HIPAA Compliance Guide

AngelTrack is HIPAA-compliant software, and the server provided for you is secured in a HIPAA-compliant manner (physically secured with visitors logged). But HIPAA-compliant software is not enough; you must have a HIPAA-compliant organization, built on top of AngelTrack's HIPAA-compliant foundation.

There are three aspects of HIPAA compliance: the "Security Rule" governing computer systems used to store patient data, the "Privacy Rule" governing the release of patient data to third parties, and the recent "HITECH Act" which grants patients the right to demand electronic copies of their records.

Compliance with the HIPAA Security Rule

The HIPAA "Security Rule" mandates protection of patient data when stored electronically. AngelTrack complies with the provisions of the Rule, provided that your organization practices good computing hygiene on the computers used to access AngelTrack.

Password security

First and foremost, instruct all employees in password confidentiality. Employees should understand that not only should they keep their own password a secret, but they should also actively avoid knowing another employee's password. When employee X knows employee Y's password, employee Y can conduct malicious activities and then blame employee X for it, but most employees who know another's password have not realized this hazard.

Second, instruct employees to make use of AngelTrack's password strength indicator (displayed on the page where employees set/change their password) in order to choose a strong password. And keep AngelTrack's password expiration interval low -- perhaps 180 days.

Third, write and publish a firm company policy enforcing password confidentiality. Anyone caught sharing passwords, or writing their password down on paper, should be harshly disciplined.

Securing company-owned wireless networks

Follow these guidelines in securing the company's wireless networks:

Securing company-owned workstations

Follow these guidelines in securing the company's computer workstations:

Securing mobile devices

Securing company email

If your crews need to send their run reports directly from their mobile devices to an ER, the best way to do so is a fax-over-internet app. That way, the faxes arriving at the ER will be stamped with the recipient's fax number, and so the ER can be held responsible for any leaked HIPAA-protected data.

If that is not practical, and you must email the reports instead, then use a HIPAA email provider that offers message expiration. The message expiration feature is critical, so that HIPAA-protected data does not accumulate in the recipient's inboxes, nor in the sentmail folders of your crews' mobile devices. The email provider should also provide auditing of sent messages, in case the recipient accidentally leaks the HIPAA-protected data and then blames EMS for it*.

One such service, among others, is Protected Trust, which offers low-cost monthly subscriptions to the service. (AngelTrack LLC has no affiliation with that service, or with any other commercial email services.)

Forbid employees from using personal email accounts to send PCR run reports and other HIPAA-protected data under any circumstances. If you have neither a fax-over-internet solution nor a protected email solution as outlined above, then your dispatchers should perform all faxing tasks on behalf of the crews; remember, dispatchers have access to the live PCR data just as soon as the crews create it.

*This is always a possibility, because an electronic .PDF run report cannot say how many hands it has passed through by the time it leaked.

AngelTrack's responsibilities

AngelTrack holds all of your HIPAA-encumbered data, so it has certain responsibilities under HIPAA. To learn how AngelTrack is secured to comply with HIPAA, read AngelTrack's Security Features Guide.

Compliance with the HIPAA Privacy Rule

The HIPAA "Privacy Rule" regulates the release of patient information to third parties. Patients must give their consent before any personally identifiable information can be disseminated outside your organization. To an EMS company, the Rule boils down to just two ideas:

All employees should be trained in the HIPAA Privacy Rule. The initial lectures are available on DVD, and you can post periodic refresher messages on station doors to remind employees how patient data should be treated. AngelTrack has a certificate type called "HIPAA Compliance Training" which you can use to record who has received formal training, and to check who is due for a refresher.

Securing printed materials

Printed materials containing patient information should be treated as hazardous waste:

This is a mindset that should be inculcated in all employees. Many of your crews will be coming over from paper-based EMS services, where they were taught a cavalier attitude about printed materials. As a result, they carelessly leave run reports and face sheets in ambulances, in regular trash cans, and in clipboards lying around the station. Such behavior must be reprimanded whenever it occurs. Train your supervisors in this policy, and make it clear that you expect them to lead by example.

[Image: Locking document box]

Next, take steps to secure printed materials at crew stations:

[Image: Electronically locked doorknob]

...and at headquarters:

Securing digital photographs

AngelTrack makes extensive use of the digital cameras in your mobile devices -- including personal devices used in the line of duty. Over time, the devices' camera rolls will fill up with HIPAA-protected data, which creates a HIPAA exposure.

The first line of defense against this exposure is the lock code, which prevents an attacker from casually accessing your mobile devices. As already noted, the lock code should be configured to wipe the device after ten unsuccessful attempts to unlock the device.

The second line of defense is a policy of regular deletion of camera rolls on all mobile devices -- including personal devices. The difficulty is getting employees to remember to clear their camera rolls on a regular basis. Consider adding an item to the daily or weekly checklist to prompt them to take care of it.

Fortunately there are mobile apps for quickly clearing out the camera roll on a mobile device. The Bulk Delete app for iOS or the Photo Delete app for Android, among many similar apps, make the process quick and easy.

Guaranteeing accountability

AngelTrack's HIPAA accountability features keep track of who is accessing your HIPAA-encumbered data. These features depend on your organization to follow and enforce these simple rules:

  1. Do not share AngelTrack employee accounts, or permit anyone else to do so.
  2. Do not allow anyone to tell you their password. If you know someone's password, they can later claim you used it to log in under their account.
  3. Do not allow anyone to use an anonymous account such as the built-in Administrator account. That account is used to create, modify, deactivate, and reactivate other accounts. It should not be used for any other purpose!

The above rules guarantee that AngelTrack will later be able to provide full accountability for all data accesses and modifications.

If a data leak does occur, the Data Leak Forensics Guide shows how to trace it back to a specific employee.

Tracking Your Crews' HIPAA Training

AngelTrack has a built-in certificate type for HIPAA training. Award it to employees who finish the company HIPAA training program, and set its expiration date for two years in order to remind them to watch a refresher video.

You can then pull the Crew Certificates Overview report under HR Home to check -- or to prove to a compliance auditor -- that all crew members have received proper HIPAA training.

Compliance with the HITECH Act

The HITECH Act of 2009 amends HIPAA to give patients the right to demand copies of their medical records -- in electronic format -- from medical service providers. AngelTrack makes it easy to fulfill such demands, should you ever receive one:

  1. Access AngelTrack, and visit either the Dispatch home page or the Billing home page.
  2. Click Patients List.
  3. Locate and open the record for the patient in question, using the search fields as needed.
  4. Select the "History" tab. Use the date controls to view the date range specified in the demand letter.
  5. Click the checkbox in the upper-left corner of the grid, causing all records in the grid to be checked.
  6. Click the "Export Checked Runs as .PDFs" button. AngelTrack downloads a .ZIP file to you, containing .PDFs of all selected dispatches, plus a summary .XML file viewable in Microsoft Excel.
  7. Burn the data to a CD or thumb drive and then mail it to the patient. Or, use a secure dropbox service to post the data online for the patient to privately download.

Tracking Down a Data Leak

If you receive a complaint that HIPAA-encumbered data from your operation has turned up in a public place, AngelTrack has accountability tools to help you track down the originator of the leak.

Read the Data Leak Forensics Guide to learn more.
