HIPAA/HITECH Overview of Capabilities and Protected Health Information
April 2017, Rev 1.5.2
© 2017 DragonFly Athletics, LLC
© 2017, DragonFly Athletics, LLC. or its affiliates. All rights reserved.

Notices

This document is provided for informational purposes only. It represents DragonFly’s current product offerings and practices as of the date of issue of this document, which are subject to change without notice. Customers are responsible for making their own independent assessment of the information in this document and any use of DragonFly’s products or services, each of which is provided “as is” without warranty of any kind, whether express or implied. This document does not create any warranties, representations, contractual commitments, conditions or assurances from DragonFly, its affiliates, suppliers or licensors. The responsibilities and liabilities of DragonFly to its customers are controlled by DragonFly’s agreements, and this document is not part of, nor does it modify, any agreement between DragonFly Athletics and its customers.

DragonFly Athletics, LLC – Overview of Capabilities and Protected Health Information – April 2017

DragonFly Athletics provides a premier mobile communication platform, focused on the Student Athlete Ecosystem. DragonFly is delivered via mobile smartphones, mobile tablets, and a website. Mobile tools have become critically important in today’s world. Studies show that people who leave a purse or wallet at home may not return for it. However, if a smartphone is left at home, chances are one will return for it. With so much of our lives tethered to these devices there is now a great opportunity to utilize this technology to improve Student Athlete Health.
The Student Athlete (SA) Ecosystem contains many people who work to help athletes perform at their top levels. Commonly, as part of these services, the Athletic Trainers, Coaches, and Administrators who work with athletes must treat injuries sustained on the field of play. These injuries range from insignificant bumps and bruises to, on occasion, severe medical emergencies requiring the coordination of Emergency Technicians, Physicians, hospital staff, Physical Therapists, and many other healthcare professionals. Likewise, parents play an equally vital role in this process. Through timely communication, it is easier for care providers to leverage parents’ inherent influence on student athletes.

The need for and complexity of communication between all parties in the SA Ecosystem has grown in recent years as Athletic Trainers have increasingly become the first points of contact, not only for sports-related care, but also for a host of medical and psychological issues. Increasingly, the Athletic Trainer represents the only health professional with whom many athletes have meaningful contact.

DragonFly recognizes the many roles that various parties play in the SA Ecosystem. Oftentimes, these parties share duties and responsibilities in the care ecosystem. Some care providers may be employed by high schools or the collective school system, while others are independent third-party employees, providing care on school premises. On occasion, a provider may be unrelated to the primary organization, yet provide care due to away games or tournament play. Even the most basic care, such as tape or ice, is often delivered in front of thousands of spectators. This public delivery of care can quickly blur lines in terms of what is considered protected health information.

From the beginning, DragonFly made the choice to build a system with the assumption that ALL information contained within would be considered Protected Health Information (PHI). At its core, DragonFly MAX strives to protect the confidentiality of health information by restricting PHI access to only those who have appropriate authorization.
DragonFly HIPAA Compliance Summary

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a set of U.S. laws that protect the security and privacy of health information held by Covered Entities. The term covered entity refers to three specific groups: health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically.

High schools are generally not considered “Covered Entities” in the context of HIPAA. However, other regulations, such as FERPA (The Family Educational Rights and Privacy Act of 1974), provide similar guidelines over Student Athlete data. Your organization should determine if it is considered a “Covered Entity”. For covered entities, DragonFly offers the option to sign a Business Associates Agreement. See the DragonFly HITECH Compliance section below for more details.

DragonFly includes many features and precautions to protect PHI and assist covered entities with HIPAA-related compliance. These features include:

Physical Security

DragonFly’s service infrastructure is hosted in secure facilities by Amazon Web Services (AWS). AWS operates numerous state-of-the-art Data Centers around the United States, which provide military grade, physically restricted access to all infrastructure components hosting PHI. Authorized employees of the data center must pass two-factor authentication to gain access to the data centers, no less than 3 separate times prior to entering.

• No PHI is stored at DragonFly offices or on the computers, smartphones, tablets or other devices of DragonFly employees. All PHI is hosted inside AWS data centers.

Mobile Devices

A key DragonFly communication component is the ability to begin the care process instantly upon injury occurrence. Appropriate parties are notified immediately after care providers, typically an Athletic Trainer, initiate documentation from their smartphone. This process may even begin from the sidelines of an athletic venue.

• All data stored inside DragonFly, on smartphones and other mobile devices, is encrypted on the physical device utilizing the cryptographic components of modern smartphones using 256-bit AES encryption.
• Any mobile device can be remote wiped, such that the data on the device is permanently erased.
• Only data associated with the individual who is authorized on the mobile device is stored.

Technical Security

DragonFly implements various policies and procedures to ensure access to the system is restricted to only authorized parties.

• Users must be added to the system and receive private authentication credentials known only to that specified user. For most users, physical access to mobile devices must be available when installing the system for the first time.
• DragonFly user sessions automatically time out after a certain amount of idle time, requiring the user to log in to their device again.
• Users are required to pass “two-factor authentication” prior to gaining access to DragonFly.
• Each user account must be configured with a specific set of security parameters. For instance, Coaches are only allowed access to athletes associated with the sport he or she instructs. Athletic Trainers only have access to specific teams for which they provide care. Parents have access only to their individual athlete.
• All access to any service in the DragonFly infrastructure is audit logged, providing a record of the requestor. These access logs are proactively monitored to detect unauthorized activity.
• Notifications sent via Text or In-App notification never contain PHI.
• All PHI is redundantly backed up daily. Multiple encrypted copies are maintained in geo-redundant availability zones of AWS data centers to protect against accidental destruction.

Data Encryption

All PHI transmitted in DragonFly is secured while in motion with TLS 1.2 security. Often, the term SSL is utilized to imply secure communications. However, SSL is being phased out industry-wide, in favor of TLS.

All PHI stored within DragonFly is encrypted utilizing 256-bit AES encryption when sitting on storage media, such as hard drives and backup devices.

When infrastructure components are replaced, DragonFly utilizes procedures to destroy the devices and all data contained on the devices.
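The role scoping and audit logging in the Technical Security bullets above, as an added example that is not DragonFly’s own code: a deny-by-default check that grants a Coach, Athletic Trainer or Parent access only within their scope and records every decision so denied attempts can be monitored. The role names, record layout and sample roster are assumptions.

```python
# Added example, not DragonFly's code: deny-by-default PHI access check that
# models the role scoping described above (Coach -> sport, Athletic Trainer
# -> team, Parent -> own athlete). Roles, record layout and roster are assumed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Athlete:
    athlete_id: str
    sport: str
    team: str
    parent_ids: frozenset  # user_ids of the athlete's parents

@dataclass(frozen=True)
class User:
    user_id: str
    role: str  # "coach", "trainer" or "parent"; anything else is denied
    sports: frozenset = frozenset()  # coach: sports he or she instructs
    teams: frozenset = frozenset()  # trainer: teams cared for

# Constructed sample roster (not real data).
ROSTER = {
    "a1": Athlete("a1", "football", "varsity-football", frozenset({"p1"})),
    "a2": Athlete("a2", "soccer", "jv-soccer", frozenset({"p2"})),
}

AUDIT_LOG = []  # one record per decision, allowed or denied

def may_view_phi(user, athlete_id):
    """True only when the user's role scope covers the athlete.
    Unknown roles, unknown athletes and out-of-scope requests are denied."""
    athlete = ROSTER.get(athlete_id)
    allowed = False
    if athlete is not None:
        if user.role == "coach":
            allowed = athlete.sport in user.sports
        elif user.role == "trainer":
            allowed = athlete.team in user.teams
        elif user.role == "parent":
            allowed = user.user_id in athlete.parent_ids
    # Every request is logged with the requestor, whether allowed or not.
    AUDIT_LOG.append({"user": user.user_id, "role": user.role,
                      "athlete": athlete_id, "allowed": allowed})
    return allowed

def denied_attempts(log=AUDIT_LOG):
    """The entries a monitor reviews first: denied PHI access attempts."""
    return [entry for entry in log if not entry["allowed"]]
```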
Firewalls

All infrastructure components in the DragonFly system are protected by extensive firewalls. These firewalls are placed in multiple layers at points in our infrastructure to isolate our internal data processing systems from the components of our infrastructure which communicate with end users. Firewalls are configured to be maximally restrictive.

Administrative Policy

Only Employees needing access to PHI are granted access, and only to the minimum extent necessary to complete their tasks. This access is only for the operation and maintenance of the DragonFly infrastructure by Engineering staff.

All employees who may typically come into contact with PHI are required by DragonFly to sign confidentiality agreements and Non-Disclosure Agreements.

Employees must participate in HIPAA awareness training concerning how DragonFly protects sensitive data.

Access to all DragonFly Infrastructure within AWS is logged. Employees, when required and necessary, use Secure Shell tools implementing TLS 1.2 encryption to access infrastructure components at the AWS data center.

Peer review of activity is required for employees of DragonFly. When work is being performed there is a minimum of two individuals providing peer oversight.

DragonFly HITECH Compliance Summary

The Health Information Technology for Economic and Clinical Health Act (HITECH) provisions of the American Recovery and Reinvestment Act of 2009 (ARRA) confer additional responsibilities to Business Associates who have access to Covered Entities’ Protected Health Information.

Business Associates Agreement

In some cases, DragonFly may qualify as a Business Associate. At the customer’s request (if the customer is a covered entity), DragonFly will sign a Business Associate Agreement, acknowledging that:

1. DragonFly will act as the custodian of the customer’s PHI data (because DragonFly manages the hosting infrastructure)
2. Certain DragonFly employees have access to the data on an as-needed and Minimum Necessary basis
3. DragonFly will protect the privacy, confidentiality, integrity, and availability of that data, and will safeguard the PHI from unauthorized access and disclosure

DragonFly Infrastructure Partner – Amazon Web Services

DragonFly has chosen Amazon Web Services as our partner in providing a secure, managed infrastructure for our backend systems, which permits the delivery of the DragonFly system. DragonFly has entered into a Business Associates Agreement with Amazon Web Services, providing certified HIPAA compliant and capable infrastructure components.

Amazon provides “Security of the Cloud”, which ensures that the services we utilize under our BAA agreement protect all PHI transmitted and processed through their infrastructure.

More about the extensive details of AWS HIPAA certifications may be found at the following resources.

https://aws.amazon.com/compliance/hipaa-compliance/
https://aws.amazon.com/compliance/shared-responsibility-model/
https://d0.awsstatic.com/whitepapers/compliance/AWS_HIPAA_Compliance_Whitepaper.pdf