HIPAA Compliance

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted by the U.S. Congress in 1996. According to the Centers for Medicare and Medicaid Services (CMS) website, Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs. Title II of HIPAA, known as the Administrative Simplification (AS) provisions, requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers.

Covered Entities

According to hhs.gov, the Privacy and Security Rules apply only to covered entities. Individuals, organizations, and agencies that meet the definition of a covered entity under HIPAA must comply with the Rules' requirements to protect the privacy and security of health information and must provide individuals with certain rights with respect to their health information. If an entity is not a covered entity, it does not have to comply with the Privacy Rule or the Security Rule.

Covered entities include the following three categories:

1. Healthcare Providers

Examples of healthcare providers are doctors, clinics and psychologists.

2. Health Plan

Examples of health plans are health insurance companies, HMOs, and company health plans.

3. Healthcare Clearinghouse

Healthcare clearinghouses are entities that process nonstandard health information from other entities into a standard format.


Our Security

Even though Healthcare Sign Out is not a covered entity as defined by hhs.gov, we know that you are, and therefore we either meet or exceed the security and privacy requirements as detailed below.


Physical Safeguards

Requirement: Controls must govern the introduction and removal of hardware and software from the network.
Our Standard: Healthcare Sign Out is hosted at a SAS 70 Type II Certified data center with strict hardware and software controls and restrictions on who can access the physical hardware.

Requirement: Access to equipment containing health information should be carefully controlled and monitored.
Our Standard: Access to Healthcare Sign Out secure servers is limited to IT personnel only. Data is stored at our secure location, protected by biometric access restriction, and is stored encrypted in our database. Therefore, even the IT personnel who do have access to the database cannot view the patient information.

Requirement: Access to hardware and software must be limited to properly authorized individuals.
Our Standard: Healthcare Sign Out is hosted at a secure remote location. Access to this secure location is restricted biometrically.

Requirement: Required access controls consist of facility security plans, maintenance records, and visitor sign-in and escorts.
Our Standard: Healthcare Sign Out is hosted at a secure remote location, which strictly controls the hardware used to host Healthcare Sign Out.

Requirement: Policies are required to address proper workstation use. Workstations should be removed from high-traffic areas, and monitor screens should not be in direct view of the public.
Our Standard: Data is not available via Healthcare Sign Out workstations. Data is stored encrypted in our database, and can only be decrypted by logging into Healthcare Sign Out.

Requirement: If the covered entities utilize contractors or agents, they too must be fully trained on their physical access responsibilities.
Our Standard: Healthcare Sign Out does not utilize contractors or agents.

Technical Safeguards

Requirement: Information systems housing PHI must be protected from intrusion. When information flows over open networks, some form of encryption must be utilized. If closed systems/networks are utilized, existing access controls are considered sufficient and encryption is optional.
Our Standard: All data that flows to and from Healthcare Sign Out is protected by TLS 1.2 128-bit encryption.

Requirement: Each covered entity is responsible for ensuring that the data within its systems has not been changed or erased in an unauthorized manner.
Our Standard: All data is protected via role-based security, and all data changes are logged in the database.

Requirement: Data corroboration, including the use of checksums, double-keying, message authentication, and digital signatures, may be used to ensure data integrity.
Our Standard: Data is stored in our database encrypted, and can only be decrypted by logging into Healthcare Sign Out.

Requirement: Covered entities must also authenticate entities with which they communicate. Authentication consists of corroborating that an entity is who it claims to be. Examples of corroboration include password systems, two- or three-way handshakes, telephone callback, and token systems.
Our Standard: Healthcare Sign Out is protected via role-based security. A username and password are required to access the system, and passwords must be changed on a regular basis.

Requirement: Covered entities must make documentation of their HIPAA practices available to the government to determine compliance.
Our Standard: All practices are documented and available via our HIPAA compliance page found at Healthcare Sign Out.

Requirement: In addition to policies and procedures and access records, information technology documentation should also include a written record of all configuration settings on the components of the network, because these components are complex, configurable, and always changing.
Our Standard: Healthcare Sign Out technology documentation is regularly kept up to date.

Requirement: Documented risk analysis and risk management programs are required. Covered entities must carefully consider the risks of their operations as they implement systems to comply with the act.
Our Standard: Risk mitigation and system security are a continual focus at Healthcare Sign Out. We go above and beyond the minimal requirements in order to keep your data safe.
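The data corroboration row above lists message authentication as one way to satisfy the integrity requirement, and the change-logging row relies on being able to tell that a stored record has not been altered outside the application. Encryption at rest by itself does not detect modification, so the usual complement is an integrity tag stored beside each record. The following is an added illustration written for this page, not code from Healthcare Sign Out: it tags each stored row with HMAC-SHA256 over a canonical serialization, verifies tags in constant time, and reports any row whose data no longer matches its tag. The key, the record fields, and the sample rows are all constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed example key. A real deployment would load this from a key
# management service or HSM, never from source code or the database itself.
INTEGRITY_KEY = b"example-integrity-key-not-for-production"


def canonical_bytes(record: dict) -> bytes:
    """Serialize a record deterministically so the tag does not depend on field order."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def tag_record(record: dict, key: bytes = INTEGRITY_KEY) -> str:
    """Compute an HMAC-SHA256 tag over the canonical form of the record."""
    return hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()


def store(record: dict, key: bytes = INTEGRITY_KEY) -> dict:
    """Return the row as it would be persisted: the data plus its integrity tag."""
    return {"data": dict(record), "tag": tag_record(record, key)}


def verify(stored: dict, key: bytes = INTEGRITY_KEY) -> bool:
    """Recompute the tag and compare in constant time; False means the row was altered."""
    expected = tag_record(stored["data"], key)
    return hmac.compare_digest(expected, stored["tag"])


def audit(rows: list, key: bytes = INTEGRITY_KEY) -> list:
    """Return the patient ids of rows whose stored tag no longer matches their data."""
    return [row["data"]["patient_id"] for row in rows if not verify(row, key)]


# Constructed sample rows (hypothetical sign-out records, not real PHI).
SAMPLE_ROWS = [
    store({"patient_id": "P-0001", "room": "12B", "note": "Post-op, stable"}),
    store({"patient_id": "P-0002", "room": "7A", "note": "Admitted 03:10"}),
]


def tamper_demo() -> list:
    """Simulate a direct database edit that bypasses the application and its change log."""
    rows = [{"data": dict(r["data"]), "tag": r["tag"]} for r in SAMPLE_ROWS]
    rows[1]["data"]["room"] = "9C"  # field changed without re-tagging
    return audit(rows)


if __name__ == "__main__":
    print("untampered rows failing audit:", audit(SAMPLE_ROWS))
    print("tampered rows failing audit:", tamper_demo())
```

A periodic audit pass over the table, or verification on every read, turns "changes are logged" into a detectable property: a row modified by anyone who has database access but not the integrity key will fail verification. Rotating the key requires re-tagging every row, which is why the key should be versioned alongside the tag in practice.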