Qwil Messenger has been specifically designed to make communications safe and compliant when it matters most: between businesses, staff and their patients and partners. To achieve this, we have engineered our product from the ground up to ensure the protection and privacy of every user’s information. We take this responsibility very seriously, and are committed to being transparent about our approach and helping you understand how we deliver on this promise.
What is HIPAA compliant software?
HIPAA compliant software incorporates all the HIPAA guidelines for secure handling of patients’ PHI (Protected Health Information).
When people speak of “HIPAA-compliant communications channels”, they mean solutions used by healthcare-related businesses that enable secure patient messaging, document sharing and video with medical and non-medical personnel without risking exposure of sensitive patient data.
However, as with GDPR, the term “HIPAA compliant” is misused: it is not the software that is compliant, but the software that enables businesses to be compliant, in this case with HIPAA.
Being compliant with HIPAA remains the sole responsibility of the software users, who need to ensure that the app is used according to HIPAA guidelines, and equally that staff are trained, as most data breaches occur through unintentional human error!
What are the 5 main requirements for software to ensure HIPAA compliance?
HIPAA, like data privacy requirements worldwide, exists to ensure that all data remains confidential and protected. It is the responsibility of every firm to ensure the right tools are used with the right settings, but Qwil Messenger can make it really easy for all users!
We will enter into a Business Associate Agreement with you if required.
- Access Control
HIPAA guidelines say that parties handling PHI should only see the “minimum necessary” information to perform their duties.
At Qwil Messenger, it is your data and your control, which decreases the potential for misuse of information. A few examples of how we enable you to ensure the full privacy of your users’ information:
- Invitation-only access with multi-factor authentication for all users in your tenancy
- Centrally-managed access controls per organisation
- Participation rules to facilitate conversations with the right people as and when required
- 3 levels of staff administration access and controls (limiting errors and need for training)
- Enterprise-grade data controls (BYOD native app, IP access restrictions, etc.)
- And much more…
- Encryption
HIPAA compliant software calls for encryption of PHI at rest.
In Qwil Messenger we take encryption to the next level: security for everyone at all times (not just at rest), built to banking-grade standards.
At rest, data on our servers is encrypted both at block level and at a logical level, and we own and maintain our encryption keys. Each and every server deployment has unique encryption and access keys. On mobile devices, the Qwil Messenger app uses a local database encrypted with AES-256, and the key is stored as a device credential secured by the manufacturer’s platform (e.g. the Keychain on iOS). The local mobile databases are also excluded from device backups, so that after provisioning the device itself remains a factor in an ongoing two-factor authentication model.
In-flight data is encrypted with TLS 1.2 at the SSL termination point, with no downgrade to older protocol versions allowed. Our mobile apps use public key pinning (also referred to as certificate pinning or SSL pinning) to detect and block “man-in-the-middle attacks”.
Between server components, authentication is session-based, supported by subdomain cookies as a way of limiting the transmission of long-term cookies. All traffic transmitted for the platform uses either the HTTPS or the WSS secure protocol.
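As an added illustration of the two client-side controls named above (a TLS 1.2 floor with no downgrade, and public key pinning), here is example code that is not Qwil Messenger’s own: it builds a strict client TLS context, extracts the SubjectPublicKeyInfo from a DER certificate with a minimal ASN.1 walk, and checks its SHA-256 pin against a primary and backup pin. The sample certificate is a constructed DER skeleton (correct structure, no real key or signature) so the check runs offline.

```python
import base64
import hashlib
import hmac
import ssl


def strict_tls_context() -> ssl.SSLContext:
    """Client context that refuses anything below TLS 1.2 and requires a valid chain."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # no downgrade to TLS 1.0/1.1
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def _tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value header; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def extract_spki(cert_der: bytes) -> bytes:
    """Return the SubjectPublicKeyInfo element of a DER-encoded X.509 certificate."""
    _, pos, _ = _tlv(cert_der, 0)        # Certificate SEQUENCE
    _, pos, end = _tlv(cert_der, pos)    # tbsCertificate SEQUENCE
    fields = []
    while pos < end:
        _, _, vend = _tlv(cert_der, pos)
        fields.append(cert_der[pos:vend])
        pos = vend
    if fields[0][0] == 0xA0:             # optional [0] EXPLICIT version
        fields = fields[1:]
    return fields[5]  # serial, signature, issuer, validity, subject, SPKI


def spki_pin(spki_der: bytes) -> str:
    """Pin = base64(SHA-256(SPKI DER)), the format used by common mobile pinning libraries."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def pin_matches(cert_der: bytes, trusted_pins) -> bool:
    """True only if the leaf's public key matches one of the primary/backup pins."""
    pin = spki_pin(extract_spki(cert_der))
    return any(hmac.compare_digest(pin, p) for p in trusted_pins)


def _der(tag: int, body: bytes) -> bytes:  # short-form DER encoder for the sample below
    return bytes([tag, len(body)]) + body


# Constructed sample certificate: correct X.509 layout, dummy contents (not a real cert).
SAMPLE_SPKI = _der(0x30, _der(0x30, b"\x06\x03\x2a\x03\x04") + _der(0x03, b"\x00KEY"))
_TBS = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
            + _der(0x30, b"") + _der(0x30, b"") + _der(0x30, b"") + SAMPLE_SPKI)
SAMPLE_CERT = _der(0x30, _TBS + _der(0x30, b"") + _der(0x03, b"\x00"))
```

In a real client, `cert_der` comes from `ssl_socket.getpeercert(binary_form=True)` after the handshake on `strict_tls_context()`, and a mismatch should abort the connection and be logged as a possible interception attempt.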
- Audit Trail
HIPAA compliant software needs to hold records of PHI-related activities for six years.
At Qwil Messenger every action is logged, whether successful or not, including access from new devices or locations, and of course you have access to a full audit trail of all conversations and data on the platform through a simple search interface.
- Business continuity and breach handling
HIPAA specifies not only the privacy and security rules but also the breach notification rule. When an emergency situation like a data breach occurs, you need to follow specific procedures in accordance with HIPAA.
Qwil Messenger utilizes services provided by our hosting provider(s) to distribute production data and environments across multiple separate physical locations, which protects our services from location-specific failures (power, environmental, etc.). The production environment (and client data) is replicated among these discrete operating environments while staying encrypted, to protect the availability of Qwil Messenger.
Qwil Messenger has established policies and procedures for responding to potential security incidents. Our Information Security Incident Management Policy covers suspected or actual breaches of confidentiality or integrity and interruptions to the availability of our services, and applies to all employees, contractors and third-party users of our information systems and related infrastructure. Qwil Messenger will notify impacted customers within 48 hours of any suspected or actual personal data breach.
- Data hosting security and location
HIPAA compliant software should store data in a secure storage environment. This includes the physical location of data storage, which must be within the US.
At Qwil Messenger, you can choose your data location, including the US. All the data centers we deploy to are ISO 27001 certified and HIPAA compliant, and we have signed BAAs with them. Physical security controls include but are not limited to perimeter controls such as fencing, walls, security staff, video surveillance, intrusion detection systems and other electronic means.
In our cloud-hosted production environments, control of network devices is retained by the hosting provider. For that reason, Intrusion Detection / Intrusion Prevention (IDS/IPS) is performed using host-based controls. For example, we have implemented tools that automatically assess applications for vulnerabilities or deviations from best practice, and we subscribe to all monitoring, track metrics and alerts so as to respond to any activity threatening the security of our operations.
To further reduce the risk of unauthorised access to data, Qwil Messenger fully utilises our cloud provider’s centralised mechanism for creating and managing individual users within our account. Each user has a unique name and a unique set of security credentials not shared with other users. This eliminates the need to share passwords or keys. We define policies that control which cloud services our users can access and what they can do with them. We grant users only the minimum permissions they need to perform their jobs, and we periodically review these permissions.