HIPAA COMPLIANCE

Securing your patients’ or clients’ protected health information is not only good practice; failing to do so may result in costly fines or even legal action.

The following describes how the HIPAA FORMS Service solution complies with the HIPAA Regulations to protect both you and your patients or clients:

● Section 164.310(d)(2)(iv) “Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment.”
○ No equipment that stores data is moved. Nonetheless, daily back-ups of all data are taken.
● Section 164.310(d)(2)(i) “Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored.”
○ ePHI will be deleted and purged upon request. If an account has been inactive for a number of years, data may be purged from the system; however, a notice will be sent prior to any removal of data.
● Section 164.312(a)(2)(i) “Assign a unique username and/or number for identifying and tracking user identity.”
○ The HIPAA FORMS Service issues a unique license key and id to each account. In addition, the interface method, such as the WordPress plugin, requires a username and password for an account with specific user roles to access data. Any time a user logs in and accesses ePHI, the user id, name and other relevant user data are logged.

● Section 164.312(a)(2)(ii) “Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.”
○ The HIPAA FORMS Service is available from any internet location to anyone with the appropriate credentials. ePHI is only recoverable through a login-protected portal served over an SSL connection.
● Section 164.312(a)(2)(iv) “Implement a mechanism to encrypt and decrypt electronic protected health information.”
○ All communication between users and the HIPAA FORMS Service is sent over SSL encrypted connections and is encrypted prior to transit. Data at rest is also encrypted.
● Section 164.312(b) “Implement hardware, software and/or procedural mechanisms that record and examine activity in information systems that contain electronic protected health information.”
○ Any time ePHI is accessed, the user id, name and other information are logged and retained in our secured storage solution. You and your staff, with the appropriate login credentials and user roles, can access these logs at any time.
● Section 164.312(c)(1) “Implement policies and procedures to protect electronic protected health information from improper alteration or destruction. Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.”
○ In addition to requiring user authentication with password credentials over an SSL secure connection, submitted ePHI cannot be altered, deleted, or destroyed. Even if data is “deleted” by a user, we retain a copy of the encrypted data within our secured HIPAA compliant data storage solution. This data can be recovered by authenticated users on request, or by authorities if an investigation is opened and a request is sent. The HIPAA FORMS Service will require validation of client identity through phone verification, including known details about the client, before purging any data.
● Section 164.312(d) “Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.”
○ All users must provide correct authentication credentials to have access to ePHI, including a secure complex password as well as a valid license key and associated domain. MedForward will require validation of client identity through phone verification, including known details about the client, before any information is given.
● Section 164.312(e)(2)(i) “Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network. Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.”
○ All data is sent solely over a secure SSL encrypted connection, and the data is encrypted prior to transit, which prevents interception of ePHI.
● Section 164.312(e)(2)(ii) “Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.”
○ When transmitted, all data is sent over secure, verified SSL encrypted connections and is also encrypted prior to transit. Data at rest remains encrypted to ensure that datacenter staff cannot access the electronic protected health information. PDF versions of the forms are also encrypted and password protected at generation time, ensuring that the PDF files cannot be intercepted or read without the appropriate password.