Encryption, Compliance, HIPAA & HITECH Safe Harbor


NMA ZSentry Compliance and
Certification of Business Data Security

  • NO MESSAGE SCANNING: no message scanning or DLP (Data Leak Prevention) is available after encryption
  • Your data is protected by End-to-End encryption, onsite, online, and at rest
  • The user and not ZSentry or a provider holds the keys
  • No protected data is permanently stored with ZSentry, not even in encrypted form
  • Secure two-factor login
  • Reach any user device securely with anyway mobility

SUMMARY
End-to-End Sans Target Encryption

ZSentry services are provided using the ZSentry End-to-End Sans Target encryption technology, in which ZSentry does not have the keys to decrypt and no protected data is permanently stored with ZSentry, not even in encrypted form. The user, and not ZSentry or a provider, holds the keys.

HIPAA/HITECH Omnibus Final Rule

ZSentry is HIPAA certified by the Office of the National Coordinator for Health Information Technology and CHPL listed. ZSentry does not obtain, scan, use, collect, disclose, store, share, own, control, or create Protected Health Information (PHI). During performance of services, ZSentry does not require access to PHI. ZSentry works both as a “conduit” and as a “sealed service” for PHI and satisfies the Safe Harbor provision of the HITECH Act. Provided that ZSentry services are correctly configured and used with your providers, these properties can:
  1. exempt your organization from the duties of breach notification rules and reporting under HIPAA, HITECH Safe Harbor, US State Breach Notification Laws, EU rules, and other jurisdictions worldwide;
  2. exempt your organization from the need to sign a Business Associate Agreement (BAA) with NMA ZSentry for HIPAA compliance, although a BAA can be signed if desired; and
  3. exempt your organization from the need to sign a Business Associate Agreement (BAA) for HIPAA compliance with cloud providers that do not comply with HIPAA, or that would otherwise ask you to sign their BAA.
ZSentry HIPAA advisory

We provide a ZSentry HIPAA advisory for customer configuration choices using Google Apps and other services.

HIPAA and ARRA certified

ZSentry is ONC/CHPL certified to provide a HIPAA-compliant EMR (Electronic Medical Records) solution (CHPL Product Number: IG-2482-11-0040), including encryption when exchanging electronic health information (170.302.v) and providing an electronic copy of health information (170.304.f).

The ZSentry service interface and the data viewed or generated for transmission are ONC/CHPL certified to constitute fully compliant Standard Transactions under HIPAA.

ZSentry is ONC/CHPL certified to satisfy ARRA requirements in U.S. Federal incentive payment programs with Medicare and Medicaid, where ZSentry works with partners providing qualified solutions for meaningful use of HIPAA-certified EMR. ZSentry can also be used with the U.S. Federal incentive program for Eligible Professionals (EP) who are successful electronic prescribers.

  • American Recovery and Reinvestment Act (ARRA)
  • EU Data Protection Directive 95/46/EC
  • Family Educational Rights and Privacy Act (FERPA)
  • Federal Financial Institutions Examination Council (FFIEC)
  • Gramm-Leach-Bliley Act (GLBA)
  • Health Information Technology for Economic and Clinical Health Act (HITECH) & HITECH Safe Harbor
  • Health Insurance Portability and Accountability Act (HIPAA)
  • HIPAA/HITECH Omnibus Final Rule (March 2013)
  • International Organization for Standardization (ISO) 17799
  • PCI Data Security Standard
  • Personal Information Protection and Electronic Documents Act (PIPEDA)
  • Sarbanes-Oxley Act (SOX)
  • U.S. State Security Breach Notification Laws

THIS DOCUMENT IS INCORPORATED BY REFERENCE IN THE NMA ZSENTRY PREMIUM TERMS OF SERVICE AND DOES NOT EXIST INDEPENDENTLY. UNLESS OTHERWISE DEFINED HEREIN, THE PROVISIONS OF THE NMA ZSENTRY PREMIUM TERMS OF SERVICE APPLY TO THIS DOCUMENT.

In this Compliance Statement, ZSentry sets out the level, extent and limits of its safeguarding of protected information, including protected health information and business data, with regard to privacy, security, and integrity, for regulatory compliance. Regulatory compliance, including HIPAA, requires the ZSentry Premium service with a term of at least one year.

Compliance is provided on a technical level, under HIPAA, HITECH Safe Harbor, and other rules as well. ZSentry Premium provides per-message encryption, de-identification, two-factor authentication, control, auditing, data loss protection, secure data destruction, secure long-term archiving and other services protecting information in transit and at rest. No protected data is permanently stored with ZSentry, not even in encrypted form. The user, and not ZSentry or a provider, holds the keys. ZSentry Premium operates in full HIPAA compliance without requiring users to sign a Business Associate Agreement (BAA), although a BAA can be signed if desired.

1. SERVICE: NMA ZSentry offers users online access to on-demand services, providing for secure reception and transmission of messages electronically (the "Service"), using ZSentry technology and a variety of technologies and methods. Each Service may be web-, desktop-, server-, or mobile-based. Each Service utilizes an interface (the "Interface") accessed through compatible and allowed means, such as a web-browser, an email client, or a server.

