HIPAA Compliance
Note that whether a SpeedBase deployment is HIPAA (Health Insurance Portability and Accountability Act) compliant is not determined by software features alone;
it depends largely on how your organization handles data.
Below are the key aspects of HIPAA compliance and the tools SpeedBase provides to help you make your organization HIPAA compliant.
Access Control:
SpeedBase restricts data access behind a login window and provides Role-Based Access Control (RBAC) to limit data access to authorized staff only,
based on their role within the organization.
This (the least privilege principle) ensures that users have the minimum level of access necessary to perform their job functions, reducing the potential for accidental or
malicious data changes.
For SQL Server Backend: SQL Server has its own mechanisms for encrypting data in transit (TLS for client connections) and at rest (Transparent Data Encryption); these are not enabled by default and must be configured by the database administrator.
SpeedBase adds a further safeguard: selected fields that hold sensitive information can be encrypted or hidden (data masking).
Duplicate login sessions are prevented by automatically logging off the earlier session.
Audit Controls:
SpeedBase can create event logs whose level of detail you may adjust. Examples of such events are logons, configuration changes, and data inserts, updates or deletions.
For built-in Database Backend (default): A historical data view is available that shows a record as it was saved at earlier points in time.
Integrity Controls:
You may classify information into separate catalogs and filtered views, and store data in different types of data fields, each with its own data validation options and methods (input validation).
More complex validation rules can be added on top of that by implementing short scripts.
Backup and Disaster Recovery:
For built-in Database Backend (default): A robust backup and recovery system is available when the snapshot backup system and automated cloud backup are enabled.
For SQL Server backend: You may implement any backup system you wish to periodically back up the SQL Server database and to safeguard the resulting backup files. Verify that backups can actually be restored; an untested backup file is not a recovery plan.
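As an added example (not SpeedBase's own backup tooling or documentation), the following T-SQL shows one way to implement such a backup routine for a SQL Server backend: a checksummed, encrypted full backup, a log backup, verification of the backup file, and a query confirming that backups are actually running. The database name SpeedBase, the certificate name SpeedBaseBackupCert and the file paths are assumptions for illustration.

```sql
-- Added example; not part of the SpeedBase product. The database name 'SpeedBase',
-- the certificate 'SpeedBaseBackupCert' and the paths below are assumptions.

-- Full backup, encrypted on disk, with page checksums so that corruption is
-- detected at backup time rather than at the moment you need the restore.
-- (Backup encryption requires a server certificate that already exists, and is
-- not available for creating backups in SQL Server Express edition.)
BACKUP DATABASE SpeedBase
    TO DISK = 'D:\Backups\SpeedBase_full.bak'
    WITH CHECKSUM, COMPRESSION, INIT,
         ENCRYPTION (ALGORITHM = AES_256, SERVER CERTIFICATE = SpeedBaseBackupCert);

-- Periodic transaction log backups keep the recovery point small
-- (the database must use the FULL recovery model).
BACKUP LOG SpeedBase
    TO DISK = 'D:\Backups\SpeedBase_log.trn'
    WITH CHECKSUM, COMPRESSION;

-- RESTORE VERIFYONLY reads the whole backup file and recomputes the
-- checksums without restoring anything; run it after every full backup.
RESTORE VERIFYONLY
    FROM DISK = 'D:\Backups\SpeedBase_full.bak'
    WITH CHECKSUM;

-- Evidence for an audit: the most recent full (type 'D') and log (type 'L')
-- backup of the database, taken from the msdb backup history.
SELECT database_name, type, MAX(backup_finish_date) AS last_backup
FROM msdb.dbo.backupset
WHERE database_name = 'SpeedBase'
GROUP BY database_name, type;
```

Schedule the full and log backups with SQL Server Agent or another scheduler, keep the backup certificate and its private key backed up separately from the database (an encrypted backup is unrestorable without it), and store the .bak/.trn files on media that is itself protected under your physical safeguards.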
Transmission Security & Encryption:
For built-in Database Backend (default): Since data transfer is only possible within your local network, the transmission cannot be intercepted by any internet user outside that network. Protecting the local network itself (for example against rogue devices on the same LAN or Wi-Fi) remains your responsibility.
If you have set up a VPN connection to access your database remotely, the VPN software is responsible for encrypting the transmitted data.
You are recommended to keep your database and related data on encrypted storage media.
For SQL Server Backend: SQL Server can encrypt data in transit (TLS, enforced with the instance's Force Encryption setting) and at rest (Transparent Data Encryption). Both must be explicitly enabled and verified; neither is on by default.
You are recommended to use SQL Server as the backend for better HIPAA compliance.
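To verify that the two SQL Server encryption layers described above are actually in effect rather than assumed, here is an added example (not SpeedBase product code or documentation) in T-SQL. It checks whether the current connection is TLS-encrypted, lists which databases have Transparent Data Encryption enabled, and then enables TDE on the application database. The database name SpeedBase, the certificate name SpeedBaseTdeCert and the file paths are assumptions.

```sql
-- Added example; not part of the SpeedBase product. 'SpeedBase',
-- 'SpeedBaseTdeCert' and the paths are assumptions for illustration.

-- 1. Transport encryption: is THIS session encrypted? encrypt_option must be
--    'TRUE'. It is 'FALSE' until TLS is forced on the instance or requested
--    by the client connection string.
SELECT session_id, encrypt_option, auth_scheme, client_net_address
FROM sys.dm_exec_connections
WHERE session_id = @@SPID;

-- 2. Encryption at rest: which user databases have TDE switched on?
--    encryption_state 3 = encrypted; NULL or 0 = no encryption key at all.
SELECT d.name, d.is_encrypted, e.encryption_state
FROM sys.databases AS d
LEFT JOIN sys.dm_database_encryption_keys AS e
       ON e.database_id = d.database_id
WHERE d.database_id > 4;   -- skip master, tempdb, model, msdb

-- 3. Enable TDE on the application database if is_encrypted = 0.
--    Skip CREATE MASTER KEY if the instance already has one.
USE master;
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong password here>';
CREATE CERTIFICATE SpeedBaseTdeCert WITH SUBJECT = 'SpeedBase TDE certificate';

-- Back up the certificate immediately: without it the database and every
-- backup taken after this point cannot be restored on another server.
BACKUP CERTIFICATE SpeedBaseTdeCert
    TO FILE = 'C:\Secure\SpeedBaseTdeCert.cer'
    WITH PRIVATE KEY (FILE = 'C:\Secure\SpeedBaseTdeCert.pvk',
                      ENCRYPTION BY PASSWORD = '<strong password here>');

USE SpeedBase;
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE SpeedBaseTdeCert;
ALTER DATABASE SpeedBase SET ENCRYPTION ON;

-- Re-run query 2 afterwards: encryption_state moves from 2 (in progress)
-- to 3 once the background scan has encrypted all pages.
```

Query 1 is the check to run from a SpeedBase client workstation, since it reports what the client actually negotiated; query 2 is the evidence an auditor will ask for. Store the exported certificate and private key files separately from the database backups and under the same physical safeguards as the server.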
Business Associate Agreement (BAA):
If the database is hosted or operated by a third party, that third party must sign a Business Associate Agreement with the covered entity (the organization handling the PHI).
The BAA ensures that the third party also adheres to HIPAA regulations.
A BAA is not needed if you are using the default built-in database backend or host your SQL Server database on your own premises, because no third party
(including SpeedBase Software) hosts or has access to your database. Your data stays with you only.
You may need such an agreement if your SQL Server database, or copies of your data such as backups, are hosted by a third-party provider.
Physical Safeguards:
These include facility access controls, workstation use policies, and device and media controls to protect the physical hardware (servers, workstations, backup media) that stores PHI.
Consult the HIPAA documentation to understand how to make your workplace compliant at the physical level.