Keeping Data Safe and Secure

HealthMark Group’s specialized team ensures secure, accurate, compliant, and efficient transfer of protected health information (PHI) while using its multi-layered approach to prevent unauthorized access and disclosures. We’ve safely transferred personal data for millions of patients and reduced compliance risks, saving healthcare organizations thousands of hours on administrative tasks in the process. 

Up to date on federal and state laws, Health Insurance Portability and Accountability Act (HIPAA) compliant, and SOC 2 certified, HealthMark Group’s patient-centered software meets the highest standards for compliance and data integrity.     

Watch the video to learn from Devin Hardin, HealthMark Group’s VP Release of Information. He’s kept healthcare organizations compliant for over a decade and serves on the Risk and HIPAA Committees.

And if you’d like to follow along, keep reading for a full transcript of Devin Hardin’s data integrity talk.


Introduction to Data Integrity and Compliance

You have to have data integrity 24/7. You can't have any network breaches or any interruptions.

What Information Security Measures Are in Place to Ensure PHI Is Protected?

Yeah, the way that we make sure that our data is secure is we have it encrypted throughout the process. So, during transit we use TLS 1.2 and when it's encrypted at rest, we use AES 256. We also have multi-factor authentication getting into our network on all of our emails, on MedRelease.

We have every access point, make sure that we have that multi-factor authentication on at all times. We do quarterly testing with our employees to make sure that they don't fall victim to any spamware or phishing attempts as well as making sure that they know the proper ways to get in and out of the network, and make sure they don't leave any back doors for anyone.

So they're tested on that on a quarterly basis.

We do have aggressive firewalls and protections in place with all of our emails, as well as that spam and malware protection that we constantly have working behind the scenes.

All of our employees do have DriveStrike installed on their computer. It's a way that we can remote wipe any computer at any given time. So that's at our corporate office, our employees that are on site using a HealthMark computer, as well as all of our employees who are out in the field either going from clinic to clinic or working from their house.

So if we ever need to wipe a computer, we can do that at a moment's notice.

The last thing I wanted to talk about was just our network and how it’s secure. We do use intrusion prevention software that we are constantly looking to make sure that there's no penetrations that we have not authorized.

How Does MedRelease Ensure Transparency During the Release of Information Process?

The way we make sure that we have full transparency to MedRelease is our robust Audit Trail feature. So, right now, if you log in as a client, or any of our employees log in and you open up a request ID, it's going to put that transaction in that Audit Trail. So even if you don't click update or you don't make a note, you don't do anything, we will know that you touched that ID. So that happens with all of our employees.

Right now, they receive an incoming phone call or an email, they make sure that they make a note of every single time that they have any interaction with that request ID because we want to make sure that there is nothing left out with a story of that request.

So we can tell a story about an order that just happened yesterday and we can tell the story of a request that we fulfilled 10 years ago. We want to make sure that we constantly don't have any blind spots there.

You can see the status of any request ID, live 24/7.

So if you log in at 8 and you open up an ID, you see real-time status updates. You can see all the records that we pull. So if you're ever wondering what records we did release to a physician or a patient or attorney, you'll be able to see those records. You'll also be able to see any legals that we completed.

So if we filled out a set of deposition questions on your behalf as a qualified witness, you'd be able to see how we responded to those questions.

Does HealthMark Have MFA On All Connection Points Where PHI Is Viewed?

Multi-factor authentication is a huge hot button topic right now in the world of ROI.

We have made some recent changes over the last six months and everything is multi-factor on our end. So, logging into our emails, logging in to our remote desktop, any network access, MedRelease, everything is multi-factor authentication.

Does HealthMark Have a SOC2 or Similar Type of Certification?

We, at HealthMark, are SOC2 certified.

We are getting questions, gosh, weekly from current clients, from prospective clients, that want to see those SOC2 results. And we're happy to share those. 

As part of that SOC2 process, we do have meetings quarterly where we go over any risk that our clients or employees want us to review. We want to make sure that nothing has changed in the ROI landscape that might warrant a different response or different action.

We have a risk registrar that we put everything in that we’ve deemed a risk.

We have a weight and probability scale as well as any kind of action that we need to take now or something that we just need to be reactionary based on something happening in the future.

Does HealthMark Have a Team or an Individual That Handles all Compliance-Related Issues and Questions?

We do have a full HIPAA steering committee that meets on a quarterly basis. We also meet anytime there's any new information, like with the Cures Act or the HIPAA NPRM, to discuss any implications that either one of those things might have on the industry.

Our COO Joe Licata also doubles as our general counsel. We also have outside counsel. She's the former acting Deputy Director of Health Information Privacy at HHS. 

I am also a member of the HIPAA steering committee. So anytime there's an incidental disclosure or anything at all that might arise with a client or a set of records that we release, we do meet as a HIPAA steering committee.

On each and every one of those we write up a privacy incident if an incident did occur. We have a hundred percent agreeance on every single one of these that goes out.

So before we send out any covered entity letters or notices, we make sure that everyone on the HIPAA steering committee agrees with the findings, and we tweak as needed. So sometimes, those are as easy as a 5-10 minute write up. Sometimes it might take two or three weeks if it's a complicated situation.

We want to make sure that there's no stone left unturned and we do investigate everything to the fullest extent.

How Does HealthMark Ensure Quality Assurance?

We get questions every single day from our clients about audits. There's a lot of misunderstanding of audits in our industry.

These third-party requesters, and sometimes the payers, they put some information out there that makes it seem like they're trying to recoup money and things like that. But these are all for reporting purposes.

99 times out of a hundred there's no post-payment recoupment.

We know what the RAF requests are, things like that, and we fully silo those in our workflow, but the normal MRA, HEDIS and those types of audits, we see on a regular basis.

We meet with every vendor that's requesting on behalf of these payers on a weekly basis to discuss due dates, to discuss priorities on their end. Because on their end, not all things are created equal.

There's some, that even though the deadline is the same as everything else that they're working on, there's some things that are more important for them and they tell us on a weekly basis, which ones of those that we need to work on now, and which ones can wait.

But rest assured, we've never missed an audit deadline. We've processed well over a million audits over the last few years.

We're here to be a good partner and to be able to help you out where maybe you need some guidance.

24/7 Data Integrity Within Reach  

With the rapid pace of healthcare and rigorous compliance requirements, you can’t afford to fall short with patient information management. HealthMark Group’s record management solution, MedRelease, is HIPAA-compliant, easy-to-use, and designed to put accuracy at the forefront of your PHI management.

To learn more about HealthMark Group's 24/7 data integrity solutions, schedule a demo.
