HIPAA Security Matrix



Similar documents
Healthcare Compliance Solutions

PRIVACY POLICIES AND FORMS FOR BUSINESS ASSOCIATES

VMware vcloud Air HIPAA Matrix

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)

How To Write A Health Care Security Rule For A University

HIPAA Security Checklist

An Oracle White Paper December Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

HIPAA Audit Processes HIPAA Audit Processes. Erik Hafkey Rainer Waedlich

HIPAA Information Security Overview

HIPAA Security COMPLIANCE Checklist For Employers

HIPAA Compliance Guide

HIPAA Security Alert

HIPAA Security Rule Compliance

IBM Internet Security Systems. The IBM Internet Security Systems approach for Health Insurance Portability and Accountability Act compliance overview

Securing the FOSS VistA Stack HIPAA Baseline Discussion. Jack L. Shaffer, Jr. Chief Operations Officer

HIPAA/HITECH PRIVACY & SECURITY CHECKLIST SELF ASSESSMENT INSTRUCTIONS

Datto Compliance 101 1

SECURITY RISK ASSESSMENT SUMMARY

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice

HIPAA Security. 4 Security Standards: Technical Safeguards. Security Topics

Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification

Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

WHITE PAPER. Support for the HIPAA Security Rule RadWhere 3.0

HIPAA Security. Jeanne Smythe, UNC-CH Jack McCoy, ECU Chad Bebout, UNC-CH Doug Brown, UNC-CH

White Paper. Support for the HIPAA Security Rule PowerScribe 360

RAYSAFE S1 SECURITY WHITEPAPER VERSION B. RaySafe S1 SECURITY WHITEPAPER

HIPAA Security. assistance with implementation of the. security standards. This series aims to

SAMPLE HIPAA/HITECH POLICIES AND PROCEDURES MANUAL FOR THE SECURITY OF ELECTRONIC PROTECTED HEALTH INFORMATION

CHIS, Inc. Privacy General Guidelines

HIPAA Security. 1 Security 101 for Covered Entities. Security Topics

The second section of the HIPAA Security Rule is related to physical safeguards. Physical safeguards are physical measures, policies and procedures

Krengel Technology HIPAA Policies and Documentation

HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE

An Effective MSP Approach Towards HIPAA Compliance

ITS HIPAA Security Compliance Recommendations

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc.

UNIVERSITY OF CALIFORNIA, SANTA CRUZ 2015 HIPAA Security Rule Compliance Workbook

HIPAA Security. 5 Security Standards: Organizational, Policies. Security Topics. and Procedures and Documentation Requirements

HIPAA Compliance Guide

HIPAA Compliance: Are you prepared for the new regulatory changes?

WHITE PAPER. HIPAA-Compliant Data Backup and Disaster Recovery

Security Is Everyone s Concern:

Procedure Title: TennDent HIPAA Security Awareness and Training

HIPAA Privacy & Security White Paper

State HIPAA Security Policy State of Connecticut

HIPAA COMPLIANCE REVIEW

WHITE PAPER. HIPPA Compliance and Secure Online Data Backup and Disaster Recovery

Privacy Officer Job Description 4/28/2014. HIPAA Privacy Officer Orientation. Cathy Montgomery, RN. Presented by:

Policies and Compliance Guide

Privacy and Security Meaningful Use Requirement HIPAA Readiness Review

A Technical Template for HIPAA Security Compliance

HIPAA Security and HITECH Compliance Checklist

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security. Topics

Solutions Brief. Citrix Solutions for Healthcare and HIPAA Compliance. citrix.com/healthcare

HIPAA Security. 6 Basics of Risk Analysis and Risk Management. Security Topics

Cloud Computing in a HIPAA- Compliant World. NRTRC Telemedicine Conference Dean Oswald March 25, 2014

Research and the HIPAA Security Rule Prepared for the Association of American Medical Colleges by Daniel Masys, M.D. Professor and Chairman,

C.T. Hellmuth & Associates, Inc.

HIPAA and HITECH Regulations

HIPAA Security Series

Technical Safeguards is the third area of safeguard defined by the HIPAA Security Rule. The technical safeguards are intended to create policies and

Solutions for Health Insurance Portability and Accountability Act (HIPAA) Compliance

Nationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011

HIPAA COMPLIANCE AND DATA PROTECTION Page 1

Symantec Backup Exec 11d for Windows Servers New Encryption Capabilities

HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER

HIPAA/HITECH: A Guide for IT Service Providers

Complying with 45 CFR 164 HIPAA Security Standards; Final Rule

HIPAA Compliance for Mobile Healthcare. Peter J. Haigh, FHIMSS Verizon

University of Illinois at Chicago Health Sciences Colleges Information Technology Group Security Policies Summary

For more information on how to build a HIPAA-compliant wireless network with Lutrum, please contact us today!

