The OnTime suite of products and services is designed for general-purpose use and does not by itself enforce every HIPAA requirement that applies to software used exclusively within a medical environment. However, OnTime does provide features that an organization can use as part of achieving HIPAA compliance. The HIPAA Security Rule contains specific provisions for administrative safeguards (§164.308), physical safeguards (§164.310), and technical safeguards (§164.312). OnTime's relevant features are listed below under those provisions.
Administrative Safeguards (§164.308)
- User Access Authorization: All OnTime programs and services are protected by role-based access controls. Access is granted through username/password, security keys, and trust tokens.
- Access Termination: Access to software and services can be halted within minutes by revoking the user's access.
- Log-in Monitoring: User log-in attempts are logged.
- Password Management: Create, change, and safeguard passwords.
- Password Complexity Requirements: Enforce password complexity requirements at the user and customer level. Requirements may include minimum length, mixed case (upper and lower), alphanumeric characters, and special characters.
- Data Backup Plan: In addition to local program data backups, data is protected at the server level automatically. Backups are transactional, allowing point-in-time restoration. Incremental backups are taken every three hours and full backups every 24 hours.
- Disaster Recovery Plan: Data may be quickly restored from server backups as needed by contacting customer support.
- Emergency Mode Operation Plan: In the event of local disruption of network connectivity, OnTime applications can continue to operate, saving data locally until it can be securely synchronized with servers.
- Risk Assessment and System Review: Performed at the server level at least once every 30 days.
Physical Safeguards (§164.310)
- Facility Security Plan: Procedures in place at our data center facility in Medford, Oregon prevent unauthorized persons from gaining access. The facility is secured and requires in-person photo identification for entry.
- Data Backup and Storage: Duplicate copies of data are made before any physical movement of equipment.
Technical Safeguards (§164.312)
- Access Control: Role-based user accounts, ensuring users access only features to which they have permission.
- Unique User Identification: Unique identity for each user, ensuring accountability during audits.
- Emergency Access Procedure: In the event of local disruption of network connectivity, OnTime applications can continue to operate and access data locally.
- Audit Controls: All changes are logged with a timestamp and the identity of the user who made the change.
- Encryption: Transmission of data between server and client is protected by TLS 1.2, using cipher suites with SHA-256 integrity protection. (SHA-256 is a hash function that TLS uses for message authentication and key derivation; it is not itself an encryption algorithm. Confidentiality is provided by the symmetric cipher negotiated in the TLS cipher suite.)
Business Associate Agreement/Contract
If it is determined that a Business Associate Agreement (BAA) or Contract is required, forward the contract through OnTime customer support. Vesigo Studios will review the contract and determine if it can agree to be bound by its terms.