Cloud Fax Compliance Guide White Paper


Table of Contents

Introduction 3
Concord Security 5
HIPAA Compliance 8
PCI DSS Compliance 12
SSAE 16 SOC 2 Audited 17
Privacy Shield Active Participant 20
Glossary 21
Summary 27

Introduction

The role of IT has been rapidly evolving. The organization whose core responsibility used to be to “keep the trains running” now plays a key, strategic role in shaping the technology used to run the business. As for the running of the trains, that responsibility is being assumed by external, third-party providers offering dedicated, scalable platforms which can be consumed as a service. The shift to cloud-based platforms does not mean that IT no longer plays a role; the organization is critical in the selection and due-diligence process, ensuring providers meet requirements, facilitating the integration of cloud solutions into business processes and applications and most importantly, protecting that data.

Moving to Cloud Fax

Firms transitioning from on-premises faxing (be it legacy fax servers or even fax machines) to a cloud-based fax service quickly eliminate many of the challenges they have traditionally faced. At a minimum, there’s no longer a need to maintain servers, support resources or fax telephony infrastructure. An enterprise-grade cloud fax service will also ensure that spikes in fax traffic volume no longer expose scaling limitations, and it offers superior overall system uptime.

Compliance, however, is one area that continues to raise questions from potential service users operating in highly regulated industries. Outsourcing the transportation of documents containing protected information (be it patient information or credit card data) to a third party also means outsourcing the accompanying risk. Given these challenges, what can buyers do to take advantage of the benefits of a cloud-based fax service without assuming unnecessary risk?

A Holistic Approach to Compliance

In order to provide maximum clarity, the majority of compliance standards and regulations exist as a series of bullet-point requirements. While this may be a concise approach for documenting requirements, it can often lead to cloud providers adopting a “check-box” approach. The check-box approach involves making changes to the cloud service solely for the purpose of meeting one or more compliance requirements, rather than developing a service where security and data governance are baked into the core of the product and the organization itself. On a practical level, the check-box approach leads to a patchwork of features, security options and operational procedures which then become challenging for the provider to adequately maintain and evolve as requirements change.

Concord’s Holistic Approach to Security and Data Governance

In contrast to the “check-box” approach, a holistic approach to security and data governance results in a service which a) far exceeds most compliance requirements and b) simplifies the process of making changes to the platform in order to meet new standards or changes in existing regulations.

Concord Technologies’ core business is providing document transport, processing and management services to organizations operating in highly regulated industries. Concord has served the healthcare and finance communities extensively, and this has been the focus for more than a decade. As a result of this mature focus on these industries, data security and governance are core components of our products, processes and operational culture. Concord believes that security is not an add-on or project-specific requirement. Security should be a holistic and systemic function that operates at the core of everything the organization does. It affects how customers are supported, how applications are designed and built and how infrastructure is extended.

Concord’s security-first approach means users can be confident in the knowledge that we exceed the vast majority of users’ requirements with regards to HIPAA and PCI DSS, as well as other stringent security and privacy standards.

Concord Security

For optimum data security to exceed even rigorous HIPAA and PCI standards, Concord is committed to a multi-faceted approach: Physical Security, Network Security and Application and Logical Security are fully aligned so that these three elements work in concert to provide comprehensive protection from all angles. Physical Security pertains to the actual brick and mortar component of the business, ensuring that no one can physically access user info from datacenters or offices; Network Security safeguards cloud and internal networks from potential cyberattacks or threats; Application and Logical Security is in place to prevent unauthorized users from accessing data while it is at rest within the Concord system, outside of the actual fax transmission. Together, these three prongs of security work to ensure that data can only be viewed at the proper time, by the intended user.

Concord Physical Security

Physical security is in place to keep out anyone who should not be present in buildings where information is housed, including offices and datacenters. For cloud computing companies, it is easy to think about data breaches as only pertaining to network security or hacking attempts; however, it is important to remember that a physical security breach can have equally devastating effects. Both Concord’s offices and datacenters utilize security measures that include guards, key cards for entry, security cameras and multiple locks. Tight physical security is in place to protect Concord’s datacenters, offices and everything housed in them from unwanted—and even unintentional—visitors.

