Data Privacy Policy

General


This website www.xpressdoctors.com (hereinafter referred to as “Website” or “Site”) is owned by Effinland IP. Please read these Terms of Service carefully before accessing or using our website. You can review the most current version of the Terms of Service at any time on this page.
Effinland IP offers this website, including all information, tools, and services available from this site to you, the user, conditioned upon your acceptance of all terms, conditions, policies and notices stated here. By accessing or using any part of the site, you agree to be bound by this Agreement, Privacy Policy as well as rules, guidelines, policies, terms, and conditions applicable to any service / module that is provided by or through this Website, including the Terms and Policies on the Website relating to standalone services that shall be deemed to be incorporated into this Terms of Service and shall be considered as part and parcel of this Terms of Service (collectively “Terms”). If you do not agree to all the terms and conditions of this agreement, then you may not access the website or use any services.
DATA PRIVACY AND SECURITY
Conformant to applicable data security law(s) and rules as well as policy of the organization where implemented.
Audit log:
• All actions related to electronic health information in accordance with the standard specified in this document including viewing should be recorded.
• All actions based on user-defined events must be recorded.
• All or a specified set of recorded audit information, upon request or at a set period of time, must be electronically displayed or printed for user/administrative review.
• All actions related to electronic health information must be recorded with the date, time, record identification, and user identification whenever any electronic health information is created, modified (non-clinical data only), deleted (stale and non-clinical data only), or printed; and an indication of which action(s) took place must also be recorded.
• A cross-enterprise secure transaction that contains sufficient identity information such that the receiver can make access control decisions and produce detailed and accurate security audit trails should be preferably used within the system.
The advisory standard for audit trail / log in health record system is:
4. ISO 27789:2013 Health informatics - Audit Trails for Electronic Health Records
Integrity:
• During data transit the fact that the electronic health information has not been altered in transit in accordance with the standard specified in this document must be verifiable.
• Detection of events – all alterations and deletions of electronic health information and audit logs, in accordance with the standard specified in this document must be detected.
• Appropriate verification that electronic health information has not been altered in transit shall be possible at any point in time. A secure hashing algorithm must be used to verify that electronic health information has not been altered in transit and it is recommended that the Secure Hash Algorithm (SHA) used must be SHA-256 or higher.
Encryption:
• Generally, all electronic health information must be encrypted and decrypted as necessary according to organization defined preferences in accordance with the best available encryption key strength (minimum 256-bits key).
• During data exchange all electronic health information must be suitably encrypted and decrypted when exchanged in accordance with an encrypted and integrity protected link.
• Secure Transmission standards and mechanisms must be used to allow access to health information as well as transmit data from one application / site to another. For this purpose HTTPS, SSL v3.0, and TLS v1.2 standards should be used. Please refer to relevant IETF, IEEE, ISO, and FIPS standards for same.
Digital Certificates:
Use of Digital Certificates for identification and digital signing is recommended in health record system. Health record system must use following standard where digital certificates are used:
5. ISO 17090 Health informatics - Public Key Infrastructure (Part 1 through 5)
ADMINISTRATIVE SAFEGUARDS STANDARDS
The Administrative Safeguards require healthcare providers to develop and implement a security management process that includes policies and procedures that address the full range of their security vulnerabilities. Being administrative in nature, these need to be internally designed and developed as standard operating procedure (SOP) that must be published for all users to see and adhere to. Conformance to adherence may be delegated to the Privacy Officer detailed in the Data Ownership chapter above. To comply with the Administrative Safeguards, a healthcare provider must implement the following standards.
• The security management process standard, to prevent security violations;
• Assigned security responsibility, to identify a security officer;
• Workforce security, to determine e-PHI user access privileges;
• Information access management, to authorize access to e-PHI;
• Security awareness training, to train staff members in security awareness;
• Security incident procedures, to handle security incidents;
• Contingency plan, to protect e-PHI during an unexpected event; and
• Evaluation, to evaluate an organization's security safeguards.
PHYSICAL SAFEGUARDS STANDARDS
Physical safeguards are security measures to protect a healthcare provider’s electronic information systems, related equipment, and the buildings housing the systems from natural and environmental hazards, and unauthorized intrusion. Healthcare providers must fulfill the following standards. However, since most of the implementation specifications in this category are addressable, healthcare providers have the flexibility in determining how to comply with the requirements as long as these are internally designed and developed as per the relevant SOP and published for all users to see and adhere to. Conformance to adherence may be delegated to the Privacy Officer detailed in the Data Ownership chapter above. The required physical standards are:
• The facility access control standard, to limit actual physical access to electronic information systems and the facilities where they're located;
• The workstation use standard, to control the physical attributes of a specific workstation or group of workstations, to maximize security;
• The workstation security standard, to implement physical safeguards to deter the unauthorized access of a workstation; and
• The device and media controls standard, to control the movement of any electronic media containing ePHI from, to or within the facility.