IHC web site provides it users, members, health providers, schools, corporate and other organizations a platform for secure health information exchange to use the power of the internet to so that the benefits of modern medicine are seamlessly available to all, to provide improved healthcare to USERS and their families and to provide an electronic bridge between all stakeholders in the healthcare domain, namely the USER, healthcare provider and allied health services. We firmly believe that health is a personal and private matter, and we do not want our members to be concerned about the security or use of any information they provide to us. Except as required by law and to maintain the Web site (as discussed in detail in the “Disclosure” section below), no one, except you and those you authorize can access the encrypted subscriber information. The following discloses our information gathering and dissemination practices for the web site, www.indianhealthcentre.com or www.ihc.io .
This site has adequate security measures in place to protect the loss, misuse and alteration of the information on the Web site. All areas of the site where member data transfer takes place are secured with 256-bit Secure Socket Layer (“SSL”) encryption technology. SSL encryption is an industry standard technology and is used by financial institutions to protect your data. To prevent loss of information, all data is backed up periodically. All the data is stored at three different places across the world to maintain continuity even during accidental loss or damage to it.
IP Addresses, Domain, Host and Other Information
Registration Information and E-Mail
The site’s registration form requires users to provide us contact information, such as a name, gender and pincode/zipcode. By subscribing to the Company’s products and services, you have agreed to receive e mail, sms, facebook notifications that are necessary for the Company to communicate important information to you, such as the receipt of Analogue/Digital data,. These messages are notifications only. You will have to login to your health account to review these messages. On your acceptance, the Company also may use this information to send periodic newsletters and/or promotional material from third party partners or sponsors. You may opt-out of receiving future mailings by changing your account settings. Contact information may also be used by the Company to contact you, when necessary.
Passwords and Account Information
You are solely responsible to maintain the secrecy of your passwords and/or account information. Please be aware that the Company is providing you the ability to store any relevant information, including sensitive information, on the Web site, and has adopted many levels of security to protect this information. However, any individual with your account information and password can access this information. Please be careful and responsible whenever you are online and change your password frequently.
Personal information entered on the Web site, such as information about your medical history, doctors and prescriptions is used to provide you with IHC services such as access to doctors panel, online consultation, chat and manage your and your families health. Personal information will not be disclosed without your permission or as otherwise specified in the “Disclosure” section below.
IHC collects non-personally identifiable information from site visitors to track the total of number of visitors to the site in aggregate form and identify the type of Internet web browser (e.g., Internet Explorer ) and operating system (e.g., Windows ) used by the visitor. This information allows us continuously to improve our Web site.
Removal/Change of Personal Information
You can remove or change any information you store or provide to us by deleting the file or files you stored or changing the personal information you have provided. When you remove or change information, the Company may retain that information in the form of back-up or archival data offsite, but it will not be available readily on the Web site. In case the organization request deletion of records the same will be deleted completely except for contact information, after the consent of the USER/MEMBER.
Except as specified below, the Company will not disclose your personally identifiable information without your permission. First, In the course of providing products or services to the Company, the Company’s technical and maintenance staff and contractors may have limited access to the information you provide. These contractors include technicians, vendors and suppliers that provide the Company with hosting hardware and/or content related to enhancing operation and maintenance of the Web site. Access to your Personal Information by these contractors is limited to the information reasonably necessary for the contractor to perform its limited functions for the Company. Second, the Company may disclose your personal information in connection with legal action against someone who may be violating Company policy or applicable law. Third, the Company will release your personal information if required to do so by law or court order. In such cases, the Company will notify you of this disclosure.
Collection of Personal Information From Children and Use By Children
The Web site is not intended for use by individuals under the age of 13 unless parental consent is provided. The Web site is a storage facility and only contains information about children to the extent you, the user, provides that information. It is your responsibility to protect your passwords and account information to prevent such use.
Security Policy and Internal Guidelines
Key data for personal information include the following:-
- racial or ethnic origin; or
- political opinions; or
- membership of a political association; or
- religious beliefs or affiliations; or
- philosophical beliefs; or
- membership of a professional or trade association; or
- sexual preferences or practices; or
- criminal record;
- health records
- genetic information
- contact information
IHC records include (1), (9) and (11).
Data points (1 ) & (11) are recorded by IHC staff but can be removed by the USERS/MEMBERS except for Pin code. Pin code helps in identifying USER/MEMBER location for association with health providers in their vicinity.
