PCTS uses a proprietary call center software platform purpose-built for handling nursing triage calls. The platform relies on automation for its daily business and clinical processes, some of which involve electronic protected health information (ePHI). To stay in compliance with the HIPAA Security Rule, we have established policies and procedures to safeguard ePHI within our systems.
Employees & Users
PCTS has a formal HIPAA Security and Compliance training program. All employees are required to complete the training program and pass an exam demonstrating their understanding of the policies. We perform a detailed HIPAA Risk Assessment annually, covering the administrative, physical, and technical safeguards of the entire company, including its systems, processes, and workflows, measured against the HIPAA Security Rule. The risk assessment methodology is based on the concepts and processes described in NIST Special Publication (SP) 800-30 Revision 1, Guide for Conducting Risk Assessments.
Data Centers
Our call center software platform is hosted in enterprise-class data centers owned by HiVelocity Ventures Corporation. All systems are fully redundant across two of their data centers, in Tampa and Atlanta. Both data centers hold SOC 1 and SOC 2 attestation reports under SSAE 16 and are HIPAA and PCI compliant. Servers are backed up regularly and patched quarterly. Development, testing, and production environments for the applications are kept separate.
Network
Networks in both data centers are protected by managed Juniper and Cisco firewalls. Network traffic, including application traffic and VPN tunnels, is encrypted with TLS (the current successor to SSL). The network and servers are also monitored by Avertium using AlienVault cloud software, a combined Security Information and Event Management (SIEM) platform and Intrusion Detection System (IDS). These systems are monitored 24/7 in the Security Operations Center (SOC).
Applications & Data
We capture the minimum amount of ePHI required to provide effective triage information to patients and their providers. Data is encrypted in transit and at rest. Patient data is stored only on database servers, never on workstations or mobile devices. Multi-factor authentication (MFA) is required to access the data and applications in the platform. If a provider requests that we send patient information to them, it is provided only over a secure, encrypted connection. The applications are regularly scanned for vulnerabilities and misconfigurations, including automated dynamic application security testing (DAST), using Qualys Web Application Scanning (WAS).
End User Requirements
The software we use requires a fast internet connection and is built and tested against up-to-date versions of Chrome and Chromium-based Edge.