HIPAA

What is HIPAA?

The Health Insurance Portability and Accountability Act (“HIPAA”) requires certain companies and individuals to take steps to protect medical records and other types of sensitive information.  Under HIPAA, this information is called “protected health information” or “PHI” for short.  HIPAA prohibits disclosing PHI under some circumstances and requires people and companies who handle PHI to take certain steps to protect it.  For example, the HIPAA Security Rule calls for electronic PHI to be encrypted when it is in transit (this is an “addressable” specification, meaning an organization must either implement it or document why an equivalent safeguard is reasonable in its environment).  While HIPAA restricts who can access PHI and when it can be disclosed, doctors, counselors, and social workers can communicate with foster parents and each other for treatment purposes without a signed authorization. (45 C.F.R. § 164.502(a)(1) (2009).)

Additionally, covered entities may disclose health care information to individuals, parents, and other representatives, including persons who are acting in loco parentis (persons having the authority to act on behalf of the child in making health care decisions), without a signed authorization.  HIPAA defers to state law in defining who is an appropriate representative for a minor. (45 C.F.R. § 164.502(g)(3) (2009).)

HIPAA also gives patients, parents, foster parents and guardians certain rights with respect to their, or their children’s, PHI.  PHI belongs to patients, parents or other legal guardians.  This means they can share their children's PHI with whoever they want, including FosterCare.Team.  We encourage everyone to be careful about sharing PHI and other sensitive information and, as you will see below, we take steps to make sure any PHI or information you share with us is safe and secure.  Additionally, just because you can share PHI, it doesn't mean you should.  For example, we do not encourage counselors to upload unrestricted session notes into FosterCare.Team for the entire team to read.  If it's not something you would share in person with everyone on the team, then don't share it online with everyone on your team.  Instead, session notes can be uploaded with custom access privileges limiting who on the team can access the information.

Does HIPAA apply to FosterCare.Team?

HIPAA applies to “covered entities” and “business associates.”  Covered entities include hospitals, doctors, insurers and, sometimes, employers.  Business associates are entities that perform certain tasks for covered entities.  Business associates include lawyers, accountants, medical record companies and other entities that store or transmit PHI to and/or from covered entities. 

FosterCare.Team is not considered a covered entity or a business associate.  This is the assessment of multiple HIPAA attorneys and multiple consulting firms that specialize in making companies HIPAA compliant.  FosterCare.Team is a private, pay-to-access site where professionals responsible for the care, well-being, and supervision of a foster child can upload information, including PHI, for viewing by other members of their private foster care team who are also responsible for the care, well-being, and supervision of the foster child.

Does FosterCare.Team still comply with HIPAA?

The short answer is, yes!  FosterCare.Team recognizes foster parents, guardians, caseworkers and others use our website to share sensitive information and sometimes PHI.  We want to make sure that information is safe and secure and viewed only by people you have authorized to view it.  We also want our agency partners to feel comfortable working with us, so we take the steps required by HIPAA to protect your information and we are willing to sign a Business Associate Agreement (BAA) with your agency.

The loss or compromise of protected health information can cause irreparable damage to an agency's reputation and may also carry serious legal penalties.  To ensure our customers are protected, we make sure that technical controls, backup management, safeguards and physical security policies are in place, so that your data is secured to industry standards.

Securing Your Healthcare Data

  • US-based data center
  • 24/7/365 on-site data center support
  • Fully Managed Server
  • Instant offsite backup
  • Server secured in a locked cabinet
  • High Availability Infrastructure
  • Business Associate Agreement (BAA) Available
  • Extensive Safeguards

 

Data Center Physical System Security

Minimize Risk of Loss and Theft

  • 24/7/365 Manned Facility
  • Closed Circuit TV Security Cameras
  • Monitored 24/7/365 by 3rd Party Security Company
  • Site Entrance Controlled by Electronic Perimeter Access Card System

Minimize Risk of Damage

  • High Security Facility
  • Privately Owned and Operated Data Centers
  • Durable, Poured Concrete External Walls
  • Disaster Neutral Geographic Locations

Advanced Fire Prevention Infrastructure

  • Dry Pipe Preaction, Double Interlock System
  • NFPA 13 Compliant

Security Zones

  • Office Space Separate from Data Center Space
  • Advanced Proximity Credentials Required to Access Data Center
  • All Employees Receive Full Background Check
  • Key Locked Physical Server Rack Enclosures Available
  • Component Level Redundancy Available for Hard Drives
  • Hot and Cold Spare On-site Servers Available

Entry Security - Access Controls

  • Exterior Entrances Secured by Mantraps with Interlocking Doors
  • Access to the Data Center Space Requires Secure Credentials

Uninterruptible Power Supplies (UPS)

  • Multiple N+1 MPS Generators
  • Multiple Fuel Contracts Ensure Fuel Availability for Generators
  • Multiple N+1 UPS Systems with 30 Minute Minimum Runtime
  • Server Chassis Feature Redundant Power Supplies
  • Server Chassis Have A/B Power Configurations
  • Redundant ASCO Closed Transition Bypass Isolation Transfer Switches
  • Capability to Provide Tier-4 Power
  • Four 10 Megawatt Feeds Available
  • Diverse Paths from Substation
  • 2N Power Available

 

Network Configuration and Technical Security

  • Fully Managed Hardware Cisco Firewall
  • Qualified Engineers Available 24/7/365
  • Outbound and Inbound Traffic Filtering
  • Intrusion Detection/Intrusion Prevention Modules
  • Network Redundancy Ensures Failover
  • Diverse Connectivity Fiber Paths Into Building
  • Dedicated Meet-Me Room
  • Carrier Neutral
  • On-net transport to most major global cities

 

Backup Management

Your data is continuously protected by our robust Guardian backup solution.  Guardian continuously captures our entire system configuration to an off-site facility for disaster recovery.  Guardian uses replication, synchronization, and point-in-time snapshots to protect our complete server environment, so our Sonar® Monitoring team can recover our exact server configuration in the case of a catastrophic event.  When you pair the Guardian backup solution with our state-of-the-art, secure data center - featuring SSAE-16, PCI compliance, Safe Harbor Certification, and 24x7x365 on-site support - our data center can ensure unparalleled uptime and safeguard against data loss in even the most extreme circumstances.

 

Security Services

  • Brute Force Detection and Prevention
  • Apache DOS Prevention/Protection
  • Daily CXS Scan
  • Hardened SSH/cPanel/FTP
  • Hardened Webserver & PHP
  • Monthly Nessus® Vulnerability Scans
  • DDOS Attack Protection/Mitigation
  • Detect and Block Emerging Application-Layer DDoS Attacks
  • Prevent Illegitimate Botnet Communications
  • Leverage Real-time Security Intelligence
  • Mitigate Volumetric Attacks
  • Block Illegitimate traffic

 

Site Features

  • Banking-level encryption to secure data in transit
  • Username and password required for access
  • All login attempts are monitored and logged
  • IP address tracking
  • Automatic temporary lock out after 5 failed login attempts
  • Page views and file downloads tracked by user ID
  • Automatic logout after a period of inactivity
  • All employees and contractors are HIPAA trained
  • We have a disaster recovery plan in place
  • We have a privacy policy listed on our website
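The three login controls listed above (every attempt logged with its source IP, a temporary lockout after 5 failed attempts, and automatic logout after inactivity) can be modelled in a few dozen lines. The following is an added example written for this page, not FosterCare.Team's own code; the 15-minute lockout length, the 10-minute idle window, the in-memory stores and the sample usernames and IP address are assumptions chosen for illustration.

```python
"""Login audit logging, temporary account lockout and idle-session expiry.

Added example (not FosterCare.Team's code).  Assumptions: lockout length,
idle window, in-memory stores and the sample inputs in demo() are all
illustrative; a real deployment would persist these in a database.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 5          # the page states 5 failed attempts
LOCKOUT_SECONDS = 15 * 60        # assumed length of the temporary lockout
IDLE_TIMEOUT_SECONDS = 10 * 60   # assumed inactivity window before auto-logout


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    failed_attempts: int = 0
    locked_until: float = 0.0    # epoch seconds; 0 means not locked


@dataclass
class Session:
    username: str
    last_activity: float


class AuthService:
    """Caller passes `now` (epoch seconds) so the behaviour is testable."""

    def __init__(self):
        self.accounts = {}
        self.sessions = {}
        self.audit_log = []      # one record per login attempt, success or not

    def register(self, username: str, password: str) -> None:
        salt, digest = hash_password(password)
        self.accounts[username] = Account(username, salt, digest)

    def _log(self, now: float, username: str, ip: str, outcome: str) -> None:
        self.audit_log.append({"ts": now, "user": username, "ip": ip, "outcome": outcome})

    def login(self, username: str, password: str, ip: str, now: float):
        """Return a session token on success, None on any failure."""
        acct = self.accounts.get(username)
        if acct is None:
            # Logged, but answered exactly like a bad password so the
            # response does not reveal which usernames exist.
            self._log(now, username, ip, "failure:unknown_user")
            return None
        if acct.locked_until > now:
            # Even a correct password is refused while the lock is active.
            self._log(now, username, ip, "failure:locked")
            return None
        _, digest = hash_password(password, acct.salt)
        if not hmac.compare_digest(digest, acct.digest):
            acct.failed_attempts += 1
            if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
                acct.locked_until = now + LOCKOUT_SECONDS
                acct.failed_attempts = 0   # fresh count once the lock expires
                self._log(now, username, ip, "failure:lockout_triggered")
            else:
                self._log(now, username, ip, "failure:bad_password")
            return None
        acct.failed_attempts = 0           # a success clears the counter
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(username, now)
        self._log(now, username, ip, "success")
        return token

    def touch(self, token: str, now: float):
        """Call on every request: returns the username, or None if expired."""
        sess = self.sessions.get(token)
        if sess is None:
            return None
        if now - sess.last_activity > IDLE_TIMEOUT_SECONDS:
            del self.sessions[token]       # automatic logout after inactivity
            return None
        sess.last_activity = now
        return sess.username


def demo() -> list:
    """Constructed scenario: 5 wrong passwords, one attempt during lockout,
    then a successful login after the lock expires.  Returns the audit outcomes."""
    svc = AuthService()
    svc.register("alice", "correct horse battery staple")
    ip = "203.0.113.5"                     # constructed sample address
    t0 = 1_000.0
    for i in range(MAX_FAILED_ATTEMPTS):
        svc.login("alice", "wrong", ip, t0 + i)
    svc.login("alice", "correct horse battery staple", ip, t0 + 60)   # still locked
    svc.login("alice", "correct horse battery staple", ip, t0 + LOCKOUT_SECONDS + 60)
    return [rec["outcome"] for rec in svc.audit_log]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Two design points worth noting: the lock is keyed on the account, not the source IP, so an attacker rotating addresses still cannot exceed five guesses per window, and the unknown-user and bad-password paths return the same result to the caller so that the login response does not enumerate valid usernames.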