HIPAA and .mdEmail^®

All MaxMD and .mdEmail^® products are 100% compliant with HIPAA, HITECH, NHIN Direct technical, security and policy standards, relative to the use, transmission, storage, and protection of ePHI.

HIPAA's Security Rule (Security Standards for the Protection of Electronic Protected Health Information, found at 45 CFR Part 160 and Part 164, Subparts A and C), requires covered entities and business associates to comply with these standards and implementation specifications. For more information and to review the specific requirements of the Security Rule

• STANDARD164.312(a)(1) Access Control. A covered entity is required to; "Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been grant ed access rights as specified in 164.308(a)(4) [Information Access Management]".
• EMERGENCY ACCESS PROCEDURE (R) - 164.312(a)(2)(ii) "Requires a covered entity to: Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency."
• AUTOMATIC LOGOFF (A) - 164.312(a)(2)(iii) Where this implementation specification is a reasonable and appropriate safeguard for a covered entity, the covered entity must: "Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity."
• ENCRYPTION AND DECRYPTION (A) - 164.312(a)(2)(iv) Where this implementation specification is a reasonable and appropriate safeguard for a covered entity, the covered entity must: "Implement a mechanism to encrypt and decrypt electronic protected health information."
• STANDARD 164.312(b) Audit Controls The Audit Controls standard requires a covered entity to: "Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information."
• STANDARD 164.312(c)(1) Integrity The Integrity standard requires a covered entity to: "Implement policies and procedures to protect electronic protected health information from improper alteration or destruction." There is one addressable implementation specification in the Integrity standard.
• MECHANISM TO AUTHENTICATE ELECTRONIC PROTECTED HEALTH INFORMATION (A) - 164.312(c)(2) The covered entity must: "Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner."
• STANDARD 164.312(d) Person or Entity Authentication This standard requires a covered entity to: "Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed."
• STANDARD 164.312(e)(1) Transmission Security This standard requires a covered entity to: "Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network."
• INTEGRITY CONTROLS (A) - 164.312(e)(2)(i) The covered entity must: "Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of."
• ENCRYPTION (A) - 164.312(e)(2)(ii) The covered entity must: "Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate."