HIPAA Compliance

We Take an Active Interest in Our Client’s HIPAA-Readiness

Regarding HIPAA compliance, at DiVA Solutions we are aware that this is an important and often complex consideration. DiVA is a HIPAA-compliant software and maintains compliance with HIPAA security standards related to Electronic Protected Health Information (EPHI).

We take HIPAA compliance seriously and regularly review the latest legislation for any changes that may affect software-related compliance. We also take an active interest in our client’s HIPAA-readiness, as much of the compliance requirement falls to the organization. While many of our clients already have internal HIPAA compliance assessment and procedural documentation in place, we recommend a review of this Department of Health and Human Services (HHS) document as a valuable supplemental reference for your company. It contains a valuable Security Standards Matrix which can be very helpful to organizations for internal assessment and development of HIPAA documentation.

DiVA, being a document management system, does not process HIPAA-applicable transactions (claims, encounter information, payment and remittance, claims status inquiries, eligibility inquiries, referral and authorization inquiries, etc.) and therefore the security requirements for this area are not relevant. This requirement typically falls to an existing HIPAA-compliant medical billing software that functions to transmit any electronic health information in connection with transactions for which HHS has adopted a standard.

DiVA does allow access (internal and/or external) to EPHI data, and therefore is compelled to meet HIPAA security risk requirements. The table below discusses how we have addressed this:

Risk	DiVA Compliance
Protecting Login/Password Information	DiVA is Active Directory Integrated providing considerable authentication security. Additionally, security for remote access to DiVA can be augmented by implementing two-factor authentication, such as the deployment of VPN access.
Authorized Access to EPHI	In addition to granting general access to DiVA via Active Directory permissions, DiVA maintains internal user and group roles that govern access to and usage of DiVA functions. In the event that network logon/password information was lost or stolen, access to EPHI data would still be controlled by the DiVA administrator.
Unattended Workstations	DiVA is a completely web-based application and employs timed session termination (time-out) on inactive sessions/connections.
Unauthorized Access to EPHI Data Due to Lost or Stolen Local, Remote or Portable Devices	All DiVA data is stored centrally in secure network and SQL database locations. No data is stored on local devices. Access can further be controlled via company network policies that require remote thin-client access.
Use of external device to access corporate data resulting in the loss of operationally critical EPHI on remote devices.	All DiVA data is stored centrally in secure network and SQL database locations. No operationally critical or EPHI data is stored on local devices.
Loss or theft of EPHI data left on devices after inappropriate disposal.	All DiVA data is stored centrally in secure network and SQL database locations. No data is stored on local devices. Access can further be controlled via company network policies that require remote thin-client access.
Contamination of systems by a virus introduced from the internal network or remote device.	Not a function of the software. Company policies must ensure the installation of virus-protection software on all local, portable or remote devices.
Data intercepted or modified during transmission.	DiVA’s architecture prevents the modification of the original stored document. Company policy must prohibit transmission of EPHI via open networks, such as the Internet, where appropriate, which can be accomplished via the use of more secure connections and appropriately strong encryption solutions for transmission of EPHI (e.g. SSL, HTTPS etc.). SSL should be a minimum requirement for all Internet-facing systems which manage EPHI in any form, including corporate web-mail systems.