Complying with 45 CFR 164 HIPAA Security Standards; Final Rule

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "Complying with 45 CFR 164 HIPAA Security Standards; Final Rule"

Transcription

1 Complying with 45 CFR 164 HIPAA Security Standards; Final Rule Implement best practices by using FileMaker Pro 7 as the backbone of your HIPAA compliant system. By Todd Duell This final rule adopts standards for the security of electronic protected health information to be implemented by health plans, health care clearing houses, and certain health care providers, otherwise known as covered entities. The use of the security standards will improve the Medicare and Medicaid programs, and other Federal health programs, and the effectiveness and efficiency of the health care industry in general by establishing a level of protection for certain electronic health information. The Final Rules to consider for your HIPAA compliant systems are 21 CFR 11, 45 CFR 160, 162, and 164. The Electronic Records and Signatures Rule, 21 CFR 11, became effective on August 20, Although not specifically mentioned by the HIPAA standards it does provide specific details that apply directly to the audit trail required by HIPAA. The Rule is really about good software development practices, which will certainly help any project of this nature. The HIPAA Rules, 45 CFR 160, 162, and 164 become effective on April 21, Compliance to the rule takes effect for covered entities, with the exception of small health plans by April 21, Small health plans must comply with the requirements of this final rule by April 21, With such a short time period in which to implement a HIPAA compliant system this white paper will discuss how FileMaker Pro 7 can be used to comply with all the required and addressable HIPAA Security Rules. The vast majority of the Rules will create new procedures, policies, SOP s (standard operating procedures), and training for your organization. This means that you as the business owner and operator will have a significant amount of work to perform. This is not a project that you hand off to your IT department and software vendor and expect a 100% compliant system in return. It is a project whereby you collaborate with your IT department and software vendor to determine the best practices for your organization. From there, each group will implement the technical, physical, and administrative requirements that directly affect their role in the development and implementation of the software and compliance program. Todd Duell is the Vice President & CIO of Formulations Pro, Inc and has been creating powerful commercial and custom solutions using FileMaker Pro since He holds an MBA in Technology Management, is a Certified FileMaker Pro 7 Developer, and has been an Associate member of the FileMaker Solutions Alliance since Todd may be reached at 2004 Formulations Pro, Inc. All rights reserved.

2 Technical Access Control (a)(1) Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in (a)(4). FileMaker Pro 7 has built-in account authentication and privileges that control access to the files based on a user name and encrypted password (Figure 1). The developer should also implement account administration scripts that allow controlled access to add, delete, reset, change passwords, enable and disable accounts, and re-login to the system. Technical Unique User Identification (a)(2)(i) Assign a unique name and/or number for identifying and tracking user identity. FileMaker Pro s internal account authentication will only allow the creation of unique account names. By using the Get(AccountName) function in scripts or using the built-in Creation Account Name or Modification Account Name to log the user activity FileMaker Pro 7 is more than capable of identifying and tracking the user s identity (Figure 2). Figure 1 Accounts and Privileges Users are authenticated by FileMaker, Active Directory, or Open Directory. Technical Emergency Access Procedure (a)(2)(ii) and Software Developer Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency. Every FileMaker Pro 7 solution is required to have an Admin account with full access to the system. The developer may choose to either provide a separate account and password for unrestricted access to the data, as may be the case for commercial software, or the master account name and password that grants the business owner unrestricted access to Page 2

3 the software, as may be the case for custom software development. Technical Audit Controls (b) Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information. This Rule is essentially the same as the audit trail as outlined in 21 CFR 11, whereby changes to the data in the records are maintained in a log file. This requires custom programming for FileMaker Pro 7. Logged changes should include a timestamp, the account name, the original data and what was changed, record identification number, and field or layout identification. The log files must be searchable. The log files must be maintained for as long as the data is required to be retained. This means that log files cannot be overwritten or deleted. Formulations Pro has well established best practices to implement a robust audit trail. Figure 2 User Identity Users can be identified through logs and scripts with their account name. Technical Integrity (c)(1) and Software Developer Implement policies and procedures to protect electronic protected health information from improper alteration or destruction. The developer should take the time to create the software to match the workflow of the business. By providing features such Page 3

4 as logical tab orders, pop-up menus, and controlled access to specific areas of the software improper alteration of the information can be minimized. One issue must be made extremely clear; data entry errors are the combined result poor software user interface and lack of training. Because of these human elements data entry errors cannot be completely eliminated from any software system. They can only me minimized. However, removing access to delete records can prevent the improper destruction of data. information that is being transmitted over and electronic communications network. FileMaker Pro 7 s network settings allow you to implement a system that limits access to the files over the network. You can specify users based on their privilege set (Figure 3). If the user is not in the privilege set they will not be able to view the file in the network (host) dialog box nor access the system via any means such as ODBC, JDBC, Mobile, FMNet, IWP, etc. Technical Person or Entity Authentication (d) Implement procedures to verify that a person or entity seeking access to electronic health information is the one claimed. As mentioned in the section for Unique User Identification, FileMaker Pro 7 uses industry standard methods to authenticate users. You can either use the built-in account name and encrypted password or use external authentication with Open Directory or Active Directory. Technical Transmission Security (e)(1) Figure 3 Network Access FileMaker Pro 7 can limit the access of users trying to access the system. Implement technical security measures to guard against unauthorized access to electronic protected health Page 4

5 Technical Automatic Logoff (a)(iii) Implement electronic procedures that terminate an electronic session after a predetermine time of inactivity. FileMaker Pro 7 and FileMaker Server 7 can be used in conjunction to set the amount of inactive time before disconnecting a user from the system (Figure 4). How long you allow the user to be inactive depends on your environment. For example, if you are in a hospital where unauthorized individuals may have access to unattended computers you may want to set the idle time to 1 to 3 minutes. If you are in an office setting where unauthorized individuals never have access to the software a more appropriate amount of inactive time may be 90 minutes. In either case, it s always a good idea to log off users at some amount of time of inactivity to free up network traffic and the total number of users accessing FileMaker Server 7. Technical Encryption and Decryption (a)(2)(iv) Implement a mechanism to encrypt and decrypt electronic protected health information. Although encryption is addressable, FileMaker Server 7 has a built-in encryption capability that can be turned on with one click (Figure 5). It uses a state-of-the-art Triple-DES cipher and HMAC-SHA1 algorithm to encrypt the data from FileMaker Server 7 to FileMaker Pro 7 and IWP clients. If you are using custom web publishing you will need to implement additional SSL encryption on your Apache or IIS web server. Figure 4 Idle Time Set the idle disconnect time to match the environment in which your business operates. Technical Mechanism to Authenticate Electronic Protected Health Information (d)(2) Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner. Page 5

6 Technical Integrity Controls (e)(2)(i) Implement security measures to ensure that transmitted electronic protected health information is not improperly modified without detection until disposed of. Using a client-server system on your local area network with FileMaker Server 7 and FileMaker Pro clients there is no risk of transmitted data being improperly modified without detection. If the data is being transmitted over a wide area network it is highly advisable to use virtual private network (VPN) security to protect the data while it is outside your network. If data is being transmitted over the Internet via a web browser, SSL should be used to encrypt the data. Figure 5 Encryption Turn on encryption with one click of the mouse. Enabling encryption in the only function that requires that you restart the service. FileMaker Pro 7 can be utilized to track the creation and modification account name and timestamp for every record. By combining the modification information with a log file (audit trail) and scripting that manages access to edit and delete records you can easily implement a mechanism to authenticate the data. Technical Encryption (e)(2)(ii) Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate. As shown in Figure 5, FileMaker Server 7 can enable encryption with one click of the mouse. In most firewall protected LAN settings, encryption may be overkill in terms of security requirements. In WAN connections where VPN is not used the encryption function of FileMaker Server 7 should be turned on. For Internet access SSL should be enabled on your web server. Page 6

