HIPAA Compliance Declaration
What is Metadvice?
Metadvice is a suite of precision medicine applications that facilitates comprehensive and precise diagnostic and therapeutic evaluations. Metadvice uses artificial intelligence to transform big data into actionable insights for both doctors and patients.
With the rapid advance of healthcare technologies such as mobile medical apps and cloud computing and their increasing integration with social media such as Facebook – personal data protection has become of paramount importance.
The Centers for Medicare & Medicaid Services (CMS) provide guidance on Security Standards for the Protection of EPHI (Electronic Protected Health Information). This guidance is described in 45 CFR Parts 160 and 164 Subparts A and C and is commonly known as the Security Rule. The Security Rule implements provisions for data protection in HIPAA (Health Insurance Portability and Accountability Act).
The first required safeguard in the Security Rule is a risk analysis – “As part of the risk management process, the company performs an annual risk analysis for its products analyzing software and data security”. The Security Rule details specific requirements for security safeguards. Items marked (R) are required and items marked (A) need to be addressed according to the results of the risk analysis.
To reduce risks to EPHI, covered entities and their business associates such as Metadvice must implement the appropriate technical safeguards for their business situation – this is the raison d’être of risk analysis. The most effective safeguard is to store as little EPHI as possible. To this extent:
Metadvice does not store EPHI, such as name, address, dates and identifying numbers, unless the user request for an account and the user has obtained an appropriate consent.
EPHI uploaded by users of Metadvice are stored in encrypted format and are not accessible by other users of Metadvice by default, unless explicitly and actively designated otherwise by the end-user. An automatic learning algorithm is applied anonymously on de-identified medical records stored in its Metadvice’s file volume in order to train and improve the Metadvice® Technology.
Metadvice has performed a threat analysis of the Metadvice mobile app and services. The threat analysis considered attack scenarios involving system availability, EPHI confidentiality, integrity and availability, as well as attacks on code and service configurations. The results of the threat analysis guide Metadvice in their implementation of Security Rule safeguards.
Person or Entity authentication (R)
This safeguard requires a covered entity and its suppliers to “Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.”
Authentication in Metadvice ensures that a person is in fact who he or she claims to be before being allowed access certain features in Metadvice. This is accomplished by providing satisfactory proof of identity, to attest that a new user is a healthcare professional or his/her patient. After completing the in-app registration, a new user is vetted by Metadvice for use of the app. User authentication is based on an email username and strong passwords with a minimum of 8 characters.
The Security Rule defines access as “the ability or the means necessary to read, write, modify, or communicate data/information or otherwise use any system resource”.
Metadvice has implemented access control in the Metadvice system as follows:
- Unique User Identification (R) – Unique user identification is provided for end users in the Metadvice mobile app and for system administrators and software developers. Authentication and grant of access to Web services consumed by the handset app are performed using a token exchange protocol.
- Two-Factor Authentication – Users can activate two-factor authentication using a Time-based One-Time Password (TOTP) mechanism.
- Emergency Access Procedure (R) – End users of the Metadvice mobile app have an online password recovery procedure.
- De-identification (R) – The identity of users (who have obtained an appropriate consent) is stored separately from de-identified data.
- Encryption and Decryption (A) – All EPHI (identities and de-identified medical records) are stored in encrypted format.
Mobile device policy
In addition to Security Rule requirements for access control, Metadvice realizes that innovative mobile apps such as Metadvice are part of a diverse mobile IT environment that introduces new threats and requires appropriate security countermeasures. In the event a user has a lost or stolen mobile device, a user can de-authenticate the device remotely, through Metadvice’s support.
Users of Metadvice are encouraged to use device-level security features such as requiring a password or PIN when the screen is turned on to provide an additional layer of protection.
The Audit Controls safeguards require a covered entity to “Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.” Metadvice maintains comprehensive audit logs on its cloud servers:
- Content of audit controls: Access and all failed login attempts. System level messages such as scheduled job execution and mail server-related messages.
- Audit reduction and report generation: Logs are retained and cycled through a 7 day retention cycle.
- Audit record retention: Logs cycle through a 7 day retention period.
Transmission security safeguards require a covered entity to: “Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.” These include:
- Integrity Controls (A) – Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposal.
- Encryption (A) – Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.
Metadvice encrypts the connection between the applications and the cloud services using TLS (Transport Layer Security) / SSL (Secure sockets layer). The connection is encrypted using an RSA 2048 bits key issued by Letsencrypt. An independent assessment can be obtained from SSL Labs under this link.
Metadvice is a unique and innovative search and reference application for precision medicine, powered by artificial intelligence. Metadvice has implemented the appropriate Security Rule safeguards as part of a corporate commitment to protecting personal data through a strong security and compliance management program.
Updated January 24, 2019