A covered entity must comply with the applicable standards, implementation specifications, and requirements of this subpart with respect to electronic protected health information.
A covered entity must, in accordance with §164.306: (a)(1) Standard: Access control. Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in §164.308(a)(4).
(2) Implementation specifications:
(i) Unique user identification (Required). Assign a unique name and/or number for identifying and tracking user identity.
All registered users of Open ACU have a unique username.
(ii) Emergency access procedure (Required). Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.
Closed circuit televisions and 24x7x365 onsite security teams vigilantly protect our data centers. Military-grade pass card access and biometric finger scan units provide even further security.
Regulated Climate Control
Your servers will always be kept at the optimal temperature for performance. Our heating ventilation air conditioning (HVAC) systems have full particle filtering and humidity control. The climate within each of our data centers is maintained according to ASHRAE Guidelines.
Our on-site, diesel-powered generators and uninterruptible power systems (UPS) deliver redundant power if a critical incident occurs. We regularly test our infrastructure to perform as designed in the event of an emergency. And we back it all up with our 100% Power SLA and 100% Network Uptime SLA.
Total NOC Support
While the majority of data center sites are network neutral, we have our own on-site NOC (Network Operations Center), managing 13,000 route miles of fiber around the world. This network is supported by engineers and Level III system administrators that deliver support 24x7x365.
(iii) Automatic logoff (Addressable). Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
Open ACU has automatic logoff features. After an extended period of session time, a user will be automatically logged off.
(iv) Encryption and decryption (Addressable). Implement a mechanism to encrypt and decrypt electronic protected health information.
Open ACU encrypts secure data health information.
(b) Standard: Audit controls. Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
Open ACU tracks user activity for security auditing using logs.
(c)(1) Standard: Integrity. Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.
Only authorized Open ACU users have the ability to change information. The user is able to download copies of completed notes to their own computer to maintain their own records if they choose.
(2) Implementation specification: Mechanism to authenticate electronic protected health information (Addressable). Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.
(d) Standard: Person or entity authentication. Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
Open ACU requires secure authentication before access is granted to health information.
(e)(1) Standard: Transmission security. Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.
All communication is encrypted using 256-bit SSL for transmission.
(2) Implementation specifications:
(i) Integrity controls (Addressable). Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.
After a clinical note has been finalized and saved, it is not possible to modify or delete that clinical note. However, an addendum may be added to that note.
(ii) Encryption (Addressable). Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.
Open ACU uses encryption methods to secure data.