Protecting Patient Information in an Electronic Environment- New HIPAA Requirements

HIPAA. considerations with LogMeIn

Ensuring HIPAA Compliance with Pros 4 Technology Online Backup and Archiving Services

HIPAA Compliance The Time is Now Changes on the Horizon: The Final Regulations on Privacy and Security. May 7, 2013

Policy Title: HIPAA Security Awareness and Training

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO

Projectplace: A Secure Project Collaboration Solution

HIPAA and Mental Health Privacy:

Supplier Security Assessment Questionnaire

AOA HIPAA SECURITY REGULATION COMPLIANCE MANUAL

HIPAA 203: Security. An Introduction to the Draft HIPAA Security Regulations

HIPAA Security: Complying with the HIPAA Security Rule Implementation Specifications Are You Correctly Addressing Them?

Transcription:

HIPAA Matrix Hardware : 164.308(a)(1) Management Process =Required, =Addressable Risk Analysis The Covered Entity (CE) can store its Risk Analysis document encrypted and offsite using EVault managed software solutions. Risk Management EVault technology provides a high degree of security by encrypting Protected Health Information (PHI) on the CE s servers. With EVault SaaS, data is transmitted over the network using additional over-the-wire encryption and is transferred to a secure, offsite data center thereby reducing risks and vulnerabilities for PHI. No EVault employee has access to the unencrypted PHI because the CE or business associate has the only encryption password. Sanction Policy EVault works with the CE to comply with sanction policies and procedures. Information System Activity Review Our licensed EVault Software and our EVault SaaS managed service both provide comprehensive reports for: Backup activity Restore activity Log files Late backup status 164.308(a)(2) Assigned Responsibility EVault Professional Services team will work with the CE s Officer to ensure that data protection policies adhere to the policy and procedures of the CE. www.evault.com 2011 EVault, Inc. All Rights Reserved.

HIPAA Matrix =Required, =Addressable 164.308(a)(3) Workforce Authorization and/or Supervision are designed to ensure that only those personnel with appropriate application as well as encryption passwords have access to PHI. Workforce Clearance Procedure The CE s Officer determines who has access to both application and encryption passwords. Termination Procedures As a part of the CE s termination procedures, allow authorized CE personnel to: Change encryption password and Change account password on the Vault 164.308(a)(4) Information Access Management Isolating Health Care Clearinghouse Function allow the CE to isolate data protection to authorized personnel and protect the electronic PHI (ephi) from the larger organization. Access Establishment and Modification easily allow the CE to implement policies and procedures for granting access to ephi through server as well as encryption password protection. The CE has the only password for encrypted ephi. Emergency Mode Operation Plan easily allow the CE to implement policies and procedures for granting and modifying a user s access to ephi through server as well as encryption password protection. The CE has the only password for encrypted ephi. 164.308(a)(5) Awareness and Training Reminders EVault will participate in a CE s periodic security updates on an as-needed basis. Protection from Malicious Software provide protection from malicious software by keeping a full copy of ephi encrypted and offsite. A CE can easily recover uncorrupted data online, 24 hours a day. Log-in Monitoring EVault records log-on activity for backup and restore tasks. This activity information can be provided to the CE as needed. Password Management EVault backup architecture is designed specifically so that only those personnel with appropriate application as well as encryption passwords have access to PHI. CEs can encrypt and store their passwords offsite with the EVault solution. 164.308(a)(6) Incident Procedures Response and Reporting EVault Software and EVault SaaS can mitigate harmful effects of security incidents by storing a full, encrypted copy of ephi offsite. Through EVault s managed service, this encrypted ephi is stored in secure data facilities.

HIPAA Matrix =Required, =Addressable 164.308(a)(7) Contingency Plan Data Backup Plan EVault Software and EVault SaaS are specifically designed to provide CEs better operational control of their data backup and recovery process. The automated process ensures that backups have occurred and are automatically transmitted offsite. The software facilitates customized data retention schedules. The solution limits human involvement, which can lead to error in the backup process or in tape transport. The backup and recovery process can be centrally controlled (through a graphical user interface) for remote locations. Data can be instantaneously recovered 24 x 7 x 365. Data is further secured by utilizing RAID arrays and redundant components. Data is encrypted and sent to secure data centers with limited physical access. Disaster Recovery Plan Emergency Mode Operation Plan Testing and Revision Procedure Applications and Data Criticality Analysis EVault provides data protection and recovery as a part of the CE s Disaster Recovery Plan. EVault s main purpose is to protect data in the event of a full disaster or file and folder recovery. EVault will also work with the CE to test data restoration as a part of the DR Plan. With EVault s managed service, data is automatically transmitted offsite and easily accessed 24 hours a day, 7 days a week. Data can be instantaneously restored while operating in an emergency mode. With EVault, data can be protected at an offsite facility of the CE s choice. CE can contract with EVault for periodic testing of data recovery. EVault solutions easily allow the CE to identify critical data and design customized retention policies to meet the needs of other contingency plan components. 164.308(a)(8) Evaluation CE can contract with EVault Professional Services for periodic evaluation of backed-up data integrity and the recovery process. 164.308(b)(1) Business Associate Contracts and Other Arrangement Written Contract or Other Arrangement EVault employees do not have access to protected health information and are not considered business associates; however, EVault understands the criticality of protecting health data and will work with CEs to insure compliance with the HIPAA Act.