Health Records (9), are recorded and uploaded by IHC as per terms of contract. They can be completely deleted by the USER/MEMBER any time. Deleting the same also deletes the records shared with any health provider.
Guidelines to secure following key threats to information security by IHC
- Unauthorized access
- Misuse of information
- Data loss
- Storage of records
- Incorrect disposal
- Loss or theft of hard copy or portable storage devices
- Hacking of computer database.
Physical Security Servers
- Multi-factor authentication systems
- Biometric security scanners
- Bullet-resistant glass and surfaces
- 24x7x365 onsite security personnel
- Camera surveillance system
- PCI DSS validated service provider
- SAS 70 type II certified
Physical Security Health Record Documents
- Limiting people who handle information reduces the chance of theft or misuse of personal information.
- IHC ensures this by not outsourcing collection and drop of documents.
- Documents are collected by IHC staff from pre-designated locations identified and agreed with the clients.
- As far as possible the one team consisting of runners and digitizers as assigned to one client.
- QC person may have one or more associated client.
- Reliable courier services will be used where courier of documents is required.
- Records received by soft copy
- A dedicated email address will be provided at the time of signing the contract.
- All soft copies sent to this email will be processed by the same digitizing team and the email deleted.
- USERS/MEMBERS will be advised not to reply to any other similar sounding email ID.
- Scanning of documents, radiology films and other health records is also not outsourced.
- Scanning, compressing of documents is carried out in a separate room only accessible by the digitizing team of one client.
- These computers are normally not connected to the internet lan.
- Staff designated for QC checks the documents for quality and uploads them to the USER/MEMBER accounts.
- Upload date and uploading QC person’s name is recorded in the audit trail. This information can also be viewed by the USER/MEMBER anytime by logging into the health account.
- Every effort is made to reduce the TAT and secure the physical records and return then back to clients as soon as possible.
- Computers are shut down when the team takes tea and lunch breaks. Physical records are removed from envelopes, scanned and put back immediately after scan. Team is advised to maintain a clean desk with no other documents in the vicinity of their desks. Documents before and after scan are kept in a locked safe.
- Use of USB drives is not allowed. No digitizing computer has writable CD/DVD drives. No BOYD devices are allowed within the digitization area.
Digital Online Security and Back Up
- 256 bit SSL encryption certification has been provided for encryption of data in transmission. IHC will move to Extended Validation with green address bar in the first quarter of 2014.
- Folders of individuals are named by 12 to 14 digit numerical ID and not by names. The scanned documents are not OCR’d. This makes is difficult or virtually impossible for an individual to search for a particular person. OCR is done only if requested by the client as a service.
- Scanned data is provided in PDF Archive format. It ensures the electronic documents can be reproduced exactly the same way in years to come.
- Data Back for Managing Data Loss
- Data is located in three different physical locations. This ensures availability of data during critical times.
- Data is currently synchronized twice a day. The interval can be reduced as per requirements.
- One back up is initiated weekly and stored in archive quality DVD. DVD is stored in a bank locker.
- IHC Servers are routinely and automatically scanned for malware. Scanning of continuous and large number of hits from random IP addresses especially from unfriendly locations. A log is maintained and identified IP addresses are blacklisted.
Access to Server
- The super admin grants partial or limited access to users AND access revoked promptly when no longer required. Therefore no administrator or developer has continuous access to the server.
- All admin ports are closed except those required by the USER/MEMBER & Account Managers to view and upload records.
- Passwords are regularly changed.
- USERS/MEMBERS will be adviced to change the passwords on activation of account. They will be encouraged to have longer and difficult passwords.
Sharing of Health records
- Only USER/MEMBERS can share their records with health providers and other people they trust.
- A panel of health providers is provided within the secure system for consultation. However the purpose of internet enabled healthcare platform is limited if USERS/MEMBERS are not allowed to explore the world wide web and seek 2nd opinon and advice outside the provider panel.
- Therefore the USERS/MEMBERS can request us to add their preferred doctors and health providers to be included in the panel.
- This enables the normal conversation between the USER/MEMBER and the health provider to remain within the SSL and is not exposed. The normal conversation is recorded and stored in the database.
- The same is valid for chat conversations. However chat conversations can be stored or deleted as per client requirements.
Monday, September 30, 2013