✓ Secure Datacenters located in Seattle, WA and Chicago, IL.
✓ Background checks performed on all employees prior to being granted authorization to the datacenter
✓ Strictly controlled, logged and audited third party access (such as backup vendors, service providers, equipment support maintenance, software maintenance vendors, data recovery vendors etc.) to the datacenters
✓ 24x7 staff and CCTV surveillance with ID and Authorization required to enter building
✓ Concord Private Suite accessed via Dual Authentication (Biometric and PIN). Unlike cloud vendors who house their servers in third party datacenters, Concord maintains its own SOC 2 compliant datacenters, so compliance and security are never in question.
✓ Access (and attempts) logged offsite
✓ Live video feed stored offsite

Concord Network Security

As the internet grows and evolves, tactics used by hackers to gain access to personal info have become increasingly sophisticated. Because of this, network security is a crucial element in protecting data from any type of network breach that could possibly occur, whether intentionally or by mistake. Concord handles sensitive data every day, from financial information to protected health info, and the network is designed to protect that information at every stage.

✓ Current and up-to-date firewalls (dual Cisco ASA)
✓ DMZs for logical components
✓ Intrusion Detection and Logging
✓ PCI-compliant levels of SSL and TLS security (AES 256 bit encryption)
✓ SSL encryption for internal communication between servers / data centers
✓ Frequent vulnerability assessments performed on internal and production cloud fax networks
✓ Frequent security scans performed on internal and cloud fax networks
✓ Frequent penetration tests performed on internal and cloud fax networks
✓ Ongoing process of updating and patching the cloud fax network
✓ Documented procedures describing the control processes over network security and administration processes
✓ Network and host intrusion detection and prevention (IDS / IPS)
✓ Systematic auditing and review of logged data including, but not limited to:
  ✓ Invalid access attempts
  ✓ Access to identification, authentication and authorization mechanisms
  ✓ Access attempts to the database
  ✓ Account changes
  ✓ All successful and unsuccessful logins
✓ Formal alerting and response process used in the event the Intrusion Detection System detects a suspicious event or exceeds normal thresholds for our environment.

Concord Application and Logical Security

Application and logical security are in place to ensure that all data is secure when at rest within Concord systems. When personal information and compliance concerns are involved, it is crucial that no one can access any info that they are not supposed to. Whether by intentional hacking or by accidentally accessing an incorrect system, if PHI or other sensitive information is viewed by someone who should not be able to view it, this presents a serious compliance issue. Concord takes care to make sure that any info in the system is properly secured at all times.

✓ All data and fax content is encrypted both in-transit (within Concord’s network and in the communication with clients’ networks) and while at-rest.
✓ Utilization of Secure Sockets Layer (SSL) encryption for all web traffic (SSL v2/v3 are disabled for security best practices) and Transport Layer Security (TLS) for all email communication (opportunistic or enforced).
✓ AES 256-bit encryption support.
✓ Available zero image retention policy.
✓ Advanced encryption tools for managing and maintaining the cloud fax network.
✓ Strictly controlled user and administrator authentication on the platform.
✓ Enforced minimum password standards for length, complexity, and characters.
✓ Controls in place to protect the authenticity of communications sessions.
✓ Multiple options available to fax customers to specify where their data will be stored.
✓ Multiple options for customers to specify the duration of fax document storage.
✓ Security engineering principles embedded into the System/Software Development Lifecycle (SDLC) to achieve the goal of "secure by design" when designing, building and updating systems.

HIPAA Compliance

The Health Insurance Portability and Accountability Act (HIPAA) was introduced in 1996 in an effort by Congress to implement national patient record privacy standards. Later, in 1999, the US Department of Health and Human Services (HHS) published proposed regulations to guarantee patients’ protection against misuse or disclosure of their health records. The law was designed to improve efficiency and reduce costs for healthcare organizations by stimulating and promoting the adoption of digital records management platforms. It also included extensive regulations governing how information must be safeguarded and how the confidentiality of Protected Health Information (PHI) is enforced.

The Office for Civil Rights (OCR) is responsible for enforcing the Rules, and according to OCR, the HIPAA compliance rules apply to:

“… health plans, healthcare clearinghouses, and to any healthcare provider who transmits health information in electronic form in connection with transactions for which the Secretary of HHS has adopted standards under HIPAA…”

HIPAA Code of Federal Regulations (CFR)

HIPAA requirements fall into four categories, each defined in the Code of Federal Regulations (CFR). They are:

‣ 45 CFR §164.308 - Administrative Safeguards
‣ 45 CFR §164.310 - Physical Safeguards
‣ 45 CFR §164.312 - Technical Safeguards
‣ 45 CFR §164.316 - Other Security Controls

Administrative Safeguards (45 CFR §164.308)

Administrative safeguards are the documented policies and procedures a fax service provider has in place to clearly identify how the organization will comply with HIPAA’s security requirements.

These policies and procedures cover the management, implementation and maintenance of the measures used in safeguarding Protected Health Information (PHI). Additionally, the fax provider’s administrative safeguards will provide a contingency plan for use in case of a breach or emergency.

Concord Technologies ensures the following elements are in place at all times to support 45 CFR §164.308 (please note: this is not an exhaustive list):

✓ Business Associate agreements in place with covered entity
✓ Documented security management process
✓ Documented risk assessment and risk management process
✓ Documented security incident procedures
✓ Documented contingency plans including data backup and disaster recovery
✓ Assigned security and compliance officer (Mr. Brian Stan)
✓ Information Access Management to control appropriate access
✓ Security training and awareness for company employees

Physical Safeguards (45 CFR §164.310)

HIPAA’s physical safeguards are designed to control physical access to the fax provider’s information systems. The physical policies and procedures limit access to related buildings, equipment (including hardware and software), and electronic media.

Concord Technologies ensures the following elements are in place at all times to support 45 CFR §164.310 (please note: this is not an exhaustive list):

✓ Strictly controlled and audited access to all data center facilities and office locations
✓ Strictly controlled and audited access to Workstations
✓ Strictly controlled and audited access to devices and media

Technical Safeguards (45 CFR §164.312)

These policies designate who has access to the fax provider’s hardware and software. In addition, the technical safeguards will document the protection mechanisms in place to guard against unauthorized access or manipulation of patient data whether being stored inside the network or transmitted across the network. In the case of fax providers, it is frequently both.

Concord Technologies ensures the following elements are in place at all times to support 45 CFR §164.312 (please note: this is not an exhaustive list):

✓ Strictly controlled and audited user access to target systems
✓ Strictly controlled event auditing policies
✓ Strictly controlled person and entity authentication
✓ Enforced data and storage integrity policies
✓ Enforced Transmission security

Other Security Controls (45 CFR §164.316)

In the context of online fax service providers, the primary focus of 45 CFR §164.316 is the retention of electronic documents. Providers should have a formally documented retention schedule indicating how long target documents will be kept in the system, and how they will be accessed over that period.

Concord Technologies ensures the following elements are in place at all times to support 45 CFR §164.316 (please note: this is not an exhaustive list):

✓ Documented policies and procedures with structured review and assessment
✓ Document storage policy (6 years)
✓ Policy accessibility (Microsoft SharePoint)

With Concord’s extensive portfolio of healthcare users, HIPAA compliance has long been a top priority. For years, Concord has partnered with compliance-minded healthcare organizations such as Johns Hopkins, Anthem, McKesson and more, and these businesses rely on us for online fax that’s 100% HIPAA compliant throughout every step. Concord’s commitment to HIPAA is built into the network infrastructure, the program interface and the way business is done.

PCI DSS Compliance

If your organization accepts, transmits, processes or stores any payment card information, you are subject to PCI DSS compliance. And if you are subject to PCI compliance, any third party interacting with the payment card info you are responsible for needs to be PCI compliant as well. As a cloud fax provider, every day, Concord is responsible for transmitting payment card info for users, meaning that we understand the importance of PCI compliance throughout the process.

PCI DSS was established by the Payment Card Industry Security Standards Council (PCI SSC), an organization formed in 2006 by the five major credit card brands in the industry (Visa, MasterCard, American Express, Discover, and JCB). The PCI DSS standard is designed to safeguard the security of payment information throughout the entire process of a transaction, and is applicable to any entity that accepts, transmits, or stores payment information.

For PCI DSS, there are two types of applicable entities: merchants and service providers. A merchant is any entity that accepts Visa, American Express, MasterCard, JCB or Discover cards (one, some or all). A service provider is any entity (besides one of the five payment brands) that is directly involved in processing, transmitting or storing payment information, as well as any entity whose services might impact the security of the cardholder data. Concord Technologies and other fax platform services are qualified as service providers. If your organization is subject to PCI DSS compliance, your cloud fax service provider also needs to be PCI DSS compliant.

