Systems and Operational Security
"Peoplechart is perfect for kids that see lots of doctors. Once, when I had one of the girls in the
emergency room, I made a call to the call center and had the summary report and most recent records faxed
right to the hospital."
– M. W. (Knoxville, TN)
HIPAA Compliance
Peoplechart is HIPAA compliant and meets all the guidelines as defined by AMIA (American Medical Informatics
Association) and AHIC (American Health Information Community). As a service provider to healthcare provider
organizations, Peoplechart takes the role of a Business Associate as governed by HIPAA stipulations on patient
privacy, confidentiality, and security.
Summary of Peoplechart Information Security Processes and Controls
Peoplechart’s security system provides a variety of rigorous information security features, including:
state-of-the-art firewall protection, stringent login credentials and verification process, advanced
encryption for all internet-based data communications, encryption within Peoplechart's systems
for "data at rest", and additional firewall protection between the user interface and the system's
databases.
In addition, members can further protect their personal information by controlling exactly who
is authorized to have access and using the Peoplechart access event log to monitor the details of
each access event. Peoplechart's system also gives members the ability to limit the scope of
personal information and the system features that they choose to make available to each authorized
user (through an intricate table of roles and privileges). The system features also include the
ability for the member to set or limit the time period (start time and duration) during which
authorized information access is allowed. Finally, Peoplechart’s patented "Dual Channel Lock"
system provides an additional level of protection in the event of any unauthorized access to
Peoplechart’s systems.
Our "live" or production servers and database are guaranteed 99.9% uptime and protected by a
professional and secure data storage facility that is located in a disaster-free zone state. The
facility includes video surveillance cameras, motion and temperature detectors, and continuous
monitoring for online intrusions.
Peoplechart’s Patented System for Protecting Medical Records
For systems that are used to store and provide access to medical records data, information
security is always a major concern, especially when that information is accessed or distributed
via the Internet. In addition to using state-of-the-art firewall and password protection
technology similar to that used by financial services companies for online banking transactions,
Peoplechart also employs a patented security system to add an extra rigorous layer of security
for protecting member information.
Peoplechart’s patented "Dual Channel Lock System" is specially designed to help minimize
the risks associated with systems that enable internet access for their authorized users.
With Peoplechart's system, a member's medical data is available to online servers only when
that information is needed by the member or the member's authorized care team. At all
other times, the member's medical information is safely stored on a database server that
is not internet accessible. Peoplechart has received issuance of a patent for its
invention, "Method and System for Protecting Information on a Computer
System" (Patent no. 7370349).
List of Key Systems Security Features
System security and privacy controls are imbedded in the architecture and design of
the entire Peoplechart system to protect against the loss or misuse of, or unauthorized
access to personal health information. Here is a summary of key security features in all
of our applications:
- State-of-the-art firewall and rigorous login credential process
- SSL/HTTPS encryption technology for protecting all data transmittals between client browsers and Peoplechart servers
- Encryption of database and of backup disk storage for protection of "data-at-rest"
- Additional firewall protection between database and user interface tiers
- Production system operating in secure offsite facility, located in natural disaster-free zone state with
guaranteed 99.9% uptime and continuous data backup
- Patented (Dual Channel Lock) security system
- Ability to assign specific user roles and privileges to each authorized user
- Extensive audit trail and automatic notifications
- Ability for member to have explicit control over scope and timing of access to member’s personal
information for each authorized user. The member can:
  - Mark certain types of information to be kept 'private' from users
  - Remove user from care community
  - Set length of access by date and time (duration) for each user
  - Invite or add user to account with preset role-based privileges
  - Change access by turning on/off specific privileges for each user
  - Select emergency access options for unauthorized callers
What Happens if a Security Breach Occurs
Peoplechart's Dual Channel Lock system is especially designed to help mitigate the risks of information loss as
a result of unauthorized systems access. With the Peoplechart system, a member’s medical data is available to online
servers only when that information is needed by the member or by an authorized user of the member's account. As a
result, the information that is exposed to a security breach is limited to the information of members whose access
sessions are valid and active at the time a breach occurs.
However, regardless of the strength of a system's information security safeguards and controls, planning for
events of unauthorized access is still prudent. What happens in the event of a security breach depends on the
specifics of the breach. When unauthorized access or an information breach happens, the Peoplechart staff responds
by evaluating the source, scope, and nature of the breach as depicted in the Audit Trail feature of each
member's account.
First, the Peoplechart staff reviews the scope of the breach by counting the number of member accounts that
are susceptible to the breach. Second, the IP addresses of all recent logins for each of the breached accounts
are logged and investigated in order to trace the source. Finally, staff reviews the scope of personal information
being breached — viewed, edited, printed, or shared with others without member authorization. All of these
completed steps and results are to be documented in a Security Breach document as part of the investigation.
Any accounts in the Active Session server not impacted by the breach are deleted from the Active Server so that
no other personal information can remain exposed while the breach is being investigated.
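The three review steps and the active-server cleanup described above, sketched as an added example that is not Peoplechart's own code. The audit-event fields, account ids, IP addresses and the active-session set are constructed assumptions, not the product's schema.

```python
from collections import defaultdict

# Constructed audit-trail events; field names are assumptions for illustration.
AUDIT_EVENTS = [
    {"account": "M-1001", "ip": "198.51.100.7", "action": "viewed", "authorized": False},
    {"account": "M-1001", "ip": "198.51.100.7", "action": "printed", "authorized": False},
    {"account": "M-1001", "ip": "192.0.2.10", "action": "viewed", "authorized": True},
    {"account": "M-1002", "ip": "203.0.113.44", "action": "shared", "authorized": False},
    {"account": "M-1003", "ip": "192.0.2.55", "action": "edited", "authorized": True},
]

# Constructed set of accounts currently loaded on the active-session server.
ACTIVE_SESSIONS = {"M-1001", "M-1002", "M-1003", "M-1004"}


def triage(events, active_sessions):
    """Summarise a suspected breach for the Security Breach document."""
    # Step 1: accounts with at least one unauthorized access event.
    breached = {e["account"] for e in events if not e["authorized"]}

    login_ips = defaultdict(set)
    actions = defaultdict(set)
    for e in events:
        if e["account"] not in breached:
            continue
        # Step 2: keep every recent source IP of a breached account,
        # authorized or not, so the source can be traced.
        login_ips[e["account"]].add(e["ip"])
        # Step 3: record what was done without authorization.
        if not e["authorized"]:
            actions[e["account"]].add(e["action"])

    return {
        "accounts_at_risk": len(breached),
        "login_ips": {a: sorted(v) for a, v in sorted(login_ips.items())},
        "unauthorized_actions": {a: sorted(v) for a, v in sorted(actions.items())},
        # Unaffected accounts are removed from the active server during the
        # investigation so their data does not remain exposed.
        "evict_from_active_server": sorted(active_sessions - breached),
    }


if __name__ == "__main__":
    for key, value in triage(AUDIT_EVENTS, ACTIVE_SESSIONS).items():
        print(key, value)
```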
Once the breach is determined to be valid, Peoplechart will notify the members-at-risk with the investigation's
findings on source, scope, and nature of the breach. With member permission and help, Peoplechart will take
appropriate action steps to limit the damage from the breach; to address the issues at hand; and to set
up preventive measures for mitigating the recurrence of such risks in the future.