At ZenSpaceApp we are committed to ensuring that our customers are protected from becoming victims of fraud and abuse.
We have implemented HIPAA security guidelines wherever ePHI is in transit or at rest. At rest refers to the devices on which ePHI has been saved (cloud servers, databases), and in transit refers to any electronic communication (video, messaging, file transfer).
At ZenSpaceApp we have implemented the following safeguards as required by the HIPAA Security Rule:
45 CFR § 164.308 - Administrative safeguards.
The Security Rule states that administrative safeguards are “administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect ePHI and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.”
The administrative safeguards consist of:
The Security Management Process
The Security Management Process covers the implementation of policies and procedures to prevent, detect, contain, and correct security violations.
Implementation specifications:
- Risk analysis: A risk analysis is a procedure by which the entire organization is assessed for potential security vulnerabilities and risks to the confidentiality, integrity, and availability of electronic protected health information (ePHI) held by the covered entity. We believe we are part a security company and part a healthcare company: we are entrusted with sensitive data, and we conduct every aspect of our work with security as the highest priority. Staff and engineers who come into contact with ePHI are given strict guidelines on how a given piece of data is to be handled.
- Risk Management (Required): Once a risk analysis has been conducted, and all potential security vulnerabilities identified, the covered entity must then implement security measures sufficient to reduce those risks and vulnerabilities to a reasonable and appropriate level. We have not identified any security vulnerabilities thus far, but we are constantly improving our manual and automated testing to catch any vulnerabilities before they manifest.
- Sanction Policy (Required): A sanction policy must be put in place to allow the covered entity to take action against workforce members who fail to comply with the security policies and procedures of the covered entity. When we hire people, we make the importance of security at our workplace crystal clear. We train them in our security processes and procedures, so we hope we never have to sanction anyone. If we do find anyone in breach of protocols, they will have to retake the HIPAA Security and Privacy Rules training and ensure that processes are not skipped.
- Information System Activity Review (Required): It is essential that all covered entities implement a system – preferably automated – that logs activity relating to ePHI, in particular any requests to access patient records or make amendments to ePHI. Audit logs must be created, and the system must be capable of generating security incident tracking reports. We have a Business Associate Agreement (BAA) with Amazon Web Services (AWS) and Google Cloud, where the ZenSpaceApp application is hosted and deployed. Both of these cloud service providers support HIPAA compliance, as described in their documentation. They also provide logging and auditing capabilities to identify any potential breach or malicious activity. Additionally, all sensitive data is encrypted before being stored on these cloud servers (databases), rendering it useless without the matching cryptographic keys.
Assigned Security Responsibility
A HIPAA security officer should be appointed and given responsibility for the development and implementation of HIPAA policies and procedures relating to data security.
Implementation specifications:
Rupesh Pandey is responsible for the development, implementation and adherence to HIPAA Security and Privacy rules.
Workforce Security
Policies and procedures to ensure members of the workforce have appropriate access to ePHI, as required under the Information Access Management standard, while others must be prevented from viewing ePHI.
Implementation specifications:
- Authorization and/or Supervision (Addressable): Policies must be developed and procedures implemented which allow users to be granted authorization to access or amend ePHI commensurate with their position.
No individual/employee at ZenSpaceApp has access to, or can amend, any ePHI due to its encrypted nature. ePHI can only be amended by clients using our mobile apps.
- Workforce Clearance Procedure (Addressable): A clearance procedure must exist that assesses whether the level of access to ePHI an individual workforce member needs to perform his or her duties is appropriate. All access to ePHI is via secured programming endpoints. Database access is limited to administrators, and they cannot view ePHI since the stored data is encrypted.
- Termination Procedures (Addressable): Just as procedures must be developed to grant users access to essential ePHI, procedures must also be in place to terminate those access rights when they are no longer required, such as following a change in the individual’s duties or after the termination of an employment contract.
Information Access Management
The fourth standard covers the management of access to ePHI by members of the workforce who need to view, amend or update ePHI as part of their daily duties. Controlling access is an essential element of data security that limits the potential for accidental or deliberate disclosure of PHI to non-authorized individuals, while also limiting the possibility of erasure or alteration of ePHI.
Implementation specifications:
- Isolating Healthcare Clearinghouse Functions (Required): ZenSpaceApp does not perform any functions of a clearinghouse.
- Access Authorization (Addressable): This specification is similar to that stated in the Workforce Security section, but instead of determining access rights, Access Authorization requires policies and procedures to be implemented for granting access to ePHI, such as through a particular workstation or for specific transactions, programs, processes, or other mechanisms. No function at ZenSpaceApp requires any direct interaction with patient ePHI.
