Support – SpeakWrite Security


SpeakWrite’s Security Record


Since 1997, SpeakWrite has never had a breach of security or an issue surrounding confidentiality. We take every precaution to ensure that work submitted and received through our secure channels is not accessible by anyone outside the SpeakWrite network. We take security seriously and hold the highest standards in the industry. If you can think of a precaution we haven’t taken, email us; we’d love to hear it.

SpeakWrite uses a combination of three standard security approaches: authentication, authorization and encryption.

Typist Security and Confidentiality


    Secure Network of Typists

    Our typists are based in the United States and are geographically dispersed throughout the country. SpeakWrite does not use any offshore resources. Before a typist is accepted into our network, we review their employment history and require them to sign Nondisclosure and Confidentiality Agreements. After acceptance into our network, they receive further HIPAA training and internal review. Jobs are assigned at random to ensure that no typist receives multiple jobs about the same case or subject. A typist’s identity is never available to other typists, and customer contact information is never available to the typist.

    Background Checks

    All SpeakWrite Typists and Proofreaders are subjected to background checks, which they must pass before ever gaining access to any client work.

SpeakWrite’s 3-pronged Security: Authentication, Authorization and Encryption.


    Authentication
    Authentication is confirming the identity of an individual. The two major groups requiring authentication in the SpeakWrite system are customers and typists. Clients are authenticated using their Account Number and PIN when they use the toll-free dictation line or at Customer Login. Typists are authenticated at multiple steps in the transcription process, ensuring a high level of security.
    Authorization
    Authorization is confirming that an individual has access to a particular resource. The SpeakWrite security model uses authorization to verify client access upon logging in and to verify which functionality is available. For typists, authorization is used to verify that they have been assigned a job and to verify the authority of a typist to download job information and upload finished documents.

    Encryption and SSL Encryption
    Encryption creates a secure channel between the user’s web browser and the SpeakWrite servers and prevents eavesdropping, message tampering and message forgery. SpeakWrite uses 2048-bit keys with a 256-bit algorithm when sending and receiving files over the Internet. This includes customer uploads of audio, client downloads of completed jobs, customers viewing and updating personal information, and the upload and download of customer jobs to our network of typists.

Password Protected Documents


    For extra security, customers can receive work via a password-protected URL. This feature can be activated by going to Customer Login and clicking ‘Preferences’ at the top right of the page.

SpeakWrite and HIPAA Compliance


Safeguarding client data, including Protected Health Information (PHI), is a top priority at SpeakWrite. Our privacy & security policies and procedures adhere to the Health Insurance Portability and Accountability Act (HIPAA) of 1996 as outlined below.

The HIPAA Privacy Rule


SpeakWrite does not facilitate health care treatment, payment or operations for our clients but does process client dictations and documents that contain Protected Health Information (PHI).

Therefore, we approach HIPAA’s Privacy Rule with the level of emphasis that is expected from all business associates of covered entities.

Specifically, we use appropriate safeguards to prevent unauthorized use or disclosure of PHI. In addition to maintaining strict technical standards under the HIPAA Security Rule, SpeakWrite employees and typists must master an extensive set of procedures which includes information pertaining to security, privacy and confidentiality. Examples of activities that are specifically prohibited include:

  • Disclosing any client information, including PHI, for any purpose
  • Discussing client information in public or private with any person for any reason
  • Attempting to contact or contacting clients or anyone connected to them for any reason
  • Generating written or printed copies of any client work
  • Maintaining any computer file or other record of client materials
  • Leaving client information open to view by unauthorized persons

In addition, we:

  • Document the permitted and required uses of PHI, as required by the Privacy Rule
  • Contractually agree that SpeakWrite will not use or further disclose the PHI other than as permitted or required by the contract or as required by law

SpeakWrite educates all employees and typists on the importance of protecting client information. All SpeakWrite employees and typists take HIPAA training, and sign confidentiality agreements that reinforce our privacy policies and procedures.

The HIPAA Security Rule


This rule concerns security of Electronic Protected Health Information. There are three types of security safeguards outlined in HIPAA: Administrative, Physical and Technical.

