ShieldQ is provided to US-based clients by Interfax US Inc., a subsidiary of Interfax Communication Ltd. We are committed to helping clients comply with the HIPAA Regulations and to ensuring that our services comply with each of the regulatory standards.

What is HIPAA?

The Health Insurance Portability and Accountability Act of 1996 amends the Internal Revenue Service Code of 1986. The Administrative Simplification section of this act has a pervasive effect on health plans, billing agencies, information systems vendors, and other providers. Within the provisions of this section, HIPAA requires improved efficiency in healthcare delivery by standardizing electronic data interchange (EDI), and protection of the confidentiality and security of health data through setting and enforcing standards. More specifically, HIPAA calls for:

* Standardization of electronic patient health, administrative and financial data
* Unique health identifiers for individuals, employers, health plans and health care providers
* Security and privacy standards protecting the confidentiality and integrity of "individually identifiable health information," past, present or future (e.g. encryption of data during transmission, authentication and verification of the sender and receiver)

Who is affected by HIPAA?

The Act specifies the following as "covered entities":

* Health care providers
* Health plans
* Health care clearinghouses

Although ShieldQ does not fall into any of the above categories, HIPAA indirectly affects us as a provider of internet faxing services that handle patient data. As a "business associate" of covered entities, our products must be able to meet HIPAA's requirements. As an organization, our own security measures must comply with the law, since we have the capability of storing, accessing and transmitting patient information.

ShieldQ and HIPAA

ShieldQ is fully committed to complying with relevant regulations.

Should you wish for more information or clarification on any HIPAA-related issues that involve InterFAX, please do not hesitate to contact Mr. Ernest Palla, Managing Director of InterFAX US Inc.

ShieldQ Patient Confidentiality and Security Measures:

ShieldQ recognizes that the security of personal medical record information is of great concern to both patients and providers in the health care industry. To address these concerns, ShieldQ applies 3 levels of security to messages handled by its systems:

  1. Technical

  2. Physical

  3. Procedural

Technical:

The ShieldQ system provides a full audit trail of messages received through the system. This information is visible online. ShieldQ accepts messages submitted to its systems over encrypted transport, whether by SSL or signed email (PKI). ShieldQ does not give its customer service staff access to view patient-identifying content, and deletes messages with patient-identifying content immediately after their completion, based on a user-level setting indicating 'Delete image after completion'. ShieldQ uses security methods to determine the identity of its users and operators so that appropriate rights and restrictions can be enforced for each user. ShieldQ uses both password protection and usernames in its authentication process.

Physical:

All ShieldQ servers are housed in secure environments, which can be accessed by approved personnel only.

Procedural:

ShieldQ does not retain copies of faxes containing patient health information. This is achieved by requiring clients who are covered entities to apply the following measures as prerequisites for transmitting patient-identifying health information through our systems:

1. Use SSL or PKI to send messages to InterFAX - InterFAX enables SSL-secured communication to our Web Service servers via https://ws.interfax.net, and public-key encryption of email messages, so that potentially patient-identifying information can be submitted securely for faxing.

2. Use the 'Delete image after completion' feature - This setting may be selected through your account sending preferences. It is intended to keep patient-identifying information on our servers no longer than is necessary to send a fax or to announce its failure (several minutes). When this feature is set, images of faxes sent through the service, as well as precursor and temporary files, will immediately be deleted from our servers upon completion.

3. Avoid placing patient-identifying information into any data fields - Verify that patient-identifying information is only present in the body of an outgoing fax. All other parts of a transaction are retained indefinitely for billing and archival purposes. Since InterFAX does not address HIPAA requirements in the handling of its archives, patient-identifying information must not reside anywhere except in the fax itself.

At clients' request, InterFAX will agree to enter into a "Business Associate" contract, a sample of which can be viewed on the HHS web site.