Service providers (like Concord) are categorized as either “PCI DSS Level 1 Service Providers” or “PCI DSS Level 2 Service Providers”. Concord Technologies is a Level 2 provider. The level is determined by the annual volume of credit card transactions processed. Providers processing in excess of 300,000 transactions per year are considered PCI DSS Level 1 Providers. Providers processing fewer than 300K per year are classed as PCI DSS Level 2 Providers.

PCI DSS Goals for Service Providers

The PCI DSS goals (listed below) are identical for both Level 1 and Level 2 providers.

PCI DSS Goal / Concord Measures for PCI DSS

Build and Maintain Secure Network and Systems
1. Concord actively maintains a firewall configuration to protect cardholder data
2. Concord never uses vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
3. Concord’s physical, network and logical security work together to protect stored cardholder data
4. Transmission of cardholder data across open, public networks is encrypted

Maintain a Vulnerability Management Program
5. Concord protects all systems against malware and regularly updates antivirus software or programs
6. Secure systems and applications are maintained

Implement Strong Access Control Measures
7. Concord restricts access to cardholder data by business need-to-know
8. Concord identifies and authenticates access to system components
9. Physical access to cardholder data is restricted

Regularly Monitor and Test Networks
10. Concord tracks and monitors all access to network resources and cardholder data
11. Security systems and processes are regularly tested

Maintain an Information Security Policy
12. Concord maintains a policy that addresses information security for all personnel

PCI DSS Compliance Requirements

Level 1 Providers are required to undergo an external audit by a PCI Qualified Security Assessor (QSA). Level 2 Providers are required to submit an Annual Self-Assessment Questionnaire (SAQ) D.

Requirement                                                               Level 1 Provider   Level 2 Provider
Annual Report on Compliance (ROC) by Qualified Security Assessor (QSA)    ✓
Annual Self-Assessment Questionnaire (SAQ) D                                                 ✓
Attestation of Compliance (AOC) Form                                      ✓                  ✓
Quarterly network scan by Approved Scanning Vendor (ASV)                  ✓                  ✓
Penetration Test                                                          ✓                  ✓
Internal Scan                                                             ✓                  ✓

Report on Compliance completed by QSA - Level 1: This document includes a detailed report of the PCI audit and how the network meets the PCI requirements, prepared by the QSA.

Annual Self-Assessment Questionnaire (SAQ) D - Level 2: There are currently 8 Self-Assessment Questionnaire categories. As a fax service provider, Concord is required to complete the “D” version, which includes 329 website and data storage questions.

Concord submits an updated Self-Assessment Questionnaire each year as part of the PCI DSS compliance process.

Attestation of Compliance form - Level 1 & 2: The AoC provides a detailed attestation to the results of the PCI assessment completed by the QSA. The AoC includes the following information:

‣ QSA-validated PCI Compliance for Concord Technologies
‣ Services that were included in the scope of Concord’s PCI DSS assessment
‣ Services that are provided by Concord, but were not included in the scope of the PCI DSS Assessment
‣ A list of the locations of the offices and datacenters included in the assessment
‣ Relevant Payment Applications used
‣ Description of Concord’s environment
‣ Third Party Services utilized by Concord
‣ Report on Concord’s Compliance details
‣ Validation and Attestation details (Signed by PCI SSC and Concord)

Concord possesses a valid Attestation of Compliance.

Certificate of Compliance - Level 1 & 2: This certificate is issued by an approved QSA after a Service Provider’s PCI compliance has been validated.

Concord possesses a valid Certificate of Compliance.

The CoC, AoC and RoC are all valid for one year. Other documents that can demonstrate PCI DSS compliance include:

ASV or external Network vulnerability scans - Level 1 & 2: This is a report conducted by an Approved Scanning Vendor (ASV) to check for any potential network vulnerabilities. This report is valid for 90 days at a time, meaning that an ASV scan is done quarterly.

Concord has current and historical ASV scans demonstrating PCI compliance.

Wireless Scans - Level 1 & 2: This scan is also performed quarterly to identify any wireless access points for facilities and systems within PCI scope. These points can be identified and authorized manually, or by using wireless access point identification tools.

Concord does not utilize wireless access points within PCI scope and is therefore exempt from this requirement.

