Compliance Standards

GDPR

Our products and services make it easier for our customers to comply with the European Union’s General Data Protection Regulation (GDPR).

The GDPR, which became active May 25, 2018, gives individuals (data subjects) in the European Union more control (rights) over how their personal data is used, and places obligations on businesses that process that data. The GDPR calls businesses that determine what and how personal data is processed ‘data controllers’. Businesses that handle personal data only under the direction of a data controller are called ‘data processors’. Data controllers and data processors each have different obligations under GDPR.

In different scenarios, with different categories of data, Access Anywhere and our customers may play roles either as a data controller or data processor.

Software (Access Anywhere)

Organizations who run Access Anywhere software in their own data centers, or on cloud platforms such as AWS EC2, Google Compute or Azure, are determining how personal data will be processed. Under GDPR, they are classified as data controllers.

For information on how our software supports data controllers see GDPR Compliance.

CCPA

AB-375, California’s new privacy law, came into effect on January 1st 2020. The CCPA allows anyone who resides in the state to access and obtain copies of data that companies may store on or about them, to have that data deleted, and to opt out of companies selling or monetizing their data.

Companies are required to comply with the CCPA if they meet any of the following:

(i) They have gross revenues over $25M

(ii) They are a for-profit company that does business in California and collects the information of more than 50,000 consumers, devices or households.

(iii) 50% of their income is derived from selling personal information.

Unlike the GDPR, the CCPA doesn’t require companies to go through steps such as obtaining consent for data collection, having a valid reason to collect user information, or minimizing the data collected, although this may occur in future revisions.

Access Anywhere provides functionality that helps in satisfying CCPA requirements, such as a mechanism to understand ‘who’ is accessing data, ‘when’, and ‘how’, through a combination of Access Anywhere's Audit event logs and Policies.

Additionally, when data is connected to Access Anywhere, its content is indexed so that it can be checked for PII / PHI, which can then be flagged and quarantined until it can be dealt with.

Encryption (FIPS)

The Access Anywhere product’s cryptographic module has been validated by a third party as conforming to the Advanced Encryption Standard (AES) algorithm. The validation registration is No. 4854. The AES algorithm, as specified in Federal Information Processing Standard Publication 197, Advanced Encryption Standard (FIPS PUB 197), is used to protect electronic data. It is a symmetric block cipher that can encrypt and decrypt information with cryptographic keys. Access Anywhere uses 256-bit keys (AES-256). AES is mandatory for electronic products and services provided to the federal government. It is also required by other highly secure organizations.

For more information see File Based Encryption Overview.

Healthcare

HIPAA and HITECH are U.S. Federal Government standards for the security and privacy of Protected Health Information (PHI). HIPAA and HITECH impose requirements related to the use and disclosure of PHI, appropriate safeguards to protect PHI, individual rights, and administrative responsibilities. For more information on HIPAA and HITECH, visit http://www.hhs.gov/ocr/privacy/.

General Compliance guidelines for HIPAA

  • Ensure confidentiality, integrity and availability of all electronically protected health information that the covered entity either creates, receives, maintains or transmits.
  • Protect against any reasonably anticipated threats or hazards to the security or integrity of such aforementioned information.
  • Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required.
  • Ensure that there is compliance by the workforce.

Ways in which the Access Anywhere Cloud Appliance satisfies HIPAA:

Data Access: This can be controlled using access control lists, so that data can be accessed only by authorised personnel over HTTPS. IP geo-restrictions can also be implemented to restrict geographic access. The actual legislative wording regarding restricted access to data is:

“Allow access only to those persons or software programs that have been granted access right.” (Section 164.312(a)(2)(1))

Remote / Offsite Access to data: Access Anywhere provides a service which can be configured to be part of a disaster recovery plan, enabling data to be accessed in the event of fire, flood, natural disaster, inadvertent deletions, viruses, hacking, theft or any other contingency. The actual legislative wording is:

“Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.” (HIPAA, Section 164.308(a)(7)(i)).

Event Logging: HIPAA solutions should enable audit logging and drill-down of file events, so that file access and changes can be checked along with the IP address from which they were made. Such audit and event logging is built into the Access Anywhere solution.

Encryption: The privacy rule regulations describe ensuring data is encrypted when “in flight” and when “at rest”. Access Anywhere and Amazon both directly support AES 256-bit encryption at a file level, and data can be sent over secure channels.

Disclaimer

This information is not intended to constitute legal advice. You are advised to seek the advice of counsel regarding compliance with HIPAA or refer to the HIPAA section of the U.S. Department of Health and Human Services' website, which can be found at: http://www.hhs.gov/ocr/hipaa/

Auditing & Family Education Rights & Privacy Act (FERPA)

FERPA is the federal privacy law for educational institutions and has regulatory compliance requirements for student educational records.

Access Anywhere's detailed audit event logs and access policies can be used to help track 'who' had access to data, 'when', and 'why'.

Note that FERPA compliance regulations specifically prohibit educational institutions from disclosing “personally identifiable education information” without a student's written permission.
