Is Comodo One HIPAA compliant?

I am doing some research on whether or not Comodo One MSP software is HIPAA compliant. Any other info on MSP compliancy with HIPAA or good guides to become compliant are welcomed.

That is a very complicated question. I’m generalizing, so please don’t try to pick this apart for flaws, and FYI, I’m not a lawyer; I’m not trying to interpret laws and give you advice in a legal capacity. Dealing with doctors means you have to deal with HIPAA, HITECH, the new Omnibus rule and whatever state-level regulations you might have. You as a BA to your doctor’s office have a responsibility to ensure that you are compliant with all regulations that a doctor must comply with. I recommend that you look at your policies and procedures to determine if you are accessing ePHI in a manner that is HIPAA compliant. If you aren’t following the regs, it doesn’t matter whether or not the tool is compliant. However, assuming you have covered your bases, I think it is a fair question. It comes down to information access: Does the One Platform have access to ePHI? The answer is maybe. If you are using the Acronis backup, the answer is yes. Valkyrie, probably. The RMM and remote access tools are a definite maybe.

I would boil it down into a couple of questions:

  1. Do any of the Comodo agents have the capacity to take data off of these machines? If so, is it encrypted and is there an audit trail?
  2. Is the Remote viewer encrypted (covering data-in-transit rules)? Is there, or will there be, an audit trail for accessing machines?
  3. If it is determined that the Comodo One platform has the potential to “create, maintain, transfer or receive” PHI, then there should be a process put in place to sign a BA agreement. Does that process exist?

Josh

In Germany we have a document / contract provided by the BSI. We sign that for our customers / clients. But it would be good to know if C1 is HIPAA safe.

best

Michael

I would like a staff member’s response too

Hi @jtlogic
Your questions are too complicated to answer in a forum post, since we won’t be able to get and provide complete information, which might lead to inaccurate answers. If you’re really interested, we could ask someone from our Sales and Marketing team to contact you to answer all your queries and possibly set up a demo for you. You may contact our sales department via sales@comodo.com.

Set up a demo? I already use Comodo One MSP. I want to know if the RMM software is HIPAA compliant, such as the remote feature and the data stored (customer info, machine info, etc.), and whether it is secure on Comodo’s side. What is complicated about that?

Hi @jtlogic
We are pleased to inform you that the feature you have requested (C1 portal HIPAA compliant) is on our roadmap and planned to be delivered by the end of 2017Q3. We will reach back to you with more updates regarding the development progress as soon as possible.

Any updates on this?

Hi @jtlogic
It is planned to be delivered by the end of Q3. We appreciate your patience and your understanding in this matter!

Looking forward to hearing when C1 will be HIPAA compliant.

@geekpoint

We are glad that more and more users are contributing their requests to improve the platform. We will notify you once this feature becomes available.

@Carl_C, is this still on track for the end of Q3?

Hello @RTT,

The planned release of “C1 portal HIPAA compliant” was recently moved to 2018Q3. We will be adding you to the list of interested partners and we will be sending the updates through email.

Thank you,

So… what specifically isn’t HIPAA compliant?

@jtlogic @easterntech50 @hm @geekpoint @RTT ,

HIPAA compliance would not apply to the Comodo ONE Platform itself, since we are not storing any HIPAA-related PI data. So, each MSP should review their processes to be sure they are compliant with HIPAA in their operation, including Comodo ONE usage.

In addition, Comodo ONE provides the necessary back-end support to help with compliance, like two-factor authentication, encrypted communication, etc.

What other specific queries about your compliance when using our platform do you wish to ask?

@Jimmy What is planned for this release?

@Jimmy and @easterntech50 I agree with you (97%). So what is Riley making reference to?
Both the Remote and File Browse functions make the MSP a BA, which must be bound by a BAA provided by the CE. We should have separate controls in the profiles for enabling and disabling File Browsing. File Browse could place the CE at risk of a possible HIPAA violation (breach) by the MSP accidentally accessing data deemed non-shareable by a patient (who is the final authority on his/her privacy).
HIPAA Policy and Procedure will cover most of it, but the more granular the controls on data, the better.
Furthermore, End Point Encryption will aid in achieving HIPAA Safe Harbour and eliminating the reporting requirements.
With that said: What is the HIPAA compliance roadmap and what can we expect?

Thanks.
@Riley_C Please put me on that list too.

Thanks.

This is a good point. C1 is only storing information about devices and not the data on them, so it should be compliant already, no?
The main thing I would say is making sure that data transmitted to and from the device for C1 is encrypted in transit.

Good day @hitechpr ,

We have created a support ticket and we have already added you to the loop.

Kind regards,

@wendelin ,

We’ll make sure to provide you with a notification as well.