How SigningHub implements HIPAA-compliant security standards

Posted by Pieter Rensburg on 02-Jan-2018 07:37:24

In this blog, we discuss how SigningHub implements HIPAA-compliant eSignatures.

What is HIPAA?

HIPAA (the Health Insurance Portability and Accountability Act of 1996) is United States legislation that provides data privacy and security provisions for safeguarding medical information.

How SigningHub implements HIPAA-compliant security standards

Follow this quick checklist to see how SigningHub implements HIPAA-compliant security standards. The clauses below are taken from: https://www.ihs.gov/hipaa/documents/IHS_HIPAA_Security_Checklist.pdf

More details can be found here.

Clause: 164.312(a)(2)(i)
Description: Have you assigned a unique name and/or number for identifying and tracking user identity?
Supported? Yes
Details: Each SigningHub account holder has a unique ID (generally an email address) to access SigningHub. All user activities and actions are tracked against this ID.

Clause: 164.312(a)(2)(ii)
Description: Have you established (and implemented as needed) procedures for obtaining the necessary ePHI during an emergency?
Supported? Yes
Details: SigningHub is deployed on the Azure cloud, which is fully HIPAA compliant. In the event of a disaster, SigningHub is automatically relocated by Azure to ensure continued access. Learn more here.

Clause: 164.312(a)(2)(iii)
Description: Have you implemented procedures that terminate an electronic session after a predetermined time of inactivity?
Supported? Yes
Details: After 15 minutes of inactivity SigningHub prompts the user to terminate the session, and then logs the user out after a further one minute of inactivity.

Clause: 164.312(a)(2)(iv)
Description: Have you implemented a mechanism to encrypt and decrypt ePHI?
Supported? Yes
Details: All communication between a browser and the SigningHub server is protected with SSL/TLS. We only support strong protocol versions (TLS 1.0 onwards) and strong ciphers. Check our rating from Qualys SSL Labs here.

Also, all documents are encrypted using AES-256 before being stored in the database.

Clause: 164.312(b)
Description: Have you implemented Audit Controls, hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI?
Supported? Yes
Details: SigningHub creates secure logs and workflow evidence reports which provide complete tracking of which activity was performed and when. The workflow evidence report is also digitally signed, recording who, when, where, how and what was performed on a document. Click here to find out more. Separately, SigningHub maintains operator logs that let auditors examine staff activities.

164.312(c)(1) - Integrity

Clause: 164.312(c)(2)
Description: Have you implemented electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorised manner?
Supported? Yes
Details: SigningHub signatures are cryptographically protected: any change in the document after signing is easily identified within SigningHub and also using free third-party software such as Adobe Acrobat Reader. Click here to learn more about SigningHub's security functions. SigningHub uses a secure crypto engine (ADSS Server) which auto-detects any data alteration and notifies administrators.
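The audit-control row (164.312(b)) and the integrity row (164.312(c)(2)) both rest on the same idea: a record of what happened that cannot be edited afterwards without the edit being detectable. As an added example, not SigningHub's or ADSS Server's implementation, the following Go program builds a workflow evidence report as a SHA-256 hash chain over audit events and signs the chain head with an Ed25519 key, then shows that an edited, dropped or re-signed entry fails verification. The event data, the "genesis" label and the key pair are constructed for the example; a deployment would keep the signing key in an HSM rather than generate it at start-up.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// AuditEvent is one entry of a workflow evidence trail: who did what to which
// document, from where and when. Exported fields in fixed order give a stable
// JSON encoding, which is what the hash chain commits to.
type AuditEvent struct {
	When   string `json:"when"`
	Who    string `json:"who"`
	Action string `json:"action"`
	DocID  string `json:"doc_id"`
	Where  string `json:"where"`
}

// EvidenceReport is the trail, a SHA-256 hash chain over it, and an Ed25519
// signature over the chain head. Chain[i] commits to Chain[i-1] and Events[i].
type EvidenceReport struct {
	Events    []AuditEvent
	Chain     []string
	Signature []byte
}

// ErrAltered is returned for any report whose events no longer match its chain
// or whose chain head is not covered by the signature.
var ErrAltered = errors.New("evidence report altered")

// link derives chain element i from the previous element and event i.
func link(prev string, e AuditEvent) string {
	enc, _ := json.Marshal(e) // marshalling a plain string struct cannot fail
	sum := sha256.Sum256(append([]byte(prev+"\n"), enc...))
	return hex.EncodeToString(sum[:])
}

// BuildReport chains the events and signs the head with the service key.
func BuildReport(events []AuditEvent, signer ed25519.PrivateKey) EvidenceReport {
	r := EvidenceReport{Events: events}
	head := "genesis" // constructed chain anchor for the example
	for _, e := range events {
		head = link(head, e)
		r.Chain = append(r.Chain, head)
	}
	r.Signature = ed25519.Sign(signer, []byte(head))
	return r
}

// VerifyReport recomputes the chain and checks the signature; any edited,
// dropped or reordered event shows up as a chain mismatch or a bad signature.
func VerifyReport(r EvidenceReport, pub ed25519.PublicKey) error {
	if len(r.Chain) != len(r.Events) {
		return fmt.Errorf("%w: chain has %d links for %d events", ErrAltered, len(r.Chain), len(r.Events))
	}
	head := "genesis"
	for i, e := range r.Events {
		head = link(head, e)
		if head != r.Chain[i] {
			return fmt.Errorf("%w: event %d does not match chain", ErrAltered, i)
		}
	}
	if !ed25519.Verify(pub, []byte(head), r.Signature) {
		return fmt.Errorf("%w: signature does not cover this chain", ErrAltered)
	}
	return nil
}

// newSigner generates a fresh Ed25519 key pair; it stands in for a signing key
// that a real service would hold in an HSM.
func newSigner() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// sampleEvents is constructed sample data, not a real SigningHub trail.
func sampleEvents() []AuditEvent {
	return []AuditEvent{
		{"2018-01-02T07:37:24Z", "alice@example.com", "UPLOAD", "doc-42", "203.0.113.10"},
		{"2018-01-02T07:40:01Z", "alice@example.com", "SEND_FOR_SIGNATURE", "doc-42", "203.0.113.10"},
		{"2018-01-02T08:05:45Z", "bob@example.com", "SIGN", "doc-42", "198.51.100.7"},
	}
}

func main() {
	pub, priv := newSigner()
	r := BuildReport(sampleEvents(), priv)
	fmt.Println("fresh report:", VerifyReport(r, pub))
	r.Events[2].Who = "mallory@example.com" // rewrite who signed the document
	fmt.Println("after edit:", VerifyReport(r, pub))
}
```

Verification is deliberately two-stage: the chain catches anyone who edits a row without recomputing the hashes, and the signature catches anyone who does recompute them, because they cannot produce a signature over the new head without the service key.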

Clause: 164.312(d)
Description: Have you implemented Person or Entity Authentication procedures to verify that a person or entity seeking access to ePHI is the one claimed to be?
Supported? Yes
Details: SigningHub provides multiple authentication options, including two-factor authentication, before the user or entity is authorised to view and sign the document. These include:

  • SigningHub ID (email/password)
  • Smart Cards (SSL Client)
  • One Time Password
  • Active Directory
  • SAML
  • Salesforce
  • Office 365
  • Entrust IDG
  • Freja Mobile
  • LinkedIn
  • Ubisecure

In the case of One Time Passwords, note that the OTP message does not contain any Protected Health Information, only the one-time code. More details on ePHI can be found here.

164.312(e)(1) - Transmission Security

Clause: 164.312(e)(2)(i)
Description: Have you implemented security measures to ensure that electronically transmitted ePHI is not improperly modified without detection until disposed of?
Supported? Yes
Details:

  • All communication between the browser and the SigningHub server is over secure TLS
  • All documents are encrypted before being stored
  • All external communication with other identity providers is over TLS
  • Users can configure SigningHub not to send any document via email
  • SigningHub adheres to the EU Data Protection Directive, so no data is exported out of Europe. Read more about PII here

Clause: 164.312(e)(2)(ii)
Description: Have you implemented a mechanism to encrypt ePHI whenever deemed appropriate?
Supported? Yes
Details: See 164.312(a)(2)(iv) and 164.312(e)(2)(i) above.
