Data Security and why we made ClinicJot HIPAA compliant

When we were designing the new version of ClinicJot as a cloud-based system, we were very conscious that the safety and security of your data had to be at the forefront of our development effort.

But we were faced with a problem. ClinicJot is available in virtually every country in the world, yet there is no international convention governing the storage of medical and clinic data.

In the United Kingdom there is the Data Protection Act 1998, shortly to be replaced by the pan-European EU General Data Protection Regulation; in Canada there is the Personal Information Protection and Electronic Documents Act; and in Australia there is the Privacy Act. They all adopt a similar approach to safeguarding data in its broadest form.

Most jurisdictions recognize the special nature of Electronic Healthcare Records (EHR), and many are developing standards within the framework of existing national legislation, but only the United States has already confronted the issue by developing and promulgating a specific set of rules to regulate EHR storage and access. These rules are commonly referred to as the HIPAA/HITECH rules.

HIPAA/HITECH

HIPAA, the Health Insurance Portability and Accountability Act, was enacted in 1996. It requires that Protected Health Information (PHI) be securely held and codifies a set of security conditions that must be met. HITECH, the Health Information Technology for Economic and Clinical Health Act, was enacted in 2009 and strengthens the privacy and security protections for PHI held under HIPAA. The Office for Civil Rights (OCR), part of the US Department of Health and Human Services, is charged with enforcing the HIPAA security and privacy rules. Non-compliance can result in fines, imprisonment or both. To learn more about HIPAA, have a look at the OCR website (http://www.hhs.gov/ocr/privacy/). It provides a wealth of information on the HIPAA rules, gives guidance on compliance and even lists its enforcement activities and the penalties it has imposed for non-compliance.

Based on the highly developed security safeguards embodied in HIPAA, we concluded that if ClinicJot were HIPAA compliant, it would offer its users a world-class level of security.

Indeed, commenting on HIPAA, the European Union Agency for Network and Information Security (ENISA) has said that “… since their data processing activities are subject to similar obligations under general European law (including the Privacy Directive), and since the underlying trends of modernisation and evolution towards electronic health files are the same, the HHS safeguards can be useful as an initial yardstick for measuring [Risk Management] strategies put in place by European health care service providers, specifically with regard to the processing of electronic health information.”

HIPAA/HITECH COMPLIANCE

To provide all ClinicJot users with the same high level of security, and to promote confidence in the service level we provide, we are proud to confirm that ClinicJot is HIPAA compliant. What this means for all users of the ClinicJot private cloud is that data in motion and at rest is encrypted, and that the data we hold is subject to prescribed administrative, physical and technical safeguards, which are enforced by the OCR, a regulatory body of the United States government. The Business Associate Agreement, which we offer free of charge to all United States-based users, reinforces this.
