HIPAA Compliance
HIPAA Compliance is the adherence to the U.S. Health Insurance Portability and Accountability Act, which requires the protection of patient health information, a process supported in co-browsing through security controls like data masking, encryption, and vendor Business Associate Agreements.
What you need to know about HIPAA Compliance
HIPAA Compliance affects any U.S. healthcare provider, health plan, or clearinghouse (Covered Entities) and any of their business partners that handle patient data (Business Associates). The regulation establishes national standards to protect sensitive patient health information from being disclosed without the patient's consent or knowledge.
The regulation specifically protects Protected Health Information (PHI), any identifiable health information held or transmitted by a covered entity or its business associate. This includes common identifiers like names, addresses, and social security numbers, as well as medical record numbers, diagnoses, lab results, and any other data point that could be linked to a specific individual's health status.
Key HIPAA Compliance Rules
HIPAA's framework is primarily enforced through three major rules:
- Privacy Rule: Sets standards for when PHI may be used and disclosed. It gives patients rights over their own health information.
- Security Rule: Defines safeguards that must be in place to protect electronic Protected Health Information (ePHI). It requires technical, administrative, and physical security measures.
- Breach Notification Rule: Requires covered entities and business associates to provide notification following a breach of unsecured PHI.
The importance of HIPAA Compliance
For healthcare organizations and their technology partners, adhering to HIPAA is a legal requirement. Non-compliance can result in severe financial penalties, corrective action plans, and a major loss of patient trust. Surfly's platform provides the technical controls necessary to conduct collaborative online sessions while upholding the data protection standards of HIPAA.
Safeguarding Protected Health Information (PHI)
The core mandate of the HIPAA Security Rule is to ensure the confidentiality, integrity, and availability of all ePHI. During a co-browsing session, there is a high risk of exposing this data to a support agent. Surfly’s architecture is designed to prevent this exposure.
- Server-Side Data Masking: Specific fields containing PHI, such as patient names, medical record numbers, or diagnoses, can be redacted before the webpage is displayed to an agent. This masking occurs on the proxy server, ensuring the ePHI never reaches the agent’s device, a critical technical safeguard required by the Security Rule.
- End-to-End Encryption: All data in transit during a co-browsing session is protected using TLS 1.3 encryption. This secures the communication channel between the patient, the Surfly proxy, and the healthcare portal, meeting the Security Rule’s requirements for encrypting ePHI.
- Business Associate Agreement (BAA): Surfly signs a BAA with covered entities, which is a contractual requirement under HIPAA. This agreement establishes Surfly's legal responsibility to safeguard any PHI processed through its platform on behalf of the healthcare organization.
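The server-side masking bullet above describes the proxy redacting PHI form fields before the page is streamed to the agent. The following is an added example, not Surfly's code: a small proxy-side HTML rewriter that blanks the `value` of `<input>` fields and the body of `<textarea>` elements whose `name` or `id` is on a configured PHI field list, and returns the names it redacted so the proxy can record them in the session audit log. The field list, the `[REDACTED]` token and the sample form are all constructed for this illustration.

```python
"""Proxy-side PHI field masking (added example, not Surfly's implementation).

The rewriter runs on the proxy, after the portal's response is received and
before anything is sent to the agent's browser, so the agent only ever sees
the mask token. PHI_FIELDS, MASK and SAMPLE_FORM are constructed here."""
from html.parser import HTMLParser
from html import escape

# Constructed policy: form field names the proxy must never forward to an agent.
PHI_FIELDS = {"patient_name", "ssn", "mrn", "diagnosis", "medications", "dob"}
MASK = "[REDACTED]"


class PHIMasker(HTMLParser):
    """Re-serialises an HTML document, redacting PHI form fields on the way."""

    def __init__(self, phi_fields):
        super().__init__(convert_charrefs=False)
        self.phi_fields = {f.lower() for f in phi_fields}
        self.out = []            # rewritten document fragments
        self.masked = []         # field names redacted, for the audit trail
        self._in_phi_textarea = False

    def _phi_field(self, attrs):
        """Return the matching field name if this tag is a PHI field, else None."""
        a = dict(attrs)
        for key in ("name", "id"):
            v = a.get(key)
            if v and v.lower() in self.phi_fields:
                return v
        return None

    def _emit_tag(self, tag, attrs, selfclosing=False):
        parts = [tag]
        for k, v in attrs:
            parts.append(k if v is None else f'{k}="{escape(v, quote=True)}"')
        self.out.append("<" + " ".join(parts) + (" />" if selfclosing else ">"))

    def _mask_input(self, tag, attrs):
        field = self._phi_field(attrs)
        if field and tag == "input":
            # Replace the pre-filled value; the field itself stays visible so the
            # agent can still see which part of the form the patient is on.
            attrs = [(k, MASK if k == "value" else v) for k, v in attrs]
            self.masked.append(field)
        elif field and tag == "textarea":
            self._in_phi_textarea = True
            self.masked.append(field)
        return attrs

    def handle_starttag(self, tag, attrs):
        self._emit_tag(tag, self._mask_input(tag, attrs))

    def handle_startendtag(self, tag, attrs):
        self._emit_tag(tag, self._mask_input(tag, attrs), selfclosing=True)

    def handle_endtag(self, tag):
        if tag == "textarea" and self._in_phi_textarea:
            self.out.append(MASK)   # mask written once, in place of the PHI text
            self._in_phi_textarea = False
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self._in_phi_textarea:
            return                  # drop PHI textarea content entirely
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


def mask_phi(html_doc, phi_fields=PHI_FIELDS):
    """Return (masked_html, redacted_field_names) for one page served to an agent."""
    parser = PHIMasker(phi_fields)
    parser.feed(html_doc)
    parser.close()
    return "".join(parser.out), parser.masked


# Constructed sample of a pre-operative questionnaire as the portal would return it.
SAMPLE_FORM = (
    '<form action="/preop">'
    '<label>Name</label><input name="patient_name" value="Jane Doe">'
    '<label>SSN</label><input name="ssn" value="123-45-6789">'
    '<label>MRN</label><input id="mrn" value="MRN-0042">'
    '<label>Diagnosis</label><textarea name="diagnosis">Type 2 diabetes</textarea>'
    '<input type="submit" value="Continue">'
    '</form>'
)

if __name__ == "__main__":
    masked_html, redacted = mask_phi(SAMPLE_FORM)
    print(masked_html)
    print("redacted fields for audit log:", redacted)
```

Matching on `name`/`id` is deliberately an allowlist-style policy: any field not on the list passes through unchanged, so the list must be maintained per portal, and the returned `masked` names give the audit log evidence that redaction happened on a given session without logging the values themselves.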
Ensuring Accountability and Administrative Safeguards
HIPAA mandates administrative safeguards, including access controls, policies, and audit trails to monitor who is accessing ePHI. The Surfly platform provides the tools to implement and enforce these administrative requirements.
- Comprehensive Audit Logging: Every session generates a detailed, immutable log that documents which agent interacted with which patient, when the session occurred, and what actions were taken. This provides a clear audit trail for security incident investigations and demonstrates accountability.
- Granular Access Controls: Administrators can use allowlists to restrict co-browsing to approved healthcare portals and applications. Combined with role-based permissions, these controls ensure that only authorized personnel can initiate sessions and that interactions are limited to their intended scope.
- Zero-Storage Architecture: By not persistently storing session data, Surfly’s architecture inherently limits the risk of unauthorized access to historical ePHI, simplifying security management and aligning with the principle of using data only for its immediate, intended purpose.
A Practical Example of HIPAA Compliance
A patient navigator at a large hospital is assisting an elderly patient with completing a pre-operative questionnaire on the hospital's online portal. The patient is confused about the section on pre-existing conditions and medication allergies. The navigator initiates a Surfly co-browsing session.
As the patient fills in their social security number, medical history, and prescription details, these fields are automatically blacked out on the navigator's screen. The navigator can see the layout of the form and which field the patient is on, allowing them to provide clear guidance without ever seeing the Protected Health Information. The entire interaction is completed in one secure session, and no data from the form is stored on Surfly's servers.
Frequently asked questions about HIPAA Compliance
We’ve compiled answers to the most frequently asked questions about HIPAA Compliance.
PHI includes any individually identifiable health information, such as names, addresses, birth dates, Social Security numbers, medical record numbers, diagnoses, and lab results. Any information that can link a person to their health data is PHI.
A BAA is a legal contract between a Covered Entity (like a hospital) and a Business Associate (like Surfly). It requires the Business Associate to maintain the same level of protection for PHI as the Covered Entity and details the responsibilities of each party in case of a data breach.
The Minimum Necessary Rule requires limiting PHI access to what's needed for a task. Surfly's data masking directly enforces this by using its proxy to redact sensitive HTML fields before the content is streamed to the agent. This allows the agent to guide a patient through a form without ever viewing their specific diagnosis or other PHI.
Surfly's co-browsing confines the shared view to a single browser tab and uses data masking to hide PHI within that tab. Screen sharing broadcasts the user's entire desktop, risking exposure of other open applications, desktop notifications, or personal files that may contain PHI, creating a major compliance risk.