HIPAA Compliance

HIPAA Compliance affects any U.S. healthcare provider, health plan, or clearinghouse (Covered Entities) and any of their business partners that handle patient data (Business Associates). The regulation establishes national standards to protect sensitive patient health information from being disclosed without the patient's consent or knowledge.

The regulation specifically protects Protected Health Information (PHI), any identifiable health information held or transmitted by a covered entity or its business associate. This includes common identifiers like names, addresses, and social security numbers, as well as medical record numbers, diagnoses, lab results, and other data point that could be linked to a specific individual's health status.

Key HIPAA Compliance Rules

HIPAA's framework is primarily enforced through three major rules:

• Privacy Rule: Sets standards for when PHI may be used and disclosed. It gives patients rights over their own health information.
• Security Rule: Defines safeguards that must be in place to protect electronic Protected Health Information (ePHI). It requires technical, administrative, and physical security measures.
• Breach Notification Rule: Requires covered entities and business associates to provide notification following a breach of unsecured PHI.

For healthcare organizations and their technology partners, adhering to HIPAA is a legal requirement. Non-compliance can result in severe financial penalties, corrective action plans, and a major loss of patient trust. Surfly's platform provides the technical controls necessary to conduct collaborative online sessions while upholding the data protection standards of HIPAA.

Safeguarding Protected Health Information (PHI)

The core mandate of the HIPAA Security Rule is to ensure the confidentiality, integrity, and availability of all ePHI. During a co-browsing session, there is a high risk of exposing this data to a support agent. Surfly’s architecture is designed to prevent this exposure.

• Server-Side Data Masking: Specific fields containing PHI, such as patient names, medical record numbers, or diagnoses, can be redacted before the webpage is displayed to an agent. This masking occurs on the proxy server, ensuring the ePHI never reaches the agent’s device, a critical technical safeguard required by the Security Rule.
• End-to-End Encryption: All data in transit during a co-browsing session is protected using TLS 1.3 encryption. This secures the communication channel between the patient, the Surfly proxy, and the healthcare portal, meeting the Security Rule’s requirements for encrypting ePHI.
• Business Associate Agreement (BAA): Surfly signs a BAA with covered entities, which is a contractual requirement under HIPAA. This agreement establishes Surfly's legal responsibility to safeguard any PHI processed through its platform on behalf of the healthcare organization.

Ensuring Accountability and Administrative Safeguards

HIPAA mandates administrative safeguards, including access controls, policies, and audit trails to monitor who is accessing ePHI. The Surfly platform provides the tools to implement and enforce these administrative requirements.

• Comprehensive Audit Logging: Every session generates a detailed, immutable log that documents which agent interacted with which patient, when the session occurred, and what actions were taken. This provides a clear audit trail for security incident investigations and demonstrates accountability.
• Granular Access Controls: Administrators can use allowlists to restrict co-browsing to approved healthcare portals and applications. Combined with role-based permissions, these controls ensure that only authorized personnel can initiate sessions and that interactions are limited to their intended scope.
• Zero-Storage Architecture: By not persistently storing session data, Surfly’s architecture inherently limits the risk of unauthorized access to historical ePHI, simplifying security management and aligning with the principle of using data only for its immediate, intended purpose.

A patient navigator at a large hospital is assisting an elderly patient with completing a pre-operative questionnaire on the hospital's online portal. The patient is confused about the section on pre-existing conditions and medication allergies. The navigator initiates a Surfly co-browsing session.

As the patient fills in their social security number, medical history, and prescription details, these fields are automatically blacked out on the navigator's screen. The navigator can see the layout of the form and which field the patient is on, allowing them to provide clear guidance without ever seeing the Protected Health Information. The entire interaction is completed in one secure session, and no data from the form is stored on Surfly's servers.