7 Workstation Use (b) and Software Developer Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information. The business owner must specify which types of devices they wish to have to access the software. For example, Computers accessing the software over the LAN or WAN with FileMaker Pro clients, client computers or servers with ODBC or JDBC access, Intranet web browsers with IWP, Internet web browsers with custom web publishing, and/or personal digital assistants with FileMaker Mobile. Once these communication sources have been determined, FileMaker Pro can manage the extended privileges to selectively grant or deny access to any of these sources for each individual account (Figure 6). Workstation Security (c) Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users. Figure 6 Extended Privileges Enable or disable access for individual users to the desired entry points. All companies should upgrade to Windows 2000 Professional, XP Professional, and/or Max OS X. All of these operating systems utilize account authentication as part of the core operating system. For more advanced networks you may also utilize Active Directory or Open Directory to authenticate users with a single sign-on authentication scheme that selectively allows users to have access to the various parts of your network and enterprise applications. In all cases a minimum of login authentication at the operating system level should be implemented. FileMaker Pro 7 can also be utilized for user authentication with either the built-in account name and password login or with external authentication (Figure 7). Page 7

8 access to decipher the data. Therefore, Formulations Pro has a several recommendations for media handling. Figure 7 Login Authentication FileMaker Pro systems require either manual login with a valid account name and password or external authentication with Active or Open Directory. Device and Media Controls (d)(1) Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility. Any floppies disks, CD s, DVD s, tape drives, hard drives, etc. that have protected health information should only be handled by authorized individuals. The data on these medias in most cases will be in machine-readable format. In other words, unless the data is encrypted on these medias anyone with hardware and software to read these devices may have First, do not allow protected health information to be exported from the software and taken off site for activities such as data analysis and reports. Second, data exported from the system must be stored on approved media that is labeled as HIPAA protected information. This media should be used on a check out and check in basis to control the location and accountability for the media. Third, all used, unused, and back-up media should be stored in a secure, locked, cabinet with accountability for the individuals that have access to the media. The same holds true for media that is stored off site for disaster contingency plans. Fourth, if the media is taken to a company that specializes in data recovery, they should be required to sign a non-disclosure agreement as well as be informed that the material they are working with contains protected health information. You may wish to specify that any of their hardware or software used in the process of recovering your data be erased after the data recovery has been performed and that they may not retain back-up copies. Disposal (d)(2)(i) Implement policies to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored. This policy not only applies to your server and back-up media, but the client computers that have been used to access the Page 8

9 protected health information. Any time a client computer is transferred to a different employee or disposed of the hard drive should be securely erased. Since data may be recovered from drives that have been erased the preferred methods to erase the drive is a secure deletion method such as those provided by the Partition Magic software from Symantec or the built-in Secure Delete in OS X. Since CD s and DVD s may not be re-writable to securely delete the data your policy should specify that these types of media must be physically destroyed. There are devices similar to paper shredding machines that will allow you to destroy these medias. Media Re-use (d)(2)(ii) Implement policies and procedures for removal of electronic protected health information from electronic media before the media are made available for re-use. As mentioned above, there is commercially available software that will allow you to securely delete the media before it is re-used. However, this does not mean that you must securely delete the media every time it is used for server back-ups. Securely deleting back-ups that are multiple terabytes in size could take a substantial amount of time. The intent of this policy is if the media is being transferred between individuals or intended uses. In these cases the data must be securely deleted. We recommend that the media be labeled for it s intended use and identified whether secure deletion is required upon transfer to a new user or purpose. Facility Access Controls (a)(1) Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed. access can be as simple as a lock on the door to the server room or more exotic biometric or electronic card access protection systems whereby user access is logged into and out of the server room and/or to specific server racks. This is an area where we recommend that you determine through risk and budget analysis the extent of the technology that you believe should be implemented to control access to the server room. Contingency Operations (a)(2)(i) and Software Developer Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency. This simply means that more than one person should know how to access the server room, back-up media, and perform the data Page 9

10 recovery procedures. For companies with only one IT person or outsourced IT support, the power user or person responsible for overseeing the software should be responsible to know how to perform these procedures. Your disaster recovery SOP should detail the exact steps required to restore the data. Facility Security Plan (a)(2)(ii) Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering and theft. This is a policy that details the company s plan to secure the server room, protected media and equipment, protection against tampering of the servers. Implementing account names and passwords for network access to the servers can minimize tampering with the servers. Account names and passwords should only be given to people that are authorized to access the server through the network. Although theft of equipment cannot be entirely prevented, many companies use a combination of locked equipment rooms with limited access, permanent property tags on the equipment, and inspections of all bags, briefcases, and containers that are leaving the premises by the security staff. One easy-to-implement technology is magnetic security tags placed on or inside protected equipment. If the equipment passes a detector the alarm will sound to alert security. Access Control and Validation Procedures (a)(2)(iii) and Software Developer Implement procedures to control and validate a person s access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision. Many companies have security badges that grant employees and visitors access to specific area of the company. Some software programs can also log the entry and exit time and location the employee for review at any time. In the case of server access, FileMaker Server 7 has the ability to monitor the activity of employees accessing the server as well as many other performance statistics (Figure 8). To protect the server against unauthorized upgrades of hardware, software, drivers, and changes to critical settings, the server should be controlled by the Quality Assurance change management policy. What is controlled should be dictated by best practices rather than the fear of change. For example, any change that would require the restart of the server and interrupt services should be approved and communicated to the users prior performing the procedure. The reason for this is two-fold; to review the impact of the change and to prevent unintended data loss. In the case of FileMaker Server 7, the only change that would require prior approval would be changing the setting for encryption, which requires a restart of the server. All other settings can be changed on the fly without any consequences to the databases being served. For example, you can add more Page 10

11 files, close files, change RAM settings, manually start backups, change the number of guests that can access the server, etc. facility, which are related to security (for example, hardware, walls, doors, and locks). Even your facilities group and/or contractors are not immune to your Quality Control department. All changes as specified must be documented by Quality Control. Accountability (d)(2)(iii) Maintain a record of the movements of hardware and electronic media and any person responsible therefore. As mentioned above, all controlled media should be marked appropriately and handled on a check out and check in basis. Critical materials that contain protected health information should not leave the facility without approval. Figure 8 Clients FileMaker Server 7 can monitor real-time clients and server statistics. Maintenance Records ( (a)(2)(iv) Implement policies and procedures to document repairs and modifications to the physical components of a Data backup and Storage (d)(2)(iv) Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment. Before you swap hard drives or change servers you should first backup the data. This ensures that if there is a problem with the move that you can restore the data back to its original state. Although this is addressable, this should be a common practice. Page 11

