HIPAA and FISMA COMPLIANCE

SoCal VRI is a privacy-compliant platform that follows best practices in the storage and accessibility of protected health information (PHI), both at rest and in motion. The following is a description of what HIPAA requires, how it relates to SoCal VRI, what we do to maintain HIPAA compliance, and what we advise those who decide to use VRI. The description below extends to FISMA compliance as well. This approach also satisfies the vast majority of California laws addressing consumer and citizen privacy, such as those intended to protect Personally Identifiable Information (PII).

HIPAA Privacy Rule

The Privacy Rule endeavors to protect individuals’ health information by preventing the transmission of PHI over open networks or downloading it to public or remote computers without encryption. This rule is often referenced in conjunction with the term data in motion (data that is transmitted across a network, for example).

Because SoCal VRI does not ask for any protected health information, nor does it record or store audio, video or text chat streams, the risk of transmitting protected health information is low. Interpret San Diego, through its SoCal VRI service offering, nevertheless understands the importance of maintaining HIPAA-compliant practices regardless of data type, and has instituted the following measures:

1. All network transmissions between ‘VRI Direct’ servers and SoCal VRI users are encrypted. Audio, video and text chat streams are encrypted and transmitted using 128-bit ADH and 256-bit SSL encryption. Web request/response actions are transmitted using 256-bit SSL encryption.

2. All network transmissions between ‘VRI Direct’ servers, SoCal VRI, and ‘VRI Direct’ IT personnel are encrypted using key-based SSH authentication.

3. No audio, video or text chat streams are recorded or stored, either temporarily or permanently, by SoCal VRI or ‘VRI Direct’ on any ‘VRI Direct’ servers.

HIPAA Security Rule

The Security Rule requires covered entities such as SoCal VRI and ‘VRI Direct’ to implement administrative, physical and technical safeguards to protect electronic PHI. These safeguards include access controls, data encryption and auditing, applied in a manner commensurate with the associated risk.

Since Interpret San Diego, through its SoCal VRI service offering, does not ask for protected health information and does not record audio, video or text chat streams, SoCal VRI’s associated risk is low. However, both Interpret San Diego and ‘VRI Direct’ remain committed to implementing practices that meet HIPAA requirements:

1. ‘VRI Direct’ servers are hosted in Amazon’s AWS data centers, which are themselves HIPAA-compliant. For more information, please read “Creating HIPAA-Compliant Medical Data Applications with AWS”, which describes Amazon Web Services’ own HIPAA-compliant practices.

2. All remote server access is through key-based, encrypted SSH sessions. This access is also audited using server logs.

3. Physical server access requires multi-factor authentication (password, card reader, handprint/thumbprint authentication) and is audited.

4. Server passwords follow strong password requirements (eight or more characters; no dictionary words; a combination of case-sensitive alphanumeric and symbolic characters) and must be reset several times per year (typically every 90 days).

5. Server access is restricted to ‘Amazon’ IT personnel and ‘VRI Direct’ technical personnel.

Expertise

Eric Clifford, Interpret Orange County’s Chief Operating Officer, is a multi-certified expert in building network infrastructures and in security and privacy compliance within the Department of Defense. He also provides business systems, risk, and information technology consultation to the healthcare and energy sectors. Clients include Accenture, CareFusion, San Diego Gas & Electric, and Southern California Gas. Eric is also a Distinguished Faculty Member at the University of Phoenix’s College of Information Systems and Technology. He currently teaches application development, telecommunications, computer networking, and cybersecurity at seven ground campuses stretching from El Centro to Palm Springs.