(1)Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.

Allows the covered entity a secure method to transfer PHI from sender via interim custody and delivery.  Validates transfer of custody to authenticated recipient at each interval. Provides remote storage of PHI in secure folders in an uncorrupted form; transmission is via encrypted channel to a verified recipient.

(2) Protect against any reasonably specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting the entity's electronic protected health information;

Authentication is required to access any secured data on the system.  Each data exchange is verified by the system during a documents transfer of custody and summarily applied to an audit trail.  This dynamic authentication method is established by the creation and use of a personal password system including generation of temporary passwords to assigned known recipients.  Timed “log out” protects against unauthorized system access at defined intervals or by manual exit.  System provides automatic virus filtering and updating; Spam filtering; spyware removal on demand.

(3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part.

Requires user authentication upon each timed entrance to the secure communication system

(4) Ensure compliance with this subpart by its workforce.

Sanction is established by the covered entity; compliance is under purview of entity designated “system administrator”. Executed at the direction of the System Administrator.

(b) Flexibility of approach.

(1) Covered entities may use any security measures that allow the covered entity to reasonably and appropriately implement the standards and implementation specifications as specified in this subpart.

Adaptable to evolution of HIPAA regulation without need for software upgrades to individual user terminals or computers. Adaptations are implemented throughout the system to all users. Changes or modification of HIPAA regulation are implemented for all client users as they become law.

(2) In deciding which security measures to use, a covered entity must take into account the following factors

(i) The size, complexity, and capabilities of the covered entity.

Scalable to over 100,000 users in each domain or larger size of operation when adapted without regard to the number of authorized and authenticated users. Message, document and image size are unrestricted.

(ii) The covered entity's technical infrastructure, hardware, and software security capabilities. 

Does not rely on the hardware or software of the covered entity - operates on proprietary code and secure servers established specifically for this purpose.

(iii) The costs of security measures

Clients are not charged for increased security upgrades or modifications on an individual basis.  System upgrades, security

improvements and changes in functionality are implemented at the secure server application and immediately applied throughout the system

(iv) The probability and criticality of potential risks to electronic protected health information

Reduces the risk of loss probability with identified controls of access and untraceable dissemination. Access is limited; transmissions are auditable; receipts are auditable; users are authenticated and identifiable.

§ 164.308 Administrative safeguards.

A covered entity must, in accordance with

 § 164.306:

SafetySend conforms to § 164.306

(1)(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations.

Security procedures are designed to detect and record attempts at unauthorized access and immediately notify network administrators of excessive password violations, attempted transfer of computer viruses, containment of potentially harmful files and renders activities to a security log.  Individual tools are made available to each user for the detection and removal of viruses, spyware and other compromising software from our main menu.

(A) Risk analysis (Required). Conduct accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity. 

The secure network is only available to it’s authenticated users; provides continuous encryption of internal and external transmission of PHI; conducts daily modification of intrusion and invasion by outside parties by conducting modification of code algorithms to negate intrusion.  SafetySend also provides additional detection tools to assess potential security vulnerabilities of each individual computer

(B) Risk management (Required). Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a)

Requires two levels of authentication initiate user identification; multi-challenge verification to change password. The use of proprietary code; application of processing algorithms, virus filters, and secure firewall are updated no less than once per day. 

(C) Sanction policy (Required). Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity.

Sanction policy is established by the covered entity on the SafetySend system – termination or suspension is established by entity “system administrator”.  In the case of an individual client or the identified violation by a client user within the entity, the individual is responsible for compliance with the policies and procedures of Safety Send, Inc. that are in concert with HIPAA.  Violation of those policies and procedures constitutes immediate suspension of privileges to use the SafetySend system.

(D) Information system activity review (Required). Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.

Provides system activity review under an “audit trail” by retained history of “secure” transmissions outside the SafetySend system as well as equal history transmissions within the SafetySend system.

(2) Standard: Assigned security responsibility. Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the entity.

The entity designates their “System Administrator” who becomes the assigned responsible party.  This system administrator has access to review, modify or suspend user privileges.

(3)(i) Standard: Workforce security. Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information.

Specific access is authorized by the System Administrator.  Non Access and Sanction policy is established by the covered entity – termination or exclusion is established by entity “system administrator”.  Authorized access requires two levels of authentication initiate client user identification; dual identity verification to change password

(ii) Implementation specifications:

(A) Authorization and/or supervision (Addressable). Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.

