Going Above and Beyond to Ensure HIPAA-Compliance and Security

Monday, July 10, 2017

By Peter Leiner, General Counsel at CentralReach

If you work in any medical field, there are five letters burned into your brain: H-I-P-A-A. We all know that this is not some dance move, but rather a Federal regulation that causes all who work in the medical field to lose sleep over potentially being subject to fines ranging from $100.00 to $50,000.00 per violation. As part of the Health Insurance Portability and Accountability Act of 1996, commonly referred to as HIPAA, Congress mandated the enactment of Federal standards to ensure that important and private health information remains secure. HIPAA took form through two different rules, both of which serve the purpose of properly handling protected health information (PHI).

The two rules are the Privacy Rule and the Security Rule, and organizations must abide by both to meet HIPAA standards. The Privacy Rule sets standards for access to PHI by requiring appropriate safeguards, and it places limits on the use and disclosure of PHI without patient authorization. The Security Rule requires that the confidentiality, integrity and availability of PHI be maintained by identifying and protecting against reasonably anticipated threats to its security or integrity, and by protecting against reasonably anticipated, impermissible uses or disclosures.

Here at CentralReach, we have focused on ensuring that our organization fully complies with the mandates of HIPAA, so that organizations don’t have to worry when using our platform. To accomplish compliance, CentralReach has completed rigorous third-party auditing and will continue to be proactive with audits, utilizing outside consultation for proper auditing and ongoing training.

Annual Audit

One of the first, and most important, things CentralReach does—a step every organization should be doing—is annual in-house auditing. This annual audit consists of a risk assessment in which every part of the CentralReach organization is reviewed. It is important to note that the audit isn’t just about whether our platform is secure, as there is so much more to achieving HIPAA compliance. The in-house audit includes things such as office security, review of the employee policies and procedures manual, and review of office electronic inventory. We even have a process in place if our Florida-based company is hit by a category 5 hurricane. These things are all done to ensure that CentralReach can continue to provide top-tier access to PHI, as well as to ensure that this information is secure from access by unauthorized third parties. Of course, CentralReach’s in-house audit includes an extensive review of the platform and potential cyber-attacks. The in-house audit is just the first step taken in a laundry list of protections.

Ongoing Audit

Once the annual audit is done, in a process that takes about two months, CentralReach continues with ongoing auditing. The ongoing auditing includes reviews of new features, such as our recently launched ReachMe, a HIPAA-secure chat that allows for better, real-time collaboration in your practice. We also use ongoing auditing to revisit any potential issues identified during the annual audit and to ensure that they were rectified. What’s more, CentralReach’s ongoing audit provides an opportunity to continuously review, revise and expand policies and procedures to better secure PHI. Finally, CentralReach uses every opportunity to provide updated information on the mandates of HIPAA as new areas of the law develop.

Third-Party Audit

While in-house auditing is great, we don’t believe that it is sufficient. That’s why CentralReach has continued to take steps to ensure top-tier HIPAA security for our platform by retaining third-party auditors to review our organization. Like CentralReach’s in-house audit, the third-party auditors did not just review CentralReach’s platform but also reviewed the entirety of the organization. Most recently, CentralReach earned a SOC 3 attestation for the cloud security platform environment. The SOC 3 certification serves as confirmation that CentralReach has taken appropriate steps to maintain controls over security and privacy when holding PHI, and to avoid unauthorized access. The SOC 3 Report is available to our users for review. Please contact me for more information. The SOC 3 Certification was just another step in CentralReach’s continuous venture to provide industry-leading security so that we may best serve our users. CentralReach also recently underwent a third-party audit specific to the HIPAA Security Rule. As was no surprise to anyone at CentralReach, the third-party auditor certified CentralReach as compliant.

Earning these certifications is great for CentralReach, but it is paramount for you as a user of our software. When you use CentralReach, you know you are using a platform that is pushing daily to do more than just satisfy basic standards. You are using a platform that always has HIPAA compliance on its mind and that strives to make HIPAA compliance a priority with every feature we offer and for every user we welcome.