This blog post is an in-depth look at what it means to be “HIPAA compliant,” AgileLaw’s security standards, AgileLaw’s handling of HIPAA protected information, and what law firms need to know about their document vendors.
HIPAA – “Compliance” vs “Certification”
First, Federal law does not provide for any HIPAA “certification.” Therefore any company that touts that it is “certified” under HIPAA is mistaken. The company may hold a certification from an independent auditor, but that certification does not mean that the software or the company has been approved under HIPAA in any way by the Federal government or any other regulatory authority.
HIPAA “compliance” is based on a company’s compliance with the HIPAA Security Rule. Compliance is determined internally, and there is no single set of procedures that makes a company “compliant” or “non-compliant.” HHS.gov states that the rule is “flexible and scalable” and “does not dictate” the security measures that must be used. Instead the Rule gives guidelines on what could constitute compliance. Companies are required to conduct a risk analysis, which evaluates the risk of unauthorized access to protected information. At a high level, a company handling electronic Personal Health Information (“ePHI”) must implement (i) administrative, (ii) physical, and (iii) technical safeguards to prevent unauthorized access, but how it does so remains largely up to the company itself.
Since its inception AgileLaw has always utilized 256-bit AES encryption of each document, which is the same encryption standard required of banks and other financial institutions. We have also designed multiple safeguards to prevent unauthorized access to all information, not just ePHI. This Security Document outlines the steps we take to protect information in our system. The most important thing to take away is that AgileLaw employees have no access to documents that you upload to the system. This inability to access your documents was built in on purpose, because we understand that our employees have no business looking at or accessing your documents.
AgileLaw’s Security Means We Cannot Tell What ePHI is in the System
One standard requirement of any HIPAA compliance program is the ability of the software to detect unauthorized access and then to notify the person or people whose ePHI was improperly disclosed or revealed. For AgileLaw, because we cannot see the contents of the documents that you upload, (i) we don’t know whether any specific document contains ePHI (and therefore whether it is covered by HIPAA) and (ii) we don’t know whose information is on the document. This does not mean that AgileLaw cannot comply with HIPAA, but it does mean that our approach to protecting ePHI is different from what one might see at another company that actually can see the underlying data that it houses.
AgileLaw’s Administrative Safeguards
The HIPAA rules first require that companies subject to HIPAA (known as “covered entities” and their business associates) implement Administrative Safeguards. For the sake of brevity this post will not explain the details of Administrative Safeguards. For more information in general about the requirements of HIPAA Administrative Safeguards you can do a general search online or review these links:
AgileLaw has implemented the following Administrative Safeguards to comply with the regulations:
- Has designated a Primary and Secondary Privacy Officer to develop procedures
- Provides regular HIPAA security training for all its employees
- Performs a regular risk assessment to determine vulnerabilities in its application
- Modifies its processes as a result of any risks identified in the assessment
- Has established a system of backups to mitigate any risk of lost or corrupted data
- Has established notification and incident procedures in the event of any unauthorized access to the system*
- Gives AgileLaw employees zero access to ePHI (see explanation above)
- Executes Business Associate Agreements when requested
- Maintains an existing Business Associate Agreement with Amazon, which hosts AgileLaw’s servers
*To date AgileLaw has never needed to implement any such notification. For more information on AgileLaw’s notification procedure see the Nitty Gritty section below.
AgileLaw’s Physical Safeguards
AgileLaw does not have physical access to ePHI or to the servers that house any of its data. All of your data within AgileLaw’s servers is housed in Amazon’s AWS cloud in multiple availability zones. Because access to AgileLaw’s servers is restricted to electronic access, the risk of physical intrusion into an AgileLaw server is extremely low. Amazon takes on the obligation of ensuring that unauthorized physical access to the underlying servers is not permitted (see this link and this link). Finally, although not a physical safeguard, AgileLaw’s encryption ensures that, even if unauthorized access to an Amazon server did occur, the perpetrator would still have to decrypt the data before they could see anything stored within the server.
AgileLaw’s Technical Safeguards
As explained above, AgileLaw’s primary technical safeguard is its 256-bit encryption, along with the architecture that prevents any AgileLaw employee from ever seeing the contents of any document uploaded to its server. In addition to this design, AgileLaw utilizes SSL encryption for data in transit, maintains an access and audit log of all users, and is designed so that documents uploaded to the system cannot be altered once they are in the system.
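The three technical safeguards named above (encryption of stored documents, an access and audit log, and documents that cannot be altered once uploaded) can be sketched in code. The Go program below is an added example written for this post; it is not AgileLaw’s code and does not describe AgileLaw’s architecture. The key handling, the document IDs, the user names and the sample document text are all constructed for the demonstration. The store keeps each document only as AES-256-GCM ciphertext, appends an entry to an in-memory audit log for every upload and read (including failed reads), refuses to write a second document under an existing ID, and shows that a single byte changed in storage is caught on the next read because the authentication tag no longer verifies.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// StoredDoc is all the storage tier ever holds: ciphertext, never plaintext.
type StoredDoc struct {
	Nonce      []byte
	Ciphertext []byte // AES-256-GCM output with the 16-byte authentication tag appended
}

// AuditEvent is one entry in the append-only access log (constructed format).
type AuditEvent struct {
	When                time.Time
	User, Action, DocID string
}

// Vault is the constructed document store: one AES-256 key, the documents, the log.
type Vault struct {
	gcm   cipher.AEAD
	docs  map[string]StoredDoc
	audit []AuditEvent
}

// NewVault generates a random 32-byte key (AES-256) and wraps it in GCM.
func NewVault() (*Vault, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{gcm: gcm, docs: map[string]StoredDoc{}}, nil
}

func (v *Vault) record(user, action, docID string) {
	v.audit = append(v.audit, AuditEvent{time.Now().UTC(), user, action, docID})
}

// Upload encrypts under a fresh random nonce and binds docID as additional authenticated
// data, so a ciphertext cannot be re-filed under another ID. The store is write-once.
func (v *Vault) Upload(user, docID string, plaintext []byte) error {
	if _, exists := v.docs[docID]; exists {
		return errors.New("document already exists: store is write-once")
	}
	nonce := make([]byte, v.gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	ct := v.gcm.Seal(nil, nonce, plaintext, []byte(docID))
	v.docs[docID] = StoredDoc{Nonce: nonce, Ciphertext: ct}
	v.record(user, "upload", docID)
	return nil
}

// Open decrypts and verifies the GCM tag; one changed byte in storage fails here, and the failed read is logged.
func (v *Vault) Open(user, docID string) ([]byte, error) {
	d, ok := v.docs[docID]
	if !ok {
		return nil, errors.New("no such document")
	}
	pt, err := v.gcm.Open(nil, d.Nonce, d.Ciphertext, []byte(docID))
	if err != nil {
		v.record(user, "open-failed-integrity", docID)
		return nil, fmt.Errorf("document %s failed integrity check: %w", docID, err)
	}
	v.record(user, "open", docID)
	return pt, nil
}

// CorruptAtRest flips one stored byte, standing in for a change made underneath the application. Demo only.
func (v *Vault) CorruptAtRest(docID string) {
	d := v.docs[docID]
	d.Ciphertext[0] ^= 0x01 // the slice shares its backing array with the map entry
}

func (v *Vault) AuditLog() []AuditEvent { return v.audit }

func main() {
	v, _ := NewVault()
	_ = v.Upload("attorney@example.test", "exhibit-12", []byte("constructed sample chart text"))
	v.CorruptAtRest("exhibit-12")
	_, err := v.Open("auditor@example.test", "exhibit-12")
	fmt.Println("read after corruption:", err)
	for _, e := range v.AuditLog() {
		fmt.Println(e.When.Format(time.RFC3339), e.User, e.Action, e.DocID)
	}
}
```

Run it with `go run`. Two design points are worth noting. Authenticated encryption does not prevent a stored document from being changed; it guarantees that any change is detected on read, which is what makes an immutability promise auditable rather than merely asserted. The write-once check in Upload covers the application path, while the GCM tag covers changes made below it, and logging the failed read means an integrity failure leaves a trace in the same audit log as ordinary access.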
The Nitty Gritty
For most companies handling ePHI, if an unauthorized disclosure of information occurs, the company is required to notify the person whose PHI was disclosed. As explained above, AgileLaw is unable to perform this notification because it cannot see the underlying data; if a data breach ever occurred, AgileLaw would not know whether any ePHI was involved or whose PHI was compromised. To satisfy the notice requirement, therefore, in the event any unauthorized access is ever discovered AgileLaw would notify its affected customers. Those customers have access to the underlying data and therefore should know what ePHI has been uploaded. They would then be responsible for distributing the proper notices to the affected parties under HIPAA.
One other important element to point out is that AgileLaw ultimately cannot control access to ePHI. Because our system allows our customers to permit outside parties to join sessions, it is ultimately up to our customers to ensure that they do not admit people into a session who should not have access, and it is up to our customers not to disclose ePHI (or any other protected information) to a participant who should not have access to the data.
If you have questions on how to prevent access to a sensitive document in the system (such as preventing downloading of the document) please contact us.
What to Ask Vendors
There are several vendors in the electronic exhibit space and e-Discovery in general who claim to be “HIPAA compliant.” They may be, but you should not just assume it to be true. When evaluating the vendors’ compliance with HIPAA we suggest you ask them the following questions:
- Who is your Privacy Officer?
- When was your last HIPAA security training?
- Will you execute a Business Associate Agreement?
- What technical safeguards do you have in place to prevent your employees from seeing ePHI?
- What is your notification process in the event of unauthorized access to ePHI?
A vendor that is unable to answer these questions is likely not HIPAA compliant, regardless of its marketing material.
Questions or Concerns?
Let us know. We have executed Business Associate Agreements for several customers in the past, and we are happy to execute one for you if required. If you have questions that are not adequately answered here, just chat with us and we will do our best to resolve your question promptly.
About the Author
Cyclone Covey wrote this post. Cyclone is a co-founder of AgileLaw and AgileLaw’s Primary Privacy Officer. Cyclone is a licensed attorney (in Georgia and California) who maintains an active litigation practice in addition to supporting AgileLaw. Prior to co-founding AgileLaw Cyclone worked as General Counsel for Clearwave Corporation, which is a software company that provides real-time health insurance verification to doctors and hospitals. In this role his duties included ensuring Clearwave maintained HIPAA compliant procedures, drafting and approving Business Associate Agreements, and ensuring that new hardware and software complied with necessary technical and physical safeguards.