SoftSlate HIPAA Compliance Overview
SoftSlate addresses major HIPAA requirements through a comprehensive set of policies and procedures that are summarized in this document.
Administrative Safeguards:
- Security Management Process: SoftSlate conducts bi-annual risk analyses to identify vulnerabilities in our systems, and implements corrective actions based on these analyses. Information system activity, including application errors, request logs, and audit logs, is continuously reviewed for suspicious activity.
- Workforce Security: Developers are restricted from accessing ePHI and work only with sanitized development databases from which ePHI has been removed. Operations personnel undergo training on secure handling procedures.
- Information Access Management: Access to ePHI for both clients and SoftSlate employees is role-based, with clients managing their employee access through the administrator application. All access changes for clients are logged in read-only audit logs.
- Security Awareness and Training: Annual reminders are provided to developers regarding OWASP top ten vulnerabilities and to all employees regarding workstation vulnerabilities.
- Protection from Malicious Software: Multiple layers of protection are in place, including WAF, multiple firewalls, automated system updates, CIS-benchmarked machine images, and regular vulnerability scans.
- Log-in Monitoring: Application and system access logs are monitored regularly and reviewed.
- Password Management: Clients can configure password rules, expirations, and other security parameters for their employees. For more information: https://softslate.com/content/Login_Security_Features
- Security Incident Procedures: A clear procedure outlines how the team becomes aware of incidents, and a step-by-step response plan for verification, mitigation, damage assessment, data restoration, prevention, documentation, and training.
- Contingency Plan: Daily and weekly database backups are created. A disaster recovery plan details procedures for restoring data from these backups. The contingency plan is periodically tested and revised as part of ongoing risk management, and critical applications and data are identified and prioritized.
- Evaluation: Security policies and procedures are periodically evaluated to ensure ongoing effectiveness and alignment with evolving threats.
- Business Associate Contracts and Other Arrangements: SoftSlate maintains written agreements with business associates, ensuring their HIPAA compliance.
Physical Safeguards:
- Facility Access Controls: Procedures for contingency operations, facility security plans, access control and validation, and maintenance records are managed by AWS, as SoftSlate's infrastructure is hosted on AWS.
- Workstations: Policies require operations personnel's workstations with ePHI access to be in secure, locked buildings, and protected with password access and screen locking.
- Device and Media Controls: Disposal, media re-use, accountability, and data backup and storage of devices and media containing ePHI are managed by AWS, with data backup and storage procedures detailed under the Contingency Plan.
Technical Safeguards:
- Access Control: Unique user IDs are assigned for clients (via email invitation and logged actions) and SoftSlate operations team members. Emergency access procedures are outlined in the Contingency Plan. Automatic logoff is implemented for client and SoftSlate employee logins. Encryption is required for all traffic.
- Audit Controls: Application audit logs and request logs are maintained and shipped offsite to track system activity. Procedures for detecting and responding to security incidents are in place.
- Integrity: The Agreements feature for clients includes a checksum to authenticate ePHI and ensure it has not been altered since submission. For more information visit: https://softslate.com/content/Agreements_Feature
- Person or Entity Authentication: Client employees set/reset passwords via email, verifying their identity.
- Transmission Security: SSL encryption is required for all incoming traffic and traffic between web and database servers, ensuring integrity and encrypting ePHI during transmission, with quarterly vulnerability scans for compliance.