procedures that, based upon the entity's access authorization policies, establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process. | Sanction policy is established by the covered entity; termination or exclusion is established by the entity “system administrator”. In the case of an individual client, or an identified violation by a client user within the entity, the individual is responsible for compliance with the policies and procedures of Safety Send, Inc. that are in concert. Violation of those policies and procedures constitutes immediate suspension of system privileges. SafetySend requires two levels of authentication to initiate client user identification and dual identity verification to change a password. |
(5)(i) Standard: Security awareness and training. Implement a security awareness and training program for all members of its workforce (including management). | Users are notified no less than annually of the security requirements of GLB and HIPAA, and at such times as those security requirements may be amended. Acknowledgement is required to avoid suspension of access to SafetySend. |

(ii) Implementation specifications. Implement: |

(A) Security reminders must be addressed by periodic security updates. | Daily review and update of security components. |

(B) Protection from malicious software must be addressed. Procedures for guarding against, detecting, and reporting malicious software. | Proprietary code guards against malicious software and reports intrusion attempts to the targeted user via constant monitoring and exclusion of malicious software. Virus and spam filters are active. |

(C) Log-in monitoring must be addressed. Procedures for monitoring log-in attempts and reporting discrepancies. | Requires two levels of authentication to initiate client user identification and dual identity verification to change a password. An 8-character alphanumeric password is required to enter the system. Failure to enter it requires confidential answers to two levels of specific questions to acquire a temporary password, followed by re-establishment of an active password. |

(D) Password management must be addressed. Procedures for creating, changing, and safeguarding passwords. | An 8-character alphanumeric password is required to enter the system. SafetySend requires two levels of authentication to initiate client user identification and dual identity verification to change a password. Proprietary code, processing algorithms, virus filters, and anti-hacking shields are updated no less than once per day. |

(6)(i) Standard: Security incident procedures. Implement policies and procedures to address security incidents. | Authentication upon system entrance; verified change of custody by receipt, using an established password or a temporary password issued to a known receiver; timed “log out” of the system automatically at 20 minutes or by manual exit; automatic virus filtering and updating; spyware removal on demand. Users are notified of attempted intrusion incidents. Users responsible for non-compliance incidents are suspended until the suspension is released by the System Administrator. |
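The session and log-in controls named in (1)(i), (C) Log-in monitoring, and (6)(i) above (timed log-out at 20 minutes or on manual exit, notification of the administrator on excessive password violations, a temporary password only after two challenge answers) as an added Python sketch that is not SafetySend code and does not describe its implementation. The 20-minute idle timeout is the value stated on the page; the failure threshold of 5, the caller-supplied clock in seconds, the `answer_hash` normalisation and the user names are assumptions constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Sequence

IDLE_TIMEOUT_SECONDS = 20 * 60  # the 20-minute timed "log out" stated on the page
MAX_FAILED_LOGINS = 5           # assumed threshold for "excessive password violations"


def answer_hash(answer: str) -> str:
    """Challenge answers are stored hashed (normalised first), never in clear."""
    return hashlib.sha256(answer.strip().lower().encode()).hexdigest()


@dataclass
class Session:
    user: str
    last_activity: float  # seconds, from whatever clock the caller uses
    active: bool = True


@dataclass
class LoginMonitor:
    """Hypothetical login/session monitor: counts failures, alerts the
    administrator, expires idle sessions server-side and logs every event."""
    failed: Dict[str, int] = field(default_factory=dict)
    sessions: Dict[str, Session] = field(default_factory=dict)
    alerts: List[str] = field(default_factory=list)  # notices for the system administrator
    log: List[str] = field(default_factory=list)     # the security log

    def record_failure(self, user: str, now: float) -> int:
        count = self.failed.get(user, 0) + 1
        self.failed[user] = count
        self.log.append(f"t={now:.0f} login-failure user={user} count={count}")
        if count == MAX_FAILED_LOGINS:  # alert once, when the threshold is reached
            self.alerts.append(f"excessive password violations: user={user}")
        return count

    def record_success(self, user: str, now: float) -> None:
        self.failed.pop(user, None)  # a good login clears the failure counter
        self.sessions[user] = Session(user, now)
        self.log.append(f"t={now:.0f} login-success user={user}")

    def touch(self, user: str, now: float) -> bool:
        """Call on every request. Returns False once the session has timed out
        or was never established; the client cannot extend it by itself."""
        session = self.sessions.get(user)
        if session is None or not session.active:
            return False
        if now - session.last_activity > IDLE_TIMEOUT_SECONDS:
            session.active = False
            self.log.append(f"t={now:.0f} timed-logout user={user}")
            return False
        session.last_activity = now
        return True

    def logout(self, user: str, now: float) -> None:
        """Manual exit ends the session immediately."""
        session = self.sessions.get(user)
        if session is not None and session.active:
            session.active = False
            self.log.append(f"t={now:.0f} manual-logout user={user}")

    def issue_temporary_password(self, user: str, answers: Sequence[str],
                                 expected: Sequence[str], now: float) -> Optional[str]:
        """Both challenge answers must match their stored hashes before a
        one-time temporary password is generated; the outcome is logged."""
        if len(answers) != 2 or len(expected) != 2:
            return None
        ok = True
        for given, stored in zip(answers, expected):  # check both, no early exit
            ok &= hmac.compare_digest(answer_hash(given), stored)
        self.log.append(f"t={now:.0f} temp-password user={user} granted={ok}")
        return secrets.token_urlsafe(12) if ok else None
```

The alert fires exactly once at the threshold rather than on every subsequent failure, so the administrator sees one notice per burst, and the full failure count still appears in the log for the activity review described in (D).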
(ii) Implementation specification: Response and reporting is required. Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes. | Suspends and denies access, by action of the System Administrator or upon notification by the System Administrator, to any users suspected of a security incident. Individual client users are self-administered under their own responsibility. Should SafetySend become aware of a security incident, access and use are suspended immediately or within one day of notification, that being the extent practicable. |

(7)(i) Standard: Contingency plan. Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information. | Contingency plan for response to an emergency or occurrence for safeguarding REDI. Destruction or damage to user and/or entity computers does not destroy or deny access to PHI data on SafetySend secure servers. SafetySend operates “backup” servers at a second location in the event of loss or damage to primary client storage servers. |

(ii) Implementation specifications: |

(A) Data backup plan (Required). Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information. | Provides storage of REDI backup files in retrievable “Secure Folders”. SafetySend is the backup in two location sites for the entity or individual client user. |

(B) Disaster recovery plan is required. Establish (and implement as needed) procedures to restore any loss of REDI data. | Secure backup servers at secondary locations retrieve data in the event of a disaster. SafetySend is the backup in two location sites for the entity or individual client user. |

(C) Emergency mode operation plan (Required). Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode. | SafetySend is an ASP system, thereby allowing continuation of operations from alternate locations where Internet connections can be made. Critical business processes can function without interruption as long as Internet access is available. |

(D) Testing and revision procedures are required to be addressed. A regulated entity is required to implement procedures for periodic testing and revision of contingency plans. | SafetySend contingency plans are reviewed and revised on a regular basis. |

(E) Applications and data criticality analysis (Addressable). Assess the relative criticality of specific applications and data in support of other contingency plan components. | SafetySend makes an assessment of critical applications on a regular basis. |

(8) Standard: Evaluation. Perform a periodic technical and non-technical evaluation, based initially upon the standards implemented under the regulation and subsequently in response to environmental or operational changes affecting the security of the regulated REDI of health and/or financial information, that establishes the extent to which an entity's security policies and procedures meet the regulatory requirements of this subpart. | SafetySend reviews all operational changes for compliance prior to implementation and modifies for compliance in the event of compliance changes, quarterly and no less than three times per year. All servers are under physical security as well as technical security provided by proprietary code. |
(b)(1) Standard: Business associate contracts and other arrangements. A covered entity, in accordance with the applicable HIPAA or GLB regulation, may permit a business associate to create, receive, maintain, or transmit regulated electronic protected information on the entity's behalf only if the covered entity obtains satisfactory assurances that the business associate will appropriately safeguard the information. | A Compliance Guideline is available to Business Associate Clients and their Clients as documentation of applied compliance policies and procedures. |

(2) This standard may or may not apply with respect to— [application of a specific part and subpart is determined by the regulated entity] |

(i) The transmission by a covered entity of regulated electronic information to a health care or financial service provider concerning the treatment of an individual. | A Compliance Guideline is available to Business Associate Clients and their Clients as documentation of applied compliance policies and procedures. Facility policies and procedures are covered by the client user. |

(ii) The transmission of regulated electronic information by a regulated financial entity, association or health entity, group plan, or an HMO or health insurance issuer on behalf of a group health plan to a plan sponsor, to the extent that the requirements of regulation. | A Compliance Guideline is available to Entities and Business Associate Clients and their Clients as documentation of applied compliance policies and procedures. Facility policies and procedures are covered by the client user. |

(iii) The transmission of REDI from or to other agencies providing the services, where the entity is a financial entity, agency or health plan that is a government program providing public benefits, if the requirements of the applicable regulation are met. | A Compliance Guideline is available to Business Associate Clients and their Clients as documentation of applied compliance policies and procedures. Facility policies and procedures are covered by the client user. |

(3) A covered entity that violates the satisfactory assurances it provided as a business associate of another covered entity will be in noncompliance with the regulatory standards, implementation specifications, and requirements of applicable regulations and subject to penalties of the enforcing agencies or departments. | A Compliance Guideline is available to Business Associate Clients and their Clients as documentation of applied compliance policies and procedures. Facility policies and procedures are covered by the client user. |

(4) Implementation specifications: Written contract or other arrangement (Required). Document the satisfactory assurances required by paragraph (b)(1) of this section through a written contract or other arrangement with the business associate that meets the applicable requirements. | A Compliance Guideline is available to Business Associate Clients and their Clients as documentation of applied compliance policies and procedures. Facility policies and procedures are covered by the client user. |

Physical safeguards. A covered entity must, in accordance with specific regulation: | Physical safeguards are under the control of the regulated entity. |

(a)(1) Standard: Facility access controls. Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed. | A Compliance Guideline is available to Business Associate Clients and their Clients as documentation of applied compliance policies and procedures. |

(2) Implementation specifications: |

(i) Contingency operations are addressable, with the requirement to establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency. | A Compliance Guideline is available to Business Associate Clients and their Clients as documentation of applied compliance policies and procedures. All communication is retrievable from SafetySend. |

(ii) Facility security plan (Addressable). Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft. (iii) Access control and validation procedures (Addressable). Implement procedures to control and validate a person's access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision. | A Compliance Guideline is available to Business Associate Clients and their Clients as documentation of applied compliance policies and procedures. Facility policies and procedures are covered by the client user. |

(iv) Maintenance records (Addressable). Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors, and locks). | A Compliance Guideline is available to Business Associate Clients and their Clients as documentation of applied compliance policies and procedures. Facility policies and procedures are covered by the regulated entity or client user. |

(b) Workstation use. Regulated entities are required to implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information. | A Compliance Guideline is available to Business Associate Clients and their Clients as documentation of applied compliance policies and procedures. Facility policies and procedures are covered by the client user. Specific procedures are the responsibility of |