Security

The security norms for the information gathered follow the focus of the Security rule: the confidentiality, integrity, and availability of electronic protected User information (ePHI) that the HopeQure University covered components create, access, transmit or receive.
ePHI is any Protected Health Information that is stored, accessed, transmitted or received electronically.

Privacy vs Security

HIPAA regulations cover both security and privacy. Security and privacy are distinct, but related.
The Privacy rule emphasizes an individual’s right to manage the use of their personal information. Protected Health Information (PHI) should not be disclosed or used by others against their will. The Privacy rule maintains the confidentiality of PHI in all formats, including electronic, paper and oral. Confidentiality is the assurance that information is safeguarded from unauthorized disclosure. The physical security of PHI in all formats is an element of the Privacy rule.
The Security rule emphasizes the technical, administrative and physical safeguards specifically as they relate to electronic PHI (ePHI). Protection of ePHI data from unauthorized access, whether external or internal, stored or in transit, is an integral part of the Security rule.

Policy & Guidelines for Physical Security

General Information

  • Paper records that include Protected Health Information must be secured. All incidents that may involve the loss or theft of any such paper records must be reported immediately.
  • Call: 0120-4108931 to report potential breaches
  • Medical records and health information must be placed and used in a way that minimizes incidental disclosure of PHI.
  • There should be no distinction between patient data, medical records and PHI.
  • We recommend having a process for tracking/logging the location of medical records and PHI while in use, in transit or in storage.

Storage

  • Health information must be stored where access is regulated. All offices, rooms and facilities that contain information resources other than public ones will be protected accordingly to prevent unauthorized access, damage or interference to the business processes.
  • Sensitive documents will be locked in file cabinets or other protective furniture that takes into account the results of the risk analysis.
  • We suggest that medical records and PHI stored in hallways accessible to unauthorized individuals be kept in locked cabinets.
  • Use only locked shelves in patient or research subject areas.
  • Do not use reachable shelves in places that are open to individuals not authorized to access those medical records and PHI.
  • Medical Records and PHI should be stored out of sight of unauthorized individuals, and should be locked in a cabinet, room or building when not supervised or in use.
  • Monitoring and access control could include any or all of the following, based on the outcome of the physical security risk assessment:
    • Locked file cabinets, desks, closets or offices
    • Mechanical Keys
    • Glass break sensors
    • Door and window opening alarms
    • Hold open sensors for doors or windows
    • Always-active door alarms for emergency exits and other little used doors
    • Above- or below-ceiling sensors for sites with false ceilings and walls that do not extend from floor to ceiling
    • Motion/heat sensors for sensitive working areas
    • Security Patrols
    • Closed circuit TV or video cameras
    • Change keypad access codes on a regular basis
    • Assign an individual to manage, assess and control the document access areas
    • Identify individual(s) with the authority to grant access to an area

Definitions

Designated Record Set: Medical, clinical and billing records about an individual, maintained or used for the individual’s treatment, appointment booking and decision making. This record set is subject to an individual’s right to request access and amendment.

Medical Record: For the purpose of the policy guidelines, ‘medical record’ includes the Problem List; History and Physical; Diagnosis and prognosis notes and reports; Progress Notes (including documentation); Neuroimaging and other pathological reports; Previous Consultations; and Photographs.

Protected Health Information (PHI):

Any individually identifiable health information, including demographic information, collected from an individual, whether oral or recorded in any form or medium, that is created or received by a covered entity.

PHI encompasses information that identifies an individual or might reasonably be used to identify an individual and relates to:

  • The past, present or future physical or mental health or condition of an individual; OR
  • The past, present or future payment for health care to an individual; OR

Data can be used to identify an individual if it contains either the name of the patient or any other data that could be taken together or used with other information to ascertain the identity of an individual (for example: date of birth, medical records number, address, phone number, email address, IP address, license numbers, photograph or a list of HIPAA Identifiers).

Secure Computing

General Information

  • We at HopeQure acknowledge the fact that mental health is extremely private and personal to every individual. Hence, safeguarding the interests and information of our clients and therapists is our top priority. We have deployed advanced security practices to maintain the privacy and confidentiality of both the HopeQure clients and the mental health professionals.
  • Our aim is to establish high standards of digital security in practice. Our essential security features ensure that personal and private data cannot be accessed by unauthorised persons within our team or by anybody other than the authorized individual. This allows users to securely transmit confidential and personal information such as views and thoughts, treatment requirements, mental health conditions, diagnosis and treatment plans, as well as credit card numbers and login credentials.
  • The steps taken by HopeQure to implement a strong security policy are listed below:
    • HIPAA Certification- Processes on the website and mobile applications of HopeQure are HIPAA compliant, and all relevant data residing on the HopeQure server is encrypted to match HIPAA requirements.
    • SSL Implementation- SSL certification ensures secure web browsing via the HTTPS protocol. It assures authenticity, integrity and encryption between the server and client.
    • Encryption- The data is encrypted with 256-bit SHA encryption and also uses the RSA encryption process to encrypt relevant information so that only authorized parties can access it. This denies intelligible content to a would-be interceptor.
    • Doctor-client Confidentiality- During the session, any information provided by the client is only accessible to the concerned professionals.
    • Access Zones- This setup restricts information access from undefined sources. It ensures that access occurs only from the client-specified physical location, even if the authentication information leaks.
    • Secured Video In-Built Calling Sessions- We provide real-time video calling sessions controlled by our secure server, which encrypts the conversation during the session.
      Using these and other security features, HopeQure assures protection of all the information transmitted on the site. Security and confidentiality of member details is our prime concern.

Cybersecurity

Classifying HopeQure Data And IT Systems

  • Every individual who is allowed access to HQ Data and IT Systems is responsible for protecting them. The information assets are classified into 3 different categories based on their security requirements. The security requirements for HopeQure Data and IT Systems are determined by classifying the information at the following levels: Confidential, Internal and Public.
  • The HopeQure IT Systems Guideline for Classification and Security outlines how HopeQure IT Systems can be categorized based on data classification, quality criteria, and any contractual obligations.
  • Care will be taken when interpreting the classification systems from other organizations as their classification systems may have different parameters. Information assets shall be assigned a sensitivity classification by the asset information owner or their nominees, in accordance with the following classification definitions:
    • Confidential: Sensitive information requiring the highest degree of protection. Access to this information shall be tightly restricted based on the concept of need-to-know. Disclosure requires the information custodian’s approval and, in the case of third parties, a signed confidentiality agreement. If this information were to be compromised, there could be serious negative financial, legal, or public image impacts to HopeQure or HopeQure’s members. Examples include member share information, employee performance reviews, product research data, etc.
    • Internal: Information that is related to HopeQure business operations, but not available for public consumption. This information shall only be disclosed to third parties if a confidentiality agreement has been signed. Disclosure is not expected to cause serious harm to HopeQure, and access is provided freely to all employees. Examples include policies and standards, operational procedures, etc.
    • Public: Information that requires no special protection or rules of use. This information is suitable for public dissemination. Examples include press releases, marketing brochures, etc.