HIPAA Matrix =Required, =Addressable 164.310(a)(1) Facility Access Controls Contingency Operations EVault SaaS customer data is stored in vaults located in highly secure data centers that provide limited physical access but have redundant systems and power. In the event of a disaster, using EVault Software and EVault SaaS solutions, data can be recovered via the network or the public Internet to a location selected by the CE. Only authorized personnel with application and encryption passwords can recover the data. Facility Plan EVault utilizes state-of-the-art data centers with limited physical access to host vaults. Access Control and Validation Procedures EVault s data center partners all maintain strict procedures to limit physical access to EVault storage vaults. Maintenance Records These state-of-the-art data centers feature best-in-class maintenance, security, and repair procedures. 164.310(b) Workstation Use n/a 164.310(c) Workstation Backed-up data is protected via application and encryption passwords that are restricted to authorized CE representatives. 164.310(d)(1) Device and Media Controls Disposal Subscribers to EVault SaS can receive a certificate that confirms that data has been deleted. Data deletion is done upon customer request only. Media Re-use EVault can provide a certificate to its EVault SaaS customers that confirms that data has been deleted before media is reused. Accountability EVault can provide to CE a record of the movements of hardware and electronic media utilized to perform backup and recovery upon request. Data Backup and Storage 164.312(a)(1) Access Control Unique User Identification EVault Software can provide a retrievable, exact copy of electronic PHI, when needed, before movement of equipment. EVault Software technology encrypts ephi at the source of the information, on the CE s computer servers. Only authorized CE representatives have server and encryption passwords. The CE assigns the unique user identification. In providing our managed data backup service, EVault SaaS, no EVault employee has access to the unencrypted PHI because the CE or business associate has the only encryption password.

HIPAA Matrix =Required, =Addressable Emergency Access Procedure are designed to provide fast, easy data recovery in case of an emergency. Access to information stored at EVault data centers can be done online at anytime. An authorized administrator at the CE can take advantage of EVault CentralControl to search through the data stored on the vault and recover the lost data online. Only the authorized system administrator can enter the vault account username and password as well as the encryption password to authenticate and get the data back. Automatic Logoff The EVault Software Agent scans the server on which it is installed to gather the blocks within files requiring backup. It compresses the files, encrypts them and then sends them over the network using network encryption to the storage vault. As soon as the transmission has been completed, it automatically disconnects from the customer server and logs off. Encryption and Decryption The Agent encrypts all data to be backed up on the server before sending it over the network. ephi is encrypted at two levels: Data is encrypted on the vault to ensure that only the CE system administrator has access to the information. Over-the-wire encryption ensures that the data is safe during transmission. The encryption password is entered by the system administrator while configuring the back up. If the need to recover data arises, only the system administrator can start a restore job and enter the encryption password to allow the software to bring back decrypted data to the server. 164.312(b) Audit Control EVault records information about users who back up and restore data. 164.312(c)(1) Integrity Mechanism to Authenticate Electronic Protected Health Information EVault uses two levels of authentication to protect health care information: Vault account authentication Encryption authentication The CE will implement policies and procedures to ensure that ephi has not been altered or destroyed in an unauthorized manner. If the CE finds that data has been altered on the originating server, original data can be restored online from the EVault backup. Data is destroyed only at the request of the CE. EVault will issue a certificate of data destruction if the CE requests that destruction.

HIPAA Matrix =Required, =Addressable 164.312(d) Person or Entity Authentication Authentication is required to back up and recover data to and from the vault as well as to decrypt the data. The CE s system administrator will authenticate with the vault when configuring a backup job by entering the username and password recorded on the vault. The user also enters an encryption password while configuring the backup job. It is impossible to decrypt the data while doing the restore without this key. 164.312(e)(1) Transmission Integrity Controls Controls can be run periodically to ensure data integrity. For example, the system administrator can run test restores to ensure that the data is intact and has not been corrupted. The CE system administrator has 24x7 access to the data stored on the vault and can start restores at any time through CentralControl), an easy-to-use graphic user interface. Encryption EVault delivers encryption in two levels at no additional cost: Over-the-wire encryption ensures that data can t be read during transmission over a network or public Internet. Encryption at storage location (vault) ensures that the data can only be decrypted by the owner of the encryption key (CE entity system administrator). EVault utilizes the following encryption: 128-bit or 256-bit AES 56-bit or 128-bit Blowfish 56-bit or 112-bit Triple-DES Take the Next Step To learn more about EVault storage solutions, call 1.877.901.DATA (3282), email concierge@evault.com, or visit www.evault.com. Headquarters 3101 Jay Street, Suite 110 Santa Clara, CA 95054 877.901.DATA (3282) www.evault.com Netherlands (EMEA HQ) +31 (0) 73 648 1400 France +33 (0) 1 55 27 35 24 UK +44 (0) 1932 445 370 EVault and the EVault logo are registered trademarks of EVault Inc. All other trademarks or registered trademarks are the property of their respective owners. 2011.11.0099_Soln (updated 11/30/2011)

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information