12 Security Management Process (a)(1)(i) Implement policies and procedures to prevent, detect, contain, and correct security violations. To prevent security violations you can place locks, security cards, or biometric devices on all physical access routes to the server room. On the server you can require that only the administrator know the account name and password to access the server. Unauthorized users should never be given the account name and password to the server. Accessing the database through FileMaker Server 7 should require both an account name and password to log into the file or implement Active or Open Directory account authentication. To detect security violations you can use the FileMaker Server 7, core operating system, or network hardware logging capabilities. To contain security breeches you can create strategies with multiple firewalls between systems to limit them from getting to other areas of your network. For example, if you are hosting FileMaker Server 7 via custom web publishing you might have a static IP address dedicated for that server. With the server sitting behind a dedicated router and firewall and the router not connected to the rest of the local area network, you can contain a security breech to only that server. Thus, you must perform risk analysis and devise an appropriate strategy to protect your system and your network, while still allowing for appropriate administration and access to the system. The correction of security violations usually comes after the violation has been discovered. In the mean time, implementing best practices and securing your network should prevent or limit the risk of a security problem. Risk Analysis (a)(1)(ii0(A) and Software Developer Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity. Risk analysis and contingency plans should be considered for every required and addressable section of the HIPAA Rule. For example, if your database is only accessed on your local area network, the risk that the data will be corrupted, unknowingly modified, or captured by a hacker is extremely low. Thus, you might justify that encryption of the data using FileMaker Server 7 is unnecessary. Performing risk analysis and creating contingency plans is not about labeling everything as a problem. It is used to aid you in focusing your budget and effort on the critical items, while still understanding and addressing the noncritical items. Risk Management (a)(1)(ii)(B) Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with (a) Page 12

13 This is a high-level requirement for this section. If you comply with the other parts of the Rule you will in essence comply with Risk Management (1) You must ensure the confidentiality, integrity and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits. (2) Protect against any reasonably anticipated threats or hazards to the security of integrity of such information. (3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under (E). (4) Ensure compliance with this subpart by its workforce. This means that you must provide the users with training and monitor their use of the system. Sanctioning Policy (a)(1)(ii)(C) Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity. Because the cost of non-compliance is enforced with stiff monetary and jail-time penalties we highly suggest that your sanctioning policy be immediate termination of employees that intentionally fail to comply with your policies. To ensure that management communicates the polices to the employees we also recommend to immediately terminate the direct manager or supervisor who fails to provide appropriate initial and on-going training and education prior to granting access to the employee. Information System Activity Review (a)(1)(ii)(D) and Software Developer Implement procedures to regularly review records of information systems activity, such as audit logs, access reports, and security incident tracking reports. The audit trail created as a part of your system is the first place to review who has created, modified, and deleted records in the system. Managers should have ready access to the audit trail to run reports on a daily, weekly, monthly, or ad-hoc review. Other areas to review are the FileMaker Server 7 log file, access logs for the server, and any reports from your network hardware logs. Assigned Security Responsibility (a)(2) Identify the security official who is responsible for the development and implementation of the policies required by this subpart for the entity. Most companies have a Security Officer or Quality Assurance Officer that oversees security issues and implements security best practices for both the facility and technology deployments. Each SOP, policy, or procedure should identify who is responsible for overseeing and administering the security. Page 13

14 Workforce Security (a)(3)(i) and Software Developer Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information. Meeting this rule starts with best practices when programming the software. FileMaker Pro 7 is uses industry standard account authentication for each user. Each authorized user receives a unique account name and password for each file. To back this up, systems built by Formulations Pro all contain robust account administration features that are controlled by a central system administrator. The administration functions can be used to create, delete, enable, and disable user accounts on the fly. Information Access Management (a)(4)(i) Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part. Assess the relative criticality of specific applications and data in support of other contingency plan components. This gets back to the notion of risk management and contingency plans. Every element of your HIPAA requirements and addressable rules must contain a section that estimates the risk and provides an appropriate contingency plan in the event of a problem. Isolating Health Care Clearinghouse Functions (a)(4)(ii)(A) If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization. Security Awareness Training (a)(5)(i) Implement a security awareness and training program for all members of it workforce (including management). Formulations Pro highly recommends that users not be given access to any software, printed or electronic reports that contain protected health information until they receive appropriate training. We also recommend that all employee s account names and passwords be suspended on an annual basis to Page 14

15 ensure that they receive continual training and updates to any company policies or changes in the law. Security Incident Procedures (a)(6)(i) Implement policies and procedures to address security incidents. Response and Reporting (a)(6)(ii) Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes. Contingency Plan (a)(7)(i) Typically what this entails is a back-up and disaster recovery procedure as required by the next two sections of the HIPAA Rules. Data Backup Plan (a)(7)(ii)(A) and Software Developer Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information. FileMaker Pro Server 7 can be used to make automated backups on any schedule that your system requires (Figure 9). Formulations Pro recommends that the backup be performed by saving the files to the same hard drive of the server. Then use some type of third party software such as Retrospect Remote to copy the backup folder to a device such as a tape drive in the middle of the night to maximize system performance for the users. If there is no activity on the server in the middle of the night you can also backup the files directly to the tape drive to save space on your server. The tape drive can then be taken off site to a secure, fireproof, location to provide mitigated disaster protection. Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information. Page 15

16 Figure 9 Schedules Use FileMaker Server 7 to automatically backup your data for disaster recovery. Disaster Recovery Plan (a)(7)(ii)(B) and Software Developer Establish (and implement as needed) procedures to restore any loss of data. Some companies prefer to use software from Veritas or Network Appliance that takes a snapshot backup of the hard drive. This type of software makes pseudo-copies of very large amounts of data in a very short period of time. However, FileMaker Server 7 serves an open database, which can become corrupted if it is copied when it is live. Therefore, if you use this type of approach we highly recommend that you validate the entire backup and recovery procedure to ensure that the files do not get corrupted in the process. No database is 100% free from data loss. If you have issues with the RAM, power supply, loss of hard drives, network problems, etc., data can be lost. Your job is to minimize the potential of this loss through best practices. Thus, installing a RAID (Redundant Array of Independent Disks) on your server to protect the data is highly recommended. We typically recommend RAID 5 because it provides excellent performance and good fault tolerance by striping the data across multiple disks and providing error correction. By adding more drives you can significantly increase your storage capacity and performance. Emergency Mode Operation Plan (a)(7)(ii)(C) Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode. Evaluation (a)(8) Perform a periodic technical and non-technical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that established the extent to Page 16

17 which an entity s security policies and procedures meet the requirements of this subpart. The easiest method to meet this rule is to expire all your SOP s, procedures, policies, and contingency plans as part of your Quality Assurance program. This will ensure that every procedure related to HIPAA compliance is reviewed on an annual or recurring basis. Business Associate Contracts and Other Arrangements (b)(1) A covered entity, in accordance with , may permit a business associate to create, retrieve, maintain, or transmit electronic protected health information on the covered entity s behalf only if the covered entity obtains satisfactory assurances, in accordance with (a) that the business associate will appropriately safeguard the information. If you are the parent company and have subsidiaries or contracts with third-party businesses you must audit these companies for compliance to the HIPAA rules and regulations. We suggest that you require (at a minimum) the same review and implementation standards that you require for your own organization. Best practices always start with your own company. Written Contract or Other Arrangement (b)(4) Document the satisfactory assurances required by paragraph (b)(1) of this section through a written contract or other arrangement with the business associate that meets the applicable requirements of (a). Any time you require a subsidiary or third party business to be HIPAA compliant or maintain your HIPAA compliance you should create a contract that details the HIPAA rules for which you expect them to be in compliance. You should also specify that they are responsible for any and all damages directly associated with their non-compliance. As part of this contract you should also be allowed to audit their systems, policies, and procedures during routine and surprise inspections. Authorization and/or Supervision (a)(3)(ii)(A) Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed. Because the users will be working with a database, we highly recommend that users (workforce as well as management) not be allowed to work with the software until they have received both HIPAA awareness training and training specific to the use Page 17

