SpeakWrite and HIPAA Compliance
Safeguarding our clients' data, including Protected Health Information (PHI), is a top priority at SpeakWrite. Our privacy and security policies and procedures adhere to the Health Insurance Portability and Accountability Act (HIPAA) of 1996 as outlined below.
The HIPAA Privacy Rule
SpeakWrite does not facilitate health care treatment, payment or operations for our clients but does process client dictations and documents that contain Protected Health Information (PHI). Therefore, we approach HIPAA's Privacy Rule with the level of emphasis that is expected from all business associates of covered entities. Specifically we:
- Use appropriate safeguards to prevent unauthorized use or disclosure of PHI. In addition to maintaining strict technical standards under the HIPAA Security Rule, SpeakWrite employees and typists must master an extensive set of procedures covering security, privacy and confidentiality. Examples of activities that are specifically prohibited include:
  - Disclosing any client information, including PHI, for any purpose
  - Discussing client information in public or private with any person for any reason
  - Attempting to contact or contacting clients or anyone connected to them for any reason
  - Generating written or printed copies of any client work
  - Maintaining any computer file or other record of client materials
  - Leaving client information open to view by unauthorized persons
- Document the permitted and required uses of PHI, as required by the Privacy Rule
- Contractually agree that SpeakWrite will not use or further disclose the PHI other than as permitted or required by the contract or as required by law
SpeakWrite educates all employees and typists on the importance of protecting client information. All SpeakWrite employees and typists take HIPAA training, and sign confidentiality agreements that reinforce our privacy policies and procedures.
The HIPAA Security Rule
This rule concerns the security of electronic Protected Health Information (ePHI). The Security Rule specifies three types of safeguards: Administrative, Physical and Technical.
SpeakWrite adheres to the following Administrative Safeguards:
- SpeakWrite has a Privacy Officer who develops HIPAA-related policies and monitors and enforces compliance with those policies by SpeakWrite employees and typists. The Privacy Officer oversees the implementation of HIPAA and security awareness training for employees and typists, as well as the prevention, detection, containment and correction of security violations. The Privacy Officer, in conjunction with the VP of Technology, continually assesses and manages security risks in accordance with SpeakWrite's risk management procedures.
- The SpeakWrite system restricts access to PHI to individuals who have the required access authority and appropriate clearances.
- SpeakWrite has policies and procedures for employee onboarding and termination, and monitors access on an ongoing basis.
- Both our clients and our typists must authenticate to the system. Clients are authenticated using their Account ID and PIN when they use the toll-free dictation line or log in to the web site. Typists are authenticated at multiple steps in the transcription process to increase the level of security.
- Our security model uses authorization to verify client access upon logging in and to verify which functionality is available to that particular client. For typists, authorization is used to verify that they have been assigned a job and verifies the authority of a typist to download job information and upload finished documents.
- We maintain virus protection software on all servers to detect malicious software.
- SpeakWrite has tracking mechanisms to monitor each log-in and authentication to our system.
- We do not permit the sharing of passwords or email passwords. We revoke Employee User IDs that have not been used for a period of 60 days. All employees are required to change their passwords every 30 days.
- SpeakWrite has policies and procedures regarding incidents and notification to clients. In the event of attempted or successful unauthorized access, use, disclosure, modification or destruction of information, or interference with system operations, SpeakWrite will:
  - Assess the incident in terms of our risk management plan and procedures
  - Notify the covered entity/client and any other affected parties immediately of the incident and any impacts
  - If the cause of the security incident is human-based, apply the sanction and/or termination policy
- SpeakWrite has a full business continuity plan and maintains comprehensive contingency plans, including the following:
  - SpeakWrite continually replicates data to a parallel disaster recovery environment that is geographically separate from our production environment. In case of a disaster, SpeakWrite has a disaster recovery plan with detailed procedures for moving operations to the disaster recovery site. Both the production and disaster recovery sites are located in hosted and managed data centers.
  - We have multiple redundancies in place as contingencies in case of power failure, internet failure or WAN failure.
  - We have additional phone lines available and activate them as needed to handle any increased call volume with no interruption of service.
  - SpeakWrite maintains a minimum cushion of available server storage space sufficient to provide services at several times our current volume. Our technical staff uses automated monitoring tools to constantly evaluate capacity and increase it as necessary.
  - We have an Emergency Mode Operation Plan in place with contingencies for multiple scenarios.
- SpeakWrite implements a security audit on all system changes and continually monitors and updates security controls and processes in order to document compliance with its own security policies and the HIPAA Security Rule.
- As a business associate of covered entities, we adhere to the covered entity's contract requirements and provisions. We contractually agree that SpeakWrite will not use or further disclose the PHI other than as permitted or required by the contract or as required by law.
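The account-lifecycle rules stated above (revoke employee User IDs unused for 60 days; require a password change every 30 days; never count an account as "used" on the strength of its creation alone) are the kind of administrative control that is only as good as the periodic review that enforces it. The following is an added illustration of such a review, not SpeakWrite's own code: it assumes a simplified account record (creation time, last login, last password change, all timezone-aware) and treats an account that has never logged in as unused since it was created, so a dormant account that was provisioned but never claimed is still caught.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Optional, Tuple

# Thresholds taken from the policy text: 60 days unused -> revoke,
# 30 days since last password change -> must rotate.
REVOKE_AFTER = timedelta(days=60)
ROTATE_AFTER = timedelta(days=30)


@dataclass(frozen=True)
class Account:
    """Hypothetical simplified account record (an assumption of this example)."""
    user_id: str
    created: datetime
    last_login: Optional[datetime]  # None if the account has never been used
    password_changed: datetime


def _as_utc(dt: datetime) -> datetime:
    # Naive datetimes are rejected: comparing them against an aware "now"
    # either raises or silently assumes a zone, and a day of skew is enough
    # to miss a revocation at the boundary.
    if dt.tzinfo is None:
        raise ValueError("timestamps must be timezone-aware")
    return dt.astimezone(timezone.utc)


def review_accounts(accounts: Iterable[Account], now: datetime) -> Tuple[List[str], List[str]]:
    """Return (ids_to_revoke, ids_that_must_rotate_password) as sorted lists.

    An account that is being revoked is not also listed for rotation:
    there is no point in asking a revoked user to change a password.
    """
    now = _as_utc(now)
    to_revoke: List[str] = []
    must_rotate: List[str] = []
    for acct in accounts:
        # Never-logged-in accounts age from their creation time, so an
        # unclaimed account cannot sit dormant indefinitely.
        last_activity = acct.last_login if acct.last_login is not None else acct.created
        if now - _as_utc(last_activity) >= REVOKE_AFTER:
            to_revoke.append(acct.user_id)
            continue
        if now - _as_utc(acct.password_changed) >= ROTATE_AFTER:
            must_rotate.append(acct.user_id)
    return sorted(to_revoke), sorted(must_rotate)


# Constructed sample data for this example (not real accounts).
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    # active and recently rotated: nothing to do
    Account("alice", NOW - timedelta(days=400), NOW - timedelta(days=5), NOW - timedelta(days=10)),
    # unused for 61 days and a stale password: revoked, and not also flagged for rotation
    Account("bob", NOW - timedelta(days=400), NOW - timedelta(days=61), NOW - timedelta(days=100)),
    # provisioned 90 days ago, never logged in: dormant from creation, revoked
    Account("carol", NOW - timedelta(days=90), None, NOW - timedelta(days=90)),
    # active, but password is 45 days old: must rotate
    Account("dave", NOW - timedelta(days=400), NOW - timedelta(days=3), NOW - timedelta(days=45)),
    # exactly at the 60-day boundary: treated as unused for a period of 60 days, revoked
    Account("erin", NOW - timedelta(days=400), NOW - timedelta(days=60), NOW - timedelta(days=1)),
    # new account, never logged in, only 10 days old: still within both windows
    Account("frank", NOW - timedelta(days=10), None, NOW - timedelta(days=10)),
]

if __name__ == "__main__":
    revoke, rotate = review_accounts(SAMPLE_ACCOUNTS, NOW)
    print("revoke:", revoke)
    print("rotate:", rotate)
```

The boundary is deliberately inclusive (60 days of non-use, not more than 60) so that the review run on day 60 catches the account rather than leaving it for the next cycle; whichever reading a policy adopts, it should be written down next to the threshold, as it is here.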
SpeakWrite adheres to the following Physical Safeguards:
- SpeakWrite's production and disaster recovery environments are located in geographically dispersed colocation facilities with redundant power (grid, battery and generator), HVAC and networks. The colocation facilities maintain physical security including card access, locking server racks and closed-circuit television monitoring.
- SpeakWrite implements a workstation lockout policy and requires employees to change their passwords every 30 days.
- SpeakWrite has policies and procedures to prevent unauthorized physical access to workstations that can access PHI while ensuring that authorized employees have appropriate access.
SpeakWrite adheres to the following Technical Safeguards:
- All systems require a unique user name and password to gain access. SpeakWrite desktops implement an automatic lockout policy if left unattended.
- SpeakWrite tracks and logs all movement of information systems and electronic media containing PHI.
- SpeakWrite protects electronically transmitted PHI against improper modification and disclosure by transmitting it over 128-bit SSL/TLS connections, whose record layer authenticates each message as well as encrypting it, and by maintaining audit trails of transmissions.
- All users have a unique user name and password to access our system. All users seeking access are appropriately authenticated before access is granted.