Is SIM Software HIPAA Compliant?

SIM Software maintains ongoing compliance with the U.S. Health Insurance Portability and Accountability Act (HIPAA) and is able to process, maintain and store protected health information for any entities restricted by those regulations.

General Overview

What's involved in HIPAA compliance?

We complete annual risk assessments and employee training as required by HIPAA.  Additionally, we've gone to great lengths to ensure that data is properly secured and encrypted.

Where is SIM Software customer data hosted?

With the exception of off-site backup and redundancy infrastructure, SIM Software is hosted on Amazon Web Services (AWS), a highly scalable cloud computing platform with end-to-end security and privacy features built in.

What sort of application security is in place?

All SIM Software web application communications are encrypted over 256 bit SSL, which cannot be viewed by a third party and is the same level of encryption used by banks and financial institutions.

Who has access to our SIM Software Account?

All Dynamic Intelligence Web & IT Solutions employees with elevated privileges are able to access customer accounts for the sole purpose of lending a hand.  We do not access customer accounts unless we are explicitly asked for help to do so.

Security

Does SIM Software, by Dynamic Intelligence Web & IT Solutions, have a policy that identifies and determines controls regarding the proper use of workstations to support access and protection of ePHI?

All production data is in a VPC (Virtual Private Cloud).  Internal access is firewalled and users must be authenticated on the VPN and via multi-factor authentication to access anything.

Do you have a Security Policy to help ensure the confidentiality, integrity, and availability of ePHI?  Do you have a SOC2/3 report?

For documentation on how data is stored and protected in use, and at rest, refer to our company's privacy policy.  A company security policy is available with a written formal request.  A formal request may be made by contacting us at info@dynamic-intelligence.com.  For SOC2/3 reports, refer to: AWS Cloud Security.

Does SIM Software, by Dynamic Intelligence Web & IT Solutions, have a security control policy (locked doors, surveillance cameras, alarms) to prevent theft of ePHI?

For documentation regarding physical location security, facility maintenance, and access control, refer to this white paper: Amazon Web Services: Security Overview

Do you have procedures for terminating access to systems containing ePHI when a team member is no longer employed at Dynamic Intelligence Web & IT Solutions?

End of employment processes are in place.  VPN access is disabled, AWS and administrator access keys are terminated, and all access to PHI is revoked.  Upon termination, employees are required to destroy remaining local data and return hardware to Dynamic Intelligence Web & IT Solutions.

Have you taken steps to protect the organization from malicious software, including the application security patches?

Per internal IT policy, we only upgrade instances to stable release versions, or hosted HIPAA compliant SaaS offerings, and apply all security patches when released.

Have passwords been implemented that are unique to a user and comply with the best practice components including password length, complexity, and duration?

Our employees are trained on CIS Critical Security Controls and NIST.  We follow all NIST password guidelines for login based systems: https://pages.nist.gov/800-63-3/sp800-63b.html.

A copy of the most recent version of the CIS Controls manual can be found on our website: https://dynamic-intelligence.com/cybersecurity.

Do you routinely conduct audits of your application, such as code reviews, static or dynamic code analysis, penetration tests, or vulnerability scans?

Yes.  Code reviews and analysis are conducted by all engineers as a part of the development process.  SIM Software, by Dynamic Intelligence Web & IT Solutions, does application scans penetration tests at least quarterly.