Internal Network Vulnerability Scans - Level 1 & 2: This scan needs to be performed quarterly at a minimum, as well as after a significant network modification. This report can be conducted by an internal department that is qualified to do so.

Concord has current and historical Internal Network Vulnerability scans demonstrating PCI compliance.

When it comes to PCI DSS compliance, Concord takes infrastructure and policies seriously. As a Service Provider under PCI DSS, we know that our users’ compliance depends on ours, and we go above and beyond PCI standards to ensure that every user has peace of mind. Concord successfully meets and exceeds every PCI DSS goal, so compliance is never in question.

SSAE 16 SOC 2 Audited

Completing the SSAE 16 SOC 2 audit should be a top priority for any Software as a Service (SaaS) organization, including cloud fax services like Concord. The SOC 2 audit requires that organizations establish and adhere to strict guidelines around information security. With the unique and shifting landscape of cloud technology, SOC 2 ensures that an organization’s measures of information security extend to cloud requirements.

For some organizations, partnering with a cloud fax service that is SOC 2 audited is essential: If your organization is subject to SSAE 16 SOC 2 compliance, any third-party service you utilize will need to be compliant, too. If you partner with a cloud fax service that is not SSAE 16 SOC 2 audited, using their services effectively renders your own compliance null. Beyond the need for compliance, partnering with a SOC 2 audited organization also creates an added layer of reassurance regarding that service’s security.

SSAE 16 is a reporting platform created by the American Institute of Certified Public Accountants (AICPA) for use by US service organizations. To cover the wide variety of service organizations in the US, SSAE 16 has three reporting options, or Service Organization Control (SOC) types: SOC 1, SOC 2 and SOC 3. For fax platform providers such as Concord Technologies, the relevant report is SOC 2, which is intended for Software as a Service (SaaS) organizations. The SOC 2 audit examines the security, availability, processing integrity, confidentiality and privacy of an organization’s relevant information systems, as well as personal information transmitted or stored by the organization. A successful SSAE 16 SOC 2 audit results in a certificate for that organization, which is valid for one year. In order to maintain a valid SSAE 16 SOC 2 successfully audited status, the audit must be conducted annually.

While SSAE 16 SOC 2 is not a compliance standard like HIPAA or PCI DSS, it does have a set of requirements that are used by the auditor. For SOC 2 reports, the standards used are the Trust Services Criteria (TSC), which include the following categories:

Security: Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to meet its objectives.

Availability: Information and systems are available for operation and use to meet the entity’s objectives.

Processing integrity: System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.

Confidentiality: Information designated as confidential is protected to meet the entity’s objectives.

Privacy: Personal information is collected, used, retained, disclosed, and disposed of to meet the entity’s objectives. [1]

Concord takes a variety of measures to meet and exceed the requirements in each of these categories. Concord ensures that the following elements are in place at all times to support all of the SOC 2 standards (please note: this is not an exhaustive list):

✓ Concord’s documented security management process
✓ Documented risk assessment and risk management process
✓ Documented security incident procedures
✓ Extensive contingency plans, including data backup and disaster recovery
✓ Concord employs an assigned security and compliance officer (Mr. Brian Stan)
✓ Concord enacts Information Access Management to control appropriate access
✓ Regular security training and awareness for company employees is conducted
✓ Access to all data center facilities is strictly controlled and audited
✓ Access to Workstations is strictly controlled and audited
✓ Access to devices and media is strictly controlled and audited
✓ User access to target systems is strictly controlled and audited
✓ Event auditing policies are strictly controlled
✓ Person and entity authentication is strictly controlled
✓ Data storage integrity policies are strictly enforced
✓ Concord practices Enforced Transmission security
✓ Concord’s policies and procedures are fully documented with structured review and assessment
✓ A strict document storage policy is enforced (6 years max)
✓ Concord has complete policy accessibility (Microsoft SharePoint)

[1] https://www.aicpa.org/InterestAreas/FRC/AssuranceAdvisoryServices/pages/trustdataintegritytaskforce.aspx

Concord’s successful SSAE 16 SOC 2 audits are testament to how committed the business is to ensuring the absolute, holistic integrity of the security, availability, processing integrity, confidentiality and privacy of our business and its relevant systems. For organizations that are serious about protecting the data they transmit, Concord is the preferred choice.

