HIPAA Compliant Statement
We at Soberlink, Inc. realize that most of our customers are required to ensure the confidentiality of patient healthcare data pursuant to HIPAA. We understand the sensitivities and the seriousness associated with keeping patient healthcare data private and secure.
This Soberlink HIPAA Compliance Statement is intended to inform our customers who are “covered entities” under HIPAA that we are aware of their HIPAA requirements and will do our part to help ensure that their patient data is kept confidential. This Statement is not intended to take the place of a Business Associate Agreement.
We have instituted policies and procedures to ensure that such data is kept confidential, including but not limited to the following:
Privacy and Security Rule(s):
To protect the privacy and security of the PHI we have implemented the following processes:
- Support for 128-bit encryption for all reports
- Randomly generated PINs
- No PHI persisted on phone applications
- E-mail address verification
- Restricted access to PHI on a need-to-know basis (via passwords and company policy)
- Automatic expiration of passwords
- Restricted outside access to all servers and production workstations
- Automated data backups
- Data backups stored in secure, world-class data centers
- Automated virus checking
- Reporting of any non-compliance of which we become aware
- Upon reasonable notice and during normal business hours, allowing the Secretary of the United States Department of Health and Human Services the right to audit our records and practices related to the use and disclosure of PHI to ensure compliance
- A named HIPAA Security Official who creates, maintains, and provides training on our HIPAA policies and procedures
- All employees with access to PHI receive training on our policies and procedures according to HIPAA mandates
- All Soberlink employees are required to sign a confidentiality agreement as part of their employment contract
Data is Protected From Unauthorized Viewing:
Soberlink access is restricted via password to only those employees who have a need to know. Servers and data storage units are in a secured computer room with limited access. Data is received and forwarded via automated, electronic processes where no direct human intervention is required. Access or viewing of PHI is only allowed when required to provide further support to the Covered Entity.
Proper Disposal of Data:
At the end of a Covered Entity’s contract with Soberlink, their data is deleted from the Soberlink Servers. No printed reports or paper copies are ever retained in our facility. If reports are ever printed to further support the Covered Entity, they are shredded immediately upon completion of the task that required the paper output.
How Our Security Works
HIPAA requires that careful attention be paid to data in motion and data at rest. This requirement mandates that data be encrypted as it is transmitted between computers and devices. To implement encryption, you often need to pass a secret key that both sides recognize. It is important to find a secure method that the device processors can handle, so we chose to implement randomly generated PINs. This ensures that the key is never communicated across the network and, therefore, has 0% chance of being “sniffed”. An added bonus of the PIN methodology is that if one account were compromised, the others would not be.
Upon the initial registration of a device, the phone application generates a random PIN and displays it to the user. The user must enter this PIN into the registration portal, at which point the mobile app and the server communicate and confirm this value. Once the Soberlink server and device agree, the device is successfully registered. Once both the server and the app hold the agreed-upon PIN, they can use it to safely communicate information over the air without ever having to send the key across the network.
Data is sent from the Soberlink device to the smartphone over standard Bluetooth encryption, and the payload is also encrypted with XTEA. When it arrives at the smartphone, the BrAC level is recorded in the application record store. At this point the picture is removed and is no longer accessible once the app shuts down. The application sends the data to the server in its XTEA-encrypted form, and it is saved server-side in that encrypted state as well.
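The registration and transmission flow described in the two paragraphs above, as an added Python example that is not Soberlink's code and is not taken from this statement. The XTEA block cipher is the published Needham and Wheeler algorithm; everything around it is an assumption made for the illustration: a six-digit PIN, PBKDF2 to stretch the PIN (salted with a constructed device identifier) into an XTEA key plus a separate HMAC key, CBC mode with a random IV, and an HMAC-SHA256 tag so that a record changed in transit or decrypted under the wrong PIN is rejected before any plaintext is produced. The page does not say how the PIN becomes a key or which block mode is used; these choices are the ones a practitioner would want to see in place, since XTEA on its own provides confidentiality but no integrity.

```python
import hashlib
import hmac
import secrets
import struct

# XTEA (Needham & Wheeler): 64-bit block, 128-bit key, 32 cycles.
DELTA = 0x9E3779B9
MASK32 = 0xFFFFFFFF
ROUNDS = 32
BLOCK = 8


def xtea_encrypt_block(key: bytes, block: bytes) -> bytes:
    """Encrypt one 8-byte block with a 16-byte key (big-endian word order)."""
    k = struct.unpack(">4I", key)
    v0, v1 = struct.unpack(">2I", block)
    s = 0
    for _ in range(ROUNDS):
        v0 = (v0 + ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK32
        s = (s + DELTA) & MASK32
        v1 = (v1 + ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK32
    return struct.pack(">2I", v0, v1)


def xtea_decrypt_block(key: bytes, block: bytes) -> bytes:
    """Inverse of xtea_encrypt_block: run the cycles backwards."""
    k = struct.unpack(">4I", key)
    v0, v1 = struct.unpack(">2I", block)
    s = (DELTA * ROUNDS) & MASK32
    for _ in range(ROUNDS):
        v1 = (v1 - ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK32
        s = (s - DELTA) & MASK32
        v0 = (v0 - ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK32
    return struct.pack(">2I", v0, v1)


def derive_keys(pin: str, device_id: str) -> tuple:
    """Stretch the shared PIN into a 16-byte XTEA key and a 32-byte HMAC key.
    Assumption: the page does not say how the PIN becomes a key; the device id is
    used as a per-account salt so equal PINs on two devices give different keys."""
    material = hashlib.pbkdf2_hmac("sha256", pin.encode(), device_id.encode(), 200_000, dklen=48)
    return material[:16], material[16:]


def generate_pin(digits: int = 6) -> str:
    """Randomly generated PIN shown to the user at registration (length assumed)."""
    return f"{secrets.randbelow(10 ** digits):0{digits}d}"


def _pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def _unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def encrypt_payload(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """XTEA-CBC under a fresh random IV, then HMAC-SHA256 over IV||ciphertext.
    Wire layout: iv(8) || ciphertext || tag(32)."""
    iv = secrets.token_bytes(BLOCK)
    prev, out, padded = iv, [], _pad(plaintext)
    for i in range(0, len(padded), BLOCK):
        prev = xtea_encrypt_block(enc_key, bytes(a ^ b for a, b in zip(padded[i:i + BLOCK], prev)))
        out.append(prev)
    body = iv + b"".join(out)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


def decrypt_payload(enc_key: bytes, mac_key: bytes, message: bytes) -> bytes:
    """Check the tag first (constant-time compare), then CBC-decrypt. A wrong PIN
    yields a wrong MAC key, so key mismatch and tampering both fail before decryption."""
    if len(message) < 2 * BLOCK + 32 or (len(message) - 32) % BLOCK:
        raise ValueError("malformed message")
    body, tag = message[:-32], message[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, body, hashlib.sha256).digest(), tag):
        raise ValueError("authentication failed (wrong key or tampered data)")
    iv, ct = body[:BLOCK], body[BLOCK:]
    prev, out = iv, []
    for i in range(0, len(ct), BLOCK):
        block = ct[i:i + BLOCK]
        out.append(bytes(a ^ b for a, b in zip(xtea_decrypt_block(enc_key, block), prev)))
        prev = block
    return _unpad(b"".join(out))


if __name__ == "__main__":
    # Registration: the app generates the PIN, the user types it into the portal,
    # and each side derives the same keys locally; the key itself never crosses the network.
    device_id = "device-0001"                   # constructed sample identifier
    pin = generate_pin()                        # displayed on the phone
    app_keys = derive_keys(pin, device_id)
    server_keys = derive_keys(pin, device_id)   # server learned the PIN through the portal

    # Transmission: a constructed BrAC record, sent and stored only in encrypted form.
    record = b'{"brac": 0.000, "taken_at": "2024-01-01T08:00:00Z"}'
    wire = encrypt_payload(*app_keys, record)
    print("stored ciphertext:", wire.hex())
    print("server decrypts:", decrypt_payload(*server_keys, wire))
```

The HMAC check runs before any decryption, which is what lets the server tell apart a record from a correctly registered device, a record encrypted under the wrong PIN, and a record altered in transit, all with the same error path and without ever producing plaintext for the last two.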