    Administrative Safeguards
    SpeakWrite adheres to the following Administrative Safeguards:

    • SpeakWrite has a Privacy Officer to develop HIPAA-related policies and monitor and enforce compliance with those policies by SpeakWrite employees and typists. The Privacy Officer oversees the implementation of HIPAA and security awareness training for employees and typists, as well as prevention, detection, containment and correction of security violations. The Privacy Officer, in conjunction with the VP of Technology, continually assesses and manages security risks in accordance with SpeakWrite’s risk management procedures.
    • The SpeakWrite system restricts access to PHI to individuals who have the required access authority and appropriate clearances.
    • SpeakWrite has policies and procedures for employee roll-on and terminations and monitors access on an ongoing basis.
    • Both our clients and our typists require authentication in the system. Clients are authenticated using their Account ID and PIN when they use the toll-free dictation line or log in to the web site. Typists are authenticated at multiple steps in the transcription process to increase the level of security.
    • Our security model uses authorization to verify client access upon logging in and to verify which functionality is available to that particular client. For typists, authorization is used to verify that they have been assigned a job and to verify the authority of a typist to download job information and upload finished documents.
    • We maintain virus protection software on all servers to detect malicious software.
    • SpeakWrite tracking mechanisms monitor each log-in and authentication to our system.
    • We do not permit the sharing of passwords or email passwords. We revoke Employee User IDs that have not been used for a period of 60 days. All employees are required to change their passwords every 30 days.
    • SpeakWrite has policies and procedures regarding incidents and notification to clients. In the event of attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations, SpeakWrite will:
      1. Assess the incident in terms of our risk management plan and procedures
      2. Notify the covered entity/client and any other affected parties immediately of the incident and any impacts
      3. If the cause of the security incident is human-based, adhere to sanction and/or termination policy
    • SpeakWrite has a full business continuity plan and maintains comprehensive contingency plans including the following:
      1. SpeakWrite continually transports data to a parallel disaster recovery environment that is geographically separate from our production environment. In case of a disaster, SpeakWrite has a disaster recovery plan with detailed procedures on moving operations to the disaster recovery site. Both the production and disaster recovery sites are located in hosted and managed data centers.
      2. We have multiple redundancies in place as contingencies in case of power failure, internet failure or WAN failure.
      3. We have additional phone lines available and activate them as needed to handle any increased call volume with no interruption of service.
      4. SpeakWrite maintains a minimum cushion of available server storage space necessary to provide services at several times our current volume. Our technical staff uses automated monitoring tools to constantly evaluate capacity and increase it as necessary.
      5. We have an Emergency Mode Operation Plan in place with contingencies for multiple scenarios.
    • SpeakWrite implements a security audit on all system changes and continually monitors and updates security controls and processes in order to document compliance with its own security policies and the HIPAA Security Rule.
    • As a business associate of covered entities, we adhere to the covered entity’s contract requirements and provisions. We contractually agree that SpeakWrite will not use or further disclose the PHI other than as permitted or required by the contract or as required by law.
    Physical Safeguards
    SpeakWrite adheres to the following Physical Safeguards:

    • SpeakWrite’s production and disaster recovery environments are located in geographically dispersed collocation facilities with redundant power (grid, battery and generator power), HVAC, and networks. The collocation facilities maintain physical security including card access, locking server racks, monitoring via closed-circuit television, man traps and biometric access.
    • SpeakWrite implements a workstation lockout policy and requires employees to change their passwords every 30 days.
    • SpeakWrite has policies and procedures to prevent unauthorized physical access to workstations that can access PHI while ensuring that authorized employees have appropriate access.
    Technical Safeguards
    SpeakWrite adheres to the following Technical Safeguards:

    • All systems require a unique user name and password to gain access. SpeakWrite desktops implement an automatic lockout policy if left unattended.
    • SpeakWrite tracks and logs all movement of information systems and electronic media containing PHI.
    • SpeakWrite ensures that electronically transmitted PHI is not improperly modified by implementing 128-bit secure socket layer encryption and audit trails.
    • All users have a unique user name and password to access our system. All users seeking access are appropriately authenticated before access is granted.