Privacy Shield Active Participant

For organizations that transmit information between the EU or Switzerland and the United States, participating in Privacy Shield is necessary. Organizations that participate in Privacy Shield are qualified as providing “adequate” privacy protection, which is a requirement for any organization that transfers personal data outside of the European Union or Switzerland. This establishment of “adequacy” is mandatory for every state in the EU, as well as Switzerland, so if organizations in the US want to conduct business that involves the transmission of personal information with the EU or Switzerland, Privacy Shield participation is necessary. Like other compliance measures, if your organization is bound to Privacy Shield participation, your fax provider will be also.

Concord Technologies is also a member of the Privacy Shield program. Designed by the US Department of Commerce, the European Commission and the Swiss Administration, the Privacy Shield Frameworks provide companies in the US and Europe with a standard method to comply with data protection requirements. This ensures the heightened security of personal data—for example, PHI or payment card info—when it is being transferred between the European Union or Switzerland and the US. Previously, the Safe Harbor Frameworks were legally recognized under EU and Swiss law as adequate for the transfer of personal data, but that is no longer the case: The Privacy Shield Frameworks now govern the adequacy of privacy protection in place. Concord’s participation in the Privacy Shield program enables the lawful transfer of data to and from Switzerland or the European Union.

The decision for a US-based organization to participate in the Privacy Shield program is voluntary, and organizations are required to go through a self-certification process. Once that organization makes a public commitment to adhering to Privacy Shield principles, it is subject to enforcement under US law by either the US Federal Trade Commission (FTC) or the Department of Transportation (DOT), depending on which is relevant to the organization.

Concord has undergone the self-certification process to ensure that the necessary standards to transmit sensitive data to and from both the EU and Switzerland are met. Even if this adequacy has no impact on your needs or business, it demonstrates just how seriously Concord takes issues of security, confidentiality and complying with privacy standards.

Glossary

Breach Notification Rule The requirement enacted by the HITECH Act, that covered entities and business associates notify patients when there has been an impermissible use or disclosure of protected health information such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual. Breach Notification can be triggered by simply losing control of protected health information (PHI) or electronic protected health information (e-PHI) or temporarily allowing others to have access the PHI or e-PHI.

Business Associate Any person or company, that is not a covered entity, that has access to e-PHI. Examples of business associates that might come into contact with e-PHI are: an IT company which supports computers that hold e-PHI; a document destruction company; a Software as a Service (SAAS) provider that deals with e-PHI; or an accountant or lawyer who comes into contact with e-PHI. Business associates are required by HIPAA to comply with the administrative, physical and technical safeguards required by the HIPAA Security Rule and are also required to comply with certain aspects of the HIPAA Privacy Rule and the HIPAA Breach Notification Rule.

Business Associate Agreement (BAA) The agreement between a covered entity and a business associate or between two business associates that clearly defines the roles and responsibilities of each of the parties to the agreement regarding the protection of e-PHI. Covered entities are required to execute business associate agreements with anyone who may come into contact with e-PHI that is not directly employed by the covered entity and who does not otherwise have the right to access the e-PHI in accordance with the HIPAA Privacy Rule. In addition, anyone who is a business associate is required by HIPAA to execute a business associate agreement with anyone else who might come into contact with the e-PHI due to their relationship with the business associate.

Covered Entity (CE) A covered entity under HIPAA is a Health Care Provider, Health Care Plan or Health Care Clearinghouse.

Healthcare Clearing House Anyone that processes or facilitates the processing of e-PHI received from another covered entity in a nonstandard format into a standard format.  An example of a Healthcare Clearinghouse would be a billing company that modified medical entries into a standard billing format for processing.

HIPAA (Healthcare Insurance Portability and Accountability Act)

A federal law created in 1996 to ensure the portability of health insurance when employees change employers. HIPAA gives the Department of Health and Human Services the authority to mandate the use of standards for the interchange of patient health information and to mandate the steps entities should take to provide for the security and privacy of patient health information.

HITECH (Health Information Technology for Economic and Clinical Health) An update to HIPAA passed in 2009 that increases the civil penalties related to HIPAA non-compliance, adds criminal penalties for some violations, requires business associates to comply with specific administrative, physical and technical requirements and adds a requirement for covered entities and business associates to notify patients in the event of a security breach of the patient’s e-PHI.

