Is FileStuff.ca PIPEDA, HIPAA and HITECH compliant?
As our business has grown, we have come to host many clients that transfer highly critical information which must remain confidential under strict privacy standards for both Canadian and USA companies. We follow strict guidelines and work closely with clients to ensure their application remains compliant. We are confident our software can be used as a key tool in our clients' compliance arsenal, as it was built with PIPEDA ("Personal Information Protection and Electronic Documents Act"), HIPAA ("Health Insurance Portability and Accountability Act") and the HITECH Act ("Health Information Technology for Economic and Clinical Health" Act) in mind. We serve data for a wide range of professions each day, including the legal industry, government, health care and life sciences.
Generally speaking, compliance is determined by adherence to the privacy and security rules outlined by PIPEDA, HIPAA and the HITECH Act. Hosting your data in a compliant hosting environment such as ours does not make your data compliant by default, as this only addresses the physical safeguard requirements of the PIPEDA and HIPAA security rules. There are many aspects to these privacy acts, requiring individual organizations to take administrative steps to ensure they are also compliant.
We have implemented the following PIPEDA and HIPAA Standards:
Implementation of a Secure Facility Plan, which includes:
- High security facilities located in disaster neutral geographic locations (Saskatoon, Saskatchewan)
- Closed circuit TV security cameras, redundantly covering highly secure locations, with offsite camera backups
- Sensitive data room access with biometric scanners
- Police background checks for employees and approved contractors
- Local (Canadian) programmers and contractors only
- Canadian data centres privately owned and operated
- Multi-level transport-layer and data-storage AES encryption technologies
- Designed with SSAE 16 compliance in mind
Implementation of Access Control and Validation Procedures, which include:
- Site entrance controlled by electronic perimeter access card system
- Server room access by 'need to know, need to access' admins only
- Logging access to the data centres, requiring secure credentials
- Multi-level employee and contractor sign-in and sign-out processes
- Visitor control, with SSAE 16 in mind
Implementation of Contingency Operations, which include:
- Multi-pathed fiber to locations and between data room spaces
- Dry pipe pre-action fire systems, tested regularly
- Continuous backup to alternate BlackSun facility
- Incremental snapshots
- Custom backup controls for specific client requirements
- Backup of highly sensitive data prior to equipment moves, where applicable
- Note: "FileStuff" data protected by AES military-grade encryption may not be recoverable if the client does not give access to a BlackSun administrator
Implementation of Maintenance Records, which include:
- Service records related to electronic and physical door locks
- Service records relating to all internal network routing, security and delivery upgrades
- Addition, removal, upgrade and maintenance of security cameras
Implementation of Media re-use and destruction policies, which include:
- Removal/destruction of workstation data prior to servicing offsite
- Implementation of policies to track and handle equipment that may contain sensitive client data (health care industries, etc.)
- Data destruction on failed or decommissioned equipment
Health Care and Life Science Case Studies, which include:
- Doctors, researchers and other experts need to share sensitive data internally and with external peers
- Mobile physician knowledge-base
- Sharing patient test results, research findings and confidential clinical information
Consider the scenario where patient information must be shared among a radiologist, an oncologist and a neurosurgeon who are consulting on a time-critical case. Some experts need to view data, while others need the ability to enhance raw data with new information, insights and revisions. Email is commonly used today for document sharing but is notoriously insecure, non-compliant and prone to data leakage.
Cloud-based file sharing services are convenient, but using them for sensitive data exposes organizations to privacy violations and their associated consequences. Using FileStuff.ca, healthcare and life science collaborations can be achieved in a secure, compliant, auditable manner. All content is available on physicians' smartphones, tablets and desktop systems at the push of a button. Using our file syncing application, doctors can improve patient care and save lives by sharing critical care content from anywhere, at any time.