The Privacy and Security Rules of the Health Insurance Portability and Accountability Act (HIPAA) define requirements for the appropriate use and safeguarding of protected health information (PHI). The provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act include updates to the HIPAA Standards that further strengthen the privacy and security of health information. According to the Department of Health and Human Services, HIPAA/HITECH privacy and security rules apply not only to covered entities but also to their business associates. The latter are defined as organizations that perform functions or activities on behalf of, or provide certain services to, covered entities that involve access to PHI. Below is a summary of Bright Pattern features that enable contact centers of covered entities and their business associates to be HIPAA/HITECH-compliant.
Bright Pattern supports multi-tier/zone operation for HIPAA/HITECH-compliant enterprise and multi-tenant deployments. Tenants have access only to their own resources, and critical system-level functions can be firewalled independently. API access can be restricted to specific IP ranges. Each tenant has its own data encryption key that can be changed at any time and is protected by a key encryption key, which is stored separately.
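The per-tenant key arrangement described above (a data encryption key per tenant, wrapped by a key encryption key kept in a separate store, and replaceable at any time) is a standard envelope-encryption pattern. The following Go program is an added illustration of that pattern and is not Bright Pattern's code; the page does not state which algorithms the product uses, so AES-256-GCM is assumed here for both key wrapping and record encryption, the "separately stored" KEK is modelled as a parameter the caller fetches from its key store, and the tenant IDs and record contents are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// newGCM builds an AES-256-GCM AEAD from a 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key, authenticates aad, and prepends the random nonce.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; it fails if the key, aad, or ciphertext do not match.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// TenantKeyring is what the data store persists per tenant: only the wrapped DEK.
// The KEK is never stored with it; callers obtain it from a separate key store (assumed).
type TenantKeyring struct {
	TenantID   string
	WrappedDEK []byte // DEK sealed under the KEK, with the tenant ID as AAD
}

// NewTenantKeyring generates a fresh DEK for the tenant and wraps it under the KEK.
func NewTenantKeyring(kek []byte, tenantID string) (*TenantKeyring, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	wrapped, err := seal(kek, dek, []byte(tenantID))
	if err != nil {
		return nil, err
	}
	return &TenantKeyring{TenantID: tenantID, WrappedDEK: wrapped}, nil
}

func (t *TenantKeyring) unwrap(kek []byte) ([]byte, error) {
	return open(kek, t.WrappedDEK, []byte(t.TenantID))
}

// EncryptRecord protects one PHI-bearing record (transcript, recording chunk, custom field)
// under the tenant's DEK; the tenant ID in the AAD stops ciphertext being moved between tenants.
func (t *TenantKeyring) EncryptRecord(kek, record []byte) ([]byte, error) {
	dek, err := t.unwrap(kek)
	if err != nil {
		return nil, err
	}
	return seal(dek, record, []byte(t.TenantID))
}

func (t *TenantKeyring) DecryptRecord(kek, sealed []byte) ([]byte, error) {
	dek, err := t.unwrap(kek)
	if err != nil {
		return nil, err
	}
	return open(dek, sealed, []byte(t.TenantID))
}

// RotateDEK replaces the tenant's DEK: it re-encrypts the given records under a new DEK
// and swaps in the new wrapped key, so ciphertexts made under the old DEK stop decrypting.
func (t *TenantKeyring) RotateDEK(kek []byte, records [][]byte) ([][]byte, error) {
	fresh, err := NewTenantKeyring(kek, t.TenantID)
	if err != nil {
		return nil, err
	}
	out := make([][]byte, 0, len(records))
	for _, r := range records {
		plain, err := t.DecryptRecord(kek, r)
		if err != nil {
			return nil, err
		}
		re, err := fresh.EncryptRecord(kek, plain)
		if err != nil {
			return nil, err
		}
		out = append(out, re)
	}
	t.WrappedDEK = fresh.WrappedDEK
	return out, nil
}

func main() {
	kek := make([]byte, 32) // stands in for a KEK fetched from a separate key store
	rand.Read(kek)
	a, _ := NewTenantKeyring(kek, "tenant-a")
	b, _ := NewTenantKeyring(kek, "tenant-b")
	ct, _ := a.EncryptRecord(kek, []byte("chat transcript containing PHI (constructed sample)"))
	pt, _ := a.DecryptRecord(kek, ct)
	_, cross := b.DecryptRecord(kek, ct)
	fmt.Printf("tenant A reads its own record: %q\n", pt)
	fmt.Printf("tenant B reading A's record fails: %v\n", cross != nil)
}
```

The design choices worth noting: the DEK is held in memory only for the duration of one operation and is persisted solely in wrapped form; the tenant ID is bound as associated data at both layers, so a wrapped key or a record copied into another tenant's store fails authentication rather than decrypting; and rotation is a re-encryption pass rather than a key swap, which is what makes "changed at any time" safe for data already at rest. Rotating the KEK itself would only require re-wrapping each tenant's DEK, not touching the records.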
Bright Pattern uses a role-based system to control access to specific contact center functions, where access to client data is protected by special privileges. All user accounts are password protected, and password complexity rules can be enforced at the service provider level for all system- and tenant-level accounts. Passwords are never displayed or stored in clear text. Accounts can be locked out after a pre-defined number of unsuccessful login attempts. Compromised accounts can be deactivated without losing any configuration or historical data associated with them. Inactive admin-level user sessions are terminated automatically.
Storage and Transmission of Sensitive Data
All data elements where protected health information (PHI) may appear can be encrypted for storage. This includes voice and screen recordings, email content, chat transcripts, as well as custom fields of calling lists and activity forms. Use of secure protocols can be enforced for all external interfaces involving transmission of this data. Logging of such data can also be completely disabled in production mode.
Audit logs contain information about all login sessions, including unsuccessful attempts. For successful logins, all admin-level operations are logged, including the date/time, type of operation, and affected resources. Access to the audit log is protected by a dedicated privilege.