House of Representatives Pending Bill:
"To prohibit the transfer of personal information to any person outside the United States, without notice and consent, and for other purposes."
Health Insurance Portability and Accountability Act (HIPAA)
"(2) SAFEGUARDS.--Each person described in section 1172(a) who maintains or transmits health information shall maintain reasonable and appropriate administrative, technical, and physical safeguards--
(A) to ensure the integrity and confidentiality of the information;
(B) to protect against any reasonably anticipated--
(i) threats or hazards to the security or integrity of the information; and
(ii) unauthorized uses or disclosures of the information; and..."
Kegel, Kelin, Almy & Grimm LLP, Attorneys at Law:
"VII. HIPAA ENFORCEMENT
Under the new privacy regulations, the Secretary of HHS can impose civil monetary penalties against covered entities for up to $25,000 per standard per year. Criminal penalties may also be imposed in certain cases which could result in penalties of up to $250,000 and/or imprisonment of up to 10 years.
Private suits are not authorized by the regulations. However, covered entities could certainly sue business associates for damages incurred by them as a result of unauthorized disclosure of PHI. Likewise, individuals are likely to cite HIPAA regulations as the applicable "standard of care" in tort suits alleging invasion of privacy involving unauthorized release of medical information."
HIPAA STATEMENT
FTGU combines the best outsourced billing and collection service with a HIPAA compliant, secure Internet-based document management and distribution system. This document provides information on the systems and procedures FTGU has implemented to comply with HIPAA requirements related to the FTGU services. These systems and procedures fall into three categories: Administrative Procedures, Physical Safeguards and Technical Data Security.
Each of these categories is described briefly below:
I. Administrative Procedures:
This category includes systems and procedures used to guard data integrity, confidentiality, and availability. These are formal procedures for selecting and executing information security measures. These procedures also address staff responsibilities for protecting data.
- All personnel with access to customer data or customer records are required to sign a confidentiality agreement.
- All business partners with access to protected information must enter into a business associate agreement that requires full compliance with all HIPAA requirements and safeguards.
II. Physical Safeguards:
This category includes safeguards to protect physical computer systems and related buildings and equipment from intrusion as well as fire and other environmental hazards. The use of locks, keys, and administrative measures used to control access to computer systems and facilities are also included.
- FTGU servers are housed in a data center providing a secure, climate-controlled environment that is staffed and operational 24 hours a day, 7 days a week, 365 days a year.
- Daily hands-on inspections of the physical servers are performed to ensure they have not been tampered with.
III. Technical Data Security:
This category includes systems and procedures used to protect, control, and monitor information access, including processes used to prevent unauthorized access to data transmitted over a communications network. Security is addressed at every layer: physical, network, database, application, and user.
Network Security
All FTGU servers are located on a secured internal network. Web access to them is served by Microsoft Internet Information Services (IIS), managed through IIS Manager, on Windows Server 2003 Enterprise Edition.
When files are transferred, they are sent over an SSL-encrypted (128-bit) Virtual Private Network (VPN) connection directly to our servers. Traffic that crosses the Internet is encrypted end to end, so a third party who intercepts it cannot read the files being sent.
Database Security
Every user account is assigned the minimum access needed for the user's job: only the users assigned to an individual client are allowed access to that client's files. Each user is required to have a username and a password that meets the minimum complexity requirements.
A small, fixed number of administrative accounts can override and maintain the security settings above. Only the CEO, CFO and Technology Director hold credentials for this access, and these are the ONLY accounts with complete access to the entire network. Having more than one such account provides redundant management of the secured files on our servers.
A complete access log is maintained, including user session information, and every database transaction is tracked and logged. If at any time you believe your files have been accessed without proper authorization, we can trace EVERY access to your files.
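The per-client access check and the access log described above, shown as an added, self-contained example. This is illustrative code written for this page, not FTGU's own system; the user names, client names, file names, session IDs and the three administrator account names are constructed for the example, and a SQLite database stands in for the production database. Every access attempt is logged, allowed or denied, so that the history of a client's files can be reconstructed later, including failed attempts, which a log that records only successful reads would miss.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed sample data: which users are assigned to which clients.
# Names are illustrative only, not real accounts.
ASSIGNMENTS = [
    ("alice", "client_a"),
    ("bob", "client_b"),
    ("carol", "client_a"),
    ("carol", "client_c"),
]

# The small, fixed set of override accounts (hypothetical names).
ADMINS = {"ceo", "cfo", "techdir"}


def open_db():
    """Create an in-memory database holding assignments and the access log."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE user_client (
            username TEXT NOT NULL,
            client   TEXT NOT NULL,
            PRIMARY KEY (username, client)
        );
        CREATE TABLE access_log (
            id         INTEGER PRIMARY KEY,
            ts         TEXT    NOT NULL,
            session_id TEXT    NOT NULL,
            username   TEXT    NOT NULL,
            client     TEXT    NOT NULL,
            file       TEXT    NOT NULL,
            allowed    INTEGER NOT NULL   -- 1 = granted, 0 = denied
        );
    """)
    db.executemany("INSERT INTO user_client VALUES (?, ?)", ASSIGNMENTS)
    return db


def is_authorized(db, username, client):
    """Least privilege: a user sees a client's files only if assigned to that client
    (or if the account is one of the few administrative override accounts)."""
    if username in ADMINS:
        return True
    row = db.execute(
        "SELECT 1 FROM user_client WHERE username = ? AND client = ?",
        (username, client),
    ).fetchone()
    return row is not None


def open_client_file(db, session_id, username, client, file):
    """Authorize the request and log the attempt whether or not it is allowed."""
    allowed = is_authorized(db, username, client)
    db.execute(
        "INSERT INTO access_log (ts, session_id, username, client, file, allowed) "
        "VALUES (?, ?, ?, ?, ?, ?)",
        (datetime.now(timezone.utc).isoformat(), session_id,
         username, client, file, int(allowed)),
    )
    db.commit()
    if not allowed:
        raise PermissionError(f"{username} is not assigned to {client}")
    return f"contents of {client}/{file}"  # placeholder for the real file


def access_history(db, client):
    """Every recorded access attempt against one client's files, oldest first."""
    rows = db.execute(
        "SELECT username, session_id, file, allowed FROM access_log "
        "WHERE client = ? ORDER BY id",
        (client,),
    ).fetchall()
    return [(u, s, f, bool(a)) for u, s, f, a in rows]


def demo():
    """Three attempts on client_a's file: assigned user, unassigned user, administrator."""
    db = open_db()
    open_client_file(db, "s1", "alice", "client_a", "claims.pdf")
    try:
        open_client_file(db, "s2", "bob", "client_a", "claims.pdf")  # denied, but logged
    except PermissionError:
        pass
    open_client_file(db, "s3", "ceo", "client_a", "claims.pdf")      # override account
    return access_history(db, "client_a")


if __name__ == "__main__":
    for username, session_id, file, allowed in demo():
        print(f"{username:8} session={session_id} file={file} "
              f"{'ALLOWED' if allowed else 'DENIED'}")
```

Run it to see the audit trail for client_a: the denied attempt by the unassigned user appears alongside the two granted ones, which is what an investigation into a suspected unauthorized access needs.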