HIPAA COMPLIANCE

Executive Summary

Healthcare workers often face many communication barriers — they are restricted to outdated, HIPAA-approved devices such as pagers and fax machines. Although text messaging is standard practice in other fields, SMS and email do not meet HIPAA security requirements. That prohibits instant, text-based communication within and outside organizations. Until now.

Introducing the Hucu.ai platform, a HIPAA-compliant technology that makes private communication easier and more secure than ever. Users can participate in real-time, conversational exchanges via web, smartphones, and Wi-Fi-enabled devices. Group conversations are also possible using Hucu.ai apps and are encrypted to keep every discussion confidential. In addition, Hucu.ai gives various care providers and decision makers (nursing staff, physicians, specialists, etc.) the power to exchange key health information about a specific patient/member to achieve timely care decisions.

HIPAA Compliance

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was designed to protect electronic data pertaining to patient identification and health, and to standardize the process of data interchange. A major component of HIPAA is the “Security Rule”, which includes technical safeguards and their implementation. Technical safeguards are defined in 45 CFR Part 164 § 164.304:

Technical safeguards mean “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.”

The Security Rule’s technical safeguards do not mandate a specific technology solution but rather employ the adaptable requirement that an entity use any and as many security measures as are reasonable and appropriate. These security measures are required to meet several standards, as described below. Hucu.ai meets, and in many cases exceeds, these standards.

Access Control

“Access” is defined in § 164.304:

Access means the ability or the means necessary to read, write, modify, or communicate data/information or otherwise use any system resource.

The access control standard § 164.312(a)(1) requires that a covered entity must:

Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in §164.308(a)(4).

Access controls are designed to provide the appropriate privileges to users accessing data, applications and files. The HIPAA Security Rule describes implementation specifications for the access control standard:

  • Unique user identification § 164.312(a)(2)(i). Assign a unique name and/or number for identifying and tracking user identity.

Hucu.ai assigns each user a unique identification number, allowing it to route information appropriately and track user activity. For a majority of users, these unique ID numbers exist before a user even registers. Organizations have full control over which users are given access to specific patient/member information.

  • Automatic logoff § 164.312(a)(2)(iii). Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.

After 5 minutes of inactivity, and every time the application is reopened, users of Hucu.ai apps must re-authenticate with their login ID and password, a secure PIN, or biometric authentication before they can view or work in the app.
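The automatic-logoff behaviour described above, server-side, as an added example (this is illustration code, not Hucu.ai's own implementation). The 5-minute threshold is taken from the text; the session store, the `touch`/`lock`/`resume` API and the fake clock are assumptions for the demonstration. The point a practitioner wants to see is that the check runs on every request, that a locked session stays locked until a credential is re-verified, and that the timer is not trusted to the client.

```python
"""Idle-session timeout illustrating § 164.312(a)(2)(iii) (automatic logoff).
Example code, not Hucu.ai's; the 5-minute window comes from the text above,
everything else here is an assumption made for the demonstration."""
import time
from dataclasses import dataclass

IDLE_TIMEOUT_SECONDS = 5 * 60  # predetermined period of inactivity (from the text)


@dataclass
class Session:
    user_id: str
    last_activity: float        # epoch seconds of the last accepted request
    authenticated: bool = True  # False once the session has been locked


class SessionStore:
    """Server-side session table. Every request passes through `touch`, which
    locks the session instead of serving it once the idle window has elapsed."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT_SECONDS, clock=time.time):
        self._sessions = {}
        self._idle_timeout = idle_timeout
        self._clock = clock  # injectable so the behaviour can be tested deterministically

    def login(self, session_id, user_id):
        # Called only after the credential check (password / PIN / biometric) succeeded.
        self._sessions[session_id] = Session(user_id=user_id, last_activity=self._clock())

    def touch(self, session_id):
        """Return True if the request may proceed. Lock the session and return False
        if it has been idle longer than the timeout or was already locked."""
        session = self._sessions.get(session_id)
        if session is None or not session.authenticated:
            return False
        now = self._clock()
        if now - session.last_activity > self._idle_timeout:
            session.authenticated = False  # terminate: no ePHI is served from here on
            return False
        session.last_activity = now
        return True

    def lock(self, session_id):
        """Explicit lock, e.g. when the client reports the app was closed and reopened."""
        session = self._sessions.get(session_id)
        if session is not None:
            session.authenticated = False

    def resume(self, session_id, credential_ok):
        """Re-authenticate a locked session after the user re-enters a credential.
        `credential_ok` is the outcome of the (not shown) credential verification."""
        session = self._sessions.get(session_id)
        if session is None or not credential_ok:
            return False
        session.authenticated = True
        session.last_activity = self._clock()
        return True

    def is_locked(self, session_id):
        session = self._sessions.get(session_id)
        return session is not None and not session.authenticated


def demo():
    """Walk one session through activity, an idle gap and a resume, on a fake clock."""
    fake_now = [1_000.0]
    store = SessionStore(clock=lambda: fake_now[0])
    store.login("sess-1", "nurse-42")      # constructed sample session
    results = []
    fake_now[0] += 120                      # 2 min idle: request still allowed
    results.append(store.touch("sess-1"))
    fake_now[0] += 301                      # 5 min 1 s idle: session is locked
    results.append(store.touch("sess-1"))
    results.append(store.is_locked("sess-1"))
    results.append(store.touch("sess-1"))   # still refused until re-authentication
    results.append(store.resume("sess-1", credential_ok=True))
    results.append(store.touch("sess-1"))   # allowed again
    return results


if __name__ == "__main__":
    print(demo())
```

Because the comparison uses the server's clock and the session's stored `last_activity`, a client that keeps a stale screen open cannot extend its own window; it can only be locked and must present a credential to `resume`.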

  • Encryption and decryption § 164.312(a)(2)(iv). Implement a mechanism to encrypt and decrypt electronic protected health information.

To protect sensitive health information from unauthorized access, all data on the Hucu.ai platform is protected using the Secure Sockets Layer (SSL) protocol. This allows the Hucu.ai platform to force the https:// standard for all mobile and web communication features, protecting against unauthorized access over wireless and wired networks. The Hucu.ai platform is additionally encrypted end-to-end using up to 256-bit Advanced Encryption Standard (AES) encryption for data both in transit and at rest.

In addition, the Hucu.ai design takes into account NIST best practices for the Access Control standard (§ 164.312(a), Technical Safeguards), providing functions that enable users to:

  • Manage and Control Technical Access
  • Review and Update User Access
  • Terminate Access if it is No Longer Required
  • Complete Emergency Access Procedure

Audit Control

The audit control standard § 164.312(b) requires that a covered entity must:

Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.

Hucu.ai records and examines network activity to protect users, technical infrastructure and electronic health information from security violations.
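"Record and examine" in concrete terms, as an added example (not Hucu.ai's code). It ties the audit standard to the access rights of § 164.308(a)(4) mentioned under Access Control: every access to patient data is written as a structured audit record keyed by the user's unique identifier, and an examine pass flags reads by users who hold no grant for that patient and accounts with repeated failed logins. The record layout, the grants table, the thresholds and the sample events are all constructed for the demonstration.

```python
"""Audit record-and-examine illustrating § 164.312(b), checked against the
access grants of § 164.308(a)(4). Example code, not Hucu.ai's own; the record
format, the grants table and every sample event are constructed."""
from collections import Counter
from dataclasses import asdict, dataclass
import json


@dataclass(frozen=True)
class AuditEvent:
    ts: str          # ISO-8601 timestamp
    user_id: str     # unique user identifier (§ 164.312(a)(2)(i))
    action: str      # e.g. "read", "send", "login_failed"
    patient_id: str  # ePHI subject; "" for events not tied to a patient
    source_ip: str


class AuditLog:
    """Append-only in-memory log. A deployment writes each line to durable,
    write-once storage; the examine logic below is the same either way."""

    def __init__(self):
        self._events = []

    def record(self, event):
        self._events.append(event)
        # The line that would be persisted: one JSON object per event, stable key order.
        return json.dumps(asdict(event), sort_keys=True)

    def events(self):
        return list(self._events)


def examine(log, grants, failed_login_threshold=3):
    """Return findings as (kind, user_id, detail) tuples:
    - 'ungranted_access': a patient-scoped action by a user without a grant for that patient
    - 'repeated_login_failure': a user at or above the failed-login threshold"""
    findings = []
    failed = Counter()
    for ev in log.events():
        if ev.action == "login_failed":
            failed[ev.user_id] += 1
        elif ev.patient_id and ev.patient_id not in grants.get(ev.user_id, set()):
            findings.append(("ungranted_access", ev.user_id, ev.patient_id))
    for user, n in failed.items():
        if n >= failed_login_threshold:
            findings.append(("repeated_login_failure", user, n))
    return findings


def demo():
    # Constructed sample grants: which patients each user has been given access to.
    grants = {"nurse-42": {"pt-100", "pt-101"}, "dr-7": {"pt-100"}}
    log = AuditLog()
    for ev in [  # constructed sample events
        AuditEvent("2024-01-01T08:00:00Z", "nurse-42", "read", "pt-100", "10.0.0.5"),
        AuditEvent("2024-01-01T08:01:00Z", "dr-7", "read", "pt-101", "10.0.0.9"),  # no grant
        AuditEvent("2024-01-01T08:02:00Z", "dr-7", "login_failed", "", "10.0.0.9"),
        AuditEvent("2024-01-01T08:02:10Z", "dr-7", "login_failed", "", "10.0.0.9"),
        AuditEvent("2024-01-01T08:02:20Z", "dr-7", "login_failed", "", "10.0.0.9"),
    ]:
        log.record(ev)
    return examine(log, grants)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The examine pass is deliberately separate from the enforcement path: even when access control blocks the request, the attempt is still recorded, so a reviewer can see who tried to reach which record and when.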

Integrity

“Integrity” is defined in § 164.304:

Integrity means the property that data or information have not been altered or destroyed in an unauthorized manner.

The integrity standard § 164.312(c)(1) requires that a covered entity must:

Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.

Hucu.ai protects the integrity of electronic health information on its secure platform via end-to-end encryption and decryption of messages transferred over the SSL protocol.

Person or Entity Authentication

The person or entity authentication control standard § 164.312(d) requires that a covered entity must:

Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.

To verify identity for website or mobile access, Hucu.ai authenticates users through either login or registration. An existing user's login requires a username and password.

Transmission Security

The transmission security standard § 164.312(e)(1) requires that a covered entity must:

Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.

There are two implementation specifications for the transmission security standard:

  • Integrity controls § 164.312(e)(2)(i). Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.
  • Encryption § 164.312(e)(2)(ii). Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.

Hucu.ai uses the Secure Sockets Layer (SSL) handshake protocol and enforces the secure https:// standard for all mobile and web access, protecting against unauthorized access over wireless and wired networks.
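The integrity-controls specification above (§ 164.312(e)(2)(i)) and the Integrity standard earlier on this page both ask that modification of transmitted ePHI be detectable. The following added example (not Hucu.ai's code) shows the detection half of that requirement on its own: a keyed MAC (HMAC-SHA256 from the Python standard library) over a canonical encoding of the message, verified in constant time before the body is parsed. The shared key, the envelope format and the sample message are assumptions; confidentiality is not provided by this block and in practice comes from the transport (TLS) and the end-to-end encryption the page describes, or from an AEAD mode that combines both.

```python
"""Integrity control for transmitted ePHI, illustrating § 164.312(e)(2)(i):
a keyed MAC so that any change in transit is detected before the message is
accepted. Added example, not Hucu.ai's own code; key, envelope format and the
sample message are constructed."""
import hashlib
import hmac
import json
import secrets


def seal(key, message):
    """Return the wire envelope: canonical JSON of `message` plus an HMAC-SHA256 tag.
    Canonical encoding (sorted keys, no whitespace) makes the tag reproducible."""
    body = json.dumps(message, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body.decode(), "tag": tag}


def open_sealed(key, envelope):
    """Verify the tag in constant time and return (ok, message).
    The body is never parsed unless the tag matches."""
    body = envelope["body"].encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, envelope["tag"]):
        return False, None
    return True, json.loads(body)


def demo():
    # Constructed shared key; a real system derives it from the session/E2E key exchange.
    key = secrets.token_bytes(32)
    msg = {"from": "nurse-42", "to": "dr-7", "patient": "pt-100",
           "text": "BP 140/90, please review"}  # constructed sample message
    env = seal(key, msg)
    ok_intact, _ = open_sealed(key, env)
    # Simulate an in-transit modification of one clinical value.
    tampered = dict(env, body=env["body"].replace("140/90", "120/80"))
    ok_tampered, _ = open_sealed(key, tampered)
    # A wrong key (e.g. a forged envelope) fails the same way.
    ok_wrong_key, _ = open_sealed(secrets.token_bytes(32), env)
    return ok_intact, ok_tampered, ok_wrong_key


if __name__ == "__main__":
    print(demo())
```

`hmac.compare_digest` is used rather than `==` so that verification time does not leak how many leading tag bytes matched.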

Highlights of Hucu.ai’s Security and Compliance Components

  • User Identification and Verification (including biometric identification)
  • SSL Handshake Protocol
  • Secure Messaging with End-to-End 256-bit Encryption
  • Unique Session Resume option before automated logoff due to inactivity (to avoid data loss)
  • Audit Control to Protect Users from any Security Violations
  • Backup of All Network Activity

The Hucu.ai platform can be used on iPhone, iPad, Android, Windows, Mac, and the web. HIPAA compliance and data security are a top priority for Hucu.ai's messaging platform. We welcome any additional questions, ideas or feedback at info@Hucu.ai.