18 of the software. As part of the training, Formulations Pro creates a sand box environment of the software that enables the users to train in a simulated environment until they are approved to work with live data. Workforce Clearance Procedure (a)(3)(ii)(B) Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate. During the design phase it is critical to describe to the Formulations Pro consultants the workflow, environment in which the software will be used, and the types of users that will work with the software. From this information privilege sets will be created for each distinct work group that have specific access granted to specific area of the software. Typically, access to areas such as client or patient contact information should have the highest level of protection. Users that have access to protected information should be required to have the highest level of clearance to be assigned a privilege set that can access this information. Lower levels of access may be granted with a less stringent or a more intuitive policy. Termination Procedures (a)(30(ii)(C) and Software Developer Implement procedures for terminating access to electronic protected health information when the employment of a workforce member ends of as required by determinations made as specified in paragraph (a)(3)(ii)(b) of this section. Systems built by Formulations Pro allow access by the system administrator to delete and deactivate accounts. If an employee is terminated we recommend that the account be deleted from the system to prevent any potential future identify falsification. If the user is transferred to a role that no longer has access to the system we recommend that the account be deactivated. This keeps the account in the system, but not accessible until the system administrator re-activates the account. In either case, your Human Resources department should trigger the termination or transfer procedures by sending a notice to the appropriate system administrator(s) in the IT department. If the user changes roles the system administrator can change the user s privilege set to modify their access to the system. Access Authorization (a)(4)(ii)(C) and Software Developer Implement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process, or other mechanism. Page 18

19 The business owner must specify which types of devices they wish to have to access the software. For example, Computers accessing the software over the LAN or WAN with FileMaker Pro clients, client computers or servers with ODBC or JDBC access, Intranet web browsers with IWP, Internet web browsers with custom web publishing, and/or personal digital assistants with FileMaker Mobile. Once these communication sources have been determined, FileMaker Pro can manage the extended privileges to selectively grant or deny access to any of these sources for each individual account. Security Reminders (a)(5)(ii)(A) Implement periodic security updates. Formulations Pro recommends that the security reminders be a part of the annual training program for every employee. It s always a good idea to remind the employees about the importance and implications of having access to protected health information. Employees should also be reminded that in the systems built by Formulations Pro their electronic signature is the legally binding equivalent to their handwritten signature. Thus, if they share their account name and password with other users they are legally responsible for those users actions in the database. Sharing account names and passwords should be an offense that warrants termination. This includes terminating the management. Protection from Malicious Software (a)(5)(ii)(B) Implement procedures for guarding against, detecting, and reporting malicious software. Every computer should have up-to-date antivirus software. Although virus-checking software can only catch approximately 94% of existing viruses and is always vulnerable to new viruses, most virus problems occur from known viruses where the software has not been updated. It is reasonable to expect any corporation to have an enterprise account for anti-virus software from Norton or McAfee that provides daily updates to their virus definitions. Log-in Monitoring (a)(5)(ii)(C) Implement procedures for monitoring log-in attempts and reporting discrepancies. FileMaker Pro 7 has two built-in features to minimize the risk of invalid log-ins. For ease of use the login feature can be set to allow the user to attempt to log in 5 times before quitting the program. If your operating environment needs additional security you can change the setting to allow only one attempt to log in before the application quits. If you need to log the actual user account name that is accessing the FileMaker Server 7 Page 19

20 files you will need to monitor your operating system s log files. FileMaker Server 7 does log failed login attempts. Formulations Pro does not recommend programming your system with an open password and complex scripting to log user input at this critical juncture because it opens a much larger security issue that exceeds the risk of monitoring a log file. User s will get discouraged from trying to log into systems if the application quits after one false try. In many cases this should be sufficient risk reduction, while also minimizing your administrative costs. Password Management (a)(5)(ii)(D) Implement procedures for creating, changing, and safeguarding passwords. FileMaker Pro 7 has built-in account authentication and privileges that control access to the files based on a user name and encrypted password. The password is encrypted so that no user, not even the administrator, has access to view the password. If the user forgets their password the administrator must change it for them. Formulations Pro also installs best practices that requires that the next time the user opens the file they be prompted to change their password as an additional security mechanism to prevent administrators from using the password. Testing and Revision Procedures (a)(7)(ii)(D) Implement procedures for periodic testing and revision of contingency plans. The easiest method to meet this rule is to expire all your SOP s, procedures, policies, and contingency plans as part of your Quality Assurance program. This will ensure that every procedure related to HIPAA compliance is reviewed on an annual or recurring basis. Applications and Data Criticality Analysis (a)(7)(ii)(E) Assess the relative criticality of specific applications and data in support of other contingency plan components. Somewhere during the project you should step back from the fine details and look globally at your project to determine where this fits into the scope of your strategic business objectives. In many cases, developing best practices once that can be deployed across multiple applications will save you a lot of time and money. However, keep in mind that not all applications can support what you consider to be best practices if your implementation is too stringent. Thus, it must allow for some flexibility to work within the constructs of the software and your project requirements. That is, unless you have an unlimited Page 20

21 amount of time and budget to customize the software. If the software cannot meet your best practices then you must assess the risk of not implementing the requirement in terms of the security of the data vs. the cost of non-compliance in the event of a security breech. Summary Either your company and its software is HIPAA compliant or it is not. There is no middle ground whereby you implement some of the required elements and claim to be in compliance. All required specifications are required to be implemented. specifications are not required only if your risk analysis finds they are unreasonable and/or inappropriate. During the evaluation phase of your project you will find there are certain specifications that are very clearly implemented by the software developer (i.e. account administration) and others that are clearly implemented by the business user (i.e. sanctioning policy). Others may be best solved by the integration of ideas and concepts from both the software developer and business owner. However, the ultimate responsibility to attain compliance falls squarely with the business owner. Therefore, this is not a project you hand off to your IT department or software developer and expect a compliant system in return. software, the workflow, and the user interface. Most notably, they will have a largest impact on the procedures and policies that govern your company and the employees that access the protected health information. Therefore we highly recommend that you understand the rules and implement what you feel are the best practices across your entire organization and any future software development that might fall under this regulation. This will save you a lot of time and money on your future projects. In the mean time, you can be assured that Formulations Pro can consult, build, customize, and install integrated database solutions to meet your HIPAA requirements Formulations Pro, Inc. Formulations Pro is a trademark of Formulations Pro, Inc., registered in the U.S.A. The Formulations Pro logo is trademarks of Formulations Pro, Inc. FileMaker Pro is a trademark of FileMaker Pro Inc., registered in the U.S.A and other countries. Product specifications and availability are subject to change without notice. Although you may find that many of the HIPAA requirements and addressable rules do not apply to your company they will have an enormous impact on the development of the Page 21

HIPAA Security Checklist

HIPAA Security Checklist HIPAA Security Checklist The following checklist summarizes HIPAA Security Rule requirements that should be implemented by covered entities and business associates. The citations are to 45 CFR 164.300

More information

HIPAA Audit Processes HIPAA Audit Processes. Erik Hafkey Rainer Waedlich

HIPAA Audit Processes HIPAA Audit Processes. Erik Hafkey Rainer Waedlich HIPAA Audit Processes Erik Hafkey Rainer Waedlich 1 Policies for all HIPAA relevant Requirements and Regulations Checklist for an internal Audit Process Documentation of the compliance as Preparation for

More information

VMware vcloud Air HIPAA Matrix

VMware vcloud Air HIPAA Matrix goes to great lengths to ensure the security and availability of vcloud Air services. In this effort VMware has completed an independent third party examination of vcloud Air against applicable regulatory

More information

HIPAA/HITECH PRIVACY & SECURITY CHECKLIST SELF ASSESSMENT INSTRUCTIONS

HIPAA/HITECH PRIVACY & SECURITY CHECKLIST SELF ASSESSMENT INSTRUCTIONS HIPAA/HITECH PRIVACY & SECURITY CHECKLIST SELF ASSESSMENT INSTRUCTIONS Thank you for taking the time to fill out the privacy & security checklist. Once completed, this checklist will help us get a better

