The Health Insurance Portability and Accountability Act (HIPAA) was passed to enable better access to health insurance, reduce health care fraud and abuse, and lower the overall cost of health care in the U.S. All covered entities who store patient data electronically must comply with HIPAA. Covered entities are defined as 1) health plans, 2) health care clearinghouses and 3) health care providers (doctors, dentists, etc.). Syntermed's policies and procedures enable covered entities to comply with both the HIPAA Privacy and HIPAA Security Rules.
HIPAA Security Rules
Syntermed complies with all requirements of the HIPAA Security Rule establishing that covered entities must do the following:
Ensure the confidentiality, integrity and availability of all electronic protected health information (ePHI) the covered entity creates, receives, maintains or transmits.
All ePHI is encrypted "in flight" and "at rest" at all times including backups and redundant dataset(s).
Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
All access to ePHI is logged and logs are monitored for interaction deemed "inconsistent" or "out of normal bounds".
Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required.
All ePHI is protected by strict access control mechanisms.
Ensure compliance by the workforce.
All Syntermed employees are required to complete internal HIPAA training and maintain the highest level of compliance when dealing with ePHI.
Maintain a Contingency and Disaster Recovery Plan.
Syntermed maintains a written contingency plan for responding to system emergencies that includes a detailed plan concerning data backup and recovery and related processes in the event of a disaster.
The Syntermed Live server infrastructure is a cloud-based, remotely hosted server farm environment. All incoming and outgoing data to Syntermed Live is transported over an industry-standard secure channel. All communications to/from Syntermed Live are logged, including, but not limited to, machine identifiers, user identifiers, timestamps, data/object identifiers and request types. All data contained within Syntermed Live, including, but not limited to, documents, images, databases, backups and snapshots, are encrypted while in storage ("at rest") as well as in transit ("in flight"). Syntermed agrees that the design and security implementation within Syntermed Live meets or exceeds all HIPAA requirements.
For more details, please refer to the Syntermed Live HIPAA Compliance & Security Overview document. For security reasons, many specific details as to the configuration and management of Syntermed Live are considered proprietary.
For more information about HIPAA, please visit www.hhs.gov/ocr/hipaa.