Nurse-1-1 HIPAA Compliance Technical Summary

Last Updated: November 13, 2023

NOTICE
The information in this document is the property of Videwell, Inc. Unauthorized use is prohibited.

Introduction

Videwell, Inc. (herein referred to as “Nurse-1-1”) is committed to ensuring the confidentiality, integrity, and availability of all electronic protected health information (“ePHI”) it receives, maintains, processes, and/or transmits. As a provider of secure health chats between nurses and advanced practitioners (“Health Experts”), agents of Nurse-1-1’s customers (“Agents”), and individual users (“Users”), we understand and take seriously our obligation to provide a secure and confidential software communication platform for our Customers, Agents, Health Experts, and Users. This document addresses core policies and procedures implemented by Nurse-1-1 to maintain compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and assure that proper protections of infrastructure are in place when receiving, storing, processing, and/or transmitting ePHI using Nurse-1-1 technology.

Nurse-1-1 strives to comply with applicable standards and implementation specifications of the HIPAA Security Rule set forth in 45 C.F.R. § 164, Subpart C by implementing administrative, physical and technical safeguards that reasonably and appropriately protect the ePHI it receives, maintains, processes, and/or transmits, and to build a solid security infrastructure that passes HITRUST CSF Self-Assessment and Certification. Nurse-1-1 signs business associate agreements (“BAAs”) with its covered entity customers (“Customers”), and any Nurse-1-1 subcontractors that receive, maintain, process and/or transmit Customer ePHI on behalf of Nurse-1-1. These BAAs outline the respective obligations of the parties concerning the use and disclosure of ePHI, as well as liability in the case of a breach.

Nurse-1-1 periodically reviews its policies and procedures, updating them as needed, in response to environmental or operational changes affecting the security of ePHI. All Nurse-1-1 workforce members receive initial and ongoing HIPAA and security training and are expected to fully comply with Nurse-1-1’s policies and the policies set forth herein.

As a lead-in, below is a high-level summary of our major architecture, our guiding principles, and how they maximize our security posture.

| Need | Nurse-1-1 Approach |
| --- | --- |
| Encryption | All ePHI data is encrypted in transit, end to end, and at rest using AES 256 CBC encryption. At this time, audit logs of usernames are not encrypted; however, the logs do not include any ePHI. |
| Minimum Necessary Access | Access to recordings of interactions with Users is limited only to Agents, Nurse-1-1 auditors, the Health Experts who have been given proper authorization and undergone training, and the Nurse-1-1 Security Team. Once the viewer of ePHI data has logged in and logged their reasoning to the Nurse-1-1 PHI Access logs, encrypted PHI will be decrypted during the viewer’s audit session. |
| System Access Tracking | All access authorizations and changes of access, as well as access to decryption keys, are tracked and retained. Access to chats results in entries in the Nurse-1-1 PHI Access logs. Prior to access, the viewer will need to enter their login information (username and password) and provide a reason for accessing the given chat. PHI access logs are accessible to Customers in their Nurse-1-1 dashboard. Accessing the PHI access logs also results in entries in the Nurse-1-1 PHI Access logs. At this time, PHI access logs of usernames are not encrypted; however, the logs do not include any ePHI. |
| Monitoring | All successful logins are tracked and retained. A plan is currently under construction for regular review for any suspicious activity. |
| Auditing | ePHI is encrypted and stored to maintain integrity, enabling secure access to full historical health interactions. Audit log data is not encrypted, but does not include any ePHI. |
| Minimum Risk to Architecture | Access to encrypted ePHI by anyone other than the User, Customer, Agent, and Health Expert involved in the exchange of that ePHI is limited to the Nurse-1-1 Security Team. Access to a personalized decryption key that is securely stored may only be requested by the Nurse-1-1 Security Team or other senior personnel who have been authorized by the Nurse-1-1 HIPAA Security Officer. All access is logged, retained, and frequently reviewed to prevent any breach. |
| Vulnerability Scanning | A protocol is currently under construction that will employ a vulnerability scanning tool that periodically scans the Nurse-1-1 environment to ensure security measures are in place. |
| Intrusion Detection | A protocol is currently under construction that will employ an intrusion detection tool that alerts the Nurse-1-1 Security Team of any suspicious activity. |
| Backup | Nurse-1-1 employs Amazon Web Services (“AWS”) for server management and data storage that is HIPAA-compliant through a BAA. Nurse-1-1 relies on AWS’ established protocols for data backup. |
| Disaster Recovery | In the case of a disastrous event, our Amazon Elastic Compute Cloud (“Amazon EC2”) instances would be restarted and databases would be restored from the most recent Snapshot (defined below). While the Nurse-1-1 service is disabled, an error page will be displayed which informs Users of the proper steps to take in order to receive an immediate response to their health need. |
| Documentation | All policies and procedures that make up our security and compliance program are stored in Nurse-1-1’s shared, secure Google drive (Nurse-1-1 has signed a BAA with G Suite). |
| Risk Management | We proactively perform risk assessments to assure changes to our infrastructure do not expose new risks to ePHI. Risk mitigation is done before changes are pushed to production. |
| Workforce Training | Although limited workforce members have access to the ePHI of our Users, all Nurse-1-1 workforce members receive initial and ongoing HIPAA and security training. |

Technical Safeguards

This section of HIPAA outlines the technology and the policy and procedures for its use that protect electronic protected health information and control access to it. It is important to note that these requirements are not prescriptive, and there is flexibility in implementation. The key is that measures that are reasonable and appropriate are implemented to safeguard ePHI.

Transmission Security 

| Standard | Description |
| --- | --- |
| Integrity Controls (A) | Implement security measures to ensure that electronically transmitted ePHI is not improperly modified without detection until disposed of. |
| Encryption (A) | Implement a mechanism to encrypt ePHI whenever deemed appropriate. |

All data used by Nurse-1-1 is transferred using the TLS 1.2 encryption protocol.

Access Controls 

| Standard | Description |
| --- | --- |
| Unique User Identification (Req) | Assign a unique name and/or number for identifying and tracking user identity. |
| Emergency Access Procedure (Req) | Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency. |
| Automatic Logoff (A) | Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity. |
| Encryption and Decryption (A) | Implement a method to encrypt and decrypt electronic protected health information. |

User Identification

All users within the Nurse-1-1 environment, including workforce members, Users, Agents, and Health Experts, create a unique user-name and password upon first log-in.

Emergency Access

Nurse-1-1 has procedures and a process for obtaining access to ePHI should an emergency or disaster occur.

Automatic Logoff

Nurse-1-1 is currently building session timeout features to terminate both User and Health Expert sessions after a period of 24 hours of inactivity. 

Encryption

Nurse-1-1 encrypts data in its environment using AES 256 CBC encryption. Additionally, all data in transit is encrypted end to end.

Integrity

| Standard | Description |
| --- | --- |
| Mechanism to Authenticate Electronic Protected Health Information (A) | Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner. |

Accessing ePHI for Authentication

Internally at Nurse-1-1, only Nurse-1-1 workforce members with proper authorization have access to an electronic key that can decrypt chats on the database that may contain ePHI. Those with authorization will regularly review chats containing ePHI to ensure quality as well as corroborate that ePHI has not been altered or destroyed in an unauthorized manner. The electronic keys are the only way to access encrypted PHI and decrypt it for review.

Customer Agents have access to ePHI while using the Nurse-1-1 dashboard. The Nurse-1-1 dashboard allows Agents to access chats containing ePHI after they re-enter their username and password and state their reason for accessing a given chat. A log is then created that records the Agent account, a timestamp, and the reason given for the access. At that time, the contents of the chat and any contained ePHI will be decrypted for the Agent to audit. The decrypted contents of the chat will only remain decrypted during that given session.
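The access flow described above, sketched as an added example (this is not Nurse-1-1's code): re-authentication and a stated reason are checked, the log entry is written before anything is decrypted, and reading the log is itself logged. The class, field names, account and password are hypothetical, the `decrypt` callable is a stand-in for the real AES-256-CBC step, and recording denied attempts goes beyond what the page states.

```python
import hashlib
import hmac
from datetime import datetime, timezone

class AccessDenied(Exception):
    pass

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class PhiAccessGate:
    """Hypothetical gate: re-authenticate, require a reason, log, then decrypt."""
    def __init__(self, credentials, decrypt):
        self._credentials = credentials  # account -> (salt, password hash)
        self._decrypt = decrypt          # assumption: caller supplies the real cipher
        self.access_log = []             # account, timestamp, reason; never chat content

    def _record(self, account, action, reason, granted):
        self.access_log.append({
            "account": account,
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "action": action, "reason": reason, "granted": granted,
        })

    def open_chat(self, account, password, reason, chat_id, ciphertext):
        # Unknown accounts still pay for a hash so timing does not reveal them.
        salt, stored = self._credentials.get(account, (b"\0" * 16, b""))
        authenticated = hmac.compare_digest(hash_password(password, salt), stored)
        reason = reason.strip()
        granted = authenticated and bool(reason)
        # The entry is written before decryption, for denied attempts as well.
        self._record(account, "view_chat:" + chat_id, reason, granted)
        if not granted:
            raise AccessDenied("re-authentication and a reason are both required")
        return self._decrypt(ciphertext)  # returned for this session, not stored

    def read_access_log(self, account):
        # Viewing the PHI access log is itself an access event.
        self._record(account, "view_access_log", "log review", True)
        return list(self.access_log)

def make_demo_gate():
    # Constructed sample account; byte reversal only stands in for decryption.
    salt = b"constructed-salt"
    creds = {"agent01": (salt, hash_password("constructed-pass", salt))}
    return PhiAccessGate(creds, decrypt=lambda blob: blob[::-1])
```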

Decryption Access Log

Access to the keys is logged, tracked, and reviewed. Access can only be granted to new workforce members after Nurse-1-1’s HIPAA Security Officer and Chief Executive Officer grant authorization. The log is also used to track when, where, and why a key is used.

Security Incident Procedures

| Standard | Description |
| --- | --- |
| Response and Reporting (Req) | Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to Nurse-1-1; and document security incidents and their outcomes. |

Nurse-1-1 has implemented a formal incident response plan (“IRP”), which discusses the procedures for identifying, responding to, and escalating suspected and confirmed security incidents. Nurse-1-1’s Incident Response Team is responsible for implementing and following the IRP. Please see Appendix A for details of the IRP.

Reporting Security Incidents

All suspected or known security incidents will be reported to the HIPAA Security Officer and the Security Team as soon as possible. The HIPAA Security Officer will discuss these incidents with the Security Team and Nurse-1-1 management, and determine whether the IRT/IRP should be activated. The following types of incidents are benchmark examples (by no means an exhaustive list) of when the IRT/IRP should be activated:

  • Unauthorized access to Nurse-1-1’s environment or workstations
  • Malicious code
  • Improper or inappropriate usage of Nurse-1-1’s software
  • Suspected breach of ePHI or other personal information
  • Suspected loss of sensitive information (not ePHI or personal information)

Notification in the Case of Breach

Nurse-1-1 has a formal Incident Response Plan that addresses the requirements and procedures for notifying appropriate parties in the event of a breach of unsecured PHI. This policy outlines the relevant and responsible parties in case of a breach and complies with the applicable requirements set forth in 45 C.F.R. § 164, Subpart D.