Storage Service Provider
HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) was designed to promote the confidentiality and portability of patient records, to develop standards for consistency in the health care industry, and to provide incentives for electronic communications.
eSilo Compliance
eSilo conforms with Title II of HIPAA, the Administrative Simplification provisions, which are divided into three main parts: the Privacy Rule, the Transactions and Code Sets Rule, and the Security Rule. The Security Rule outlines a technical checklist for securely sharing Public Health Information (PHI).
Requirement: When PHI flows over open networks, some form of encryption must be utilized.
eSilo Compliance: eSilo uses 256-bit AES encryption for all network communications.

Requirement: Data should not be changed or erased.
eSilo Compliance: Once data is sent to eSilo's data centers, it cannot be modified, and its removal is completely controlled by the customer.

Requirement: Data corroboration, including the use of checksums, double-keying, message authentication, and digital signatures, should be used to ensure data integrity.
eSilo Compliance: eSilo's EFS protocol implements secure RSA handshakes, checksums and 256-bit short-lived keys.

Requirement: Covered entities must also authenticate the entities they communicate with. Examples include password systems, two- or three-way handshakes, telephone callback, and token systems.
eSilo Compliance: eSilo uses a triple-token user authentication system: username, password and encryption key.

Requirement: HIPAA requires that retained content be stored in a robust data center that provides minimum guaranteed uptime and very high security.
eSilo Compliance: All data sent to eSilo resides in world-class data centers with 99.99999% uptime, 24/7 security guards and biometric security.
Additional Information
HIPAA affects all entities that transmit, store, process or exchange personal health information including hospitals, employers, public health authorities, health plan administrators, billing agencies, physicians, etc.

HIPAA requires that a wide range of documents, including email messages, be kept for six years. Among the documents that must be maintained for six years are contracts with business associates, all documents related to policies and procedures, communications from patients who wish to modify the information held by a health care provider, authorizations and consumer complaints. Also, HIPAA requires that all records about a patient must be retained for two years after a patient's death.

HIPAA requires that retained content be stored in a robust data center that provides minimum guaranteed uptime and very high security, among other requirements. HIPAA also imposes strict data disposal requirements, including overwriting or physically destroying all magnetic media that is no longer in use or that is given away or sold.

The Medicare Conditions of Participation require hospitals to retain medical records for five years. Medicare requires that medical records be retained for five years as they relate to radiological and nuclear medicine services, and inpatient and outpatient services, among others. Psychiatric hospitals must also retain a variety of medical records for five years. Further, Medicare and Medicaid reimbursement to rural health clinics requires that these clinics maintain medical records for six years.