2. SERVICE LICENSE: License to use the Service (the "Service License") is regulated and provided in terms of the NMA ZSENTRY PREMIUM TERMS OF SERVICE, which current copy may be found at zsentry.com (the "Website").

3. RESTRICTIONS: The term "Service User" shall refer exclusively to Service use that is licensed in terms of the Service License and is not limited herein. This document does not apply to Service that is provided as a trial, or that is free of charge, or that is licensed for less than one year, or that is not licensed in terms of the Service License. This document shall be applicable only under the laws or regulations cited herein, with applicable successor provisions, in the event and to the extent that the Service License meets with respect to the Service User. Service Users are asked to read and be familiar with this document; in case of any questions, check the Service guides online at the Support Center, the screen-by-screen icons, or request a Support Ticket.

4. HIPAA AND HITECH USE: The Interface and the data viewed or generated for transmission constitute fully compliant Standard Transactions as defined under the Health Insurance Portability and Accountability Act of 1996 and its Privacy Rule and Security Rule (HIPAA), as may be amended or otherwise modified by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, and the HIPAA/HITECH Omnibus Final Rule of March 2013. Compliance is provided on a technical level, guarding data integrity, confidentiality and availability.

5. DEFINITIONS: Terms used, but not otherwise defined in this document, shall have the same meanings given them in HIPAA and the HITECH Act. Specifically, Covered Entity (HIPAA, 45 CFR 160.202) shall be limited to a Covered Entity that is a Service User. Further, Protected Health Information (HIPAA, 45 CFR 160.103), also called PHI, shall be limited to the PHI received through the Service from you, and shall exclude email headers; the latter information is protected through the Service PRIVACY POLICY specified in the Service License. "We", "Our" and "Us" as used herein refer to NMA, Inc. and the NMA ZSentry Service, as qualified herein.

6. HITECH SAFE HARBOR: HITECH addresses breach notification rules, such as requiring that organizations notify customers of security breaches involving PHI, implements a tiered system that increases civil monetary penalties for noncompliance, and also allows state attorneys general to file civil actions on behalf of residents of their states who they believe were adversely affected by a HIPAA violation. The HITECH Act also defines a Safe Harbor provision (Section 13402, Title XIII) that is exempt from the breach notification rules and reporting (45 CFR Parts 160 and 164). The Service falls within the HITECH Safe Harbor provision because all PHI is encrypted to prevent disclosure, PHI decryption keys are not stored, and the PHI is de-identified, so that the Service holds no PHI target that might be affected by a security breach.

7. FORWARD HIPAA COMPLIANCE: Our compliance with HIPAA includes modifications to the compliance deadlines that may be published in the future, and to maintain compliance from that point forward for as long as the HIPAA regulations are deemed to apply to the Service. Additional privacy and security enhancements, even if not currently required by HIPAA, may be provided as defined in the ZSENTRY TERMS OF SERVICE.

8. BUSINESS ASSOCIATE AGREEMENT: We do not obtain, scan, use, collect, disclose, store, share, own, control, or create PHI. PHI is encrypted and de-identified whether in transit or at rest; we do not have the keys to decrypt, and no protected data is permanently stored with ZSentry, not even in encrypted form. The user, and not ZSentry or a provider, holds the keys. During performance of services ZSentry does not require access to PHI, and the Service works solely as a conduit and sealed service between end points of a user's choosing, so that for multiple reasons we are not required to enter into a Business Associate Agreement (45 CFR 164.502(d)(2), 164.514(a) and (b)). The Service is also provided under the Safe Harbor provision of the HITECH Act, which is exempt from the duties of breach notification rules and reporting. Nonetheless, if desired and for the same effect under HIPAA, NMA ZSentry can sign a Business Associate Agreement with your organization as a Service User. To request one, submit a Support Ticket for "HIPAA BAA" and provide the organization's characterization as a Covered Entity under HIPAA.

9. U.S. STATE SECURITY BREACH NOTIFICATION LAWS: Since 2002, forty-six U.S. states, the District of Columbia, Puerto Rico and the Virgin Islands have enacted legislation requiring that organizations notify customers of security breaches involving personal information. States with no security breach law as of 2011 are: Alabama, Kentucky, New Mexico, and South Dakota. In 2011, at least 14 states introduced legislation expanding the scope of laws, setting additional requirements related to notification, or changing penalties for those responsible for breaches. Legislation usually requires all organizations that collect certain personal information to protect it against possible impersonation fraud ("identity theft"). In addition, it stipulates that if there is a security breach of a database containing personal data, the responsible organization must notify each individual for whom it maintained personal information. However, organizations can generally avoid breach notification duties under certain conditions called Safe Harbor. The Service complies with the Safe Harbor conditions, protecting personal information and other sensitive information by using ZSentry technology and a variety of technologies and methods. Further, during performance of services, ZSentry does not require access to personal information.

10. OTHER USES: The Service provides a proven anti-phishing solution with mutual authentication, two-factor authentication of users, and identity validation for email communications, guarding data integrity, confidentiality and availability. Further, the Service provides layered security so that if security is breached, no user access data or personal data can be recognized or accessed.