- Access Establishment and Modification (Addressable): A covered entity must implement policies and procedures that, based upon the entity’s access authorization policies, establish, document, review, and modify a user’s right of access to a workstation, transaction, program, or process.
Security Awareness and Training
One of the most important elements of the administrative safeguards is the provision of training on the HIPAA Security and Privacy Rules, not only for staff who are granted access to ePHI or may otherwise come into contact with it, but for all members of the workforce, including management.
Implementation specifications:
- Security Reminders (Addressable): The provision of training ensures the workforce is fully aware of the HIPAA Privacy and Security Rules; however, policies frequently need to be updated and these changes must be communicated to staff. It is also important to provide the workforce with reminders on the importance of data security, policies and procedures. All reminders are documented and introduced to staff members when they join the workforce. All security measures dealing with architecture and programming activities are also well documented. We are constantly evaluating and improving our security processes and implementation.
- Protection from Malicious Software (Addressable): All members of the workforce must receive training to help them identify potentially dangerous software, and staff should be aware of how, and to whom, they should report the potential installation of malicious software. This includes developing policies that restrict how the Internet is used and what can be downloaded. All of our software is hosted on Amazon Web Services (AWS) and Google Cloud, with whom we have a Business Associate Agreement (BAA), and the necessary security precautions to detect malicious software are in place on those platforms. All of our employee workstations are kept up to date with security updates.
- Log-in Monitoring (Addressable): Procedures must be developed for monitoring log-in attempts and reporting discrepancies. A system must be in place that can log access attempts, such as multiple attempts to gain access to ePHI using incorrect passwords or usernames. ePHI cannot be accessed by any individual or employee even if they gain access to usernames. Using incorrect passwords likewise has no bearing on accessing ePHI.
- Password Management (Addressable): Procedures must be developed to cover creating, changing, and safeguarding passwords used to access ePHI.
Rolling passwords are used and employees are advised how to safeguard passwords and scripts where these passwords are used.
Security Incident Procedures
Covered entities must implement procedures that allow security incidents to be reported quickly, and to the appropriate personnel.
There is only one implementation specification:
- Response and Reporting (Required): This specification states that all HIPAA-covered entities must be able to “identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes.” Our security officer is the primary contact, internally and externally, for reporting an incident. He is then responsible for taking remedial measures to mitigate the threat and for notifying the affected parties. These incidents are documented to prevent future incidents and strengthen our systems, and the documentation is available upon request.
Contingency Planning
Access to ePHI must be maintained at all times, even during emergencies, and procedures must be developed to ensure that this is the case. Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain ePHI.
Implementation specifications:
- Data Backup Plan (Required). Entities must establish and implement procedures to create and maintain retrievable exact copies of ePHI. We take daily database backups, which allow us to recover data in the event of a threat or ransomware attack without any disruption to our services.
- Disaster Recovery Plan (Required). HIPAA-covered entities must establish and implement procedures to restore any loss of data, and this plan must be reviewed, revised, and tested frequently. This is achieved by following the data backup plan.
- Emergency Mode Operation Plan (Required). Even during a power outage or other emergency situation such as a server malfunction, procedures must exist to ensure the continuation of critical business processes and the protection of ePHI while a covered entity is operating in emergency mode. AWS and Google Cloud provide the tools to retrieve data, to ensure business processes are not affected for too long, and to bring the APIs and applications back up in a controlled manner.
- Testing and Revision Procedures (Addressable). All Contingency Plan implementation specifications must be subjected to tests to ensure data can be restored. Emergency operational procedures must similarly be subjected to live tests to ensure they are effective. These tests should be conducted on a regular basis, and policies and procedures revised as appropriate. We maintain application health and security through rigorous internal testing (manual and automated) before every deployment of our software.
- Applications and Data Criticality Analysis (Addressable). Covered entities are required to “Assess the relative criticality of specific applications and data in support of other contingency plan components.” AWS and Google Cloud provide the necessary tools to restore data in a secure manner.
Evaluation
This standard covers the monitoring and evaluation of all security measures to ensure they continue to offer the appropriate level of protection to keep ePHI secure.
We are constantly evaluating our security procedures and upgrading our coding practices to employ the best technology available to secure patient ePHI.
Business Associate Contracts and Other Arrangements
A covered entity, in accordance with § 164.306 [the Security Standards: General Rules], may permit a business associate to create, receive, maintain, or transmit ePHI on the covered entity’s behalf only if the covered entity obtains satisfactory assurances, in accordance with § 164.314(a) [the Organizational Requirements], that the business associate will appropriately safeguard the information.
