This is to put on record that Dic2Doc adheres to all HIPAA regulations governing the electronic transmission of PHI (Patient Health Information). We use the best available technologies for handling Protected Health Information (PHI) and for enabling a secure medical transcription workflow, in line with all applicable and relevant HIPAA norms. The PHI we handle on behalf of our clients exists in two forms: the audio files dictated by the end users (the dictators) and the transcribed documents. All client and patient data, audio file storage, transcribed document storage, data storage and document management either conforms to or exceeds HIPAA requirements. To elucidate this further, we explain below the security arrangements we have in place and how these provisions come into play at each stage of the workflow, so that the dic2doc platform helps you carry out your business in a safe and secure manner.
At Dic2Doc, the emphasis on security starts at the very first point of contact with a prospective client. When a prospective client first signs up for our service, we ask them to enroll through a sign-up module specifically designed to capture the client's details. This module has two layers of protection. The entire data capture is secured by the Secure Socket Layer (SSL) and encryption technology provided to us by "Thawte". The client's financial information is captured in this same SSL environment, but here the protection is further strengthened by the stringent "SecurityMetrics" security service. Dic2Doc's server and software meet the PCI data security requirements by passing a SecurityMetrics Site Certification vulnerability scan. This SecurityMetrics test ensures that high security standards are maintained, which significantly reduces the risk that our site will be compromised and that credit card or other sensitive data will be stolen or misused.
Your clients, i.e. the end users of our dictation recording service platform, have two options for sending their audio files. They can use one of the following two methods:
1) Toll Free Dictation Recording (TFDR)
Our dial-in dictation recording server(s) use dedicated Toll Free Numbers (TFN) that are not published to the outside world; the TFNs are known only to you and your clients. Additionally, each dictator is issued a unique access code (AC) for accessing our toll free dictation recording system. The TFN and AC together act like a username and password combination: each individual dictator needs to know both the toll free number and the access code to access and use our dictation system, and without that combination the server cannot be accessed.
The dictation server itself is governed and monitored by us, with secure endpoint protection guarding its interface with the outside world. Furthermore, as soon as a dictator creates an audio file through the toll free call-in facility, the file is transferred to a location that can only be accessed by our clients over SFTP (Secure File Transfer Protocol), using a username and password (UN & PW) combination known only to them.
2) Secure File Uploading (SFU) for multiple files
Alternatively, our end users (our clients' clients) send us audio files that they record on a digital hand-held recorder. They do this through our SFU interface, which is also secured by the SSL and encryption technology provided to us by "Thawte" and acts as a shield against hacking or online data theft attempts. Our clients can then access the audio files uploaded by their end users only through the SFTP interface explained above.
All Dic2Doc servers are protected by individual firewalls that block unauthorized access and shield our servers from online attacks. This makes our dictation recording server(s) extremely safe and secure. Additionally, all our servers are password protected, so only authorized personnel are granted access for administration, backup and maintenance purposes. Password protection also restricts unauthorized access to data and other resources on the servers. Since ad hoc access is prohibited, unauthorized viewing, editing, printing, deleting or copying of any files or data on our servers is ruled out. We keep extensive logs of all transactions in order to prevent, detect and contain possible security breaches.
Besides these provisions, we proactively test our preparedness against possible security breaches by subjecting our servers to stringent SecurityMetrics testing every three months. If a new threat or vulnerability is detected, this service alerts us and draws our attention to the issue, which we then set out to rectify in the shortest possible time. We also have policies covering the deletion and purging of PHI from our archives when a customer cancels the service.
Once the files are recorded, an encryption mechanism encrypts them before they are transmitted over the Internet. Transmission takes place through secure, dedicated (not shared) web space managed and used solely by Dic2Doc. Transcribed files are transferred in exactly the same way as in SFU (explained above), with the protection of the SSL and encryption technology provided to us by "Thawte".
The transcribed documents are archived on a secure server which, like the dictation server, is directly under our control. Each of our clients is given a specific Username (UN) and Password (PW) combination with which they can access their reports from our website. Of all the data transmission methods an end user could use, we discourage our clients from using conventional free email services, since these are considered HIPAA non-compliant. Although transmission by fax continues to be considered a relatively safe alternative, most clients prefer a cheaper option, as fax transmission costs are levied on a per-page basis.
This is where the dic2doc service plays a crucial part in delivering transcribed documents safely and securely. Since delivery by plain FTP or by conventional email is considered non-HIPAA-compliant, we provide our end users with a secure way of accessing their transcribed documents. We call this portion of our platform SODD (Secure Online Document Delivery). Our SODD service offers an extremely user-friendly online interface which, apart from being secure, gives the end user a single point of integration that makes their daily tasks much easier.
This single-window interface enables your clients not only to upload their audio files securely but also to download their transcribed reports securely from the same online portal. It also lets them access reports up to 3 months old from the online archives, and run intuitive searches to fetch a particular report based on given parameters.
Our systems are regularly monitored and subjected to internal audits. Technical evaluations are performed on a routine basis to make sure all systems meet specified security requirements as outlined in our internal policies.
On the employee front, access to PHI (Patient Health Information) is granted according to a person's rank within the organization. Each employee has a distinct set of rights and privileges based on that individual's rank and position. All employee access configurations are stored securely on the workflow processing server. This server also keeps a time-stamped audit trail of every employee who accesses PHI. In short, each employee is given only as much access as is necessary to complete their task, and whatever an employee does with that information is recorded on the company's central database server. We also have established procedures and policies for closing system access for outgoing employees: all entry, login and access rights are removed when an employee parts ways with the company.
It is extremely important that all our clients understand, and in turn inform their own clients, that responsibility for safeguarding PHI after it is downloaded by you or your clients rests solely with whoever downloads it. Dic2Doc's responsibility extends only to providing the interface for its download. Once you or any of your clients download it at your end, the responsibility to safeguard that information is entirely yours.