More information

SECURITY RISK ASSESSMENT SUMMARY

SECURITY RISK ASSESSMENT SUMMARY Providers Business Name: Providers Business Address: City, State, Zip Acronyms NIST FIPS PHI EPHI BA CE EHR HHS IS National Institute of Standards and Technology Federal Information Process Standards Protected

More information

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 5. 2. Security Standards - Organizational, Security Policies Standards & Procedures, - Administrative and Documentation Safeguards

More information

HIPAA Security Series

HIPAA Security Series 7 Security Standards: Implementation for the Small Provider What is the Security Series? The security series of papers provides guidance from the Centers for Medicare & Medicaid Services (CMS) on the rule

More information

HIPAA Information Security Overview

HIPAA Information Security Overview HIPAA Information Security Overview Security Overview HIPAA Security Regulations establish safeguards for protected health information (PHI) in electronic format. The security rules apply to PHI that is

More information

HIPAA Security. assistance with implementation of the. security standards. This series aims to

HIPAA Security. assistance with implementation of the. security standards. This series aims to HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 2. Security Standards - Administrative Safeguards 3. Security Standards - Physical Safeguards 4. Security Standards - Technical

More information

HIPAA Security Alert

HIPAA Security Alert Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information

More information

Krengel Technology HIPAA Policies and Documentation

Krengel Technology HIPAA Policies and Documentation Krengel Technology HIPAA Policies and Documentation Purpose and Scope What is Protected Health Information (PHI) and What is Not What is PHI? What is not PHI? The List of 18 Protected Health Information

More information

UNIVERSITY OF CALIFORNIA, SANTA CRUZ 2015 HIPAA Security Rule Compliance Workbook

UNIVERSITY OF CALIFORNIA, SANTA CRUZ 2015 HIPAA Security Rule Compliance Workbook Introduction Per UCSC's HIPAA Security Rule Compliance Policy 1, all UCSC entities subject to the HIPAA Security Rule ( HIPAA entities ) must implement the UCSC Practices for HIPAA Security Rule Compliance

More information

An Effective MSP Approach Towards HIPAA Compliance

An Effective MSP Approach Towards HIPAA Compliance MAX Insight Whitepaper An Effective MSP Approach Towards HIPAA Compliance An independent review of HIPAA requirements, detailed recommendations and vital resources to aid in achieving compliance. Table

More information

Implement best practices by using FileMaker Pro 7 as the backbone of your 21 CFR 11 compliant system.

Implement best practices by using FileMaker Pro 7 as the backbone of your 21 CFR 11 compliant system. 21 CRF 11 Electronic Records and Signatures Implement best practices by using FileMaker Pro 7 as the backbone of your 21 CFR 11 compliant system. By Todd Duell What does Title 21 of the Code of Federal

More information

Meaningful Use and Core Requirement 15

Meaningful Use and Core Requirement 15 Meaningful Use and Core Requirement 15 How can I comply the lack of time and staff... www.compliancygroup.com 1 Meaningful Use and Core Requirement 15 Meaningful Use Protection of Protected Health Information

More information

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) Table of Contents Introduction... 1 1. Administrative Safeguards...

More information

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice Appendix 4-2: Administrative, Physical, and Technical Safeguards Breach Notification Rule How Use this Assessment The following sample risk assessment provides you with a series of sample questions help

More information

HIPAA Security. 4 Security Standards: Technical Safeguards. Security Topics

HIPAA Security. 4 Security Standards: Technical Safeguards. Security Topics HIPAA Security S E R I E S Security Topics 1. Security 101 for Covered Entities 2. Security Standards - Administrative Safeguards 3. Security Standards - Physical Safeguards 4. Security Standards - Technical

More information

ITS HIPAA Security Compliance Recommendations

ITS HIPAA Security Compliance Recommendations ITS HIPAA Security Compliance Recommendations October 24, 2005 Updated May 31, 2010 http://its.uncg.edu/hipaa/security/ Table of Contents Introduction...1 Purpose of this Document...1 Important Terms...1

More information

HIPAA Security COMPLIANCE Checklist For Employers

HIPAA Security COMPLIANCE Checklist For Employers Compliance HIPAA Security COMPLIANCE Checklist For Employers All of the following steps must be completed by April 20, 2006 (April 14, 2005 for Large Health Plans) Broadly speaking, there are three major

More information

HIPAA Security and HITECH Compliance Checklist

HIPAA Security and HITECH Compliance Checklist HIPAA Security and HITECH Compliance Checklist A Compliance Self-Assessment Tool HIPAA SECURITY AND HITECH CHECKLIST The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires physicians

More information

HIPAA Security Rule Safeguards Recommended Standards Developed by: USF HIPAA Security Team May 12, 2005

HIPAA Security Rule Safeguards Recommended Standards Developed by: USF HIPAA Security Team May 12, 2005 INTRODUCTION HIPAA Security Rule Safeguards Recommended Standards Developed by: USF HIPAA Security Team May 12, 2005 The Health Insurance Portability and Accountability Act (HIPAA) Security Rule, as a

More information

Policies and Compliance Guide

Policies and Compliance Guide Brooklyn Community Services Policies and Compliance Guide relating to the HIPAA Security Rule June 2013 Table of Contents INTRODUCTION... 3 GUIDE TO BCS COMPLIANCE WITH THE HIPAA SECURITY REGULATION...

More information

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security. Topics

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security. Topics HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 5. 2. Security Standards - Organizational, Security Policies Standards & Proc - A edures, dministrativ and e Documentation Safeguards

More information

State HIPAA Security Policy State of Connecticut

State HIPAA Security Policy State of Connecticut Health Insurance Portability and Accountability Act State HIPAA Security Policy State of Connecticut Release 2.0 November 30 th, 2004 Table of Contents Executive Summary... 1 Policy Definitions... 3 1.

More information

HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE

HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE How to Use this Assessment The following risk assessment provides you with a series of questions to help you prioritize the development and implementation

More information

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) UNIVERSITY OF PITTSBURGH POLICY SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) DATE: March 18, 2005 I. SCOPE This

More information

HIPAA Compliance Guide

HIPAA Compliance Guide HIPAA Compliance Guide Important Terms Covered Entities (CAs) The HIPAA Privacy Rule refers to three specific groups as covered entities, including health plans, healthcare clearinghouses, and health care

More information

WHITE PAPER. Support for the HIPAA Security Rule RadWhere 3.0

WHITE PAPER. Support for the HIPAA Security Rule RadWhere 3.0 WHITE PAPER Support for the HIPAA Security Rule RadWhere 3.0 SUMMARY This white paper is intended to assist Nuance customers who are evaluating the security aspects of the RadWhere 3.0 system as part of

More information

Healthcare Management Service Organization Accreditation Program (MSOAP)

Healthcare Management Service Organization Accreditation Program (MSOAP) ELECTRONIC HEALTHCARE NETWORK ACCREDITATION COMMISSION (EHNAC) Healthcare Management Service Organization Accreditation Program (MSOAP) For The HEALTHCARE INDUSTRY Version 1.0 Released: January 2011 Lee

More information

White Paper. Support for the HIPAA Security Rule PowerScribe 360

White Paper. Support for the HIPAA Security Rule PowerScribe 360 White Paper Support for the HIPAA Security Rule PowerScribe 360 2 Summary This white paper is intended to assist Nuance customers who are evaluating the security aspects of the PowerScribe 360 system as

More information

HIPAA Security Matrix

HIPAA Security Matrix HIPAA Matrix Hardware : 164.308(a)(1) Management Process =Required, =Addressable Risk Analysis The Covered Entity (CE) can store its Risk Analysis document encrypted and offsite using EVault managed software

More information

Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification

Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification Type of Policy and Procedure Comments Completed Privacy Policy to Maintain and Update Notice of Privacy Practices

More information

SAMPLE HIPAA/HITECH POLICIES AND PROCEDURES MANUAL FOR THE SECURITY OF ELECTRONIC PROTECTED HEALTH INFORMATION

SAMPLE HIPAA/HITECH POLICIES AND PROCEDURES MANUAL FOR THE SECURITY OF ELECTRONIC PROTECTED HEALTH INFORMATION SAMPLE HIPAA/HITECH POLICIES AND PROCEDURES MANUAL FOR THE SECURITY OF ELECTRONIC PROTECTED HEALTH INFORMATION Please Note: 1. THIS IS NOT A ONE-SIZE-FITS-ALL OR A FILL-IN-THE BLANK COMPLIANCE PROGRAM.

