HIPAA Statement

HIPAA Notice of Privacy Practices

All users should download and sign the Mediprocity Business Associates Agreement provided on the front page of the website, as required by the HIPAA Final Rule (Business Associate Agreement).

THIS NOTICE DESCRIBES HOW HEALTH INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

This Notice applies to the network owned or managed by Mediprocity, Inc. (“Mediprocity.com”).

Our Legal Duty

State and federal law require Mediprocity, Inc. to maintain the privacy of your health information and to provide you with this notice about our legal duties and privacy practices and your legal rights pertaining to health information.

We reserve the right to change our information practices and to make the changes effective for all protected health information we maintain. Should our information practices change, we will change our Notice of Privacy Practices and make the new Notice available to you.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was designed to protect electronic data pertaining to patient identification and health, and to standardize the process of data interchange. A major component of HIPAA is the “Security Rule”, which includes technical safeguards and their implementation. Technical safeguards are defined in 45 CFR Part 164, § 164.304:

Technical safeguards means the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.

The Security Rule’s technical safeguards do not mandate a specific technology solution but rather employ the adaptable requirement that an entity use any and as many security measures as are reasonable and appropriate. These security measures are required to meet several standards, as described below. Mediprocity meets -- and in many cases exceeds -- these standards while bringing innovative flexibility and features to healthcare users.

Access Control

“Access” is defined in § 164.304:

Access means the ability or the means necessary to read, write, modify, or communicate data/information or otherwise use any system resource.

Mediprocity does not keep non-encrypted patient information on file; only our users keep this on file. Mediprocity does not send patient information. Any health records that are on our website are secured using SSL or fully encrypted and controlled by the user.

The access control standard § 164.312(a)(1) requires that a covered entity must: Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in §164.308(a)(4).

Access controls are designed to provide the appropriate privileges to users accessing data, applications and files. The HIPAA Security Rule describes implementation specifications for the access control standard:

Mediprocity has implemented administrative and technical security control mechanisms, including but not limited to login time-outs, encryption, unique user IDs and logging, to support client compliance with information security regulations and guidelines. Users should be aware that these technical controls operate in combination with user-selected controls implemented on user-owned and operated mobile devices, web browsers and personal computers. Users should implement appropriate access controls on the devices they use to access Mediprocity. When using a browser, users should set a device time-out shorter than the application's own time-out, which is 2 hours. Users on desktops or laptops should set a much shorter time-out that puts the system to sleep and requires a password to resume. As a general recommendation, security controls should be stricter on mobile devices and on any computer located in a publicly accessible area; for example, login time-outs on these devices should be immediate or very short.

Mediprocity sets application timeouts based on typical use models and to accommodate standards across multiple client organizations. Users should set device specific timeouts to match their organization security policies.

Mediprocity is not liable for any harm related to relaxed or absent access control mechanisms on User owned and operated devices including but not limited to mobile phone screen locks or personal computer desktop screen time-outs.

Mediprocity has the ability to monitor and collect reports on failed logins and access auditing. An organization administrator who needs a report on the users associated with their organization may request one from Mediprocity Security, specifying the date range and organization name. The organization admin panel does allow any super admin to invite or deactivate users and to see who is active within their organization. For a detailed report, please contact Mediprocity Support.

Unique user identification § 164.312(a)(2)(i).

Assign a unique name and/or number for identifying and tracking user identity.

Automatic Log-off § 164.312(a)(2)(iii).

Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity. Users of Mediprocity have to enter their password and encryption key after 2 hours of inactivity, and every time the application is re-opened, in order to view or respond to information on the platform.

The mobile apps do not have automatic log-off. iOS does include an extra layer with a user-enabled PIN, but both apps remain in a logged-in state. Mediprocity recommends that all users who use the apps enable a 4-digit PIN on their apps. Should the device running your apps be stolen or lost, you may do one of the following: (a) get to the closest computer, log into your Mediprocity account and change your password; this sends a signal to the lost device for remote log-off. (b) Contact your system administrator to log into your account and change your password to trigger the remote log-off. (c) Contact Mediprocity Support by calling 636-812-0242 or, for immediate response, email Support, and we will update your password and trigger the remote log-out. Mediprocity Support can also check whether your app was accessed during the time period you specify for the lost device.

Encryption and decryption § 164.312(a)(2)(iv).

Implement a mechanism to encrypt and decrypt electronic protected health information.