Authorization is addressed in (2) & (3)(i)(a)(4)

(B) Workforce clearance procedure (Addressable). Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate.

System Administrator establishes clearance procedure and authorizes access to system. Individual client users self administrate.

(C) Termination procedures (Addressable). Implement procedures for terminating access to electronic protected health information when the employment of a workforce member ends or required by paragraph (a)(3)(ii)(B) of this section.

Non Access and Sanction policy is established by the covered entity – termination or exclusion is established by entity “system administrator”.  Authorized access to SafetySend requires two levels of authentication initiate client user identification; dual identity verification to change password. System Administrator has authority to deny access to any user.  In the case of an individual client or the identified violation by a client user within the entity, the individual is responsible for compliance with the policies and procedures of Safety Send, Inc. that are in concert with HIPAA.  Violation of those policies and procedures constitutes immediate suspension of privileges to use the SafetySend system.

4)(i) Standard: Information access management. Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part

SafetySend policies and procedures are consistent with subpart E.

(ii) Implementation specifications:

(A) Isolating health care clearinghouse functions (Required). If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization.

SafetySend does not operate as a clearinghouse.

(B) Access authorization (Addressable). Implement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process, or other mechanism.

Access to all PHI in the system requires two levels of authentication; proper user identification and password; dual identity verification to change password. The use of proprietary code; application of processing algorithms, virus filters, and anti hacking shields are updated no less than once per day.

(C) Access establishment and modification (Addressable). Implement policies and procedures that, based upon the entity's access authorization policies, establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process.

Sanction policy is established by the covered entity – termination or exclusion is established by entity “system administrator”.  In the case of an individual client or the identified violation by a client user within the entity, the individual is responsible for compliance with the policies and procedures of Safety Send, Inc. that are in concert with HIPAA.  Violation of those policies and procedures constitutes immediate suspension of privileges to use the SafetySend system.  SafetySend requires two levels of authentication to initiate client user identification; dual identity verification to change password.

(5)(i) Standard: Security awareness and training. Implement a security awareness and training program for all members of its workforce (including management).

Users are notified on no less than on an annual basis of the security requirement of HIPAA and at such times as those security requirements may be amended. Acknowledgement is required to avoid suspension of access to SafetySend.

(ii) Implementation specifications. Implement:

(A)     Security reminders (Addressable). Periodic security updates.

Daily review and update of security components.

(B) Protection from malicious software (Addressable). Procedures for guarding against, detecting, and reporting malicious software.

Proprietary code guards against malicious software and reports intrusion attempts to the targeted user via constant monitoring and exclusion of malicious software. Virus and Spam filters are constantly active.

(C) Log-in monitoring (Addressable). Procedures for monitoring log-in attempts and reporting discrepancies.

Requires two levels of authentication to initiate client user identification; dual identity verification to change password.  An 8 digit – alpha –numeric password is required to enter the system. Failure to enter requires confidential answers to two levels of specific questions to acquire a temporary password, then re-establishment of an active password.

(D) Password management (Addressable). Procedures for creating, changing, and safeguarding passwords.

An 8 digit – alpha –numeric password is required to enter the system.  SafetySend requires two levels of authentication initiate client user identification; dual identity verification to change password. The use of proprietary code; application of processing algorithms, virus filters, and anti hacking shields are updated no less than once per day. 

(6)(i) Standard: Security incident procedures. Implement policies and procedures to address security incidents.

Authentication upon system entrance; verified change of custody by receipt by established password or temporary password to known receiver; timed “log out” of the system at 10 minutes automatically or by manual exit; automatic virus filtering and updating; spyware removal on demand. Users are notified of intrusion incident attempts. Non compliance incidents by a user are suspended until suspension is released by System Administrator.

(ii) Implementation specification: Response and Reporting (Required). Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes.

Suspends and denies access by action of the System Administrator or upon notification by the System Administrator to any users suspected of a security incident. Individual client users are self administered under their own responsibility. Should SafetySend be aware of a security incident; access and use are suspended immediately or within one day of notification being the extent practicable. 

(7)(i) Standard: Contingency plan. Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.

Contingency plan for response to emergency or occurrence for safeguarding PHI. Destruction or damage to user and/or entity computers does not destroy or deny access to PHI data on SafetySend secure servers.  SafetySend operates as “backup” servers at a second location in the even of loss or damage to primary client storage servers.

(ii) Implementation specifications:

(A) Data backup plan (Required). Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.

Provides storage of PHI backup files in retrievable “Secure Folders”.  SafetySend is the backup in two location sites for the entity or individual client user.

