White Paper. Support for the HIPAA Security Rule PowerScribe 360


Summary

This white paper is intended to assist Nuance customers who are evaluating the security aspects of the PowerScribe 360 system as part of the risk analysis required for Health Insurance Portability and Accountability Act (HIPAA) Security Rule compliance. The paper describes specific features of the PowerScribe 360 system in the context of the security standards and provides an analysis of how the system can support an organization's efforts to attain HIPAA Security Rule compliance. Nuance Communications understands that compliance presents a significant challenge for our customers. We continue to enhance PowerScribe 360 product features and services to address the security and compliance efforts of our customers.

HIPAA Security Rule Compliance

The HIPAA Security Rule ("the rule") was published to protect the confidentiality, integrity and availability of electronic protected health information (ePHI). The rule, defined in 45 CFR Parts 160, 162 and 164, establishes the minimum national standards for information systems with access to ePHI. PowerScribe 360 manages and stores ePHI as dictations and medical reports in electronic form, and thus must be included in the risk assessment activities our customers undertake for HIPAA Security Rule compliance. Compliance with the rule was required no later than April 21, 2005; small health plans were required to comply no later than April 21, 2006.

The rule establishes a minimum set of administrative, technical and physical standards and implementation specifications which must be addressed. However, it "is written in terms that are as generic as possible and which, generally speaking, may be met through various approaches or technologies." [1] Thus the rule is not prescriptive. The steps an institution will actually need to take to comply with these regulations will depend upon its own particular environment, circumstances and risk assessment. [2]

An institution cannot simply purchase "HIPAA certified" hardware or software to achieve compliance. Rather, it must implement policies and procedures that are consistent with the rule and evaluate technology decisions based upon a risk assessment process. The standards do not allow organizations to make their own rules, only their own technology choices. [3]

HIPAA is flexible. According to the rule, "Covered entities may use any security measures that allow the covered entity to reasonably and appropriately implement the standards and implementation specifications as specified in this subpart." What is reasonable and appropriate is based upon the findings of a risk assessment which considers size, complexity, capability, technical infrastructure, probability of risk, criticality of data and the cost of the security measure. In other words, an institution must demonstrate that its choices are reasonable and appropriate given the cost and the benefit.

The PowerScribe 360 system was introduced to the market in November 2010 as a speech-enabled dictation system with completely integrated transcription functionality. The product and its features have evolved from two mature radiology reporting platforms that have been merged to meet complex customer needs. The application is designed to capture dictated audio and use speech recognition to generate text reports in order-centric environments.

[1] Federal Register / Vol. 68, No. 34, p. 8336
[2] Ibid.
[3] Federal Register / Vol. 68, No. 34, p. 8343

This white paper provides a brief analysis of how PowerScribe 360 supports an organization's efforts to comply with the HIPAA Security Rule standards. The paper also describes HIPAA-related security features in the latest versions of the software and covers the following product components:

- PowerScribe 360 Dictation/Correction Client
- Administration Portal

The PowerScribe 360 system contains multiple levels of system security to protect patient confidentiality, and user or group privileges that grant or restrict access to specific product features. The system is equipped with comprehensive audit and reporting capabilities that provide details related to document creation, users, editors, signers, timestamps, viewing, distribution, etc.

PowerScribe 360 HIPAA Security Rule Compliance Features/Offering

Nuance Communications, in collaboration with an independent consulting firm specializing in IT security and the HIPAA Security Rule, conducted an assessment of the PowerScribe 360 system and developed this white paper. The paper describes HIPAA-related security features in the above-mentioned version of the PowerScribe 360 software; it does not discuss security features in previously released versions.

The following sections identify the HIPAA standards and implementation specifications, mark each implementation specification as required (R) or addressable (A), and identify the key PowerScribe 360 product features that complement efforts to achieve HIPAA Security Rule compliance. The PowerScribe 360 system features alone do not ensure HIPAA Security Rule compliance; they are features that may be useful as the customer takes steps toward compliance.

Administrative Safeguards

Standard: Security Management Process
Implementation specifications: Risk Analysis (R); Risk Management (R); Sanction Policy (R); Information System Activity Review (R)
PowerScribe 360 features: This white paper provides details intended to assist an institution in completing a HIPAA risk analysis of the PowerScribe 360 product. The product includes a number of configurable security measures that improve an institution's ability to manage risks and vulnerabilities, including user and password management, session encryption, audit and logging mechanisms, and configurable workflow processes that can improve data integrity. Passwords can be administratively changed, and user accounts administratively disabled, to revoke access in support of a sanction policy. Various audit reports provide the information needed to implement the Information System Activity Review specification.

Standard: Assigned Security Responsibility (R)
PowerScribe 360 features: Two levels of authority, Administrator and System Administrator, are provided for administering the various security mechanisms featured in the PowerScribe 360 system.

Standard: Workforce Security
Implementation specifications: Authorization and/or Supervision (A); Workforce Clearance Procedure (A); Termination Procedures (A)
PowerScribe 360 features: PowerScribe 360's role-based user accounts can be readily incorporated into the access authorization and workforce clearance processes and procedures that an institution implements to determine appropriate access to protected information. Passwords can be administratively changed to revoke access in support of termination procedures, and user accounts can be administratively disabled or completely removed for the same purpose.

Standard: Information Access Management
Implementation specifications: Isolating Healthcare Clearinghouse Functions (R); Access Authorization (A); Access Establishment and Modification (A)
PowerScribe 360 features: PowerScribe 360 helps support the access authorization specifications by providing the capability to implement centralized role-based security through user accounts that can be created based on roles, departments, geographic locations or other identifying criteria, such that users are granted unique user rights and privileges. PowerScribe 360 provides a comprehensive capability to create and manage user accounts and associated roles and privileges via two levels of administration (Administrators and System Administrators), each with its own grouping of functions. The following roles can be added or revoked per user by administrators, depending on their privileges:

- Author: enables access to the Dictation/Correction Client to create reports. Includes the Attending, Resident and Fellow roles.
- Transcriptionist: enables access to the Dictation/Correction Client for editing and correction of dictated reports.
- Order Entry: enables access to the Order Entry application to enter new patients and orders into PowerScribe 360.
- Administrator: enables access to perform administrator functions.
- System Administrator: enables access to perform system administrator functions.
- Technologist: enables access to create draft reports and set field values.
- Front Desk Staff: enables access to scan patient documents.

Note: See the PowerScribe 360 Administrator Guide for the privileges associated with each role.

Standard: Security Awareness and Training
Implementation specifications: Security Reminders (A); Protection from Malicious Software (A); Log-in Monitoring (A); Password Management (A)
PowerScribe 360 features:

Security Reminders: The PowerScribe 360 administration guide and periodic information articles sent to customers provide security-related recommendations and instructions. The Nuance Professional Services Group can also be contracted to provide installation and/or operational process and procedural expert guidance to support a customer's unique implementation requirements and training activities.

Protection from Malicious Software: PowerScribe 360 is certified to work with Symantec Norton Antivirus. McAfee is known to work but is not certified.

Log-in Monitoring: The Dashboard page in the Administration Portal can be used to monitor all users currently using the system. The following login statistics can be viewed at any time:

- Login ID: the user's login ID
- Name: the user's name
- Session length: how long the user has been logged in
- Workstation: the name of the user's client machine
- Report info: information about the report the user is currently working on
- Last action: the last workflow action taken by the user

The Account Audit page in the Administration Portal can be used to view the history of events related to a user's account, including logon, logoff and password events.

Password Management: The following password management features are available:

- Masked password entry
- Password aging and forced expiration
- Administrative password reset and change
- Strong password option requiring a minimum length of 6 characters with at least one letter and one digit
- Passwords encrypted in storage

Note that a six-character minimum with one letter and one digit is a low bar; the minimum length and complexity an institution enforces should follow from its own risk analysis and password policy. Where users are authenticated through LDAP (see Technical Safeguards), the password policy is generally governed by the directory service rather than by PowerScribe 360.

Standard: Security Incident Procedures
Implementation specification: Response and Reporting (R)
PowerScribe 360 features: The PowerScribe 360 exam explorer and reporting engine can be used in responding to incidents, and support the forensic and investigation processes by generating very detailed standard or custom reports. Reports can also be exported for additional processing and analysis.

Standard: Contingency Plan
Implementation specifications: Data Backup Plan (R); Disaster Recovery Plan (R); Emergency Mode Operation Plan (R); Testing and Revision Procedures (A); Applications and Data Criticality Analysis (A)
PowerScribe 360 features: Backups of critical PowerScribe 360 files can be made with any software that can successfully handle SQL Server databases and Windows. PowerScribe 360 has been tested with Veritas Backup Exec. Disaster recovery procedures for PowerScribe 360 can be crafted based upon standard Windows and SQL Server disaster recovery technologies, strategies and third-party solutions. PowerScribe 360 is compatible with backup and disk imaging products that are certified to work with the current Windows desktop and server operating systems. Backups produced this way contain ePHI and should be covered by the institution's own device and media controls.

Standard: Evaluation (R)
PowerScribe 360 features: Nuance continually reviews customer requests for security features and enhancements based upon the results of internal risk assessment activities.

Standard: Business Associate Contracts and Other Arrangements
Implementation specification: Written Contract or Other Arrangement (R)
PowerScribe 360 features: Nuance will execute HIPAA Business Associate Agreements with customers who purchase maintenance or other services.

Physical Safeguards

Standard: Facility Access Controls
Implementation specifications: Contingency Operations (A); Facility Security Plan (A); Access Control and Validation Procedures (A); Maintenance Records (A)
PowerScribe 360 features: N/A

Standard: Workstation Use (R)
PowerScribe 360 features: N/A

Standard: Workstation Security (R)
PowerScribe 360 features: PowerScribe 360 uses standard Windows workstations, which support a variety of physical security mechanisms. PowerScribe 360 supports session termination after a specified period of inactivity.

Standard: Device and Media Controls
Implementation specifications: Disposal (R); Media Re-use (R); Accountability (A); Data Backup and Storage (A)
PowerScribe 360 features: N/A

Technical Safeguards

Standard: Access Control
Implementation specifications: Unique User Identification (R); Emergency Access Procedure (R); Automatic Logoff (A); Encryption and Decryption (A)
PowerScribe 360 features: The PowerScribe 360 system fully supports the creation, maintenance and use of unique user identifiers. PowerScribe 360 also supports standard Lightweight Directory Access Protocol (LDAP) services to authenticate users (username/password). Administrator accounts can be used to provide full access to system features in the event of an emergency; actions taken with these accounts are recorded by the auditing feature described below. PowerScribe 360 has a configurable inactivity timeout feature that can be used to automatically log off idle users within the application. Third-party encryption and decryption solutions can be used at the customer's discretion but are not supported by PowerScribe 360; encryption of stored ePHI is therefore a matter the institution must address in its own risk analysis.

Standard: Audit Controls (R)
PowerScribe 360 features: In addition to the standard audit and logging features found in the Windows operating system and the SQL Server database system, PowerScribe 360 includes a robust auditing feature that records activities performed by administrators and users of the PowerScribe 360 system. Database tables capture detailed information concerning the activities performed in each of the PowerScribe 360 application areas: Administrator (ADM), PowerScribe 360 API (API), Dictation/Correction (DC), Order Entry (OE) and System (SYS). The following information is captured for every event:

- Date and time
- Computer name
- Application area
- User name
- Admin user name
- Description of event

Other activities recorded include:

- User logins and logouts
- Password changes
- Add, modify and delete users
- Preference changes
- Order information created or updated by the RIS
- Reports created, edited or deleted
- Reports signed
- Reports faxed
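The audit record fields listed above (date and time, computer name, application area, user name, admin user name, description of event) are what an Information System Activity Review under the Security Management Process standard works from. The following is an added example, not Nuance code and not part of this white paper: it parses a constructed set of audit rows in a pipe-separated form (the real product stores these in SQL Server tables; the row format, the description wording, the business-hours window and the review rules are all assumptions made for illustration) and applies three review checks a practitioner would typically run: administrative account changes (with those outside business hours flagged separately), report deletions, and users who logged in from more than one workstation.

```python
"""Activity-review checks over constructed PowerScribe 360-style audit records.

Added example, not Nuance code. The field set (date and time, computer name,
application area, user name, admin user name, description of event) and the
application areas (ADM, API, DC, OE, SYS) follow the white paper; the
pipe-separated row format, the description wording, the business-hours window
and the review rules themselves are assumptions made for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample rows (not real product output). One event per line:
# timestamp|computer|area|user|admin_user|description
SAMPLE_AUDIT = """\
2010-11-03 07:55:10|RAD-WS01|DC|drjones||User login
2010-11-03 07:58:42|RAD-WS01|DC|drjones||Report created: ACC-1001
2010-11-03 08:10:05|RAD-WS01|DC|drjones||Report signed: ACC-1001
2010-11-03 08:12:30|RAD-WS02|DC|drjones||User login
2010-11-03 09:01:00|ADM-SRV|ADM|tsmith|sysadmin1|Password changed for user tsmith
2010-11-03 09:02:15|ADM-SRV|ADM|tsmith|sysadmin1|User modified: tsmith
2010-11-03 12:40:00|RAD-WS03|DC|mlee||Report deleted: ACC-0998
2010-11-03 23:15:00|ADM-SRV|ADM|rwong|admin2|User deleted: rwong
2010-11-03 23:16:00|RAD-WS03|DC|mlee||User logout
"""

FIELDS = ("timestamp", "computer", "area", "user", "admin_user", "description")
VALID_AREAS = {"ADM", "API", "DC", "OE", "SYS"}

# Event descriptions that matter for sanction/termination follow-up (assumed wording).
ACCOUNT_CHANGE = re.compile(r"^(Password changed|User (added|modified|deleted))\b", re.IGNORECASE)
REPORT_DELETED = re.compile(r"^Report deleted\b", re.IGNORECASE)
LOGIN = re.compile(r"^User login$", re.IGNORECASE)


def parse_audit(text):
    """Parse pipe-separated rows into dicts; reject rows that do not fit the schema."""
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split("|")
        if len(parts) != len(FIELDS):
            raise ValueError(f"row {lineno}: expected {len(FIELDS)} fields, got {len(parts)}")
        rec = dict(zip(FIELDS, parts))
        if rec["area"] not in VALID_AREAS:
            raise ValueError(f"row {lineno}: unknown application area {rec['area']!r}")
        rec["timestamp"] = datetime.strptime(rec["timestamp"], "%Y-%m-%d %H:%M:%S")
        events.append(rec)
    return events


def review(events, business_hours=(7, 19)):
    """Return the findings an activity reviewer would want to look at.

    business_hours is a (start_hour, end_hour) window, end exclusive; the
    default is an assumed value, to be set from the institution's own schedule.
    """
    start, end = business_hours
    findings = {
        "account_changes": [],    # (admin_user, affected_user, description)
        "after_hours_admin": [],  # subset of account_changes outside business hours
        "report_deletions": [],   # (user, description)
        "multi_workstation": {},  # user -> sorted workstations the user logged in from
    }
    logins = defaultdict(set)
    for e in events:
        if e["area"] == "ADM" and ACCOUNT_CHANGE.match(e["description"]):
            item = (e["admin_user"], e["user"], e["description"])
            findings["account_changes"].append(item)
            if not start <= e["timestamp"].hour < end:
                findings["after_hours_admin"].append(item)
        if e["area"] == "DC" and REPORT_DELETED.match(e["description"]):
            findings["report_deletions"].append((e["user"], e["description"]))
        if LOGIN.match(e["description"]):
            logins[e["user"]].add(e["computer"])
    findings["multi_workstation"] = {
        user: sorted(ws) for user, ws in logins.items() if len(ws) > 1
    }
    return findings


if __name__ == "__main__":
    for key, value in review(parse_audit(SAMPLE_AUDIT)).items():
        print(key, value)
```

Run against the sample, the review surfaces three account changes by two administrators, one of them (the deletion of rwong by admin2 at 23:15) outside the assumed business hours, one report deletion by mlee, and drjones logging in from two workstations within the window. A real review would export the audit tables and feed them to the same rules; the point of keeping the rules as small named functions is that each finding can be tied back to the sanction policy or termination procedure it supports.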

Standard: Integrity
Implementation specification: Mechanism to Authenticate ePHI (A)
PowerScribe 360 features: PowerScribe 360 uses both application and operating system features to restrict access rights to authorized users as a preventive integrity control. Application and operating system audit logs can be used to track the activity of authorized users and detect the activity of unauthorized users as a detective integrity control. Purging of audio and text files is configurable at the administrative level and can be disabled entirely. Configurable workflow processes can be implemented to facilitate integrity checking by requiring transcribed reports to be reviewed for accuracy prior to being signed.

Standard: Person or Entity Authentication (R)
PowerScribe 360 features: PowerScribe 360 is compatible with all Windows-based biometric and multi-factor authentication schemes when they are used as prescribed by the vendor. PowerScribe 360 supports Lightweight Directory Access Protocol (LDAP) for institutions that leverage LDAP services to authenticate users.

Standard: Transmission Security
Implementation specifications: Integrity Controls (A); Encryption (A)
PowerScribe 360 features: The PowerScribe 360 Web portal supports Secure Sockets Layer (SSL) communication between browser-based clients and servers to protect data integrity and confidentiality. The PowerScribe 360 Windows client connects to the database without encryption, and therefore relies upon lower-level integrity and encryption services such as a VPN, the Windows operating system (for example, IPsec) and TCP/IP network devices to protect data in transit. Institutions should record this unencrypted client-to-database path in their risk analysis and document the network-layer control that covers it.

Nuance and the Nuance logo, and PowerScribe are trademarks or registered trademarks of Nuance Communications, Inc. or its affiliates in the United States and/or other countries. All other trademarks referenced herein are the property of their respective owners.

L-3330 11/10 DTM
The experience speaks for itself
NUANCE COMMUNICATIONS, INC.
ONE WAYSIDE ROAD, BURLINGTON, MA 01803
800 350 4836
NUANCE.COM/HEALTHCARE