To protect sensitive health information from unauthorized access, all data on the Mediprocity network is protected using the Secure Sockets Layer (SSL) protocol. All data encrypted on our platform uses triple-layer end-to-end encryption: 256-bit Advanced Encryption Standard (AES) encryption for message data both in motion and at rest, and 4096-bit RSA encryption for key exchange between members of a conversation.

Additionally, Mediprocity applies a further private layer of encryption, proprietary to our company, on top of AES-256.

Audit Control

The audit control standard § 164.312(b) requires that a covered entity must:

Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.

Mediprocity records and examines network activity to protect users, technical infrastructure and electronic health information from security violations.

Mobile Device Security:

No PHI is stored locally on mobile devices without encryption. Users with a mobile device can keep themselves logged in, but Mediprocity recommends that mobile users log out of their mobile app after each use to prevent any data breach. In the event of a lost or stolen mobile device, Mediprocity can lock the user's account from the main platform. Users can also log in and, under My Account - Preferences, send an automatic log-off signal to that device and/or installed app by changing their password. This sends a signal to the registered device and logs it out automatically, rendering all PHI on that device unusable.

Integrity

“Integrity” is defined in § 164.304:

Integrity means the property that data or information have not been altered or destroyed in an unauthorized manner.

Mediprocity archives all messages and referral content for 6 years, as required by applicable standards.

The integrity standard § 164.312(c)(1) requires that a covered entity must: Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.

Mediprocity protects the integrity of electronic health information on its secure platform via end-to-end encryption and decryption of communication between users over the SSL protocol.

Person or Entity Authentication

The person or entity authentication control standard § 164.312(d) requires that a covered entity must:

Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.

To verify identity upon website access, Mediprocity authenticates with either login or registration. Existing user login requires a username, password and encryption key.

Mediprocity makes daily backups of all our data, and we also make 2-week offsite HIPAA-controlled backups of all data. Mediprocity has a full Disaster Recovery plan per §164.310(d) in place. Although Mediprocity does have redundancy and load balancing in place, should a serious disaster arise it could take up to 24 hours to fully bring the system back online. The disaster recovery plan includes provisions for proper backups.

We welcome any additional questions, ideas or feedback at Mediprocity Support.


Mediprocity User DO and DO NOT Policy

By creating an account on Mediprocity and using the service, you have bound yourself to this policy and will observe it and report abuse to Mediprocity.

DO:

  • Comply with all applicable laws, including, without limitation, state and federal patient privacy laws, intellectual property laws, export control laws, tax laws, and regulatory requirements
  • Provide accurate information to us and update it as necessary
  • Review and comply with our Privacy Policy, Terms & Conditions and HIPAA Standard
  • Review and comply with notices sent by Mediprocity concerning the Services
  • Disclose any potential conflicts-of-interest, such as consultant fees (e.g. promoting "off-label" use) as appropriate
  • Use the Services in a professional manner.

DO NOT

  • Act dishonestly or unprofessionally, including by posting inappropriate, inaccurate, or objectionable content to Mediprocity
  • Publish inaccurate information in the designated fields on the profile form (e.g., do not include a link or an email address in the specialty field). Please also protect sensitive personal information such as your email address, phone number, street address, or other information that is confidential in nature
  • Harass, abuse or harm another person, including sending unwelcome communications to others using Mediprocity
  • Upload a profile image that is not your likeness or a head-shot photo
  • Use or attempt to use another's account without authorization from the user, or create a false identity on Mediprocity
  • Make statements that are false, libelous, abusive, obscene or discriminatory.
  • Upload or provide links to spam, junk mail, viruses, chain letters or pyramid schemes.
  • Reverse engineer, decompile, disassemble, decipher or otherwise attempt to derive the source code for any underlying intellectual property used to provide the Services, or any part thereof
  • Infringe or use Mediprocity's brand, logos and/or trademarks, including, without limitation, using the word "Mediprocity" in any business name, email, or URL or including Mediprocity's trademarks and logos, except as expressly permitted by Mediprocity
  • Attempt to or actually override any security component included in or underlying Mediprocity.
  • Interfere with or disrupt Mediprocity servers, databases or mobile applications.

Any of the DO NOT infractions shall be considered a trespass and computer fraud and/or abuse and will be prosecuted to the full extent of State and Federal law.

Any complaints or abuse reports should be directed to the following:

Mediprocity, Inc.
Attn: Legal
714 Spirit 40 Park Drive, Suite 140
Chesterfield, MO 63005
Mediprocity Support: (636) 812-0242