Health and Human Services, The U.S. Department of (HHS) HHS is the government agency responsible for providing essential health services to Americans. HHS has several divisions, including ONC and OCR which enforce HIPAA compliance, oversee the adoption of information technology in the healthcare setting, as well as its impact on the privacy and security of protected health information.

Individually Identifiable Health Information Information that is a subset of health information, including demographic information collected from an individual, and: (1) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (i) That identifies the individual; or (ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual.

Office for Civil Rights, The (OCR) OCR is a division of HHS that enforces federal laws that prohibit discrimination by health care and human services providers that receive funds from HHS. With regard to HIPAA, OCR has the ability to levy civil and criminal penalties upon covered entities and/or business associates that fail to comply with this stringent set of requirements.

Omnibus Rule On March 26, 2013 the long-awaited Health Insurance Portability and Accountability Act (HIPAA) Omnibus Rule went into effect, giving HIPAA Covered Entities and HIPAA Business Associates until September 23, 2013 to achieve compliance under its new provisions.

ONC (The Office of the National Coordinator for Health Information Technology) ONC is a division of HHS that provides counsel to the Secretary of HHS and departmental leadership for the development and nationwide implementation of an interoperable health information technology infrastructure. ONC’s work on health IT is authorized by the HITECH Act.

Privacy Rule The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.

Protected Health Information (PHI)
‣ Protected Health Information (PHI) that is created, maintained or transmitted electronically.
‣ Protected Health Information (PHI) is any information that identifies an individual (usually a patient) and relates to at least one of the following:
  ‣ The individual’s past, present or future physical or mental health
  ‣ The provision of health care to the individual
  ‣ Past, present, or future payment for health care
‣ Information that can identify an individual includes either the individual’s name or any other information that could enable someone to determine the individual’s identity. Data are “individually identifiable” if they include any one of 18 types of identifiers for an individual or for the individual’s employer or family member, or if the provider or researcher is aware that the information could be used, either alone or in combination with other information, to identify an individual.

These 18 types of identifiers are:
‣ Name
‣ Telephone numbers
‣ FAX number
‣ Email address
‣ Social Security number
‣ Medical record number
‣ Health plan beneficiary number
‣ Account number
‣ Certificate/license number
‣ Any vehicle or other device serial number
‣ Device identifiers or serial numbers
‣ Web URL
‣ IP address
‣ Finger or voice prints
‣ Photographic images
‣ Any other characteristic that could uniquely identify the individual
‣ Address (all geographic subdivisions smaller than state, including street address, city, county, or ZIP code)
‣ All elements (except years) of dates related to an individual (including birth date, admission date, discharge date, date of death, and exact age if over 89)

Protected Health Information Any information about health status, provision of health care, or payment for health care that can be linked to a specific individual. This is interpreted rather broadly and includes any part of a patient’s medical record or payment history.

Security Rule The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.

About Concord At Concord Technologies, our primary mission is to simplify the way that organizations interact with their crucial documents, with a focus on those organizations in compliance-oriented industries. For over twenty years, we have been enabling businesses to simply send, receive and manage their crucial documents using our secure, compliance-optimized cloud network. Today, we have over a hundred thousand users in the enterprise and healthcare industries who rely on Concord every day. For businesses in need of 24x7 on-demand, secure, compliant cloud fax and document management services, Concord provides a solution. We go above and beyond multiple standards of compliance, including HIPAA, SOC2 and PCI DSS compliance. Because of this, Concord's users consist largely of businesses that require a highly secure, available and compliant cloud fax network.

Summary Whether your organization is most concerned with HIPAA or PCI, SOC 2 or Privacy Shield, compliance matters to Concord. From the network infrastructure to day-to-day operations, Concord builds compliance best practices into the organization throughout every facet of the business. Compliance—specifically, above-and-beyond compliance with multiple standards—is a key factor in what sets Concord apart from other online fax platforms. Any data transmitted or stored within Concord’s network is guaranteed to be protected by rigorous safeguards. This extensive and thorough approach to compliance is what makes so many tightly regulated, high-profile organizations choose Concord again and again, helping Concord to uphold a 97% customer retention rate year after year. To learn more about the organizations Concord partners with, the industries we serve or how we can work with your business, contact us online or by phone to speak with a member of the Concord team. If you would like to see copies of our compliance certifications, you can also contact us to learn more about how to view our certifications under an NDA. We look forward to hearing from you.