Data Security and HIPAA Compliance 

HealthStream Research implements industry best practices for data security and integrity in order to assist clients in their overall HIPAA compliance strategies. These include:

Secure data transmission

  • 128-bit SSL (Secure Sockets Layer) encryption for all communications with our file upload web site
  • User ID and password-protected file transfer area
  • Separate 128-bit SSL (Secure Sockets Layer) encrypted site for the transfer of files containing any patient-identifying information (such as patient complaint files)

Internal safeguards

  • Physical access restrictions to data servers, network equipment and telephone equipment
  • Restricted access to individually identifiable health information (IIHI)
  • User IDs and passwords required for access to network and data resources
  • Secure document disposal via a third-party vendor providing certified destruction
  • Firewalled Internet connection
  • Frequent review and analysis of system logs for suspicious activity and intrusion detection
  • Formal security policies and procedures for employees

Disclosure

HealthStream Research maintains strict confidentiality of all data and does not release any data to any third party without written consent.

Disaster recovery

  • Daily backups of all data storage systems
  • Secure storage of archived data: backup media are stored in a fireproof, locked safe within a locked room
  • Backup battery power and redundant power supplies
  • Hot-swap disk storage systems (RAID level 5)

The following notes are based on the final HIPAA Privacy Rule, as modified and published in the Federal Register on August 14, 2002, with a compliance date of April 14, 2003:

According to HIPAA regulation § 164.506(c)(1), “A covered entity may use or disclose protected health information for its own treatment, payment, or health care operations.” HealthStream Research, as a “business associate” bound by written contract, uses patient data on its clients’ behalf to conduct quality-improvement research; such use falls within “health care operations” as defined in § 164.501, paragraph (1) of that definition (quality assessment and improvement activities).

As a covered entity under HIPAA, a health care organization is responsible for ensuring that any business associate to whom patient data are sent implements appropriate safeguards so that the data remain secure.1 We at HealthStream Research have taken steps that go beyond standard security practices in order to give our clients the highest degree of confidence that their data are being handled properly.

1 HIPAA § 164.502(e)(1)(i): “A covered entity may disclose protected health information to a business associate and may allow a business associate to create or receive protected health information on its behalf, if the covered entity obtains satisfactory assurance that the business associate will appropriately safeguard the information.”

Copyright © 2007-2010 HealthStream Research. All rights reserved.