How does Contract Cloud support HIPAA compliance within its product and platform?
Contract Cloud helps healthcare customers meet compliance requirements by controlling the video attestation process and ensuring all information is authenticated and remains both private and secure.
Contract Cloud shares HIPAA obligations with cloud computing provider, Amazon Web Services (AWS). The terms of this agreement are available upon request and defined in our Business Associate Addendum (BAA). AWS provides Contract Cloud with a secure, durable technology platform with industry-recognized certifications and audits: PCI DSS Level 1, ISO 27001,ISO 9001, FISMA Moderate, and SOC 1/SSAE 16/ISAE 3402.
The AWS services and data centers utilized by Contract Cloud have multiple layers of operational and physical security to ensure the integrity and safety of our data. The AWS services that we utilize, as included our BAA, Amazon EC2 and Amazon S3.
How does Contract Cloud Encrypt your data?
HIPAA’s Security Rule includes addressable implementation specifications regarding the encryption of PHI and PII in transmission (“inflight”) and in storage (“at-rest”). The same data encryption mechanisms used in a traditional computing environment, such as a local server or a managed hosting server, are used in our virtual computing environment, Amazon S3. Contract Cloud has full root access and administrative control over our virtual servers located in North America. To protect data security during electronic transmission, our files are encrypted using technologies such as 128-bit AES algorithm; 256-bit AES encryption is available upon request.
AWS Security Policies
For Amazon S3, AWS employees’ access to customer data is highly restricted and not necessary for customer support or maintenance.
Contract Cloud Control Policies
Contract Cloud uses a number of mechanisms to control access to the video witness data while in-flight and at-rest in the AWS cloud. Our system administrators set user and computer access controls to restrict data access and secure data. Contract Cloud employees are unable to access the data before it is de-identified. Our customers control their own access to our data and should restrict access to constituents who are HIPAA trained.
Auditing, Back-Ups, and Disaster Recovery
HIPAA’s Security Rule requires in-depth auditing capabilities, data backup procedures, and disaster recovery mechanisms. The services Contract Cloud utilizes in AWS contain features that address these requirements.
Contract Cloud technology is designed to be consistent with HIPAA and HITECH auditing requirements. Auditing capabilities are in place to allow security analysts to drill down into detailed activity logs or reports to see who had access, IP address entry, what data was accessed, etc. This data is tracked, logged, and stored in a central location for extended periods of time, in case of an audit. Using Amazon EC2, Contract Cloud runs activity log files and audits down to the packet layer on AWS virtual servers. We also track any IP traffic that reaches our virtual server instance.
Under HIPAA, covered entities must have a contingency plan to protect data in case of an emergency and must create and maintain retrievable exact copies of electronic PHI. We use Amazon S3 to implement a data back-up plan on AWS. By loading our files into Amazon S3, multiple redundant copies are automatically created and stored in separate data centers. These files can be accessed at any time, from anywhere (based on permissions) and are stored until intentionally deleted by the Contract Cloud system administrator or our customer’s system administrator.
Disaster recovery, the process of protecting an organization’s data and IT infrastructure in times of disaster, is a HIPAA requirement satisfied by AWS3. It involves maintaining highly available digital systems, keeping both the data and system replicated off-site, and enabling continuous access to both. By using Amazon S3, our data is replicated and automatically stored in separate data centers in North America to provide reliable data storage with a service level of 99.9% availability and no single points of failure.
For more information on AWS HIPAA compliance, please review their May 2015 White Paper – Creating Healthcare Data Applications to Promote HIPAA and HITECH ComplianceBack