More information

Support for the HIPAA Security Rule

Support for the HIPAA Security Rule WHITE PAPER Support for the HIPAA Security Rule PowerScribe 360 Reporting v2.0 HEALTHCARE 2 SUMMARY This white paper is intended to assist Nuance customers who are evaluating the security aspects of PowerScribe

More information

Healthcare Compliance Solutions

Healthcare Compliance Solutions Healthcare Compliance Solutions Let Protected Trust be your Safe Harbor In the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH), the U.S. Department of Health and Human

More information

HIPAA Security. Jeanne Smythe, UNC-CH Jack McCoy, ECU Chad Bebout, UNC-CH Doug Brown, UNC-CH

HIPAA Security. Jeanne Smythe, UNC-CH Jack McCoy, ECU Chad Bebout, UNC-CH Doug Brown, UNC-CH HIPAA Security Jeanne Smythe, UNC-CH Jack McCoy, ECU Chad Bebout, UNC-CH Doug Brown, UNC-CH What is this? Federal Regulations August 21, 1996 HIPAA Became Law October 16, 2003 Transaction Codes and Identifiers

More information

Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES

Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES HIPAA COMPLIANCE Achieving HIPAA Compliance with Security Professional Services The Health Insurance

More information

New Boundary Technologies HIPAA Security Guide

New Boundary Technologies HIPAA Security Guide New Boundary Technologies HIPAA Security Guide A New Boundary Technologies HIPAA Security Configuration Guide Based on NIST Special Publication 800-68 December 2005 1.0 Executive Summary This HIPAA Security

More information

An Oracle White Paper December 2010. Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance

An Oracle White Paper December 2010. Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance An Oracle White Paper December 2010 Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance Executive Overview... 1 Health Information Portability and Accountability Act Security

More information

Healthcare Compliance Solutions

Healthcare Compliance Solutions Privacy Compliance Healthcare Compliance Solutions Trust and privacy are essential for building meaningful human relationships. Let Protected Trust be your Safe Harbor The U.S. Department of Health and

More information

IBM Internet Security Systems. The IBM Internet Security Systems approach for Health Insurance Portability and Accountability Act compliance overview

IBM Internet Security Systems. The IBM Internet Security Systems approach for Health Insurance Portability and Accountability Act compliance overview IBM Internet Security Systems The IBM Internet Security Systems approach for Health Insurance Portability and Accountability Act compliance overview Health Insurance Portability and Accountability Act

More information

HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant

HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant 1 HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant Introduction U.S. healthcare laws intended to protect patient information (Protected Health Information or PHI) and the myriad

More information

The HIPAA Security Rule Primer A Guide For Mental Health Practitioners

The HIPAA Security Rule Primer A Guide For Mental Health Practitioners The HIPAA Security Rule Primer A Guide For Mental Health Practitioners Distributed by NASW Printer-friendly PDF 2006 APAPO 1 Contents Click on any title below to jump to that page. 1 What is HIPAA? 3 2

More information

HIPAA Security Rule Compliance and Health Care Information Protection

HIPAA Security Rule Compliance and Health Care Information Protection HIPAA Security Rule Compliance and Health Care Information Protection How SEA s Solution Suite Ensures HIPAA Security Rule Compliance Legal Notice: This document reflects the understanding of Software

More information

HIPAA Security Rule Compliance

HIPAA Security Rule Compliance HIPAA Security Rule Compliance Caryn Reiker MAXIS360 HIPAA Security Rule Compliance what is it and why you should be concerned about it Table of Contents About HIPAA... 2 Who Must Comply... 2 The HIPAA

More information

The HIPAA Security Rule Primer Compliance Date: April 20, 2005

The HIPAA Security Rule Primer Compliance Date: April 20, 2005 AMERICAN PSYCHOLOGICAL ASSOCIATION PRACTICE ORGANIZATION Practice Working for You The HIPAA Security Rule Primer Compliance Date: April 20, 2005 Printer-friendly PDF 1 Contents Click on any title below

More information

RAYSAFE S1 SECURITY WHITEPAPER VERSION B. RaySafe S1 SECURITY WHITEPAPER

RAYSAFE S1 SECURITY WHITEPAPER VERSION B. RaySafe S1 SECURITY WHITEPAPER RaySafe S1 SECURITY WHITEPAPER Contents 1. INTRODUCTION 2 ARCHITECTURE OVERVIEW 2.1 Structure 3 SECURITY ASPECTS 3.1 Security Aspects for RaySafe S1 Data Collector 3.2 Security Aspects for RaySafe S1 cloud-based

More information

Datto Compliance 101 1

Datto Compliance 101 1 Datto Compliance 101 1 Overview Overview This document provides a general overview of the Health Insurance Portability and Accounting Act (HIPAA) compliance requirements for Managed Service Providers (MSPs)

More information

HIPAA and HITECH Regulations

HIPAA and HITECH Regulations HIPAA and HITECH Regulations Implications for Healthcare Organizations and their Business Associates A Primer on Achieving Compliance by KOM Networks 1 Contents Table of Contents Preface... 3 Target audience...

More information

Telemedicine HIPAA/HITECH Privacy and Security

Telemedicine HIPAA/HITECH Privacy and Security Telemedicine HIPAA/HITECH Privacy and Security 1 Access Control Role Based Access The organization shall provide secure rolebased account management. Privileges granted utilizing the principle of least

More information

AOA HIPAA SECURITY REGULATION COMPLIANCE MANUAL

AOA HIPAA SECURITY REGULATION COMPLIANCE MANUAL AOA HIPAA SECURITY REGULATION COMPLIANCE MANUAL August, 2013 HIPAA SECURITY REGULATION COMPLIANCE DOCUMENTS For (Practice name) (Street Address) (City, State, ZIP) Adopted (Date) 2 INTRODUCTION The federal

More information

Guide: Meeting HIPAA Security Rules

Guide: Meeting HIPAA Security Rules Networks Guide: Meeting HIPAA Security Rules Intelligent Network Security 100 West Harrison North Tower, Suite 300 Seattle, WA 98119 T 206. 285. 8080 F 206. 285. 8081 w w w. l ockdow nnet w o r k s. com

More information

Montclair State University. HIPAA Security Policy

Montclair State University. HIPAA Security Policy Montclair State University HIPAA Security Policy Effective: June 25, 2015 HIPAA Security Policy and Procedures Montclair State University is a hybrid entity and has designated Healthcare Components that

More information

Develop HIPAA-Compliant Mobile Apps with Verivo Akula

Develop HIPAA-Compliant Mobile Apps with Verivo Akula Develop HIPAA-Compliant Mobile Apps with Verivo Akula Verivo Software 1000 Winter Street Waltham MA 02451 781.795.8200 sales@verivo.com Verivo Software 1000 Winter Street Waltham MA 02451 781.795.8200

More information

HIPAA Assessment HIPAA Policy and Procedures

HIPAA Assessment HIPAA Policy and Procedures Sample Client HIPAA Assessment HIPAA Policy and Procedures Sample Client Prepared by: InhouseCIO, LLC CONFIDENTIALITY NOTE: The information contained in this report document is for the exclusive use of

More information

HIPAA HANDBOOK. Keeping your backup HIPAA-compliant

HIPAA HANDBOOK. Keeping your backup HIPAA-compliant The federal Health Insurance Portability and Accountability Act (HIPAA) spells out strict regulations for protecting health information. HIPAA is expansive and can be a challenge to navigate. Use this

More information

HIPAA Compliance: Are you prepared for the new regulatory changes?

