
HIPAA & SOC2 Compliance Datasheet

Introduction
Nynja is HIPAA and SOC2 compliant. Nynja uses a Qualified Security Assessor Company (QSAC), an accredited ISO 27001, ISO 27701 and ISO 22301 certification body, a certified HITRUST Assessor firm, and an accredited FedRAMP 3PAO.

HIPAA

Currently, the agencies that certify health technology, the Office of the National Coordinator for Health Information Technology and the National Institute of Standards and Technology, do “not assume the task of certifying software and off-the-shelf products” (p. 8352 of the Security Rule), nor do they accredit independent agencies to perform HIPAA certifications. Additionally, the HITECH Act only provides for testing and certification of Electronic Health Records (EHR) programs and modules. Thus, as Nynja is not EHR software or an EHR module, our type of technology is not certifiable by these unregulated agencies.

However, the following list demonstrates how Nynja supports HIPAA compliance based on the HIPAA Security Rule published in the Federal Register on February 20, 2003 (45 CFR Parts 160, 162, and 164 Health Insurance Reform: Security Standards; Final Rule).

SOC 2

More formally known as Service Organization Control 2, it reports on organizational controls related to security, availability, processing integrity, confidentiality, and privacy. The standard governing these five areas was formed under the AICPA Trust Services Principles and Criteria.

The purpose of this document is to show how Nynja supports the goals of HIPAA and SOC 2 compliance.

Access Control

HIPAA and SOC2 Standards

  1. Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to authorized persons or software programs.

  2. Unique User Identification: Assign a unique name and/or number for identifying and tracking user identity.

  3. Emergency Access Procedure: Establish (and implement as needed) procedures for obtaining necessary electronic health information during an emergency.

  4. Automatic Logoff: Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.

  5. Encryption and Decryption: Implement a mechanism to encrypt and decrypt electronic protected health information.

How Nynja Supports the Standard

  1. Data in transit is encrypted at the application layer using Advanced Encryption Standard (AES 256).

  2. Web and application access are protected by verified email address and password.

  3. Meetings are not listed publicly by Nynja.

  4. Nynja is built on a microservices architecture to offer a high level of redundancy and availability.

  5. Meeting hosts and group admins can easily remove attendees or terminate meetings.

  6. Meetings end automatically with timeouts.

Audit Controls

HIPAA and SOC2 Standards

  1. Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.

How Nynja Supports the Standard

  1. Platform connections are logged for audio and quality-of-service purposes.

  2. Account admins have secured access to individual-, group-, and organization-level management.

Integrity

HIPAA and SOC2 Standards

  1. Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.

How Nynja Supports the Standard

  1. Multi-layer integrity protection is designed to protect both the data and service layers.

  2. Controls are in place to protect and encrypt meeting data.

Integrity Mechanism

HIPAA and SOC2 Standards

  1. Mechanism to authenticate electronic protected health information.

  2. Implement methods to corroborate that information has not been destroyed or altered.

How Nynja Supports the Standard

  1. Application executables are digitally signed.

  2. Data connections leverage TLS encryption and PKI certificates issued by a trusted commercial certificate authority.

Person or Entity Authentication

HIPAA and SOC2 Standards

  1. Verify that the person or entity seeking access is the one claimed.

How Nynja Supports the Standard

  1. Meeting hosts must log in to Nynja using a unique email address or phone number.

  2. Access to the desktop or window for screen sharing can be locked by the host.

Transmission Security

HIPAA and SOC2 Standards

  1. Protect electronic health information that is stored on the Nynja platform.

  2. Integrity controls: Ensure that protected health information is not improperly modified without detection.

  3. Encryption: Encrypt protected health information.

How Nynja Supports the Standard

  1. Data encryption protects against passive and active attacks on confidentiality.

  2. Data connections leverage TLS encryption and PKI certificates issued by a trusted commercial certificate authority.

  3. AES-256-GCM encryption is used for all data.