The Final HIPAA Rule on Security Standards was issued on February 20, 2003. The Security Rule complements the Privacy Rule and deals specifically with Electronic Protected Health Information (EPHI). It lays out three types of security safeguards required for compliance: administrative, physical, and technical.
Lockbin was designed with the technical safeguards firmly in mind, to assist your organization in achieving compliance with HIPAA.
Technical Safeguards – controlling access to computer systems and enabling covered entities to protect communications containing PHI transmitted electronically over open networks from being intercepted by anyone other than the intended recipient.
Information systems housing PHI must be protected from intrusion. When information flows over open networks, some form of encryption must be utilized. If closed systems/networks are utilized, existing access controls are considered sufficient and encryption is optional.
Lockbin complies with this requirement by accepting only strongly encrypted SSL connections from sender and recipient. Lockbin uses AES-256 encryption from a FIPS 140-2 validated module, which is approved by the NSA for use by US government employees and contractors for protecting secrets. While in storage on Lockbin servers, the data is completely encrypted, again with AES-256 implemented in a FIPS 140-2 validated cryptographic library.
Covered entities must also authenticate the entities with which they communicate. Authentication consists of corroborating that an entity is who it claims to be. Examples of corroboration include password systems, two- or three-way handshakes, telephone callback, and token systems.
Lockbin authenticates the recipient using a password system. The recipient must be in possession of two crucial pieces of information: the URL of the "locker" where the message is stored, and the password (the key to the locker).
In addition to policies and procedures and access records, information technology documentation should also include a written record of all configuration settings on the components of the network because these components are complex, configurable, and always changing.
Lockbin has prepared a diagram which users can keep in their written records that details Lockbin's role in helping you achieve and maintain HIPAA compliance.
Documented risk analysis and risk management programs are required. Covered entities must carefully consider the risks of their operations as they implement systems to comply with the act. (The requirement of risk analysis and risk management implies that the act’s security requirements are a minimum standard and places responsibility on covered entities to take all reasonable precautions necessary to prevent PHI from being used for non-health purposes.)
Lockbin has prepared a short risk analysis document which users can keep within their written records. It details the risks we perceive to the system and the steps we have taken to mitigate them.
HIPAA Security Rule (45 CFR part 164, subparts A and C).
The Security Rule requires covered entities to safeguard electronic protected health information and permits covered entities to use any security measures that allow them to reasonably and appropriately implement all safeguard requirements. Under 45 CFR 164.312(a)(2)(iv) and (e)(2)(ii), a covered entity must consider implementing encryption as a method for safeguarding EPHI.
"Electronic PHI has been encrypted as specified in the HIPAA security rule by "the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning with the use of a confidential process or key" and such process or key that might enable decryption has not been breached. To avoid a breach of the confidential process or key, these decryption tools should be stored on a device or at a location separate from the data they are used to encrypt or decrypt."
Lockbin does not store your key on its servers. Therefore, the tools necessary to decrypt the data are kept separate from it: you and the recipient control the decryption key (the password) while the data is "at rest" on our server in an encrypted state.
Lockbin’s encryption process also complies with DHHS guidance regarding what is a "valid encryption process for data in motion."
"Valid encryption processes for data in motion are those which comply, as appropriate, with NIST Special Publications 800-52… or others which are Federal Information Processing Standards (FIPS) 140-2 validated."
Lockbin encrypts data on its servers with strong AES-256 encryption, using only a FIPS 140-2 validated cryptographic library which has been issued NIST certificate #2357. Systems claiming to be "FIPS compliant" may not meet DHHS guidance: there is a difference between a "verified" (validated) module and a merely "compliant" one. Demand the use of only FIPS verified modules that have been issued a certificate from NIST.
DHHS guidance also says that EPHI must be destroyed in accordance with NIST Special Publication 800-88, "Guidelines for Media Sanitization."
Lockbin's policy is to destroy content at regularly scheduled daily intervals, and then to perform a secondary wipe of the data on disk. We have implemented a military-grade data destruction system (US DoD 5220.22-M (8-306./E), 3 passes) to comply with this guidance and ensure that protected information is irretrievably destroyed once it is no longer required on our servers. This may be overkill, since the data is already encrypted with AES-256 and never resides on our server in an "unsecured" state.
Breach Notification.
HIPAA rules 45 CFR 164.505(e)(2)(ii)(C) and 164.314(a)(2)(i)(C) require that the covered entity (you) and the business associate (us) establish a contract providing that the business associate report to the covered entity any uses or disclosures of EPHI not provided for by the contract, as well as any security incidents of which we become aware.
Our attorney has prepared a standard contract to satisfy this requirement. If you will be uploading EPHI to Lockbin's servers and are a paying customer, contact us about executing this contract, which states that we will provide notice of a breach of unsecured protected health information without unreasonable delay and in no case later than 60 days following discovery of the breach (Section 164.410(b)).
Should Lockbin's servers be compromised, notification to your patients would not be required, since EPHI does not reside on our server in an "unsecured" state and because it has been protected and later destroyed in accordance with the guidance.
Restricted Access to Lockbin Servers
Lockbin's servers are located in a secure facility operated by Rackspace in Chicago, IL, USA: a world-class physical facility with fully redundant infrastructure and strong security and access-control systems.