HIPAA Compliance: Are you prepared for the new regulatory changes? HIPAA Compliance: Are you prepared for the new regulatory changes? Baker Tilly CARIS Innovation, Inc. April 30, 2013 Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed

More information

HIPAA Security. 5 Security Standards: Organizational, Policies. Security Topics. and Procedures and Documentation Requirements

HIPAA Security. 5 Security Standards: Organizational, Policies. Security Topics. and Procedures and Documentation Requirements HIPAA Security S E R I E S Security Topics 1. Security 101 for Covered Entities 2. Security Standards - Administrative Safeguards 3. Security Standards - Physical Safeguards 4. Security Standards - Technical

More information

How Managed File Transfer Addresses HIPAA Requirements for ephi

How Managed File Transfer Addresses HIPAA Requirements for ephi How Managed File Transfer Addresses HIPAA Requirements for ephi 1 A White Paper by Linoma Software INTRODUCTION As the healthcare industry transitions from primarily using paper documents and patient charts

More information

HIPAA Security. 1 Security 101 for Covered Entities. Security Topics

HIPAA Security. 1 Security 101 for Covered Entities. Security Topics HIPAA SERIES Topics 1. 101 for Covered Entities 2. Standards - Administrative Safeguards 3. Standards - Physical Safeguards 4. Standards - Technical Safeguards 5. Standards - Organizational, Policies &

More information

CHIS, Inc. Privacy General Guidelines

CHIS, Inc. Privacy General Guidelines CHIS, Inc. and HIPAA CHIS, Inc. provides services to healthcare facilities and uses certain protected health information (PHI) in connection with performing these services. Therefore, CHIS, Inc. is classified

More information

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com HIPAA Privacy Rule Sets standards for confidentiality and privacy of individually

More information

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL for INFORMATION RESOURCES Updated: June 2007 Information Resources Security Manual 1. Purpose of Security Manual 2. Audience 3. Acceptable

More information

City of Pittsburgh Operating Policies. Policy: HIPAA Privacy Policies Original Date: 1/2005 and Procedures Revised Date: 3/22/2010

City of Pittsburgh Operating Policies. Policy: HIPAA Privacy Policies Original Date: 1/2005 and Procedures Revised Date: 3/22/2010 City of Pittsburgh Operating Policies Policy: HIPAA Privacy Policies Original Date: 1/2005 and Procedures Revised Date: 3/22/2010 PURPOSE: To establish internal policies and procedures to ensure compliance

More information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1

More information

Information Security Handbook

Information Security Handbook Information Security Handbook Adopted 6/4/14 Page 0 Page 1 1. Introduction... 5 1.1. Executive Summary... 5 1.2. Governance... 5 1.3. Scope and Application... 5 1.4. Biennial Review... 5 2. Definitions...

More information

HIPAA/HITECH: A Guide for IT Service Providers

HIPAA/HITECH: A Guide for IT Service Providers HIPAA/HITECH: A Guide for IT Service Providers Much like Arthur Dent in the opening scene of The Hitchhiker s Guide to the Galaxy (HHGTTG), you re experiencing the impact of new legislation that s infringing

More information

Security Manual for Protected Health Information

Security Manual for Protected Health Information Security Manual for Protected Health Information Revised September 2011 Contents PREFACE... 4 TTUHSC Operating Policy Regarding Privacy and Security... 5 1. DEFINITIONS:... 6 2. ADMINISTRATIVE SAFEGUARDS

More information

Procedure Title: TennDent HIPAA Security Awareness and Training

Procedure Title: TennDent HIPAA Security Awareness and Training Procedure Title: TennDent HIPAA Security Awareness and Training Number: TD-QMP-P-7011 Subject: Security Awareness and Training Primary Department: TennDent Effective Date of Procedure: 9/23/2011 Secondary

More information

WHITE PAPER. HIPAA-Compliant Data Backup and Disaster Recovery

WHITE PAPER. HIPAA-Compliant Data Backup and Disaster Recovery WHITE PAPER HIPAA-Compliant Data Backup and Disaster Recovery DOCUMENT INFORMATION HIPAA-Compliant Data Backup and Disaster Recovery PRINTED March 2011 COPYRIGHT Copyright 2011 VaultLogix, LLC. All Rights

More information

Healthcare Network Accreditation Program (HNAP-EHN) Criteria

Healthcare Network Accreditation Program (HNAP-EHN) Criteria ELECTRONIC HEALTHCARE NETWORK ACCREDITATION COMMISSION (EHNAC) Healthcare Network Accreditation Program (HNAP-EHN) Criteria For The HEALTHCARE INDUSTRY Version 10.0 Release date: January 1, 2009 Lee Barrett,

More information

ISLAND COUNTY SECURITY POLICIES & PROCEDURES

ISLAND COUNTY SECURITY POLICIES & PROCEDURES Health Insurance Portability and Accountability Act (HIPAA) ISLAND COUNTY SECURITY POLICIES & PROCEDURES Island County HIPAA Security Rule Page 1 Table of Contents Table of Contents... 2 Authority... 3

More information

C.T. Hellmuth & Associates, Inc.

C.T. Hellmuth & Associates, Inc. Technical Monograph C.T. Hellmuth & Associates, Inc. Technical Monographs usually are limited to only one subject which is treated in considerably more depth than is possible in our Executive Newsletter.

More information

MANAGED FILE TRANSFER: 10 STEPS TO HIPAA/HITECH COMPLIANCE

MANAGED FILE TRANSFER: 10 STEPS TO HIPAA/HITECH COMPLIANCE WHITE PAPER MANAGED FILE TRANSFER: 10 STEPS TO HIPAA/HITECH COMPLIANCE 1. OVERVIEW Do you want to design a file transfer process that is secure? Or one that is compliant? Of course, the answer is both.

More information

HIPAA Security Compliance for Konica Minolta bizhub MFPs

HIPAA Security Compliance for Konica Minolta bizhub MFPs HIPAA Security Compliance for Konica Minolta bizhub MFPs Table of Contents Introduction... 1 What is HIPAA?... 1 HIPAA Security Standards that are applicable to Konica Minolta bizhub Multi-Functional Printers...

More information

WHITE PAPER. HIPPA Compliance and Secure Online Data Backup and Disaster Recovery

WHITE PAPER. HIPPA Compliance and Secure Online Data Backup and Disaster Recovery WHITE PAPER HIPPA Compliance and Secure Online Data Backup and Disaster Recovery January 2006 HIPAA Compliance and the IT Portfolio Online Backup Service Introduction October 2004 In 1996, Congress passed

More information

HIPAA: In Plain English

HIPAA: In Plain English HIPAA: In Plain English Material derived from a presentation by Kris K. Hughes, Esq. Posted with permission from the author. The Health Insurance Portability and Accountability Act of 1996 (HIPAA), Pub.

