The Health Insurance Portability and Accountability Act (HIPAA) was signed into law in August 1996 and is designed to improve the effectiveness and efficiency of the U.S. healthcare system and mandates national standards in several areas.
Among HIPAA regulations are two important provisions:
Title I Cobra (portability) – designed to protect workers and families from the loss of health insurance coverage as the result of a job change or termination i.e. the Security Rule
Title II Administrative Simplification (AS) – designed to simplify the administration of healthcare and to protect the privacy of individually identifiable health information i.e. the Privacy Rule
Bonterra is compliant with all requirements of the HIPAA act signed into law in 1996. Bonterra is committed to maintaining the highest levels of information security.
The guiding principles of HIPAA can be summarized in the sections below and details on how each applies to ETO are included.
Tracking Who Did What
Audit trails for demographic information, participant program history, TouchPoints, and Collections includes tracking of the following: old value, new value, date changed and user who made the changes.
User Roles and Security
ETO software utilizes user name and password functionality to prevent unauthorized application access and roles to restrict user access to components within the application. Each unique user account is assigned access to particular programs and also assigned one of nine levels of access which can be customized to allow users access to certain features. Role levels typically range from the administrator, who manages all the structural elements of the system, or program managers who have access to individual and aggregate staff and client information, to end-users who have the narrowest access. A user or a local site administrator can change/reset a password as needed. Bonterra Customer Support Center will never reset a user’s password and provide them with the password, but Support will, instruct a user how to reset their own password
Password Controls
Bonterra recognizes the importance of maintaining secure and confidential access to client data. Toward that end, ETO software offers highly sensitive password protection and management functionality.
All users have a unique identifier (i.e. username)
Passwords can be set to have a minimum length and contain a minimum number of numeric and non-alpha-numeric characters
Passwords can be reset
Passwords can be set to expire
Passwords can be restricted to only be updated once per day
Passwords can be restricted so a user cannot use any of the previous four passwords
Passwords are stored encrypted
Passwords are not displayed upon entry
Program Security
Data housed in ETO is stored and processed separately by program. For example, users who are working on the ABC project access and process ETO data separately from users working on the XYZ project. Therefore users assigned to a program can only see data for the participants, services, or outcomes associated with that program. This protection can extend down to an optional caseload level, as needed, where one user can only see data related to participants assigned to his/her own caseload.
Email and Messaging
Internal emails that are sent within ETO require the recipient log in to ETO to read the message. These messages are maintained in history for 60 days. External emails that are sent within ETO do not contain full PII.
Backups and Uptime
Bonterra, Inc. uses Amazon Web Services (AWS) hosting facilities for data protection, disaster recovery, and backup strategy. As part of this partnership, Bonterra’s clients receive the benefit of a world class managed and fully redundant data center infrastructure.
All ETO software servers are backed up nightly using Quest/Dell NetVault Backup software. For added security, the backup data is encrypted using AES-256 algorithm.
Disaster & Data Recovery
Bonterra, Inc. uses Amazon Web Services (AWS) hosting facilities for data protection, disaster recovery, and backup strategy. As part of this partnership, Bonterra’s clients receive the benefit of a world class managed and fully redundant data center infrastructure.
Best Practices/Certification
AWS security certifications such as SOC1 allow us to remain compliant with your data. Standards such as AES 256, which enables encryption of data at rest, ensures no one can view your data. Amazon Virtual Private Cloud allows us to create a private facing subnet for databases and application servers, in order to have more security control around your mission critical workloads.
Redundant Infrastructure
24/7/365 monitoring of up-time across the infrastructure.
Fully redundant internet connections.
Redundant Utility Feeds and power backed up by multiple UPS and power generators.
Objects are redundantly stored on multiple devices across multiple facilities within a region.
Backups
All ETO software servers are backed up nightly using Quest/Dell NetVault Backup software. For added security, the backup data is encrypted using AES-256 algorithm.
Schedule
Nightly full backup of all ETO Data using AES-256 encryption algorithm.
Email eto@bonterratech.com if you have additional questions.