PCTS uses a proprietary call center software platform purpose-built for handling nursing triage calls. The platform relies on automation for its daily business and clinical processes, some of which involve electronic protected health information (ePHI). To stay in compliance with the HIPAA Security Rule, we have established policies and procedures to safeguard ePHI within our systems.

 

Employees & Users

 

PCTS has a formal HIPAA Security and Compliance training program. All employees are required to complete the training program and pass an exam to demonstrate their understanding of the policies. We perform an annual, detailed HIPAA Risk Assessment, covering administrative, physical, and technical safeguards across the entire company and its systems, processes, and workflows, measured against the HIPAA Security Rule. The methodology used for these risk assessments is based on the risk assessment concepts and processes described in NIST Special Publication (SP) 800-30 Revision 1.

 

Data Centers

 

Our call center software platform is hosted in enterprise-class data centers owned by HiVelocity Ventures Corporation. All systems are fully redundant across two of their data centers, in Tampa and Atlanta. Both data centers have SSAE 16 SOC 1 and SOC 2 audit reports and are HIPAA and PCI DSS compliant. The servers are backed up regularly and patched quarterly. Separate Development, Testing, and Production environments are maintained for the applications.

 

Network

 

Networks in both data centers are protected by managed Juniper/Cisco firewalls. Network traffic, including application traffic and VPN tunnels, is encrypted with TLS (commonly still referred to as SSL). The network and servers are also monitored by Avertium using AlienVault cloud software, which provides both a Security Information and Event Management (SIEM) platform and an Intrusion Detection System (IDS). These systems are monitored 24/7 by a Security Operations Center (SOC).

 

Applications & Data

 

We capture the minimum amount of ePHI required to provide effective triage information to patients and their providers. Data is encrypted in transit and at rest. Patient data is stored only on database servers, never on workstations or mobile devices. Multi-factor authentication (MFA) is required to access the data and applications in the software platform. If a provider requests that we send patient information to them, it is provided only over an encrypted connection. The applications are regularly scanned for vulnerabilities and misconfigurations, including automated penetration testing, using Qualys Web Application Scanning (WAS) tools.

 

End User Requirements

 

The software we use requires a fast, reliable internet connection and is built and tested against current versions of the Chrome and Chromium-based Edge browsers.