HIPAA Information

The following outlines what provisions exist in Telephone Message Pad to support the standards of HIPAA (Health Insurance Portability and Accountability Act). Please contact our officer responsible for security, Dennis Reinhardt, for further information.

Encryption over the internet

All web pages on our service at telemsgpad.com are encrypted with TLS (successor to SSL) and require a name and password to log on.

For disaster recovery, the live servers in Dallas and Orlando are replicated in real time to a warm standby south of San Francisco. That replication is transferred securely via TLS (encrypted channel).

Email is sent via our standard service using our own direct SMTP service and a commercial backup. Our own direct SMTP will send securely if your end supports it. Our backup service is not secure. Thus, for HIPAA compliance, we ask that you either supply us with a secure direct SMTP account on your server, forego backup, or forego outbound email (most secure option). We are happy to advise you to ensure your email setup is secure.

Disaster recovery

As noted, we maintain a real-time standby server that is physically remote from the main servers (Texas/Florida vs. California). We also maintain hourly, daily, and weekly snapshots of both code and data so that a rollback is possible.

Security

Telephone Message Pad requires a name and password to access all features. The code has been developed on top of the Python socket and standard libraries, with no 3rd party libraries used for essential functions. This means that there is no existing hacker's "toolkit". The Telephone Message Pad service is on its own dedicated IP address with a dedicated operating system environment (VPS).

Integrity

The system contains over 650 internal consistency tests, where any test failure triggers a review by our technical lead. We also verify every 2.5 minutes that the site is responding and issue an alert message to the tech on duty. We isolate user accounts from each other at both the file system and thread level, with exception handling.

Patient Record Access

HIPAA requires patient access to their own records ... and only their own records. The Telephone Message Pad search function allows you to isolate patient records to a list. You can use this to compile a list of URLs the patient may use to access their records without access to any other records.

Note that we are not the patient contact point. We generally do not have enough personal information about your patients in our system to verify identity and grant access. You do. Patients need to go through you to gain record access.

Pricing and BAA

Telephone Message Pad is built on top of commercial components where a supplier Business Associate Agreement (BAA) is not possible.

We have located alternate suppliers. Unfortunately, the suppliers who will sign a BAA with us represent an 8X (!) increase in cost and require a 2-year commitment. We must pass along those costs to you. We also offer a Managed Server option. In either case, contact us for a quote.

If you do not require a signed BAA, please consider our standard Telephone Message Pad service.