Complying with 45 CFR 164 HIPAA Security Standards; Final Rule


Implement best practices by using FileMaker Pro 7 as the backbone of your HIPAA compliant system.

By Todd Duell

This final rule adopts standards for the security of electronic protected health information to be implemented by health plans, health care clearinghouses, and certain health care providers, otherwise known as covered entities. The use of the security standards will improve the Medicare and Medicaid programs and other Federal health programs, and the effectiveness and efficiency of the health care industry in general, by establishing a level of protection for certain electronic health information.

The Final Rules to consider for your HIPAA compliant systems are 21 CFR 11 and 45 CFR 160, 162, and 164. The Electronic Records and Signatures Rule, 21 CFR 11, became effective on August 20. Although not specifically mentioned by the HIPAA standards, it provides specific details that apply directly to the audit trail required by HIPAA. The Rule is really about good software development practices, which will certainly help any project of this nature. The HIPAA Rules, 45 CFR 160, 162, and 164, become effective on April 21. Compliance with the rule takes effect for covered entities, with the exception of small health plans, by April 21. Small health plans must comply with the requirements of this final rule by April 21.

With such a short time period in which to implement a HIPAA compliant system, this white paper will discuss how FileMaker Pro 7 can be used to comply with all the required and addressable HIPAA Security Rules. The vast majority of the Rules will create new procedures, policies, SOPs (standard operating procedures), and training for your organization. This means that you as the business owner and operator will have a significant amount of work to perform. This is not a project that you hand off to your IT department and software vendor and expect a 100% compliant system in return. It is a project in which you collaborate with your IT department and software vendor to determine the best practices for your organization. From there, each group will implement the technical, physical, and administrative requirements that directly affect their role in the development and implementation of the software and compliance program.

Todd Duell is the Vice President & CIO of Formulations Pro, Inc. and has been creating powerful commercial and custom solutions using FileMaker Pro. He holds an MBA in Technology Management, is a Certified FileMaker Pro 7 Developer, and has been an Associate member of the FileMaker Solutions Alliance. Todd may be reached at tduell@formulationspro.com

Copyright 2004 Formulations Pro, Inc. All rights reserved.

Technical: Access Control (a)(1)

Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in (a)(4).

FileMaker Pro 7 has built-in account authentication and privileges that control access to the files based on a user name and encrypted password (Figure 1). The developer should also implement account administration scripts that allow controlled access to add and delete accounts, reset and change passwords, enable and disable accounts, and re-login to the system.

Technical: Unique User Identification (a)(2)(i)

Assign a unique name and/or number for identifying and tracking user identity.

FileMaker Pro's internal account authentication will only allow the creation of unique account names. By using the Get(AccountName) function in scripts, or the built-in Creation Account Name or Modification Account Name field options to log user activity, FileMaker Pro 7 is more than capable of identifying and tracking the user's identity (Figure 2).

Figure 1: Accounts and Privileges. Users are authenticated by FileMaker, Active Directory, or Open Directory.

Technical: Emergency Access Procedure (a)(2)(ii) and Software Developer

Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.

Every FileMaker Pro 7 solution is required to have an Admin account with full access to the system. The developer may choose to provide either a separate account and password for unrestricted access to the data, as may be the case for commercial software, or the master account name and password that grants the business owner unrestricted access to the software, as may be the case for custom software development.

Technical: Audit Controls (b)

Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.

This Rule is essentially the same as the audit trail outlined in 21 CFR 11, whereby changes to the data in the records are maintained in a log file. This requires custom programming for FileMaker Pro 7. Logged changes should include a timestamp, the account name, the original data and what it was changed to, the record identification number, and the field or layout identification. The log files must be searchable. The log files must be maintained for as long as the data is required to be retained; this means that log files cannot be overwritten or deleted. Formulations Pro has well-established best practices to implement a robust audit trail.

Figure 2: User Identity. Users can be identified through logs and scripts by their account name.

Technical: Integrity (c)(1) and Software Developer

Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.

The developer should take the time to create the software to match the workflow of the business. By providing features such as logical tab orders, pop-up menus, and controlled access to specific areas of the software, improper alteration of the information can be minimized. One issue must be made extremely clear: data entry errors are the combined result of a poor software user interface and a lack of training. Because of these human elements, data entry errors cannot be completely eliminated from any software system; they can only be minimized. However, removing access to delete records can prevent the improper destruction of data.

Technical: Person or Entity Authentication (d)

Implement procedures to verify that a person or entity seeking access to electronic health information is the one claimed.

As mentioned in the section on Unique User Identification, FileMaker Pro 7 uses industry standard methods to authenticate users. You can either use the built-in account name and encrypted password or use external authentication with Open Directory or Active Directory.

Technical: Transmission Security (e)(1)

Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.

FileMaker Pro 7's network settings allow you to implement a system that limits access to the files over the network. You can specify users based on their privilege set (Figure 3). If the user is not in the privilege set, they will not be able to view the file in the network (host) dialog box nor access the system via any means such as ODBC, JDBC, Mobile, FMNet, IWP, etc.

Figure 3: Network Access. FileMaker Pro 7 can limit the access of users trying to access the system.

Technical: Automatic Logoff (a)(2)(iii)

Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.

FileMaker Pro 7 and FileMaker Server 7 can be used in conjunction to set the amount of inactive time before disconnecting a user from the system (Figure 4). How long you allow the user to be inactive depends on your environment. For example, if you are in a hospital where unauthorized individuals may have access to unattended computers, you may want to set the idle time to 1 to 3 minutes. If you are in an office setting where unauthorized individuals never have access to the software, a more appropriate amount of inactive time may be 90 minutes. In either case, it's always a good idea to log off users after some period of inactivity to free up network traffic and reduce the total number of users accessing FileMaker Server 7.

Figure 4: Idle Time. Set the idle disconnect time to match the environment in which your business operates.

Technical: Encryption and Decryption (a)(2)(iv)

Implement a mechanism to encrypt and decrypt electronic protected health information.

Although encryption is addressable, FileMaker Server 7 has a built-in encryption capability that can be turned on with one click (Figure 5). It uses a state-of-the-art Triple-DES cipher and HMAC-SHA1 algorithm to encrypt the data from FileMaker Server 7 to FileMaker Pro 7 and IWP clients. If you are using custom web publishing, you will need to implement additional SSL encryption on your Apache or IIS web server.

Figure 5: Encryption. Turn on encryption with one click of the mouse. Enabling encryption is the only function that requires you to restart the service.

Technical: Mechanism to Authenticate Electronic Protected Health Information (d)(2)

Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.

FileMaker Pro 7 can be utilized to track the creation and modification account name and timestamp for every record. By combining the modification information with a log file (audit trail) and scripting that manages access to edit and delete records, you can easily implement a mechanism to authenticate the data.

Technical: Integrity Controls (e)(2)(i)

Implement security measures to ensure that transmitted electronic protected health information is not improperly modified without detection until disposed of.

Using a client-server system on your local area network with FileMaker Server 7 and FileMaker Pro clients, there is no risk of transmitted data being improperly modified without detection. If the data is being transmitted over a wide area network, it is highly advisable to use virtual private network (VPN) security to protect the data while it is outside your network. If data is being transmitted over the Internet via a web browser, SSL should be used to encrypt the data.

Technical: Encryption (e)(2)(ii)

Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.

As shown in Figure 5, FileMaker Server 7 can enable encryption with one click of the mouse. In most firewall-protected LAN settings, encryption may be overkill in terms of security requirements. In WAN connections where VPN is not used, the encryption function of FileMaker Server 7 should be turned on. For Internet access, SSL should be enabled on your web server.
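The audit trail described under Audit Controls (b) and the data-authentication mechanism under Mechanism to Authenticate (d)(2) can be sketched in a few dozen lines. The Python below is an added example written for this edition; it is not code from the white paper, from Formulations Pro, or from FileMaker, and it does not show FileMaker scripting. It keeps exactly the fields the text lists (timestamp, account name, original and new value, record and field identification), makes the log append-only and searchable, and adds a SHA-256 hash chain so that an altered or removed entry is detectable. The hash chain, the sample account names, and the record values are this example's own assumptions.

```python
from __future__ import annotations
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash carried by the very first entry


@dataclass(frozen=True)
class AuditEntry:
    timestamp: str    # ISO 8601, UTC
    account: str      # authenticated account name (what Get(AccountName) returns in FileMaker)
    record_id: str    # identifier of the record touched
    field: str        # field or layout that changed ("*" for a whole record)
    old_value: str
    new_value: str
    action: str       # "create", "modify" or "delete"
    prev_hash: str    # entry_hash of the previous entry; this links the chain
    entry_hash: str   # SHA-256 over every other field


def _digest(body: dict) -> str:
    # Canonical JSON so the hash does not depend on key order.
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class AuditTrail:
    """Append-only log: there is deliberately no update or delete method."""

    def __init__(self) -> None:
        self._entries: list[AuditEntry] = []

    def append(self, account: str, record_id: str, field: str, old_value: str,
               new_value: str, action: str, when: datetime | None = None) -> AuditEntry:
        when = when or datetime.now(timezone.utc)
        body = {
            "timestamp": when.isoformat(), "account": account, "record_id": record_id,
            "field": field, "old_value": old_value, "new_value": new_value, "action": action,
            "prev_hash": self._entries[-1].entry_hash if self._entries else GENESIS,
        }
        entry = AuditEntry(**body, entry_hash=_digest(body))
        self._entries.append(entry)
        return entry

    def entries(self) -> list[AuditEntry]:
        return list(self._entries)

    def search(self, **criteria: str) -> list[AuditEntry]:
        """The log must be searchable: exact match on any combination of fields."""
        return [e for e in self._entries
                if all(getattr(e, k) == v for k, v in criteria.items())]


def verify_chain(entries: list[AuditEntry]) -> tuple[bool, int]:
    """Recompute every hash and link. Returns (ok, index of first bad entry or -1)."""
    prev = GENESIS
    for i, e in enumerate(entries):
        body = asdict(e)
        body.pop("entry_hash")
        if e.prev_hash != prev or _digest(body) != e.entry_hash:
            return False, i
        prev = e.entry_hash
    return True, -1


def build_sample_trail() -> AuditTrail:
    """Constructed sample activity (assumed names and values, not real data)."""
    t = AuditTrail()
    base = datetime(2004, 3, 1, 8, 15, tzinfo=timezone.utc)
    t.append("jdoe", "1001", "diagnosis", "", "J45.20", "create", base)
    t.append("jdoe", "1001", "diagnosis", "J45.20", "J45.30", "modify", base.replace(hour=9))
    t.append("admin", "1002", "*", "<record>", "", "delete", base.replace(hour=17))
    return t


if __name__ == "__main__":
    trail = build_sample_trail()
    print(verify_chain(trail.entries()))
    for e in trail.search(account="jdoe"):
        print(e.timestamp, e.action, e.record_id, e.field, e.old_value, "->", e.new_value)
```

Because each entry commits to the hash of the one before it, editing a stored value or removing an entry breaks the chain at that index, which is what (d)(2) asks you to be able to corroborate. In a FileMaker deployment the same fields would be written by the edit and delete scripts, with the chain check run as part of the periodic review.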

Workstation Use (b) and Software Developer

Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information.

The business owner must specify which types of devices they wish to have access to the software. For example: computers accessing the software over the LAN or WAN with FileMaker Pro clients, client computers or servers with ODBC or JDBC access, intranet web browsers with IWP, Internet web browsers with custom web publishing, and/or personal digital assistants with FileMaker Mobile. Once these communication sources have been determined, FileMaker Pro can manage the extended privileges to selectively grant or deny access to any of these sources for each individual account (Figure 6).

Figure 6: Extended Privileges. Enable or disable access for individual users to the desired entry points.

Workstation Security (c)

Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users.

All companies should upgrade to Windows 2000 Professional, Windows XP Professional, and/or Mac OS X. All of these operating systems utilize account authentication as part of the core operating system. For more advanced networks you may also utilize Active Directory or Open Directory to authenticate users with a single sign-on authentication scheme that selectively allows users access to the various parts of your network and enterprise applications. In all cases, a minimum of login authentication at the operating system level should be implemented. FileMaker Pro 7 can also be utilized for user authentication with either the built-in account name and password login or with external authentication (Figure 7).
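The Workstation Use section describes deciding which entry points (FileMaker Pro client, ODBC/JDBC, IWP, custom web publishing, FileMaker Mobile) each account may use. The Python below is an added example written for this edition, not code from the white paper, from Formulations Pro, or from FileMaker: it models privilege sets carrying per-entry-point extended privileges and makes a deny-by-default decision for each connection attempt. The entry-point labels, privilege set names, and account names are this example's own assumptions and are not FileMaker's internal keywords.

```python
from __future__ import annotations
from dataclasses import dataclass

# Channels an account can be granted (labels assumed for this example).
ENTRY_POINTS = frozenset({"fmapp", "odbc_jdbc", "iwp", "cwp", "mobile"})


@dataclass(frozen=True)
class PrivilegeSet:
    name: str
    extended: frozenset[str]          # entry points granted to members of this set
    can_delete_records: bool = False  # Integrity (c)(1): withhold delete by default


@dataclass
class Account:
    name: str
    privilege_set: str
    active: bool = True               # a disabled account keeps its set but is refused


class AccessPolicy:
    def __init__(self) -> None:
        self._sets: dict[str, PrivilegeSet] = {}
        self._accounts: dict[str, Account] = {}

    def add_privilege_set(self, ps: PrivilegeSet) -> None:
        unknown = ps.extended - ENTRY_POINTS
        if unknown:
            raise ValueError(f"unknown entry points: {sorted(unknown)}")
        self._sets[ps.name] = ps

    def add_account(self, acct: Account) -> None:
        if acct.privilege_set not in self._sets:
            raise ValueError(f"privilege set {acct.privilege_set!r} does not exist")
        if acct.name in self._accounts:
            raise ValueError(f"account {acct.name!r} already exists")  # names stay unique
        self._accounts[acct.name] = acct

    def set_active(self, name: str, active: bool) -> None:
        self._accounts[name].active = active

    def may_connect(self, account_name: str, entry_point: str) -> bool:
        """Deny by default: unknown account, disabled account or unknown channel all refuse."""
        acct = self._accounts.get(account_name)
        if acct is None or not acct.active or entry_point not in ENTRY_POINTS:
            return False
        return entry_point in self._sets[acct.privilege_set].extended

    def may_delete(self, account_name: str) -> bool:
        acct = self._accounts.get(account_name)
        return bool(acct and acct.active and self._sets[acct.privilege_set].can_delete_records)

    def access_matrix(self) -> dict[str, list[str]]:
        """Per-account list of permitted entry points, for the periodic access review."""
        return {n: sorted(ep for ep in ENTRY_POINTS if self.may_connect(n, ep))
                for n in sorted(self._accounts)}


def build_sample_policy() -> AccessPolicy:
    """Constructed sample (assumed roles and accounts, not from the paper)."""
    p = AccessPolicy()
    p.add_privilege_set(PrivilegeSet("clinician", frozenset({"fmapp"})))
    p.add_privilege_set(PrivilegeSet("field_nurse", frozenset({"fmapp", "mobile"})))
    p.add_privilege_set(PrivilegeSet("billing_integration", frozenset({"odbc_jdbc"})))
    p.add_privilege_set(PrivilegeSet("records_admin", frozenset({"fmapp"}), can_delete_records=True))
    p.add_account(Account("jdoe", "clinician"))
    p.add_account(Account("nlee", "field_nurse"))
    p.add_account(Account("billing_svc", "billing_integration"))
    p.add_account(Account("admin", "records_admin"))
    return p


if __name__ == "__main__":
    policy = build_sample_policy()
    for account, channels in policy.access_matrix().items():
        print(f"{account:12s} {', '.join(channels) or '(none)'}")
```

The point of `access_matrix` is the review step the paper keeps returning to: a manager can see at a glance that the billing integration account can only reach the system over ODBC/JDBC, and that a disabled account has no channels at all, without reading each privilege set.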

Figure 7: Login Authentication. FileMaker Pro systems require either manual login with a valid account name and password or external authentication with Active Directory or Open Directory.

Device and Media Controls (d)(1)

Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility.

Any floppy disks, CDs, DVDs, tape drives, hard drives, etc. that hold protected health information should only be handled by authorized individuals. The data on these media will in most cases be in machine-readable format. In other words, unless the data on these media is encrypted, anyone with the hardware and software to read these devices may have access to decipher the data. Therefore, Formulations Pro has several recommendations for media handling.

First, do not allow protected health information to be exported from the software and taken off site for activities such as data analysis and reports. Second, data exported from the system must be stored on approved media that is labeled as HIPAA protected information. This media should be used on a check-out and check-in basis to control the location of and accountability for the media. Third, all used, unused, and back-up media should be stored in a secure, locked cabinet, with accountability for the individuals that have access to the media. The same holds true for media that is stored off site for disaster contingency plans. Fourth, if the media is taken to a company that specializes in data recovery, they should be required to sign a non-disclosure agreement and be informed that the material they are working with contains protected health information. You may wish to specify that any of their hardware or software used in the process of recovering your data be erased after the data recovery has been performed, and that they may not retain back-up copies.

Disposal (d)(2)(i)

Implement policies to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored.

This policy applies not only to your server and back-up media, but also to the client computers that have been used to access the protected health information. Any time a client computer is transferred to a different employee or disposed of, the hard drive should be securely erased. Since data may be recovered from drives that have merely been erased, the preferred method is a secure deletion tool such as those provided by the Partition Magic software from Symantec or the built-in Secure Delete in OS X. Since CDs and DVDs may not be re-writable, so that the data cannot be securely deleted, your policy should specify that these types of media must be physically destroyed. There are devices similar to paper shredding machines that will allow you to destroy these media.

Media Re-use (d)(2)(ii)

Implement policies and procedures for removal of electronic protected health information from electronic media before the media are made available for re-use.

As mentioned above, there is commercially available software that will allow you to securely delete the media before it is re-used. However, this does not mean that you must securely delete the media every time it is used for server back-ups. Securely deleting back-ups that are multiple terabytes in size could take a substantial amount of time. The intent of this policy applies when the media is being transferred between individuals or intended uses; in these cases the data must be securely deleted. We recommend that the media be labeled for its intended use and identified as to whether secure deletion is required upon transfer to a new user or purpose.

Facility Access Controls (a)(1)

Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.

Access control can be as simple as a lock on the door to the server room, or more exotic biometric or electronic card access protection systems whereby user access into and out of the server room and/or to specific server racks is logged. This is an area where we recommend that you determine, through risk and budget analysis, the extent of the technology that you believe should be implemented to control access to the server room.

Contingency Operations (a)(2)(i) and Software Developer

Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.

This simply means that more than one person should know how to access the server room and back-up media and how to perform the data recovery procedures. For companies with only one IT person or outsourced IT support, the power user or person responsible for overseeing the software should be responsible for knowing how to perform these procedures. Your disaster recovery SOP should detail the exact steps required to restore the data.

Facility Security Plan (a)(2)(ii)

Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.

This is a policy that details the company's plan to secure the server room, protected media and equipment, and protection against tampering with the servers. Implementing account names and passwords for network access to the servers can minimize tampering with the servers. Account names and passwords should only be given to people that are authorized to access the server through the network. Although theft of equipment cannot be entirely prevented, many companies use a combination of locked equipment rooms with limited access, permanent property tags on the equipment, and inspections by the security staff of all bags, briefcases, and containers that are leaving the premises. One easy-to-implement technology is magnetic security tags placed on or inside protected equipment. If the equipment passes a detector, the alarm will sound to alert security.

Access Control and Validation Procedures (a)(2)(iii) and Software Developer

Implement procedures to control and validate a person's access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.

Many companies have security badges that grant employees and visitors access to specific areas of the company. Some software programs can also log the entry and exit time and location of the employee for review at any time.
In the case of server access, FileMaker Server 7 has the ability to monitor the activity of employees accessing the server as well as many other performance statistics (Figure 8). To protect the server against unauthorized upgrades of hardware, software, and drivers, and changes to critical settings, the server should be controlled by the Quality Assurance change management policy. What is controlled should be dictated by best practices rather than the fear of change. For example, any change that would require the restart of the server and interrupt services should be approved and communicated to the users prior to performing the procedure. The reason for this is two-fold: to review the impact of the change and to prevent unintended data loss. In the case of FileMaker Server 7, the only change that would require prior approval would be changing the setting for encryption, which requires a restart of the server. All other settings can be changed on the fly without any consequences to the databases being served. For example, you can add more files, close files, change RAM settings, manually start backups, change the number of guests that can access the server, etc.

Figure 8: Clients. FileMaker Server 7 can monitor real-time clients and server statistics.

Maintenance Records (a)(2)(iv)

Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors, and locks).

Even your facilities group and/or contractors are not immune to your Quality Control department. All changes as specified must be documented by Quality Control.

Accountability (d)(2)(iii)

Maintain a record of the movements of hardware and electronic media and any person responsible therefore.

As mentioned above, all controlled media should be marked appropriately and handled on a check-out and check-in basis. Critical materials that contain protected health information should not leave the facility without approval.

Data Backup and Storage (d)(2)(iv)

Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment.

Before you swap hard drives or change servers, you should first back up the data. This ensures that if there is a problem with the move you can restore the data to its original state. Although this is addressable, it should be a common practice.

Security Management Process (a)(1)(i)

Implement policies and procedures to prevent, detect, contain, and correct security violations.

To prevent security violations you can place locks, security cards, or biometric devices on all physical access routes to the server room. On the server you can require that only the administrator know the account name and password to access the server. Unauthorized users should never be given the account name and password to the server. Accessing the database through FileMaker Server 7 should require both an account name and password to log into the file, or implement Active Directory or Open Directory account authentication.

To detect security violations you can use the logging capabilities of FileMaker Server 7, the core operating system, or your network hardware.

To contain security breaches you can create strategies with multiple firewalls between systems to limit intruders from getting to other areas of your network. For example, if you are hosting FileMaker Server 7 via custom web publishing, you might have a static IP address dedicated to that server. With the server sitting behind a dedicated router and firewall, and the router not connected to the rest of the local area network, you can contain a security breach to only that server. Thus, you must perform risk analysis and devise an appropriate strategy to protect your system and your network, while still allowing for appropriate administration and access to the system.

The correction of security violations usually comes after the violation has been discovered. In the meantime, implementing best practices and securing your network should prevent or limit the risk of a security problem.

Risk Analysis (a)(1)(ii)(A) and Software Developer

Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.

Risk analysis and contingency plans should be considered for every required and addressable section of the HIPAA Rule. For example, if your database is only accessed on your local area network, the risk that the data will be corrupted, unknowingly modified, or captured by a hacker is extremely low. Thus, you might justify that encryption of the data using FileMaker Server 7 is unnecessary. Performing risk analysis and creating contingency plans is not about labeling everything as a problem. It is used to aid you in focusing your budget and effort on the critical items, while still understanding and addressing the noncritical items.

Risk Management (a)(1)(ii)(B)

Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with (a).

This is a high-level requirement for this section. If you comply with the other parts of the Rule you will in essence comply with Risk Management:

(1) You must ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.
(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
(3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under (E).
(4) Ensure compliance with this subpart by its workforce. This means that you must provide the users with training and monitor their use of the system.

Sanctioning Policy (a)(1)(ii)(C)

Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity.

Because non-compliance is enforced with stiff monetary and jail-time penalties, we highly suggest that your sanctioning policy be immediate termination of employees that intentionally fail to comply with your policies. To ensure that management communicates the policies to the employees, we also recommend immediately terminating the direct manager or supervisor who fails to provide appropriate initial and on-going training and education prior to granting access to the employee.

Information System Activity Review (a)(1)(ii)(D) and Software Developer

Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.

The audit trail created as a part of your system is the first place to review who has created, modified, and deleted records in the system. Managers should have ready access to the audit trail to run reports on a daily, weekly, monthly, or ad-hoc basis. Other areas to review are the FileMaker Server 7 log file, access logs for the server, and any reports from your network hardware logs.

Assigned Security Responsibility (a)(2)

Identify the security official who is responsible for the development and implementation of the policies required by this subpart for the entity.

Most companies have a Security Officer or Quality Assurance Officer who oversees security issues and implements security best practices for both the facility and technology deployments. Each SOP, policy, or procedure should identify who is responsible for overseeing and administering the security.
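The Information System Activity Review section asks managers to run recurring reports over the audit trail. The Python below is an added example written for this edition, not code from the white paper or from Formulations Pro: it parses a constructed, pipe-delimited audit log and produces the review items a manager would look at first (record deletions, activity outside business hours, activity by accounts that are not on the authorized roster, and a per-account change count). The log format, the business-hours window, the account names, and the sample lines are all this example's own assumptions.

```python
from __future__ import annotations
from collections import Counter
from datetime import datetime

# Constructed sample audit-log lines (not real data).
# Format assumed for this example: timestamp|account|action|record_id|field
SAMPLE_LOG = """\
2004-03-01T08:15:02|jdoe|modify|1001|diagnosis
2004-03-01T08:16:40|jdoe|create|1003|patient_name
2004-03-01T12:05:11|msmith|modify|1001|insurance_id
2004-03-01T23:47:09|msmith|delete|1002|*
2004-03-02T02:10:33|tbrown|modify|1004|notes
this line is not a valid audit entry
2004-03-02T09:30:00|jdoe|modify|1003|diagnosis
"""

ACTIONS = {"create", "modify", "delete"}


def parse_line(line: str) -> dict | None:
    """Return a parsed entry, or None for a line that does not match the format."""
    parts = line.rstrip("\n").split("|")
    if len(parts) != 5 or parts[2] not in ACTIONS:
        return None
    try:
        when = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    return {"when": when, "account": parts[1], "action": parts[2],
            "record_id": parts[3], "field": parts[4]}


def review_activity(log_text: str, authorized: set[str],
                    business_hours: tuple[int, int] = (7, 19)) -> dict:
    """Build the review report. Malformed lines are counted, never silently dropped."""
    start, end = business_hours
    deletions: list[tuple[str, str]] = []
    after_hours: list[tuple[str, str]] = []
    unauthorized: set[str] = set()
    changes = Counter()
    malformed = 0
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        entry = parse_line(raw)
        if entry is None:
            malformed += 1
            continue
        changes[entry["account"]] += 1
        if entry["action"] == "delete":
            deletions.append((entry["account"], entry["record_id"]))
        if not (start <= entry["when"].hour < end):
            after_hours.append((entry["when"].isoformat(), entry["account"]))
        if entry["account"] not in authorized:
            unauthorized.add(entry["account"])
    return {
        "deletions": deletions,
        "after_hours": after_hours,
        "unauthorized_accounts": sorted(unauthorized),
        "changes_by_account": dict(changes),
        "malformed": malformed,
    }


def review_sample() -> dict:
    # Assumed roster: tbrown is no longer authorized but still appears in the log.
    return review_activity(SAMPLE_LOG, authorized={"jdoe", "msmith"})


if __name__ == "__main__":
    for key, value in review_sample().items():
        print(f"{key}: {value}")
```

A non-zero `malformed` count deserves attention of its own: an audit trail that cannot be overwritten or deleted should not contain lines the reviewer cannot parse, so it usually points at a logging bug or at someone writing to the log by hand.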

Workforce Security (a)(3)(i) and Software Developer

Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information.

Meeting this rule starts with best practices when programming the software. FileMaker Pro 7 uses industry standard account authentication for each user. Each authorized user receives a unique account name and password for each file. To back this up, systems built by Formulations Pro all contain robust account administration features that are controlled by a central system administrator. The administration functions can be used to create, delete, enable, and disable user accounts on the fly.

Information Access Management (a)(4)(i)

Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part.

Assess the relative criticality of specific applications and data in support of other contingency plan components. This gets back to the notion of risk management and contingency plans. Every element of your HIPAA required and addressable rules must contain a section that estimates the risk and provides an appropriate contingency plan in the event of a problem.

Isolating Health Care Clearinghouse Functions (a)(4)(ii)(A)

If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization.

Security Awareness Training (a)(5)(i)

Implement a security awareness and training program for all members of its workforce (including management).

Formulations Pro highly recommends that users not be given access to any software, printed or electronic reports that contain protected health information until they receive appropriate training. We also recommend that all employees' account names and passwords be suspended on an annual basis to ensure that they receive continual training and updates to any company policies or changes in the law.

Security Incident Procedures (a)(6)(i)

Implement policies and procedures to address security incidents.

Response and Reporting (a)(6)(ii)

Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes.

Contingency Plan (a)(7)(i)

Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.

Typically what this entails is a back-up and disaster recovery procedure, as required by the next two sections of the HIPAA Rules.

Data Backup Plan (a)(7)(ii)(A) and Software Developer

Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.

FileMaker Server 7 can be used to make automated backups on any schedule that your system requires (Figure 9). Formulations Pro recommends that the backup be performed by saving the files to the same hard drive as the server. Then use some type of third party software, such as Retrospect Remote, to copy the backup folder to a device such as a tape drive in the middle of the night, to maximize system performance for the users. If there is no activity on the server in the middle of the night, you can also back up the files directly to the tape drive to save space on your server. The tape can then be taken off site to a secure, fireproof location to provide mitigated disaster protection.

Figure 9: Schedules. Use FileMaker Server 7 to automatically back up your data for disaster recovery.

Disaster Recovery Plan (a)(7)(ii)(B) and Software Developer

Establish (and implement as needed) procedures to restore any loss of data.

Some companies prefer to use software from Veritas or Network Appliance that takes a snapshot backup of the hard drive. This type of software makes pseudo-copies of very large amounts of data in a very short period of time. However, FileMaker Server 7 serves an open database, which can become corrupted if it is copied while it is live. Therefore, if you use this type of approach we highly recommend that you validate the entire backup and recovery procedure to ensure that the files do not get corrupted in the process.

No database is 100% free from data loss. If you have issues with the RAM, power supply, loss of hard drives, network problems, etc., data can be lost. Your job is to minimize the potential of this loss through best practices. Thus, installing a RAID (Redundant Array of Independent Disks) on your server to protect the data is highly recommended. We typically recommend RAID 5 because it provides excellent performance and good fault tolerance by striping the data across multiple disks and providing error correction. By adding more drives you can significantly increase your storage capacity and performance.

Emergency Mode Operation Plan (a)(7)(ii)(C)

Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.

Evaluation (a)(8)

Perform a periodic technical and non-technical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which an entity's security policies and procedures meet the requirements of this subpart.

The easiest method to meet this rule is to expire all your SOPs, procedures, policies, and contingency plans as part of your Quality Assurance program. This will ensure that every procedure related to HIPAA compliance is reviewed on an annual or recurring basis.

Business Associate Contracts and Other Arrangements (b)(1)

A covered entity, in accordance with , may permit a business associate to create, retrieve, maintain, or transmit electronic protected health information on the covered entity's behalf only if the covered entity obtains satisfactory assurances, in accordance with (a), that the business associate will appropriately safeguard the information.

If you are the parent company and have subsidiaries or contracts with third-party businesses, you must audit these companies for compliance with the HIPAA rules and regulations. We suggest that you require (at a minimum) the same review and implementation standards that you require for your own organization. Best practices always start with your own company.

Written Contract or Other Arrangement (b)(4)

Document the satisfactory assurances required by paragraph (b)(1) of this section through a written contract or other arrangement with the business associate that meets the applicable requirements of (a).

Any time you require a subsidiary or third-party business to be HIPAA compliant or to maintain your HIPAA compliance, you should create a contract that details the HIPAA rules with which you expect them to comply. You should also specify that they are responsible for any and all damages directly associated with their non-compliance. As part of this contract you should also be allowed to audit their systems, policies, and procedures during routine and surprise inspections.
Authorization and/or Supervision (a)(3)(ii)(A)

Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.

Because the users will be working with a database, we highly recommend that users (workforce as well as management) not be allowed to work with the software until they have received both HIPAA awareness training and training specific to the use of the software. As part of the training, Formulations Pro creates a sandbox environment of the software that enables the users to train in a simulated environment until they are approved to work with live data.

Workforce Clearance Procedure (a)(3)(ii)(B)

Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate.

During the design phase it is critical to describe to the Formulations Pro consultants the workflow, the environment in which the software will be used, and the types of users that will work with the software. From this information, privilege sets will be created for each distinct work group, each granting specific access to specific areas of the software. Typically, access to areas such as client or patient contact information should have the highest level of protection. Users that have access to protected information should be required to have the highest level of clearance before being assigned a privilege set that can access this information. Lower levels of access may be granted with a less stringent or more intuitive policy.

Termination Procedures (a)(3)(ii)(C) and Software Developer

Implement procedures for terminating access to electronic protected health information when the employment of a workforce member ends or as required by determinations made as specified in paragraph (a)(3)(ii)(B) of this section.

Systems built by Formulations Pro allow the system administrator to delete and deactivate accounts. If an employee is terminated we recommend that the account be deleted from the system to prevent any potential future identity falsification. If the user is transferred to a role that no longer has access to the system we recommend that the account be deactivated. This keeps the account in the system, but not accessible until the system administrator re-activates the account.
In either case, your Human Resources department should trigger the termination or transfer procedures by sending a notice to the appropriate system administrator(s) in the IT department. If the user changes roles, the system administrator can change the user's privilege set to modify their access to the system.

Access Authorization (a)(4)(ii)(C) and Software Developer

Implement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process, or other mechanism.

The business owner must specify which types of devices they wish to have access to the software. For example: computers accessing the software over the LAN or WAN with FileMaker Pro clients, client computers or servers with ODBC or JDBC access, intranet web browsers with IWP, Internet web browsers with custom web publishing, and/or personal digital assistants with FileMaker Mobile. Once these communication sources have been determined, FileMaker Pro can manage the extended privileges to selectively grant or deny access to any of these sources for each individual account.

Security Reminders (a)(5)(ii)(A)

Implement periodic security updates.

Formulations Pro recommends that the security reminders be a part of the annual training program for every employee. It's always a good idea to remind the employees about the importance and implications of having access to protected health information. Employees should also be reminded that in the systems built by Formulations Pro their electronic signature is the legally binding equivalent of their handwritten signature. Thus, if they share their account name and password with other users they are legally responsible for those users' actions in the database. Sharing account names and passwords should be an offense that warrants termination. This includes terminating management.

Protection from Malicious Software (a)(5)(ii)(B)

Implement procedures for guarding against, detecting, and reporting malicious software.

Every computer should have up-to-date antivirus software. Although virus-checking software can only catch approximately 94% of existing viruses and is always vulnerable to new viruses, most virus problems occur from known viruses where the software has not been updated. It is reasonable to expect any corporation to have an enterprise account for anti-virus software from Norton or McAfee that provides daily updates to their virus definitions.
Log-in Monitoring (a)(5)(ii)(C)

Implement procedures for monitoring log-in attempts and reporting discrepancies.

FileMaker Pro 7 has two built-in features to minimize the risk of invalid log-ins. For ease of use the login feature can be set to allow the user to attempt to log in 5 times before quitting the program. If your operating environment needs additional security you can change the setting to allow only one attempt to log in before the application quits. If you need to log the actual user account name that is accessing the FileMaker Server 7 files you will need to monitor your operating system's log files. FileMaker Server 7 does log failed login attempts. Formulations Pro does not recommend programming your system with an open password and complex scripting to log user input at this critical juncture, because it opens a much larger security issue that exceeds the risk of monitoring a log file. Users will get discouraged from trying to log into systems if the application quits after one false try. In many cases this should be sufficient risk reduction, while also minimizing your administrative costs.

Password Management (a)(5)(ii)(D)

Implement procedures for creating, changing, and safeguarding passwords.

FileMaker Pro 7 has built-in account authentication and privileges that control access to the files based on a user name and encrypted password. The password is encrypted so that no user, not even the administrator, can view the password. If the user forgets their password the administrator must change it for them. Formulations Pro also installs a best practice that requires that the next time the user opens the file they be prompted to change their password, as an additional security mechanism to prevent administrators from using the password.

Testing and Revision Procedures (a)(7)(ii)(D)

Implement procedures for periodic testing and revision of contingency plans.

The easiest method to meet this rule is to expire all your SOPs, procedures, policies, and contingency plans as part of your Quality Assurance program. This will ensure that every procedure related to HIPAA compliance is reviewed on an annual or recurring basis.

Applications and Data Criticality Analysis (a)(7)(ii)(E)

Assess the relative criticality of specific applications and data in support of other contingency plan components.

Somewhere during the project you should step back from the fine details and look globally at your project to determine where this fits into the scope of your strategic business objectives.
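The account controls described under Termination Procedures, Access Authorization, Log-in Monitoring and Password Management above, modelled in Python as an added example. This is illustrative code written for this article, not FileMaker's implementation or Formulations Pro's; the access-source labels, account names and the choice to lock an account once the failed-attempt limit is reached (rather than quit the client, as FileMaker Pro 7 does) are constructed assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed labels for the access sources the paper lists (not FileMaker's keywords).
SOURCES = frozenset({"filemaker_client", "odbc_jdbc", "instant_web",
                     "custom_web", "mobile"})


@dataclass
class Account:
    name: str
    privilege_set: str                 # names the set of granted access sources
    salt: bytes
    pw_hash: bytes
    active: bool = True
    must_change_password: bool = False
    failed_attempts: int = 0


def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2: the stored value reveals the password to no one, not even an admin.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AccountStore:
    def __init__(self, max_attempts: int = 5):
        self.max_attempts = max_attempts   # 5 for ease of use, 1 for stricter sites
        self.privilege_sets: dict[str, frozenset] = {}   # name -> extended privileges
        self.accounts: dict[str, Account] = {}
        self.log: list[str] = []           # kept for response and reporting

    def add_privilege_set(self, name, sources):
        if not set(sources) <= SOURCES:
            raise ValueError(f"unknown access source in {sorted(sources)}")
        self.privilege_sets[name] = frozenset(sources)

    def create_account(self, name, privilege_set, password):
        salt = os.urandom(16)
        self.accounts[name] = Account(name, privilege_set, salt, _hash(password, salt))

    # Termination procedures: deactivation keeps the account but blocks it until
    # an administrator reactivates it; deletion removes it for good.
    def set_active(self, name, active: bool):
        self.accounts[name].active = active
        self.log.append(f"{'reactivated' if active else 'deactivated'} {name}")

    def delete(self, name):
        del self.accounts[name]
        self.log.append(f"deleted {name}")

    # Role change: swap the privilege set rather than creating a new account.
    def change_privilege_set(self, name, new_set):
        if new_set not in self.privilege_sets:
            raise KeyError(new_set)
        self.accounts[name].privilege_set = new_set
        self.log.append(f"privilege set of {name} changed to {new_set}")

    # Administrator reset: the user must choose a new password at next log-in,
    # so the temporary password the administrator knows is never usable for work.
    def admin_reset_password(self, name, temp_password):
        acct = self.accounts[name]
        acct.salt, acct.failed_attempts = os.urandom(16), 0
        acct.pw_hash = _hash(temp_password, acct.salt)
        acct.must_change_password = True
        self.log.append(f"administrator reset password of {name}")

    def set_own_password(self, name, old_password, new_password) -> bool:
        acct = self.accounts[name]
        if not hmac.compare_digest(_hash(old_password, acct.salt), acct.pw_hash):
            return False
        acct.salt = os.urandom(16)
        acct.pw_hash = _hash(new_password, acct.salt)
        acct.must_change_password = False
        return True

    def login(self, name, password, source) -> tuple[bool, str]:
        acct = self.accounts.get(name)
        if acct is None:
            # Logged distinctly, but answered like a wrong password so names cannot be probed.
            self.log.append(f"failed log-in: unknown account {name}")
            return False, "invalid credentials"
        if not acct.active:
            self.log.append(f"failed log-in: deactivated account {name}")
            return False, "account deactivated"
        if acct.failed_attempts >= self.max_attempts:
            self.log.append(f"failed log-in: locked account {name}")
            return False, "account locked"
        if not hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
            acct.failed_attempts += 1
            self.log.append(f"failed log-in: wrong password for {name} ({acct.failed_attempts}/{self.max_attempts})")
            if acct.failed_attempts >= self.max_attempts:
                self.log.append(f"incident: {name} locked after repeated failures")
            return False, "invalid credentials"
        if source not in self.privilege_sets[acct.privilege_set]:
            self.log.append(f"failed log-in: {name} denied via {source}")
            return False, "source not permitted"
        acct.failed_attempts = 0
        if acct.must_change_password:
            return True, "password change required"
        return True, "ok"
```

The `log` list stands in for the operating-system or FileMaker Server log the text says you must monitor; the "incident:" entries are the discrepancies a reporting procedure would pick up.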
In many cases, developing best practices once that can be deployed across multiple applications will save you a lot of time and money. However, keep in mind that not all applications can support what you consider to be best practices if your implementation is too stringent. Thus, it must allow for some flexibility to work within the constructs of the software and your project requirements. That is, unless you have an unlimited amount of time and budget to customize the software. If the software cannot meet your best practices then you must assess the risk of not implementing the requirement in terms of the security of the data vs. the cost of non-compliance in the event of a security breach.

Summary

Either your company and its software is HIPAA compliant or it is not. There is no middle ground whereby you implement some of the required elements and claim to be in compliance. All required specifications must be implemented. Addressable specifications are not required only if your risk analysis finds they are unreasonable and/or inappropriate.

During the evaluation phase of your project you will find there are certain specifications that are very clearly implemented by the software developer (i.e. account administration) and others that are clearly implemented by the business user (i.e. sanctioning policy). Others may be best solved by the integration of ideas and concepts from both the software developer and business owner. However, the ultimate responsibility to attain compliance falls squarely with the business owner. Therefore, this is not a project you hand off to your IT department or software developer and expect a compliant system in return.

Although you may find that many of the HIPAA requirements and addressable rules do not apply to your company, they will have an enormous impact on the development of the software, the workflow, and the user interface. Most notably, they will have the largest impact on the procedures and policies that govern your company and the employees that access the protected health information. Therefore we highly recommend that you understand the rules and implement what you feel are the best practices across your entire organization and any future software development that might fall under this regulation. This will save you a lot of time and money on your future projects. In the meantime, you can be assured that Formulations Pro can consult, build, customize, and install integrated database solutions to meet your HIPAA requirements.

Formulations Pro, Inc. Formulations Pro is a trademark of Formulations Pro, Inc., registered in the U.S.A. The Formulations Pro logo is a trademark of Formulations Pro, Inc. FileMaker Pro is a trademark of FileMaker Pro Inc., registered in the U.S.A. and other countries. Product specifications and availability are subject to change without notice.


More information

HIPAA HANDBOOK. Keeping your backup HIPAA-compliant

HIPAA HANDBOOK. Keeping your backup HIPAA-compliant The federal Health Insurance Portability and Accountability Act (HIPAA) spells out strict regulations for protecting health information. HIPAA is expansive and can be a challenge to navigate. Use this

More information

How Managed File Transfer Addresses HIPAA Requirements for ephi

How Managed File Transfer Addresses HIPAA Requirements for ephi How Managed File Transfer Addresses HIPAA Requirements for ephi 1 A White Paper by Linoma Software INTRODUCTION As the healthcare industry transitions from primarily using paper documents and patient charts

More information

Guide: Meeting HIPAA Security Rules

Guide: Meeting HIPAA Security Rules Networks Guide: Meeting HIPAA Security Rules Intelligent Network Security 100 West Harrison North Tower, Suite 300 Seattle, WA 98119 T 206. 285. 8080 F 206. 285. 8081 w w w. l ockdow nnet w o r k s. com

More information

HIPAA Security Compliance for Konica Minolta bizhub MFPs

HIPAA Security Compliance for Konica Minolta bizhub MFPs HIPAA Security Compliance for Konica Minolta bizhub MFPs Table of Contents Introduction... 1 What is HIPAA?... 1 HIPAA Security Standards that are applicable to Konica Minolta bizhub Multi-Functional Printers...

More information

Procedure Title: TennDent HIPAA Security Awareness and Training

Procedure Title: TennDent HIPAA Security Awareness and Training Procedure Title: TennDent HIPAA Security Awareness and Training Number: TD-QMP-P-7011 Subject: Security Awareness and Training Primary Department: TennDent Effective Date of Procedure: 9/23/2011 Secondary

More information

C.T. Hellmuth & Associates, Inc.

C.T. Hellmuth & Associates, Inc. Technical Monograph C.T. Hellmuth & Associates, Inc. Technical Monographs usually are limited to only one subject which is treated in considerably more depth than is possible in our Executive Newsletter.

More information

Security Manual for Protected Health Information

Security Manual for Protected Health Information Security Manual for Protected Health Information Revised September 2011 Contents PREFACE... 4 TTUHSC Operating Policy Regarding Privacy and Security... 5 1. DEFINITIONS:... 6 2. ADMINISTRATIVE SAFEGUARDS

More information

Supplier Security Assessment Questionnaire

Supplier Security Assessment Questionnaire HALKYN CONSULTING LTD Supplier Security Assessment Questionnaire Security Self-Assessment and Reporting This questionnaire is provided to assist organisations in conducting supplier security assessments.

More information

ISLAND COUNTY SECURITY POLICIES & PROCEDURES

ISLAND COUNTY SECURITY POLICIES & PROCEDURES Health Insurance Portability and Accountability Act (HIPAA) ISLAND COUNTY SECURITY POLICIES & PROCEDURES Island County HIPAA Security Rule Page 1 Table of Contents Table of Contents... 2 Authority... 3

More information

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL for INFORMATION RESOURCES Updated: June 2007 Information Resources Security Manual 1. Purpose of Security Manual 2. Audience 3. Acceptable

More information

HIPAA Compliance Guide

HIPAA Compliance Guide HIPAA Compliance Guide Important Terms Covered Entities (CAs) The HIPAA Privacy Rule refers to three specific groups as covered entities, including health plans, healthcare clearinghouses, and health care

More information

Hosting for Healthcare: ADDRESSING THE UNIQUE ISSUES OF HEALTH IT & ACHIEVING END-TO-END COMPLIANCE

Hosting for Healthcare: ADDRESSING THE UNIQUE ISSUES OF HEALTH IT & ACHIEVING END-TO-END COMPLIANCE Hosting for Healthcare: ADDRESSING THE UNIQUE ISSUES OF HEALTH IT & ACHIEVING END-TO-END COMPLIANCE [ Hosting for Healthcare: Addressing the Unique Issues of Health IT & Achieving End-to-End Compliance

More information

Security Framework Information Security Management System

Security Framework Information Security Management System NJ Department of Human Services Security Framework - Information Security Management System Building Technology Solutions that Support the Care, Protection and Empowerment of our Clients JAMES M. DAVY

More information

Implementing HIPAA Compliance with ScriptLogic

Implementing HIPAA Compliance with ScriptLogic Implementing HIPAA Compliance with ScriptLogic A ScriptLogic Product Positioning Paper By Nick Cavalancia 1.800.424.9411 www.scriptlogic.com Table of Contents INTRODUCTION... 3 HIPAA BACKGROUND... 3 ADMINISTRATIVE

More information

HIPAA Security. 6 Basics of Risk Analysis and Risk Management. Security Topics

HIPAA Security. 6 Basics of Risk Analysis and Risk Management. Security Topics HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 2. Security Standards - Administrative Safeguards 3. Security Standards - Physical Safeguards 4. Security Standards - Technical

More information

WHITE PAPER. HIPPA Compliance and Secure Online Data Backup and Disaster Recovery

WHITE PAPER. HIPPA Compliance and Secure Online Data Backup and Disaster Recovery WHITE PAPER HIPPA Compliance and Secure Online Data Backup and Disaster Recovery January 2006 HIPAA Compliance and the IT Portfolio Online Backup Service Introduction October 2004 In 1996, Congress passed

More information

HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER

HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER With technology everywhere we look, the technical safeguards required by HIPAA are extremely important in ensuring that our information

More information

MANAGED FILE TRANSFER: 10 STEPS TO HIPAA/HITECH COMPLIANCE

MANAGED FILE TRANSFER: 10 STEPS TO HIPAA/HITECH COMPLIANCE WHITE PAPER MANAGED FILE TRANSFER: 10 STEPS TO HIPAA/HITECH COMPLIANCE 1. OVERVIEW Do you want to design a file transfer process that is secure? Or one that is compliant? Of course, the answer is both.

More information

HIPAA: In Plain English

HIPAA: In Plain English HIPAA: In Plain English Material derived from a presentation by Kris K. Hughes, Esq. Posted with permission from the author. The Health Insurance Portability and Accountability Act of 1996 (HIPAA), Pub.

More information

WHITE PAPER. HIPAA-Compliant Data Backup and Disaster Recovery

WHITE PAPER. HIPAA-Compliant Data Backup and Disaster Recovery WHITE PAPER HIPAA-Compliant Data Backup and Disaster Recovery DOCUMENT INFORMATION HIPAA-Compliant Data Backup and Disaster Recovery PRINTED March 2011 COPYRIGHT Copyright 2011 VaultLogix, LLC. All Rights

More information

PCI Data Security and Classification Standards Summary

PCI Data Security and Classification Standards Summary PCI Data Security and Classification Standards Summary Data security should be a key component of all system policies and practices related to payment acceptance and transaction processing. As customers

More information

For more information on how to build a HIPAA-compliant wireless network with Lutrum, please contact us today! www.lutrum.

For more information on how to build a HIPAA-compliant wireless network with Lutrum, please contact us today! www.lutrum. For more information on how to build a HIPAA-compliant wireless network with Lutrum, please contact us today! www.lutrum.com 844-644-4600 This publication describes the implications of HIPAA (the Health

More information

This policy applies to all GPC units that process, transmit, or handle cardholder information in a physical or electronic format.

This policy applies to all GPC units that process, transmit, or handle cardholder information in a physical or electronic format. Policy Number: 339 Policy Title: Credit Card Processing Policy, Procedure, & Standards Review Date: 07-23-15 Approval Date: 07-27-15 POLICY: All individuals involved in handling credit and debit card transactions

More information

Newcastle University Information Security Procedures Version 3

Newcastle University Information Security Procedures Version 3 Newcastle University Information Security Procedures Version 3 A Information Security Procedures 2 B Business Continuity 3 C Compliance 4 D Outsourcing and Third Party Access 5 E Personnel 6 F Operations

More information

Securing the FOSS VistA Stack HIPAA Baseline Discussion. Jack L. Shaffer, Jr. Chief Operations Officer

Securing the FOSS VistA Stack HIPAA Baseline Discussion. Jack L. Shaffer, Jr. Chief Operations Officer Securing the FOSS VistA Stack HIPAA Baseline Discussion Jack L. Shaffer, Jr. Chief Operations Officer HIPAA as Baseline of security: To secure any stack which contains ephi (electonic Protected Health

More information

HIPAA Privacy & Security White Paper

HIPAA Privacy & Security White Paper HIPAA Privacy & Security White Paper Sabrina Patel, JD +1.718.683.6577 sabrina@captureproof.com Compliance TABLE OF CONTENTS Overview 2 Security Frameworks & Standards 3 Key Security & Privacy Elements

More information

Huseman Health Law Group 3733 University Blvd. West, Suite 305-A Jacksonville, Florida 32217 Telephone (904) 448-5552 Facsimile (904) 448-5653

Huseman Health Law Group 3733 University Blvd. West, Suite 305-A Jacksonville, Florida 32217 Telephone (904) 448-5552 Facsimile (904) 448-5653 Huseman Health Law Group 3733 University Blvd. West, Suite 305-A Jacksonville, Florida 32217 Telephone (904) 448-5552 Facsimile (904) 448-5653 rusty@husemanhealthlaw.com use e Health care law firm fighting

More information

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster Security Standards Symantec shall maintain administrative, technical, and physical safeguards for the Symantec Network designed to (i) protect the security and integrity of the Symantec Network, and (ii)

More information

Healthcare Network Accreditation Program (HNAP-EHN) Criteria

Healthcare Network Accreditation Program (HNAP-EHN) Criteria ELECTRONIC HEALTHCARE NETWORK ACCREDITATION COMMISSION (EHNAC) Healthcare Network Accreditation Program (HNAP-EHN) Criteria For The HEALTHCARE INDUSTRY Version 10.0 Release date: January 1, 2009 Lee Barrett,

More information

HIPAA Compliance for the Wireless LAN

HIPAA Compliance for the Wireless LAN White Paper HIPAA Compliance for the Wireless LAN JUNE 2015 This publication describes the implications of HIPAA (the Health Insurance Portability and Accountability Act of 1996) on a wireless LAN solution,

More information

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Information Security Policy September 2009 Newman University IT Services. Information Security Policy Contents 1. Statement 1.1 Introduction 1.2 Objectives 1.3 Scope and Policy Structure 1.4 Risk Assessment and Management 1.5 Responsibilities for Information Security 2. Compliance 3. HR Security 3.1 Terms

More information

FileMaker Security Guide The Key to Securing Your Apps

FileMaker Security Guide The Key to Securing Your Apps FileMaker Security Guide The Key to Securing Your Apps Table of Contents Overview... 3 Configuring Security Within FileMaker Pro or FileMaker Pro Advanced... 5 Prompt for Password... 5 Give the Admin Account

More information

itrust Medical Records System: Requirements for Technical Safeguards

itrust Medical Records System: Requirements for Technical Safeguards itrust Medical Records System: Requirements for Technical Safeguards Physicians and healthcare practitioners use Electronic Health Records (EHR) systems to obtain, manage, and share patient information.

More information

HIPAA Compliance and the Protection of Patient Health Information

HIPAA Compliance and the Protection of Patient Health Information HIPAA Compliance and the Protection of Patient Health Information WHITE PAPER By Swift Systems Inc. April 2015 Swift Systems Inc. 7340 Executive Way, Ste M Frederick MD 21704 1 Contents HIPAA Compliance

More information

Nationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011

Nationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011 Nationwide Review of CMS s HIPAA Oversight Brian C. Johnson, CPA, CISA Wednesday, January 19, 2011 1 WHAT I DO Manage Region IV IT Audit and Advance Audit Technique Staff (AATS) IT Audit consists of 8

More information

The second section of the HIPAA Security Rule is related to physical safeguards. Physical safeguards are physical measures, policies and procedures

The second section of the HIPAA Security Rule is related to physical safeguards. Physical safeguards are physical measures, policies and procedures The second section of the HIPAA Security Rule is related to physical safeguards. Physical safeguards are physical measures, policies and procedures to protect and secure a covered entity s electronic information

More information

Technical Safeguards is the third area of safeguard defined by the HIPAA Security Rule. The technical safeguards are intended to create policies and

Technical Safeguards is the third area of safeguard defined by the HIPAA Security Rule. The technical safeguards are intended to create policies and Technical Safeguards is the third area of safeguard defined by the HIPAA Security Rule. The technical safeguards are intended to create policies and procedures to govern who has access to electronic protected

More information