
penelope case management software
PRIVACY AND SECURITY WHITE PAPER
athena software, 1st floor, 33 Dupont Street East, Waterloo, Ontario, Canada N2J 2G8
December 2013

introduction
software as a service (SaaS); easy to use; highly configurable; secure; ready for the enterprise; comprehensive and feature-rich; flexible; well supported

Penelope Case Management Software is a leading mobile client information and practice management (CMS / CIS) system used successfully by a broad range of social service providers, including case management, disability support, mental and behavioral health, domestic violence programs / shelter services, and outreach and education services. Penelope is powerful yet easy-to-use web-based software that can either be installed on your own server or hosted by Athena Software securely on 'the cloud'. Penelope delivers an impressive return on investment by integrating all aspects of your organization's scheduling / calendaring, clinical notes, service planning, service delivery tracking, billing, outcomes evaluation, reporting, referrals, wait-listing and documents management needs in one innovative and intuitive package.

Athena clients around the globe store confidential client information in Penelope that is protected by data privacy and security legislation. Within the US, the majority of Athena's clients are Covered Entities under the HIPAA/HITECH Act, for whom Athena is considered a Business Associate. Data may be protected by PIPEDA in Canada, the Privacy Act 1988 in Australia, the E.U. Data Privacy Directive and/or other statutes.

This document summarizes Athena's Risk Management Framework and describes the administrative, technical and physical safeguards used to ensure the confidentiality, integrity and availability of data stored in Penelope. Included are both the safeguards Athena has put in place as a trusted partner of your organization and the ways in which Penelope can support your organization's efforts to implement secure policies and procedures and meet your legislative requirements.

NOTE: It is up to each organization to ensure that they meet their own legislative requirements and that they are satisfied that the provisions described herein are reasonable and appropriate for their organization.

athena risk management

"We deliver better service with less effort and spend more time with clients and less time on paperwork. Athena case management software was easy to implement and my clinical workers and finance team are thrilled with the results. Every social service agency in the USA needs to understand how to do more with less, especially now, and this is one way we can do our part to help those in need."
John Adams, Community Human Services, Monterey, California, USA

Athena Software uses a comprehensive risk management framework modelled after NIST SP rev1 and NIST SP. A formal risk management team, with IT, R&D and executive management representation, evaluates ongoing audits and incidents, conducts an annual multi-faceted risk assessment and implements the resulting risk response plan. The risk assessment approaches used include threats-based analyses (as per NIST SP r1), business process and information system analyses, and penetration testing for our hosting facilities. Risk owners are also identified within each business unit for monitoring and escalation, impact analysis and reporting to the risk management team.

Athena has also developed a comprehensive set of policies and procedures with accompanying staff training programs that govern all activities relating to the protection of confidential data, including protected health information (PHI). Finally, Athena conducts periodic third party security audits; for example, a security review was conducted by Grant Thornton in

Notes: Athena is continuously improving our practices and security provisions within Penelope, our hosting environments and our business operations, in part to respond to a continuously changing threat environment. As such, Athena's Policies and Practices are subject to change at Athena's discretion; Athena's policy changes will never result in a material reduction in the level of security specified herein.

The level of security described herein also assumes that clients are running up-to-date versions of Penelope and is not claimed for older versions of the software. It is the responsibility of each organization to ensure that their software is up-to-date.

data security
ePHI protection; SaaS security; HIPAA Business Associate; HITECH

This section describes how Athena Software, in its capacity as a trusted partner, Business Associate and Case Management Solution provider, can assist your organization in achieving administrative, physical and technical safeguards that ensure the confidentiality, integrity and availability of your sensitive and protected client data. It is up to each organization to ensure that they meet HIPAA/HITECH or other legislative requirements and that they are satisfied that the provisions Athena/Penelope provides are reasonable and appropriate for their organizational requirements.

Athena Software complies with HIPAA legislation as a Business Associate of Covered Entities. Athena/Penelope's role in assisting your organization in its efforts to be compliant with business and legislative requirements depends on the nature of the services being provided and whether we host your data. If you select the server license model (where Athena does not host your data), then you will benefit from the features and functions within Penelope that help you to become compliant, but many of the physical and technical safeguards required will be the sole responsibility of your organization or its other vendors and Business Associates responsible for data security, and not Athena Software. If Athena Software hosts your database (SaaS license), then your organization will benefit from the technical and physical safeguards afforded by our hosting environment as well as Penelope's security features.

For U.S.-based clients, a Business Associate Agreement is always required for those organizations using our SaaS services, and is also required if you host your own database where Athena accesses your server (e.g. to perform upgrades) or database (e.g. to build documentation) or provides professional services through which it is possible that PHI could be disclosed by your staff to us.

VALUE PROPOSITION: powerful feature set; deep industry knowledge; mobile; extensive configurability; secure; outstanding support; proven track record; advanced architecture; continuous improvement; great value for money; we are dynamic and trusted business partners

ADMINISTRATIVE SAFEGUARDS

Security management process: Athena uses a risk management framework based on the guidelines specified in NIST SP rev1 and conducts comprehensive annual risk assessments following NIST SP and NIST SP rev1. Athena Software has adopted and implemented information security policies and procedures in relation to: management responsibility for security, information asset ownership and classification, physical and logical access security, network, media and O/S security management and control, transmission and authentication, audit and monitoring, inventory, configuration management and change control, risk assessment, mitigation and remediation, vulnerability management, incident reporting and incident management, compliance reporting, workforce security training and sanctions.

Assigned security responsibility: Athena's risk management framework identifies staff responsible for the development and implementation of policies and procedures within each business unit, as well as those responsible for approval processes, compliance monitoring and application of sanctions for noncompliance.

Workforce security: Athena has implemented highly restrictive access policies and procedures based on the principle of Minimum Necessity in our provision of services. Least privilege access rights and secure access procedures are used in the maintenance of servers and application of database upgrades, including controlled use of administrative privileges, encrypted sessions, secure authentication, auditing/monitoring and risk review. Using the principle of minimum necessity means that Athena limits our exposure to protected health information to the minimum necessary to accomplish the intended purpose, and in the majority of instances it is not necessary for us to view or acquire PHI at all while completing authorized service requests.

data security

Penelope can assist your organization with implementing your policies and procedures to ensure that members of its workforce have appropriate access to electronic PHI and prevent those workforce members who do not have access from obtaining access.

Authenticated and configurable user accounts: All staff requiring any level of access to Penelope can have a named user account configured based on need-to-know access. Penelope's concurrent user pricing model ensures that even occasional users can have their own authenticated user account for the system (see technical safeguards below).

Information access management: Athena Software has implemented policies and procedures for authorizing access to ePHI and the databases and servers that store ePHI based on need to know and least privilege. Athena authorizes our staff to perform specific types of service requests based on expertise and security training. Athena collects and stores the names of individuals within our client organizations that are authorized to make security related requests, such as service requests involving use or disclosure of PHI, as well as the individual that is authorized to make technical security related requests, such as Penelope update requests and ODBC access requests. Athena uses a formal authorization and logging process with respect to all services that involve the creation, viewing, deletion or transmission of ePHI, as well as any requested services that require access to your database or server. (See also: Security incident tracking below.)

Security awareness and training: Athena has implemented a security awareness and training program for all members of its workforce (including management). General awareness and customized role-based training is provided to staff as appropriate. Periodic retraining is implemented in response to environmental or operational changes that affect the handling or security of ePHI. In addition, periodic security reminders are sent to staff to facilitate the implementation of policies and procedures, notify staff of any updates to them and implement training/retraining programs. Staff training includes topics covering staff roles in protecting against malicious software, secure password management and monitoring of log-in attempts. Additional one-on-one review is available as desired, and a process is in place to collect feedback and provide clarification. All staff also sign a statement of understanding following training and review of relevant policies and procedures, ensuring that they not only receive training but confirm that they have understood expectations and have read and understood our policies and procedures.

Role-based user groups in Penelope and detailed security classes allow organizations to create and enforce strict access controls both across and within client records. Altering authorized access or terminating access is easily maintained by workforce members with appropriate privileges. Optional ODBC access is also authenticated by user and can be restricted by IP.

data security

Each organization will also need to develop policies and procedures around creating or accessing: (i) attachments in Penelope (which can be downloaded locally to a workstation); (ii) pivot tables and other data queries/export files; (iii) information printed from Penelope. If you host your own Penelope database, you will also need to develop policies and procedures around handling of and access to backups, audit logs and the server configuration files that store access information.

NOTE: user account passwords are encoded and are therefore irretrievable by anyone, irrespective of access rights.

Security incident procedures: Athena has implemented security incident policies and procedures that include detailed logging of all actual and suspected incidents, with breach risk assessment and compliance reporting where applicable as per the specifications in the HIPAA omnibus rule. Athena's security incident tracking includes (but is not limited to) logging of all uses and disclosures of ePHI to or by Athena, whether authorized or not.

Provisions within Penelope applicable to your staff training and awareness program: Part of your staff training and awareness program will include providing best security practice information about creating and protecting secure passwords, avoiding malware, workstation security and login monitoring, among other topics. In addition to the information provided elsewhere in this document, users should be made aware that Penelope monitors all login/logout activity and tracks unsuccessful login attempts. Users are locked out after 5 unsuccessful attempts and accounts must be unlocked by a system administrator. All log-in attempts are logged in the stdout audit log and the user access audit log.

Contingency planning: Athena has developed emergency response and disaster recovery policies and procedures for both non-adversarial (e.g. natural disaster) and adversarial (e.g. vandalism) threats to ePHI stored in databases at our hosting facilities. The policies and procedures include ER/DR exercises with test databases to ensure team readiness in the face of an emergency resulting from a variety of scenarios, and an emergency mode operation plan to ensure business continuity in the face of disruption or disaster. Daily backups of all databases and attachment directories are stored at a secure co-location 4000 km from the production site. Athena's ER/DR plan is reviewed annually as part of our annual risk assessment and also on an ongoing basis in response to any applicable system changes. For self-hosted clients, this standard is the responsibility of the party that maintains the server. Athena is not responsible for maintaining server security or contingency planning. However, Athena does provide information and advice about taking proper Penelope backups and restoring from a backup.

secure; high performing; well supported; minimal setup costs; reliable
- all you need to access the system is a web browser (like Internet Explorer or Firefox)
- there is nothing else to install for users
- no data cache is left on any workstation
- no touch screen devices are required (but can be used if desired)
- excellent reliability / uptime and outstanding performance
- system can be configured to encrypt all data in transit using SSL
- backups can be done online / while system is in use
- ask for a spec sheet on our top tier data centers

data security

Periodic technical and non-technical evaluation: Athena's risk management framework identifies security officials within each business unit responsible for ongoing monitoring of compliance, impact and effectiveness of privacy and security policies and procedures that are developed by the risk management team. Periodic feedback is provided to the risk management team and incorporated into the annual risk assessment, unless more immediate action is deemed appropriate by the team. In addition, all technical changes made by Athena through component upgrades, server environment changes, network configuration and Penelope enhancements are evaluated for their impact on the security of ePHI.

Business associate contracts: Athena provides all U.S. clients that are covered entities under HIPAA with a Business Associate Agreement updated as per the requirements of the HIPAA omnibus rule. Organizations can also provide their own BA Agreement for Athena to review. It is the responsibility of each organization that is a Covered Entity under HIPAA to ensure that there is a Business Associate Agreement in place with Athena where required.

PHYSICAL SAFEGUARDS

Facility access controls: Athena uses the principle of least privilege, which limits physical access to the hosted Penelope servers and the facilities in which they are housed on a strict need-to-know basis. Physical access is centralized to one authorized person, with a few additional staff authorized only under exceptional circumstances (e.g. where required by our contingency plan). Athena's data hosting facilities have many physical safeguards, including staff authentication via multiple methods (e.g. photo ID, retinal scanner), escorted access, video surveillance and networked security cameras (low-light technology). Within the facilities, additional safeguards restrict access to the Penelope servers to Athena staff. Physical access to the facilities occurs for the purposes of installation or support of the servers, and all activities are well documented by Athena. Most access to the facilities occurs via secure remote access rather than physical access (see technical safeguards below).

athena's hosting services

Let us take the worry and stress out of hosting your data. By using our Tier 1 data centres, we can offer a degree of physical security, service redundancy, advanced server configuration, availability and disaster preparedness that is truly world class.

- No need to worry about purchasing, configuring and maintaining a server.
- Tier 1 / Class "A" data centres used by Athena Software feature redundant internet connectivity, redundant power supply (including diesel generator backup), escorted access, advanced temperature control, non-liquid fire suppression and exceptional physical security.
- Penelope can be accessed securely anywhere, anytime on the web. All you need is an internet connection and a web browser (such as Internet Explorer or Firefox) to use Penelope!
- Daily backups securely stored off site (4,000 km away!)
- Server features high performance and high redundancy components and configuration (e.g. redundant power supplies, RAID controllers, disk arrays).
- production servers in a Tier 1 / Class A data centre with ISAE 3402, SSAE 16 (SOC 1 Type 2 and SOC 2 Type 2) and CSAE 3416 certifications
- redundant internet connectivity, redundant power supply (including diesel generator backup), escorted access, advanced temperature control, non-liquid fire suppression, exceptional physical security (e.g. retinal scan authentication)
- high-speed symmetrical broadband bandwidth
- encrypted daily backups and log files stored off-site (4,000 km / 2,500 miles away) in a secure data facility
- industry standard secure data encryption in transit and at rest
- multi-layered access control with highly restricted access
- IDS/IPS and firewall protection with system monitoring and alerts
- virtualized environment
- optional restriction by IP address
- 99.99% uptime over past 5 years
- backend access via secure, authenticated ODBC accounts
- audited access based on principles of least privilege and minimum necessity, occurring over encrypted sessions
- component redundancy, secure configuration and upgrades as available
- vulnerability assessment and penetration testing
- 128-bit SSL encryption with a 2048-bit key, verified by Network Solutions
- firewall configuration, maintenance and monitoring performed by Athena Software
- no additional licensing costs (e.g. for server operating systems or other software)
- easy start up, rapid ramp up time: your version of Penelope will be made accessible to you within one business day of payment
- annual subscription price includes technical support and upgrades

Provisions within Penelope that assist your organization in implementing policies and procedures to ensure the physical security of workstations: Penelope is a browser-based web application. No data is stored on any workstations or mobile devices and no cache is left in the browser. This mitigates the risks of loss or improper disclosure of PHI if a workstation or mobile device is lost or stolen. (ODBC access and external files (downloaded attachments), however, may result in PHI being stored on the workstation.) Penelope also has a lock button that masks the screen if the workstation is in a physical location or orientation that allows unauthorized viewing of the screen (e.g. where someone can walk into a room and see the screen, or where the user leaves the workstation for a brief period in a location that is not private). The lock is released when the user enters their password or logs out. It is up to each organization to use reasonable and appropriate practices to ensure the physical security of the workstations used to access ePHI.

Workstation use: Athena has implemented policies and procedures to ensure the physical security of workstations used to maintain the servers, perform services that may involve ePHI and store access information to Penelope databases. The specific functions, authorized roles, procedures for performing and documenting those functions and the physical environment of the workstations are defined.

Workstation security: Athena's policies and procedures ensure that workstations used to maintain the servers containing ePHI, perform services that may involve the viewing or acquisition of ePHI or store access information to Penelope databases are accessed only by authorized staff using authenticated accounts, both for the workstation itself and for the ePHI or server. Workstations are in locked and alarmed premises only accessible to Athena staff, and sensitive data is stored on encrypted drives.

Device and media controls: Athena has implemented policies and procedures to address the final disposition of ePHI and/or hardware on which it is stored. Unsolicited ePHI sent to Athena is immediately deleted from the staff workstation and removed from the trash. ePHI that is transmitted to us to complete an authorized service request (e.g. data migration) is deleted and permanently removed from the workstation upon service completion. All copies of a Penelope database (including backups and attachments) are deleted from our servers and the disk is scrubbed following termination and acknowledgement that data has been received and can be accessed by the former licensee. All services and other incidents involving deletion of ePHI are documented in detail as per our security incident tracking protocol. If you transmit ePHI to Athena via electronic media, we will delete all ePHI from the media prior to disposal. Athena maintains records of the movements of all hardware and electronic media. A retrievable exact backup copy of Penelope databases containing ePHI is created before any maintenance, upgrades or movement of equipment is performed.

TECHNICAL SAFEGUARDS
access controls; encryption; ePHI; need-to-know permissions; 2-factor authentication

Access controls: Athena's access control and authentication policies and procedures ensure that access to Penelope servers at any of our data facilities is restricted to authorized staff via multi-layered, 2-factor authenticated accounts. ODBC access to Athena-hosted databases to perform a service in response to a written authorized request from your organization is authenticated by name/password and IP. Access to a client-hosted Penelope server and/or access to a client database through the UI (i.e. via a Penelope login account) is provided by, and is therefore the responsibility of, your organization. However, Athena does require minimum secure standards for server access and a secure user account configured based on need-to-know access with secure login credentials for UI access. All access is documented in detail. All access to Penelope servers at our hosting facilities is automatically terminated after a period of inactivity if not manually terminated. ODBC access to Penelope databases on our servers also expires on a predetermined date based on the specific request if not manually terminated. User login sessions to Penelope also terminate after a period of inactivity determined by the organization.

All access to ePHI stored on servers hosted by Athena is encrypted in transit as per Athena's transmission policies and procedures. Access to your hosted database must use SSL encryption; the minimum level of encryption used is 128-bit AES or RC4 with a 2048-bit key. Any data that is transported on physical media from Athena to your organization is encrypted using a minimum of 128-bit AES encryption and requires a lengthy passkey to open, composed of a random mix of alpha-numeric, upper and lower case letters as well as special characters.

If you host Penelope on your own servers, you will be responsible for ensuring that reasonable and appropriate technical safeguards are in place to ensure proper access control.

Provisions within Penelope that assist your organization with implementing technical policies and procedures to allow access only to those persons that have been granted access rights to systems containing ePHI: unique user identification; encryption; passwords; session time-out.

Unique user identification: Penelope login accounts uniquely identify users via a system-generated unique ID number as well as by their login name and password. Organizations determine the login name for each user. Password settings can be configured by an organization to enforce secure standards, including minimum length and the number of letters, numbers and non-alphanumeric characters. Organizations can also implement a password reset schedule.

Encryption: Passwords are encoded (i.e. not stored in clear text and cannot be unencrypted) and are therefore not accessible to anyone, irrespective of access. Within Penelope many screens contain a user login name and timestamp for record creation and modification. Data stored in Penelope databases on Athena's servers is securely encrypted in transit using industry best practice standards. Any data transferred to an Athena client outside of Penelope is encrypted.

Tracking of user actions: All user activities within the system are tracked in a comprehensive chronological stdout audit log.

Access control: Access to information within Penelope is hierarchical, based on need to know, and alterations to access can easily be made by users with the appropriate authorization. As such, access to client records in an emergency, for example, can be accomplished via escalation or alterations in account permissions. Penelope user sessions are automatically terminated after a period of inactivity set by the organization through a combination of system and server configuration settings.
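The account-level provisions described here and under "Security incident procedures" above (named accounts with a system-generated ID, configurable password complexity, one-way password storage, lockout after 5 unsuccessful attempts that only a system administrator can clear, inactivity time-outs, and a chronological log of every login attempt) fit together as one small mechanism. The Python sketch below is an added illustration written for this copy of the white paper; it is not Penelope's code. The class and function names, the PBKDF2 parameters, the default policy thresholds, and the sample accounts and timestamps are constructed assumptions.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 5      # locked out after 5 unsuccessful attempts, as the white paper states
PBKDF2_ROUNDS = 100_000    # assumed cost parameter; not a value from the white paper


def check_password_policy(password, min_length=10, min_letters=1, min_digits=1, min_special=1):
    """Return the list of policy violations; an empty list means the password is acceptable.
    The thresholds are assumed defaults standing in for an organization's own settings."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if sum(c.isalpha() for c in password) < min_letters:
        problems.append(f"fewer than {min_letters} letters")
    if sum(c.isdigit() for c in password) < min_digits:
        problems.append(f"fewer than {min_digits} digits")
    if sum(not c.isalnum() for c in password) < min_special:
        problems.append(f"fewer than {min_special} non-alphanumeric characters")
    return problems


def hash_password(password, salt=None):
    """Salted one-way hash: the stored value cannot be turned back into the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


class LoginService:
    """Toy login service: hashed passwords, lockout, administrator unlock, audit log, idle timeout."""

    def __init__(self, inactivity_timeout=timedelta(minutes=20)):
        self.accounts = {}    # login name -> account record
        self.sessions = {}    # session token -> {"login": ..., "last_activity": datetime}
        self.audit_log = []   # chronological (timestamp, event, login, detail) tuples
        self.next_id = 1      # system-generated unique user ID
        self.inactivity_timeout = inactivity_timeout

    def _audit(self, event, login, detail, now):
        self.audit_log.append((now.isoformat(), event, login, detail))

    def create_account(self, login, password, now, is_admin=False):
        problems = check_password_policy(password)
        if problems:
            raise ValueError("password rejected: " + "; ".join(problems))
        salt, digest = hash_password(password)
        self.accounts[login] = {"id": self.next_id, "salt": salt, "digest": digest,
                                "failures": 0, "locked": False, "is_admin": is_admin}
        self.next_id += 1
        self._audit("account_created", login, f"id={self.accounts[login]['id']}", now)

    def login(self, login, password, now):
        """Return a session token on success, None on failure; every attempt is logged."""
        acct = self.accounts.get(login)
        if acct is None:
            hash_password(password, b"\x00" * 16)   # keep timing similar for unknown names
            self._audit("login_failed", login, "unknown account", now)
            return None
        if acct["locked"]:
            self._audit("login_refused", login, "account locked; administrator unlock required", now)
            return None
        _, digest = hash_password(password, acct["salt"])
        if not hmac.compare_digest(digest, acct["digest"]):
            acct["failures"] += 1
            if acct["failures"] >= LOCKOUT_THRESHOLD:
                acct["locked"] = True
                self._audit("account_locked", login, f"{acct['failures']} consecutive failures", now)
            else:
                self._audit("login_failed", login, f"failure {acct['failures']} of {LOCKOUT_THRESHOLD}", now)
            return None
        acct["failures"] = 0
        token = os.urandom(16).hex()
        self.sessions[token] = {"login": login, "last_activity": now}
        self._audit("login_ok", login, f"session={token[:8]}", now)
        return token

    def admin_unlock(self, admin_login, login, now):
        """Only an administrator account may clear a lockout; the unlock itself is logged."""
        admin = self.accounts.get(admin_login)
        if admin is None or not admin["is_admin"]:
            self._audit("unlock_refused", admin_login, f"not an administrator (target={login})", now)
            raise PermissionError("administrator privileges required")
        acct = self.accounts[login]
        acct["locked"], acct["failures"] = False, 0
        self._audit("account_unlocked", login, f"by {admin_login}", now)

    def touch_session(self, token, now):
        """Return the session's login name if still active; terminate it if idle too long."""
        sess = self.sessions.get(token)
        if sess is None:
            return None
        if now - sess["last_activity"] > self.inactivity_timeout:
            del self.sessions[token]
            self._audit("session_timeout", sess["login"], f"session={token[:8]}", now)
            return None
        sess["last_activity"] = now
        return sess["login"]


def demo():
    """Scripted scenario on constructed sample accounts: five bad guesses lock the account,
    an administrator unlocks it, the real password then works, and an idle session expires."""
    svc = LoginService(inactivity_timeout=timedelta(minutes=20))
    t0 = datetime(2013, 12, 2, 9, 0, 0)
    svc.create_account("sysadmin", "Adm1n-Passw0rd!", t0, is_admin=True)
    svc.create_account("jsmith", "Clin1cal-N0tes!", t0)
    attempts = [svc.login("jsmith", "wrong-guess", t0 + timedelta(seconds=i)) for i in range(5)]
    refused = svc.login("jsmith", "Clin1cal-N0tes!", t0 + timedelta(seconds=6))  # correct, but locked
    svc.admin_unlock("sysadmin", "jsmith", t0 + timedelta(minutes=1))
    token = svc.login("jsmith", "Clin1cal-N0tes!", t0 + timedelta(minutes=2))
    active = svc.touch_session(token, t0 + timedelta(minutes=10))
    expired = svc.touch_session(token, t0 + timedelta(minutes=40))
    return {"failed_attempts": attempts.count(None), "locked_refused": refused is None,
            "login_ok": token is not None, "active": active, "expired": expired,
            "events": [entry[1] for entry in svc.audit_log]}


if __name__ == "__main__":
    for event in demo()["events"]:
        print(event)
```

Two details matter for a reviewer: the lockout counter is checked before the password is verified, so a locked account refuses even the correct password until an administrator intervenes, and the audit log records refusals, lockouts and unlocks as distinct events so that the "user access audit log" the white paper mentions can be searched for them.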

Provisions within Penelope that assist your organization in auditing access to and within Penelope: A stdout chronological audit log tracks all activities occurring within a Penelope database. Additional login/logout audit logs summarize user login activities, including successful and failed login attempts. Within Penelope, record creation and last modification is often displayed on screen in the form of a user login name and date/time stamp.

Audit controls: Athena has implemented audit controls on our servers that record and examine the activity in information systems that contain ePHI. Multiple controls have been implemented to track both authorized and unauthorized or suspicious activities. Audit logs track backend access via postgres user accounts and front end access via activity logs. Detailed records of incidents involving access to ePHI, databases storing PHI and servers housing information systems with PHI are also kept.

Data integrity: Athena has implemented policies and procedures to protect ePHI from improper alteration or destruction and to verify that a person or entity seeking access to ePHI is the one claimed. Electronic mechanisms are in place to corroborate that ePHI has not been altered or destroyed in an unauthorized manner. In the event that a request is made of Athena to reset a password for a system administrator account where no staff have access to create accounts or log in as a system administrator, Athena's policies and procedures require staff to obtain written authorization from the organization's documented HIPAA or designated security official, via their organizational account on file, to verify that the person seeking access to Penelope is the one claimed. Athena also requires that all ODBC accounts are authorized by the documented HIPAA or designated security official on file and that all accounts are named, password protected and restricted to the external IP of the site requiring access.

Transmission security: Athena has implemented technical security measures to guard against unauthorized access to ePHI that is being transmitted over an electronic communications network. Data integrity controls are in place to ensure that electronically transmitted ePHI is not improperly modified without detection. A security certificate from a valid signing authority verifies the connection to the appropriate server. All data is encrypted in transit using a minimum of 128-bit AES encryption. Data is also encrypted at rest on HIPAA servers. Data may be temporarily stored on Athena staff workstations as required to complete an authorized service request. Athena's policies and procedures ensure that any data temporarily on Athena client machines remains within Athena's secure network and is stored on an encrypted drive.

Provisions within Penelope that assist your organization in ensuring that ePHI is not improperly altered or destroyed and that the person seeking access to ePHI is the one claimed: authentication; deletion controls; locks; referential integrity controls; date/time stamps.

Penelope authenticates users via password-protected user accounts and provides an audit trail for all activities within the system. On-screen user and date/time stamps are available in many areas of the program. In addition, for notes, documents, letters, surveys, assessments and other clinical documentation, information can be locked, with the name of the user(s) that created and locked the information displayed on the screen with a date/time stamp. Copies and revisions can be created while retaining the original non-modifiable version. Digital signature functionality is available for documentation that corroborates the user that completed the form and, if desired, a manager or supervisor that reviewed the information. Deletion passwords can be set for key components of health records. Penelope has also been designed with robust referential integrity that assists in protecting against inadvertent or malicious deletion of data.

Within Penelope, user access is authenticated by login and password. It is recommended that login names identify the user (as these are often displayed on screen for users that created or last modified records) and that passwords are complex. The default password settings enforce strong passwords; however, it is up to each organization to apply password restrictions that are consistent with their own policies and procedures.

data privacy
privacy of individually identifiable health information; incident policies; disclosure protection; privacy controls; ePHI; HIPAA / omnibus rule

Athena Software is highly committed to ensuring that protected health information remains confidential and is not viewed, acquired or otherwise accessed by any Athena staff except in response to a specific authorized request from your organization or otherwise as required by law. Athena Software's Business Associate Agreement defines permitted and non-permitted uses and disclosures of protected health information based on the principle of Minimum Necessity. These terms form our standard practices irrespective of jurisdiction. As such, data is not used or disclosed by Athena staff except as authorized by your organization to perform specific service requests or as required by law.

Furthermore, all incidents that involve either a use or disclosure of ePHI to or by Athena staff, as well as all activities involving access to information systems that store ePHI, are tracked by Athena as per the security incident tracking and breach assessment requirements of the HIPAA omnibus rule, allowing for timely and accurate accounting of disclosures of PHI for all clients, irrespective of jurisdiction. It is up to each organization to ensure that their staff comply with organizational policies and procedures in their interactions with Athena Software. However, Athena supports your efforts by logging any incidental or otherwise unauthorized uses and disclosures to Athena by staff or third parties associated with your organization in our security incident tracking tool.

Still have questions? Please do not hesitate to contact us with questions or concerns about Athena's security and privacy standards. We will be pleased to provide additional information as appropriate. For additional information, please contact our risk management team at:


More information

Estate Agents Authority

Estate Agents Authority INFORMATION SECURITY AND PRIVACY PROTECTION POLICY AND GUIDELINES FOR ESTATE AGENTS Estate Agents Authority The contents of this document remain the property of, and may not be reproduced in whole or in

More information

HIPAA COMPLIANCE AND

HIPAA COMPLIANCE AND INTRONIS CLOUD BACKUP & RECOVERY HIPAA COMPLIANCE AND DATA PROTECTION CONTENTS Introduction 3 The HIPAA Security Rule 4 The HIPAA Omnibus Rule 6 HIPAA Compliance and Intronis Cloud Backup and Recovery

More information

Keyfort Cloud Services (KCS)

Keyfort Cloud Services (KCS) Keyfort Cloud Services (KCS) Data Location, Security & Privacy 1. Executive Summary The purposes of this document is to provide a common understanding of the data location, security, privacy, resiliency

More information