The Privacy and Security Rules of the Health Insurance Portability and Accountability Act (HIPAA) define requirements for the appropriate use and safeguarding of protected health information (PHI). The provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act include updates to the HIPAA Standards that further strengthen the privacy and security of health information. According to the Department of Health and Human Services, HIPAA/HITECH privacy and security rules apply not only to covered entities but also to their business associates. The latter are defined as organizations that perform functions or activities on behalf of, or provide certain services to, covered entities that involve access to PHI. Below is a summary of Bright Pattern features that enable contact centers of covered entities and their business associates to be HIPAA/HITECH-compliant.
Bright Pattern supports multi-tier/zone operation for HIPAA/HITECH-compliant enterprise and multi-tenant deployments. Tenants have access only to their own resources, and the critical system-level functions can be firewalled independently. API access can be restricted to specific IP ranges. Each tenant has its own data encryption key that can be changed at any time and is protected by a key encryption key, which is stored separately.
- multi-tier/zone operation support
- separation of system and tenant-level functions
- independent firewalling of system-level functions
- per-tenant data encryption keys
- data encryption keys are protected by separately-stored key encryption keys
- data encryption keys can be changed at any time
Bright Pattern uses a role-based system to control access to specific contact center functions, where access to client data is protected by special privileges. All user accounts are password-protected, and password complexity rules can be enforced at the service provider level for all system- and tenant-level accounts. Passwords are never displayed or stored in clear text. Accounts can be locked out after a pre-defined number of unsuccessful login attempts. Compromised accounts can be deactivated without losing any configuration or historical data associated with them. Inactive admin-level user sessions are terminated automatically.
- password-protected user accounts
- password complexity rules enforceable at service provider level
- account lock-out with a configurable number of unsuccessful login attempts
- account deactivation without loss of configuration or historical data
- forced log-out of inactive user sessions
- role-based access control system
- dedicated privileges for access to sensitive client data
Storage and Transmission of Sensitive Data
All data elements where protected health information (PHI) may appear can be encrypted for storage. This includes voice and screen recordings, email content, chat transcripts, as well as custom fields of calling lists and activity forms. Use of secure protocols can be enforced for all external interfaces involving transmission of this data. Logging of such data can also be completely disabled in production mode.
- encryption of all data elements where PHI may appear
- use of secure protocols for all external interfaces (SSL/TLS, HTTPS, SFTP)
- rendering PHI unreadable in logs
Audit logs contain information about all login sessions, including unsuccessful attempts. For successful logins, all admin-level operations are logged, including the date/time, type of operation, and affected resources. Access to the audit log is protected by a dedicated privilege.
- system-level and tenant-level audit logs
- information about all login sessions including unsuccessful login attempts
- logging of all admin-level operations
- complete audit records (timestamp, user, operation type, and affected resource)
- dedicated privilege for access to audit trail
- configurable audit trail storage time