(B) Disaster recovery plan (Required). Establish (and implement as needed) procedures to restore any loss of data.

Secure backup servers at secondary locations retrieve data in the event of a disaster. SafetySend is the backup in two location sites for the entity or individual client user.

(C) Emergency mode operation plan (Required). Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.

SafetySend is an ASP system – thereby allowing continuation of operations from alternate locations where Internet connections can be made.  Critical business processes can function without interruption as long as Internet access is available.

(D) Testing and revision procedures (Addressable). Implement procedures for periodic testing and revision of contingency plans.

SafetySend contingency plans are reviewed and revised on a regular basis

(E) Applications and data criticality analysis (Addressable). Assess the relative criticality of specific applications and data in support of other contingency plan components.

SafetySend makes assessment of critical applications on a regular basis.

(8) Standard: Evaluation. Perform a periodic technical and non-technical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of the electronic protected health information, that establishes the extent to which an entity's security policies and procedures meet the requirements of this subpart.

SafetySend reviews all operational changes for compliance prior to implementation and modifies to compliance in the event of compliance changes quarterly and no less than three times per year. All servers are under physical security as well as technical security provided by proprietary code.

(b)(1) Standard: Business associate contracts and other arrangements. A covered entity, in accordance with

§ 164.306, may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity's behalf only if the covered entity obtains satisfactory assurances, in accordance with § 164.314(a) that the business associate will appropriately safeguard the information.

Compliance Guideline is available to Business Associate Clients and their Clients as documentation of applied Compliance policies and procedures.

(2) This standard does not apply with respect to— [application of the part and subpart is determined by the covered entity]

(i) The transmission by a covered entity of electronic protected health information to a health care provider concerning the treatment of an individual.

Compliance Guideline is available to Business Associate Clients and their Clients as documentation of applied Compliance policies and procedures. Facility Policies and Procedures are covered by client user.

(ii) The transmission of electronic protected health information by a group health plan or an HMO or health insurance issuer on behalf of a group health plan to a plan sponsor, to the extent that the requirements of

§ 164.314(b) and § 164.504(f) apply and are met; or

Compliance Guideline is available to Business Associate Clients and their Clients as documentation of applied Compliance policies and procedures. Facility Policies and Procedures are covered by client user.

(iii) The transmission of electronic protected health information from or to other agencies providing the services at § is a health plan that is a government program providing public benefits, if the requirements of § 164.502(e)(1)(ii)(C) are met.

Compliance Guideline is available to Business Associate Clients and their Clients as documentation of applied Compliance policies and procedures. Facility Policies and Procedures are covered by client user.

(3) A covered entity that violates the satisfactory assurances it provided as a business associate of another covered entity will be in noncompliance with the standards, implementation specifications, and requirements of this paragraph and § 164.314(a).

Compliance Guideline is available to Business Associate Clients and their Clients as documentation of applied Compliance policies and procedures. Facility Policies and Procedures are covered by client user.

(4) Implementation specifications: Written contract or other arrangement (Required). Document the satisfactory assurances required by paragraph (b)(1) of this section through a written contract or other arrangement with the business associate that meets the applicable requirements of § 164.314(a).

Compliance Guideline is available to Business Associate Clients and their Clients as documentation of applied Compliance policies and procedures. Facility Policies and Procedures are covered by client user.

§ 164.310 Physical safeguards. A covered entity must, in accordance with §164.306:

(a)(1) Standard: Facility access controls. Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.

Compliance Guideline is available to Business Associate Clients and their Clients as documentation of applied Compliance policies and procedures.

(2) Implementation specifications:

(i) Contingency operations (Addressable). Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.

Compliance Guideline is available to Business Associate Clients and their Clients as documentation of applied Compliance policies and procedures.

(ii) Facility security plan (Addressable). Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft. (iii) Access control and validation procedures (Addressable). Implement procedures to control and validate a person's access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.

Compliance Guideline is available to Business Associate Clients and their Clients as documentation of applied Compliance policies and procedures. Facility Policies and Procedures are covered by client user.

(iii) Maintenance records (Addressable). Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors, and locks).

Compliance Guideline is available to Business Associate Clients and their Clients as documentation of applied Compliance policies and procedures. Facility Policies and Procedures are covered by client user.

(b) Standard: Workstation use. Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information.

Compliance Guideline is available to Business Associate Clients and their Clients as documentation of applied Compliance policies and procedures. Facility Policies and Procedures are covered by client user.