HIPAA Compliance Guide

Access Control:

• Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to authorized persons or software programs.
• Unique User Identification: Assign a unique name and/or number for identifying and tracking user identity.
• Emergency Access Procedure: Establish (and implement as needed) procedures for obtaining necessary electronic health information during an emergency.
• Automatic Logoff: Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
• Encryption and Decryption: Implement a mechanism to encrypt and decrypt electronic protected health information.

• Learner and meeting data transmitted across the network is protected using a unique Advanced Encryption Standard (AES) with a 256-bit key generated and securely distributed to all participants at the start of each session.
• Multi-layered access control for owner, admin, and learners. • Web and application access are protected by verified email address and password.
• Meeting access is password protected.
• Meetings are not listed publicly.
• Tovuti leverages a redundant and distributed architecture to offer a high level of availability and redundancy.  In addition, Tovuti regularly performs snapshots of our data and can quickly assist the customer with data restoration and access to their data kept in Tovuti's cloud.
• Meeting host can easily disconnect attendees or terminate sessions in progress.
• Host can lock a meeting in progress
• Meeting ends automatically with timeouts.

Audit Controls:

• Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.

• Meeting connections traverse Tovuti's secured and distributed infrastructure.
• Meeting connections are logged for audio and quality-of-service purposes.
• Account admins have secured access to meeting management and reports.

Integrity:

• Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.

• Multi-layer integrity protection is designed to protect both data and service layers.
• Controls are in place and protect data in-motion and at-rest.

Integrity Mechanism:

• Mechanism to authenticate electronic protected health information.
• Implement methods to corroborate that information has not been destroyed or altered.

• Application executables are digitally signed.
• Data transmission is protected using HMACSHA-256 message authentication codes.

Person or Entity Authentication:

• Verify that the person or entity seeking access is the one claimed.

• Web and application access are protected by verified email and password.
• Meeting host must log in to Tovuti using a unique email address and account password.
• Access to desktop or window for screen sharing is under the host’s control.

Transmission Security:

• Protect electronic health information that is being transmitted over a network.
• Integrity controls: Ensure that protected health information is not improperly modified without detection.
• Encryption: Encrypt protected health information.

• End-to-end data security protects against passive and active attacks on confidentiality.
• Data transmission is protected using HMAC-SHA-256 message authentication codes.
• Learner and meeting data transmitted is protected using a unique Advanced Encryption Standard (AES) with a 256-bit key generated and securely distributed to all participants at the start of each session.