HIPAA Compliance Guide

HIPAA Compliance


The Health Insurance Portability and Accountability Act (HIPAA) lays out privacy and security standards that protect the confidentiality of patient health information. For a learning management system, the solution and its security architecture must provide end-to-end encryption and meeting access controls so that data in transit cannot be intercepted. The general requirements of the HIPAA Security Standards state that covered entities must:


  1. Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.
  2. Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
  3. Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under the privacy regulations.
  4. Ensure compliance by its workforce.


How Tovuti Enables HIPAA Compliance


We sign the HIPAA Business Associate Agreement (BAA) for our healthcare customers, meaning we are responsible for keeping your patient information secure and reporting security breaches involving personal healthcare information. We do not have access to identifiable health information and we protect and encrypt all learner, audio, video, and screen sharing data.


The following table demonstrates how Tovuti supports HIPAA compliance based on the HIPAA Security Rule published in the Federal Register on February 20, 2003 (45 CFR Parts 160, 162, and 164 Health Insurance Reform: Security Standards; Final Rule).

HIPAA Standard: Access Control

  • Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to authorized persons or software programs.
  • Unique User Identification: Assign a unique name and/or number for identifying and tracking user identity.
  • Emergency Access Procedure: Establish (and implement as needed) procedures for obtaining necessary electronic health information during an emergency.
  • Automatic Logoff: Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
  • Encryption and Decryption: Implement a mechanism to encrypt and decrypt electronic protected health information.

How Tovuti Supports the Standard

  • Learner and meeting data transmitted across the network is protected using the Advanced Encryption Standard (AES) with a unique 256-bit key generated and securely distributed to all participants at the start of each session.
  • Multi-layered access control for owner, admin, and learners.
  • Web and application access are protected by verified email address and password.
  • Meeting access is password protected.
  • Meetings are not listed publicly.
  • Tovuti leverages a redundant and distributed architecture to offer a high level of availability and redundancy. In addition, Tovuti regularly performs snapshots of our data and can quickly assist the customer with data restoration and access to their data kept in Tovuti's cloud.
  • Meeting host can easily disconnect attendees or terminate sessions in progress.
  • Host can lock a meeting in progress.
  • Meeting ends automatically with timeouts.

HIPAA Standard: Audit Controls

  • Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.

How Tovuti Supports the Standard

  • Meeting connections traverse Tovuti's secured and distributed infrastructure.
  • Meeting connections are logged for audio and quality-of-service purposes.
  • Account admins have secured access to meeting management and reports.

HIPAA Standard: Integrity

  • Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.

How Tovuti Supports the Standard

  • Multi-layer integrity protection is designed to protect both data and service layers.
  • Controls are in place that protect data in motion and at rest.

HIPAA Standard: Integrity Mechanism

  • Mechanism to authenticate electronic protected health information.
  • Implement methods to corroborate that information has not been destroyed or altered.

How Tovuti Supports the Standard

  • Application executables are digitally signed.
  • Data transmission is protected using HMAC-SHA-256 message authentication codes.

HIPAA Standard: Person or Entity Authentication

  • Verify that the person or entity seeking access is the one claimed.

How Tovuti Supports the Standard

  • Web and application access are protected by verified email and password.
  • Meeting host must log in to Tovuti using a unique email address and account password.
  • Access to the desktop or window used for screen sharing is under the host's control.

HIPAA Standard: Transmission Security

  • Protect electronic health information that is being transmitted over a network.
  • Integrity controls: Ensure that protected health information is not improperly modified without detection.
  • Encryption: Encrypt protected health information.

How Tovuti Supports the Standard

  • End-to-end data security protects against passive and active attacks on confidentiality.
  • Data transmission is protected using HMAC-SHA-256 message authentication codes.
  • Learner and meeting data transmitted is protected using the Advanced Encryption Standard (AES) with a unique 256-bit key generated and securely distributed to all participants at the start of each session.
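The integrity control named in the Transmission Security row (a per-session key plus an HMAC-SHA-256 tag so that modification of data in transit is detected) is illustrated by the following added example. It is not Tovuti's code and makes no claim about Tovuti's wire format; the frame layout (sequence number, payload, tag), the key and the sample frames are all constructed for the example. Only the authentication step is shown, using the Python standard library; the AES-256 encryption the page also describes would be applied to the payload before tagging (encrypt-then-MAC) and is omitted here.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32   # HMAC-SHA-256 output length in bytes
SEQ_LEN = 4    # sequence number is a 32-bit big-endian integer (constructed framing)

# Constructed per-session key for the example only; a real deployment would
# generate a fresh random key per session and distribute it to participants.
EXAMPLE_SESSION_KEY = bytes.fromhex("0f" * 32)


def protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Build a frame: seq || payload || HMAC-SHA-256(key, seq || payload).

    Covering the sequence number with the tag lets the receiver detect
    replayed or reordered frames as well as modified payload bytes.
    """
    header = struct.pack(">I", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def verify(key: bytes, frame: bytes, expected_seq: int):
    """Return the payload if the frame is authentic and in order, else None.

    The tag comparison uses hmac.compare_digest to avoid timing side channels.
    """
    if len(frame) < SEQ_LEN + TAG_LEN:
        return None  # truncated frame: cannot carry a valid tag
    header = frame[:SEQ_LEN]
    payload = frame[SEQ_LEN:-TAG_LEN]
    tag = frame[-TAG_LEN:]
    expected_tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_tag, tag):
        return None  # payload or header was altered in transit
    (seq,) = struct.unpack(">I", header)
    if seq != expected_seq:
        return None  # valid tag but wrong position: replay or reorder
    return payload


def tamper(frame: bytes, offset: int) -> bytes:
    """Flip one bit at the given offset (simulates in-transit corruption)."""
    data = bytearray(frame)
    data[offset] ^= 0x01
    return bytes(data)


def demo():
    """Walk through accept / modified / replayed cases; returns the outcomes."""
    key = EXAMPLE_SESSION_KEY
    payload = b"constructed screen-share chunk 0001"
    frame = protect(key, 1, payload)
    results = {
        "intact": verify(key, frame, 1),
        "modified_payload": verify(key, tamper(frame, SEQ_LEN + 3), 1),
        "modified_tag": verify(key, tamper(frame, len(frame) - 1), 1),
        "replayed": verify(key, frame, 2),
        "truncated": verify(key, frame[:SEQ_LEN + 5], 1),
    }
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:18s} -> {'accepted' if outcome is not None else 'rejected'}")
```

The receiver accepts only a frame whose tag was computed with the session key over exactly the bytes received and whose sequence number is the one it expects; any one-bit change to the payload, the sequence number or the tag, and any replay of an old frame, is rejected before the payload is used.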

Security and Encryption


Only members invited by account administrators can host Tovuti meetings in accounts with multiple members. The host controls meeting attendance through meeting IDs and passwords. Each meeting has only one host unless a co-host is deliberately added by the host. The host can screen share or lock screen sharing. The host has complete control of the meeting and its attendees, with features such as lock meeting, expel attendees, mute/unmute all, lock screen sharing, and end meeting.

Tovuti employs industry-standard end-to-end Advanced Encryption Standard (AES) encryption using 256-bit keys to protect meetings. Tovuti encryption fully complies with HIPAA Security Standards to ensure the security and privacy of patient data.


Screen Sharing in Healthcare


Medical professionals and authorized healthcare partners can use Tovuti to meet with patients and other healthcare professionals and to screen-share health records and other resources. Tovuti does not distribute the actual patient data: screen sharing transmits only an encrypted screen capture along with mouse and keyboard strokes, not the underlying data. Tovuti further protects data confidentiality through a combination of encryption, strong access control, and other protection methods.



HIPAA Certification


Currently, the agencies that certify health technology, the Office of the National Coordinator for Health Information Technology and the National Institute of Standards and Technology, do "not assume the task of certifying software and off-the-shelf products" (p. 8352 of the Security Rule), nor do they accredit independent agencies to perform HIPAA certifications. Additionally, the HITECH Act only provides for testing and certification of Electronic Health Records (EHR) programs and modules. Thus, as Tovuti is not an EHR software product or module, our type of technology is not certifiable by these unregulated agencies.