HIPAA Statement
The Health Insurance Portability and Accountability Act (HIPAA) defines a set of policies, procedures, and processes that protect the privacy and security of electronic protected health information (ePHI).
While there is currently no official certification for HIPAA compliance, Chatnels Software Inc. (collectively “Chatnels,” “we,” “us,” or “our”) undergoes annual audits to ensure best practices for ongoing compliance.
Value & Commitment
Chatnels works with many organizations defined as a Covered Entity under HIPAA due to the nature of the services provided. Chatnels believes that protecting consumers’ personal information is a fundamental business requirement.
We are committed to ensuring that our customers’ data is safe, secure, and always available to them. We have instituted policies and procedures to ensure compliance, including, but not limited to, those outlined below.
Chatnels has undergone a comprehensive review of all administrative, technical, and physical safeguards to ensure the protection of ePHI. This includes, but is not limited to:
- Ensuring the confidentiality, integrity, and availability of all ePHI we receive, maintain, or transmit
- Identifying and protecting against reasonably anticipated threats to the security or integrity of the information
- Protecting against reasonably anticipated impermissible uses or disclosures
- Ensuring compliance by our workforce
All policies and procedures related to information and physical security are frequently reviewed to ensure they are up to date and follow any new or revised regulations.
This HIPAA Compliance Statement is meant for informational purposes only and does not constitute any substitute, representation, warranty, or other professional assurance.
A. Protected Health Information (PHI)
Information about health is private, and it should remain private.
Protected Health Information (PHI) is defined as any individually identifiable health information including medical conditions, health status, claims experience, medical histories, physical examinations, genetic information, and evidence of disability.
Electronic Protected Health Information (ePHI) is PHI that is created, stored, transmitted, or received in any electronic format or media.
B. Risk Assessment
Chatnels is hosted in Amazon Web Services (AWS) in the Canada Central region. AWS has System and Organization Controls (SOC) that maintain the security and availability of its facility at all times. Chatnels leverages the standards and practices prescribed by AWS for SOC II compliance to meet the AICPA Trust Services Security, Availability, and Confidentiality Principles and Criteria. AWS’ SOC II compliance provides Chatnels with the necessary tools and frameworks to regularly conduct audit procedures to examine Chatnels’ data security.
C. Business Associate Agreements
HIPAA requires health care providers to enter into “business associate” contracts with certain businesses to which they disclose patient health information. These business associate contracts generally require the recipients of such information to use appropriate safeguards to protect the patient health information they receive.
Chatnels personnel may need access to patient health information maintained by its customers to perform certain service and support functions. As a result, Chatnels is considered a “business associate” of customers to whom it provides such services. As a Business Associate, Chatnels supports the HIPAA requirements and establishes standards and policies according to the terms outlined in our Business Associate Agreements. Chatnels’ business associate agreement will assure its customers that the company will use patient information obtained from them to provide services and support only and will safeguard that information from misuse.
Chatnels customers who are subject to HIPAA and wish to use its Service with PHI must sign a Business Associate Agreement (BAA) with Chatnels. Chatnels customers are responsible for determining whether they are subject to HIPAA requirements and whether they use or intend to use Chatnels’ services in connection with PHI. Customers who have not signed a BAA with Chatnels must not use Chatnels’ services in connection with PHI.
Chatnels makes no warranty or representation on behalf of Covered Entities that they will be in compliance with the HIPAA regulations. Covered Entities, as defined by §164.501, are solely responsible for HIPAA compliance for their own purposes, regardless of their business relationship with Chatnels.
D. Administrative Safeguards
Chatnels has implemented a security management process, including appropriate standard operating procedures (SOPs) and policies. Internal reviews of all administrative safeguards are conducted regularly to ensure compliance and continual improvement.
All employees are required to sign a confidentiality agreement as a condition of employment. Chatnels ensures that all members of our workforce comply with this requirement and maintains documentation supporting compliance. Chatnels includes training on safeguards in the Privacy training provided to all employees. Staff are trained in procedures for carrying out all the administrative, physical, and technical safeguards that Chatnels has in place to guard against unauthorized use or disclosure of individually identifiable health information. Moreover, Chatnels has initiated formal practices to assign appropriate personnel access to data, and actions are in place to govern that data’s proper movement and handling.
Chatnels has a formally established Employee Sanctions Policy should any HIPAA compliance violations occur.
E. Physical Safeguards
Chatnels is hosted in Amazon Web Services (AWS) in the Canada Central region. AWS has System and Organization Controls (SOC) that maintain the security and availability of its facility at all times. Chatnels leverages the standards and practices prescribed by AWS for SOC II compliance to meet the AICPA Trust Services Security, Availability, and Confidentiality Principles and Criteria. AWS’ SOC II compliance provides Chatnels with the necessary tools and frameworks to regularly conduct audit procedures to examine Chatnels’ data security.
F. Technical Safeguards
Chatnels implements technical safeguards such as secured access controls, integrity procedures, firewalls, information systems activity monitoring and other audit mechanisms to record access in information systems that use ePHI, use of encryption, automatic logoffs, password management procedures, and VPN tunnels. To further protect sensitive data, Chatnels follows secured network and software best practices that include user identification, database audit logging, data integrity systems and verified backups, entity authentication programs, and ongoing measures to strengthen data integrity and encryption.
Data Security
All Chatnels personnel are trained on HIPAA privacy and security policies. Staff are sensitized to the rigorous standards required to maintain the security and confidentiality of customer data. Only employees with the highest clearance have access to the data; employee access is logged, and passwords are strictly regulated. We limit access to customers’ data to select employees, and only to provide support and troubleshooting for the customer.
Data access is restricted on several levels and is only possible from a very restricted, secure intranet. We log and audit every instance of access to our systems; these audits are performed regularly, and management reviews the whole process.
Each employee’s level of administrative access is managed using identity and access management (IAM) with multi-factor authentication (MFA).
Network Traffic Security
Firewall rules are used to control bidirectional network communications to our servers, and between all internal IT infrastructure and application components. Our infrastructure is further partitioned and protected by separating public and private subnets.
Data Encryption
Chatnels data on user devices is encrypted where applicable. Data in transit between client applications and servers is protected using SSL/TLS (HTTPS). Chatnels data at rest on the server is encrypted using AES-256. Personally Identifiable Information (PII) is further encrypted at the application layer.
G. HIPAA Compliance Officer
Chatnels has a designated HIPAA Privacy and Security Compliance Officer, and any questions or issues regarding PHI should be presented to the HIPAA Compliance Officer for resolution.
The HIPAA Compliance Officer is also responsible for:
- Issuing procedural guidelines for access to PHI.
- Developing a matrix for personnel who will need access to PHI.
- Developing guidelines describing how and when PHI will be maintained, used, transferred, or transmitted.
H. Records Retention
As required by law, personnel records and disclosures of PHI will be maintained for a period of six years, unless the law requires a longer retention period. Records that have been maintained for the maximum interval will be destroyed in accordance with the company record destruction policy, to ensure that such data are not compromised in the future.
I. Revisions to this Statement
Chatnels reserves the right to change the terms of this Statement at any time, and the changes will be effective immediately and will apply to all PHI that we maintain. We encourage you to visit the website frequently as any material changes to the Statement will be promptly posted to our website.
J. Contacting Chatnels
We support your right to privacy of your PHI. For any further information or documentation regarding Chatnels’ HIPAA Compliance or information practices, contact us at support@qaw.chatnels.com.