We have Business Associate Agreements (BAAs) with Amazon Web Services (AWS) and Google Cloud, as all of our software is deployed on their platforms.
45 CFR § 164.310 - Physical safeguards.
The physical safeguards are a set of rules and guidelines outlined in the HIPAA Security Rule that focus on physical access to ePHI and how PHI is stored. There are four standards in the physical safeguards:
Facility access controls
Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.
Implementation specifications:
- Contingency operations (Addressable). Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency. N/A. ZenSpaceApp does not own or operate any facilities.
- Facility security plan (Addressable). Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft. N/A. ZenSpaceApp does not own or operate any facilities.
- Access control and validation procedures (Addressable). Implement procedures to control and validate a person's access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision. N/A. ZenSpaceApp does not own or operate any facilities.
- Maintenance records (Addressable). Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors, and locks). ZenSpaceApp does not own or operate any facilities. All of our equipment for development and testing is secured and kept up to date with software updates.
Workstation use.
Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information.
Only authorised personnel have access to our machines and equipment.
Workstation security.
Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users.
All development work and handling of patient health information is performed on secured equipment and over encrypted lines.
Device and media controls.
Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility.
Implementation specifications:
- Disposal (Required). Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored. ePHI is never stored locally on any machine, only in the cloud, and is accessed using web services.
- Media re-use (Required). Implement procedures for removal of electronic protected health information from electronic media before the media are made available for re-use. ePHI is never stored locally on any machine, only in the cloud, and is accessed using web services.
- Accountability (Addressable). Maintain a record of the movements of hardware and electronic media and any person responsible therefor. We employ the logging capabilities provided by AWS and Google Cloud to ensure only authorised users can access this information.
- Data backup and storage (Addressable). Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment. Data is stored in the cloud, is regularly backed up, is easily retrievable, and is not tied to any particular equipment.
45 CFR § 164.312 - Technical safeguards.
Technical safeguards in the HIPAA Security Rule exist to protect communications containing PHI when they are transmitted electronically over open networks. The Security Rule technical safeguards concern the technology and related policies and procedures that protect ePHI and control access to it, and they apply to all forms of ePHI.
The technical safeguards consist of:
Access control
Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in § 164.308(a)(4).
Implementation specifications:
- Unique user identification (Required). Assign a unique name and/or number for identifying and tracking user identity. A unique identifier is generated for every user (patient, provider, admin) who creates an account with ZenSpaceApp.
- Emergency access procedure (Required). Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency. PHI is backed up daily, and in the event of an emergency it would be trivial for us to switch data sources for PHI.
- Automatic logoff (Addressable). Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity. ZenSpaceApp uses short-lived tokens that need to be refreshed frequently for accessing PHI.
- Encryption and decryption (Addressable). Implement a mechanism to encrypt and decrypt electronic protected health information. ePHI is encrypted using 256-bit encryption while in transit (TLS) and at rest (symmetric and asymmetric key cryptography).
Audit controls
Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
Logging capabilities provided by AWS and Google Cloud, together with custom ZenSpaceApp logging, are used to monitor the application's footprint.
Integrity
Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.
Implementation specification:
PHI cannot be deleted or modified by unauthorized users. Only the patient and the provider can read or write this data.
Person or entity authentication.
Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
Users are verified via email or multi-factor authentication using a phone number. Once verified, authenticated users access the PHI using their email/password or phone number/one-time-password combinations.
Transmission security
Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.
Implementation specifications:
- Integrity controls (Addressable). Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of. PHI is encrypted first and then transferred using TLS (256-bit encryption). Data in flight is therefore not exposed to modification or tampering.
- Encryption (Addressable). Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate. PHI is encrypted while in transit and at rest using 256-bit encryption.
Policies and procedures.
Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in § 164.306(b)(2)(i), (ii), (iii), and (iv). This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirements of this subpart. A covered entity or business associate may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart.
We have documented our Notice of Privacy Practices (NPP) and security procedures online and here.
Documentation.
Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form; and if an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment.
Implementation specifications:
- Time limit (Required). Retain the documentation required by paragraph (b)(1) of this section for 6 years from the date of its creation or the date when it last was in effect, whichever is later. Documentation will be stored for at least 6 years.
- Availability (Required). Make documentation available to those persons responsible for implementing the procedures to which the documentation pertains. All documentation is available internally, and online for public consumption.
- Updates (Required). Review documentation periodically, and update as needed, in response to environmental or operational changes affecting the security of the electronic protected health information. Staying up to date with HIPAA compliance is our top priority.