More information

HIPAA Privacy & Security White Paper

HIPAA Privacy & Security White Paper HIPAA Privacy & Security White Paper Sabrina Patel, JD +1.718.683.6577 sabrina@captureproof.com Compliance TABLE OF CONTENTS Overview 2 Security Frameworks & Standards 3 Key Security & Privacy Elements

More information

Technical Safeguards is the third area of safeguard defined by the HIPAA Security Rule. The technical safeguards are intended to create policies and

Technical Safeguards is the third area of safeguard defined by the HIPAA Security Rule. The technical safeguards are intended to create policies and Technical Safeguards is the third area of safeguard defined by the HIPAA Security Rule. The technical safeguards are intended to create policies and procedures to govern who has access to electronic protected

More information

HIPAA Compliance Guide

HIPAA Compliance Guide HIPAA Compliance Guide Important Terms Covered Entities (CAs) The HIPAA Privacy Rule refers to three specific groups as covered entities, including health plans, healthcare clearinghouses, and health care

More information

HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER

HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER With technology everywhere we look, the technical safeguards required by HIPAA are extremely important in ensuring that our information

More information

Supplier Security Assessment Questionnaire

Supplier Security Assessment Questionnaire HALKYN CONSULTING LTD Supplier Security Assessment Questionnaire Security Self-Assessment and Reporting This questionnaire is provided to assist organisations in conducting supplier security assessments.

More information

HIPAA Compliance for the Wireless LAN

HIPAA Compliance for the Wireless LAN White Paper HIPAA Compliance for the Wireless LAN JUNE 2015 This publication describes the implications of HIPAA (the Health Insurance Portability and Accountability Act of 1996) on a wireless LAN solution,

More information

HIPAA Security. 6 Basics of Risk Analysis and Risk Management. Security Topics

HIPAA Security. 6 Basics of Risk Analysis and Risk Management. Security Topics HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 2. Security Standards - Administrative Safeguards 3. Security Standards - Physical Safeguards 4. Security Standards - Technical

More information

Nationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011

Nationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011 Nationwide Review of CMS s HIPAA Oversight Brian C. Johnson, CPA, CISA Wednesday, January 19, 2011 1 WHAT I DO Manage Region IV IT Audit and Advance Audit Technique Staff (AATS) IT Audit consists of 8

More information

Hosting for Healthcare: ADDRESSING THE UNIQUE ISSUES OF HEALTH IT & ACHIEVING END-TO-END COMPLIANCE

Hosting for Healthcare: ADDRESSING THE UNIQUE ISSUES OF HEALTH IT & ACHIEVING END-TO-END COMPLIANCE Hosting for Healthcare: ADDRESSING THE UNIQUE ISSUES OF HEALTH IT & ACHIEVING END-TO-END COMPLIANCE [ Hosting for Healthcare: Addressing the Unique Issues of Health IT & Achieving End-to-End Compliance

More information

For more information on how to build a HIPAA-compliant wireless network with Lutrum, please contact us today! www.lutrum.

For more information on how to build a HIPAA-compliant wireless network with Lutrum, please contact us today! www.lutrum. For more information on how to build a HIPAA-compliant wireless network with Lutrum, please contact us today! www.lutrum.com 844-644-4600 This publication describes the implications of HIPAA (the Health

More information

Security Framework Information Security Management System

Security Framework Information Security Management System NJ Department of Human Services Security Framework - Information Security Management System Building Technology Solutions that Support the Care, Protection and Empowerment of our Clients JAMES M. DAVY

More information

Implementing HIPAA Compliance with ScriptLogic

Implementing HIPAA Compliance with ScriptLogic Implementing HIPAA Compliance with ScriptLogic A ScriptLogic Product Positioning Paper By Nick Cavalancia 1.800.424.9411 www.scriptlogic.com Table of Contents INTRODUCTION... 3 HIPAA BACKGROUND... 3 ADMINISTRATIVE

More information

Huseman Health Law Group 3733 University Blvd. West, Suite 305-A Jacksonville, Florida 32217 Telephone (904) 448-5552 Facsimile (904) 448-5653

Huseman Health Law Group 3733 University Blvd. West, Suite 305-A Jacksonville, Florida 32217 Telephone (904) 448-5552 Facsimile (904) 448-5653 Huseman Health Law Group 3733 University Blvd. West, Suite 305-A Jacksonville, Florida 32217 Telephone (904) 448-5552 Facsimile (904) 448-5653 rusty@husemanhealthlaw.com use e Health care law firm fighting

More information

PCI Data Security and Classification Standards Summary

PCI Data Security and Classification Standards Summary PCI Data Security and Classification Standards Summary Data security should be a key component of all system policies and practices related to payment acceptance and transaction processing. As customers

More information

Privacy Officer Job Description 4/28/2014. HIPAA Privacy Officer Orientation. Cathy Montgomery, RN. Presented by:

Privacy Officer Job Description 4/28/2014. HIPAA Privacy Officer Orientation. Cathy Montgomery, RN. Presented by: HIPAA Privacy Officer Orientation Presented by: Cathy Montgomery, RN Privacy Officer Job Description Serve as leader Develop Policies and Procedures Train staff Monitor activities Manage Business Associates

More information

Securing the FOSS VistA Stack HIPAA Baseline Discussion. Jack L. Shaffer, Jr. Chief Operations Officer

Securing the FOSS VistA Stack HIPAA Baseline Discussion. Jack L. Shaffer, Jr. Chief Operations Officer Securing the FOSS VistA Stack HIPAA Baseline Discussion Jack L. Shaffer, Jr. Chief Operations Officer HIPAA as Baseline of security: To secure any stack which contains ephi (electonic Protected Health

More information

itrust Medical Records System: Requirements for Technical Safeguards

itrust Medical Records System: Requirements for Technical Safeguards itrust Medical Records System: Requirements for Technical Safeguards Physicians and healthcare practitioners use Electronic Health Records (EHR) systems to obtain, manage, and share patient information.

More information

HIPAA Compliance and the Protection of Patient Health Information

HIPAA Compliance and the Protection of Patient Health Information HIPAA Compliance and the Protection of Patient Health Information WHITE PAPER By Swift Systems Inc. April 2015 Swift Systems Inc. 7340 Executive Way, Ste M Frederick MD 21704 1 Contents HIPAA Compliance

More information

Newcastle University Information Security Procedures Version 3

Newcastle University Information Security Procedures Version 3 Newcastle University Information Security Procedures Version 3 A Information Security Procedures 2 B Business Continuity 3 C Compliance 4 D Outsourcing and Third Party Access 5 E Personnel 6 F Operations

More information

HIPAA 203: Security. An Introduction to the Draft HIPAA Security Regulations

HIPAA 203: Security. An Introduction to the Draft HIPAA Security Regulations HIPAA 203: Security An Introduction to the Draft HIPAA Security Regulations Presentation Agenda Security Introduction Security Component Requirements and Impacts Administrative Procedures Physical Safeguards

More information

Ensuring HIPAA Compliance with eztechdirect Online Backup and Archiving Services

Ensuring HIPAA Compliance with eztechdirect Online Backup and Archiving Services Ensuring HIPAA Compliance with eztechdirect Online Backup and Archiving Services Introduction Patient privacy continues to be a chief topic of concern as technology continues to evolve. Now that the majority

More information

FileMaker Security Guide The Key to Securing Your Apps

FileMaker Security Guide The Key to Securing Your Apps FileMaker Security Guide The Key to Securing Your Apps Table of Contents Overview... 3 Configuring Security Within FileMaker Pro or FileMaker Pro Advanced... 5 Prompt for Password... 5 Give the Admin Account

More information