Support for the HIPAA Security Rule




WHITE PAPER
Support for the HIPAA Security Rule
PowerScribe 360 Reporting v2.0
HEALTHCARE


SUMMARY

This white paper is intended to assist Nuance customers who are evaluating the security aspects of PowerScribe 360 Reporting as part of the risk analysis required for Health Insurance Portability and Accountability Act (HIPAA) Security Rule compliance. The paper describes specific features of PowerScribe 360 Reporting in the context of the security standards and analyzes how the system can support an organization's efforts to attain HIPAA Security Rule compliance.

Nuance Communications understands that compliance presents a significant challenge for our customers. We continue to enhance PowerScribe 360 Reporting product features and services to address the security and compliance efforts of our customers.

HIPAA SECURITY RULE COMPLIANCE

The HIPAA Security Rule ("the rule") was published to protect the confidentiality, integrity and availability of electronic protected health information (ePHI). The rule, codified in 45 CFR Parts 160, 162 and 164, establishes the minimum national standards for information systems with access to ePHI. PowerScribe 360 Reporting manages and stores ePHI as dictations and medical reports in electronic form and thus must be included in the risk assessment activities our customers carry out for HIPAA Security Rule compliance.

Compliance with the rule was required no later than April 21, 2005. Small health plans were required to comply no later than April 21, 2006.

The rule establishes a minimum set of administrative, technical and physical standards and implementation specifications which must be addressed. However, it is written in terms that are as generic as possible and which, generally speaking, may be met through various approaches or technologies. [1] Thus the rule is not prescriptive. The steps an institution will actually need to take to comply with these regulations depend upon its own particular environment, circumstances and risk assessment. [2] An institution cannot simply purchase "HIPAA certified" hardware or software to achieve compliance. Rather, it must implement policies and procedures which are consistent with the rule and evaluate technology decisions based upon a risk assessment process. The standards do not allow organizations to make their own rules, only their own technology choices. [3]

HIPAA is flexible. According to the rule, "Covered entities may use any security measures that allow the covered entity to reasonably and appropriately implement the standards and implementation specifications as specified in this subpart." What is reasonable and appropriate is based upon the findings of a risk assessment which considers size, complexity, capability, technical infrastructure, probability of risk, criticality of data and the cost of the security measure. In other words, an institution must demonstrate that its choices are reasonable and appropriate given the cost and the benefit.

PowerScribe 360 Reporting was introduced to the market in November 2010 as a speech-enabled dictation system with completely integrated transcription functionality. The product and its features have evolved from two mature radiology reporting platforms that have been merged to meet complex customer needs. The application is designed to capture dictated audio and use speech recognition to generate text reports in order-centric environments.

[1] Federal Register, Vol. 68, No. 34, p. 8336.
[2] Ibid.
[3] Federal Register, Vol. 68, No. 34, p. 8343.

This white paper provides a brief analysis of how PowerScribe 360 Reporting supports an organization's efforts to comply with the HIPAA Security Rule standards. The paper also describes HIPAA-related security features in the latest versions of the software and covers the following product components:

- PowerScribe 360 Reporting Dictation/Correction Client
- Administration Portal

PowerScribe 360 Reporting contains multiple levels of system security to protect patient confidentiality, and user or group privileges that grant or restrict access to specific product features. The system is equipped with comprehensive audit and reporting capabilities that provide details of document creation, users, editors, signers, timestamps, viewing, distribution, etc.

POWERSCRIBE 360 REPORTING HIPAA SECURITY RULE COMPLIANCE FEATURES/OFFERING

Nuance Communications, in collaboration with an independent consulting firm specializing in IT security and the HIPAA Security Rule, conducted an assessment of PowerScribe 360 Reporting and developed this white paper. The paper describes HIPAA-related security features in the above-mentioned version of the PowerScribe 360 Reporting software; it does not discuss security features in previously released versions.

The following sections list the HIPAA standards and their implementation specifications, mark each implementation specification as required (R) or addressable (A), and identify the key PowerScribe 360 Reporting product features that will complement efforts to achieve HIPAA Security Rule compliance. PowerScribe 360 Reporting features alone do not ensure HIPAA Security Rule compliance; they are only features that may be useful as the customer takes steps toward compliance.

ADMINISTRATIVE SAFEGUARDS

Security Management Process
  Risk Analysis (R)
  Risk Management (R)
  Sanction Policy (R)
  Information System Activity Review (R)
Assigned Security Responsibility (R)

PowerScribe 360 Reporting support: This white paper provides details intended to assist an institution in completing a HIPAA risk analysis of the PowerScribe 360 Reporting product. PowerScribe 360 Reporting includes a number of configurable security measures that improve an institution's ability to manage risks and vulnerabilities. These security measures include user and password management, session encryption, audit and logging mechanisms, and configurable workflow processes that can improve data integrity. Passwords can be administratively changed, and user accounts can be administratively disabled, to revoke access in support of a sanction policy. Various audit reports provide information vital to implementing the Information System Activity Review specification. Two levels of authority, Site Administrator and System Administrator, are provided for administering the various security mechanisms featured in PowerScribe 360 Reporting.

Workforce Security
  Authorization and/or Supervision (A)
  Workforce Clearance Procedure (A)
  Termination Procedures (A)

PowerScribe 360 Reporting support: PowerScribe 360 Reporting's role-based user accounts can be easily incorporated into the access authorization and workforce clearance processes and procedures that an institution implements to determine appropriate access to protected information. Passwords can be administratively changed to revoke access in support of termination procedures. User accounts can be administratively disabled or completely removed to revoke access in support of termination procedures.

Information Access Management
  Isolating Healthcare Clearinghouse Functions (R)
  Access Authorization (A)
  Access Establishment and Modification (A)

PowerScribe 360 Reporting support: PowerScribe 360 Reporting helps support the access authorization specifications by providing centralized role-based security: user accounts can be created based on roles, departments, geographic locations or other identifying criteria, so that users are granted unique user rights and privileges. PowerScribe 360 Reporting provides a comprehensive capability to create and manage user accounts and their associated roles and privileges via two levels of administration (Site Administrators and System Administrators), each with its own grouping of functions. The following roles can be added or revoked per user by administrators, depending on their privileges:

- Author: enables report authors to use the Dictation/Correction Client to create reports. Includes roles for Attending, Resident and Fellow.
- Transcriptionist: enables access to the Dictation/Correction Client for editing and correction of dictated reports.
- Order Entry: enables access to the Order Entry application to enter new patients and orders into PowerScribe 360 Reporting.
- Site Administrator: enables access to perform site administrator functions.
- System Administrator: enables access to perform system administrator functions.
- Technologist: enables access to create draft reports and set field values.
- Front Desk Staff: enables access to scan patient documents.

Note: See the PowerScribe 360 Reporting Administrator Guide for the privileges associated with each role.

Security Awareness and Training
  Security Reminders (A)
  Protection from Malicious Software (A)
  Log-in Monitoring (A)
  Password Management (A)

PowerScribe 360 Reporting support:

Security Reminders: The PowerScribe 360 Reporting Administrator Guide and periodic information articles sent to customers provide security-related recommendations and instructions. The Nuance Professional Services Group can also be contracted to provide installation and/or operational process and procedural guidance to support a customer's unique implementation requirements and training activities.

Protection from Malicious Software: PowerScribe 360 Reporting has been tested with the following anti-virus packages:
- Symantec Norton Antivirus (certified)
- McAfee (known to work but not certified)

Log-in Monitoring: The Dashboard page in the Administration Portal can be used to monitor all users currently on the system. The following login statistics can be viewed at any time:
- Login ID: the user's login ID
- Name: the user's name
- Session length: how long the user has been logged in
- Workstation: the name of the user's client machine
- Report info: information about the report the user is currently working on
- Last action: the last workflow action by the user
The Account Audit page in the Administration Portal can be used to view a history of events related to a user's account, including logon, logoff, failed logon attempts and password changes.

Password Management: The following password management features are available:
- Masked password entry
- Password aging and forced expiration
- Administrative password reset and change
- Strong password option requiring a minimum length of 6 characters with at least one letter and one digit
- Password encrypted in storage
Whether a 6-character minimum is adequate for a given deployment is a question for the institution's own risk assessment.

Security Incident Procedures
  Response and Reporting (R)

PowerScribe 360 Reporting support: The PowerScribe 360 Reporting exam explorer and reporting engine can be utilized in responding to incidents and support the forensics and investigation processes by generating very detailed standard or custom reports. Reports can also be exported for additional processing and analysis.

Contingency Plan
  Data Backup Plan (R)
  Disaster Recovery Plan (R)
  Emergency Mode Operation Plan (R)
  Testing and Revision Procedures (A)
  Applications and Data Criticality Analysis (A)

PowerScribe 360 Reporting support: Backups of critical PowerScribe 360 Reporting files can be made with any software which can successfully back up SQL Server databases and Windows. PowerScribe 360 Reporting has been tested with the following backup product: Veritas Backup Exec. Disaster recovery procedures for PowerScribe 360 Reporting can be crafted based upon standard Windows and SQL Server disaster recovery technologies, strategies and third-party solutions. PowerScribe 360 Reporting is compatible with backup and disk imaging products that are certified to work with the current Windows desktop and server operating systems.

Evaluation (R)

PowerScribe 360 Reporting support: Nuance continually reviews customer requests for security features and enhancements based upon the results of internal risk assessment activities.

Business Associate Contracts and Other Arrangements
  Written Contract or Other Arrangement (R)

PowerScribe 360 Reporting support: Nuance will execute HIPAA Business Associate Agreements with customers who purchase maintenance or other services.

PHYSICAL SAFEGUARDS

Facility Access Controls
  Contingency Operations (A)
  Facility Security Plan (A)
  Access Control and Validation Procedures (A)
  Maintenance Records (A)

PowerScribe 360 Reporting support: N/A

Workstation Use (R)

PowerScribe 360 Reporting support: N/A

Workstation Security (R)

PowerScribe 360 Reporting support: PowerScribe 360 Reporting uses standard Windows workstations, which support a variety of physical security mechanisms. PowerScribe 360 Reporting supports session termination after a specified period of inactivity.

Device and Media Controls
  Disposal (R)
  Media Re-use (R)
  Accountability (A)
  Data Backup and Storage (A)

PowerScribe 360 Reporting support: N/A

TECHNICAL SAFEGUARDS

Access Control
  Unique User Identification (R)
  Emergency Access Procedure (R)
  Automatic Logoff (A)
  Encryption and Decryption (A)

PowerScribe 360 Reporting support: PowerScribe 360 Reporting fully supports the creation, maintenance and use of unique user identifiers. PowerScribe 360 Reporting also supports standard Lightweight Directory Access Protocol (LDAP) services to authenticate users (username/password). Administrator accounts can be used to provide full access to system features in the event of an emergency. PowerScribe 360 Reporting has a configurable inactivity timeout feature that can be utilized to automatically log off idle users within the application. Third-party encryption and decryption solutions can be used at the customer's discretion but are not supported by PowerScribe 360 Reporting.

Audit Controls (R)

PowerScribe 360 Reporting support: In addition to the standard audit and logging features found in the Windows operating system and the SQL Server database system, PowerScribe 360 Reporting includes a robust auditing feature that records activities performed by administrators and users of PowerScribe 360 Reporting. Database tables capture detailed information concerning the activities performed in each of the PowerScribe 360 Reporting application areas: Administrator (ADM), PowerScribe 360 Reporting API (API), Dictation/Correction (DC), Order Entry (OE) and System (SYS). The following information is captured for every event:
- Date and time
- Computer name
- Application area
- User name
- Admin user name
- Description of event
Other activities recorded include:
- User logins, logouts and failed logon attempts
- Password changes
- Add, modify, delete users
- Preference changes
- Order information created or updated by the RIS
- Reports created, edited, viewed or deleted
- Reports signed
- Reports faxed
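The Log-in Monitoring statistics and Account Audit history described under Security Awareness and Training, together with the per-event fields listed under Audit Controls above, are the raw material for the Information System Activity Review the rule requires. The script below is an added example written for this page, not Nuance code. It assumes audit rows have been exported as (date/time, computer name, application area, user name, admin user name, description of event) tuples, the six fields the paper lists, and that logon outcomes and administrative actions appear in the description text. The sample rows, the description strings, the five-failures-in-five-minutes threshold and the 07:00 to 19:00 business hours are all constructed assumptions; a real deployment would read the product's audit tables and use whatever description text the product actually writes.

```python
"""Activity review over PowerScribe-style audit events.

Added example for this page, not Nuance code. The six-field row layout is the
one the white paper lists; the description strings, thresholds and sample rows
are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows: (date/time, computer name, application area,
# user name, admin user name, description of event).
SAMPLE_EVENTS = [
    ("2013-11-04 08:01:10", "RAD-WS-07", "DC", "jsmith", "", "Logon succeeded"),
    ("2013-11-04 08:02:30", "RAD-WS-07", "DC", "jsmith", "", "Report created"),
    ("2013-11-04 08:44:02", "RAD-WS-12", "DC", "mlee", "", "Logon failed"),
    ("2013-11-04 08:44:09", "RAD-WS-12", "DC", "mlee", "", "Logon failed"),
    ("2013-11-04 08:44:15", "RAD-WS-12", "DC", "mlee", "", "Logon failed"),
    ("2013-11-04 08:44:21", "RAD-WS-12", "DC", "mlee", "", "Logon failed"),
    ("2013-11-04 08:44:27", "RAD-WS-12", "DC", "mlee", "", "Logon failed"),
    ("2013-11-04 08:44:40", "RAD-WS-12", "DC", "mlee", "", "Logon succeeded"),
    ("2013-11-04 12:15:00", "ADMIN-01", "ADM", "", "sysadm", "User added: tempuser"),
    ("2013-11-04 23:30:05", "ADMIN-01", "ADM", "", "sysadm", "User deleted: tempuser"),
    ("2013-11-05 07:59:59", "RAD-WS-03", "DC", "tnguyen", "", "Logon failed"),
    ("2013-11-05 08:00:30", "RAD-WS-03", "DC", "tnguyen", "", "Logon succeeded"),
]

LOGON_FAILED = "Logon failed"        # assumed description text
LOGON_SUCCEEDED = "Logon succeeded"  # assumed description text


def parse_events(rows):
    """Convert raw rows into dicts with a datetime, sorted by time."""
    events = [
        {
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "computer": computer,
            "area": area,
            "user": user,
            "admin_user": admin_user,
            "description": description,
        }
        for ts, computer, area, user, admin_user, description in rows
    ]
    events.sort(key=lambda e: e["time"])
    return events


def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Find users with at least `threshold` failed logons inside `window`.

    A burst of failures that ends in a successful logon is the trace a
    guessed or shared password leaves, so that case is flagged separately.
    Returns {user: {"first_failure", "failures", "workstation", "success_after"}}.
    """
    recent = defaultdict(list)  # user -> failure times still inside the window
    findings = {}
    for e in events:
        user = e["user"]
        if e["description"] == LOGON_FAILED:
            times = [t for t in recent[user] if e["time"] - t <= window]
            times.append(e["time"])
            recent[user] = times
            if len(times) >= threshold:
                finding = findings.setdefault(user, {
                    "first_failure": times[0],
                    "workstation": e["computer"],
                    "success_after": False,
                })
                finding["failures"] = len(times)
        elif e["description"] == LOGON_SUCCEEDED:
            # A success closes the run; if it lands inside the window of a
            # flagged burst, record that whoever was trying got in.
            if user in findings and recent[user] and e["time"] - recent[user][-1] <= window:
                findings[user]["success_after"] = True
            recent[user] = []
    return findings


def after_hours_admin_actions(events, start_hour=7, end_hour=19):
    """Administrative-area (ADM) actions outside assumed business hours."""
    return [
        e for e in events
        if e["area"] == "ADM" and e["admin_user"]
        and not (start_hour <= e["time"].hour < end_hour)
    ]


def activity_review(rows):
    """Run both checks over raw audit rows and return the findings."""
    events = parse_events(rows)
    return {
        "logon_bursts": failed_logon_bursts(events),
        "after_hours_admin": after_hours_admin_actions(events),
    }


if __name__ == "__main__":
    review = activity_review(SAMPLE_EVENTS)
    for user, f in review["logon_bursts"].items():
        print(f"{user}: {f['failures']} failed logons from {f['workstation']} "
              f"starting {f['first_failure']}; followed by success: {f['success_after']}")
    for e in review["after_hours_admin"]:
        print(f"after hours: {e['time']} {e['admin_user']} {e['description']}")
```

On the constructed rows the review flags one burst (five failures for mlee from RAD-WS-12 inside 25 seconds, followed by a successful logon) and one after-hours administrative action (the deletion of tempuser at 23:30); the single failure for tnguyen stays below the threshold. The same two checks map directly onto the sanction-policy and termination-procedure uses of the audit data described earlier: a flagged burst is an input to the sanction process, and an account created and deleted within a day by one administrator is exactly the kind of change the review should surface.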

Integrity
  Mechanism to Authenticate ePHI (A)

PowerScribe 360 Reporting support: PowerScribe 360 Reporting utilizes both application and operating system features to restrict access rights to authorized users as a preventive integrity control. Application and operating system audit logs can be used to track the activity of authorized users and detect the activity of unauthorized users as a detective integrity control. Purging of audio and text files is configurable at the administrative level and can be disabled entirely. Configurable workflow processes can be implemented to facilitate integrity checking by requiring transcribed reports to be reviewed for accuracy prior to being signed.

Person or Entity Authentication (R)

PowerScribe 360 Reporting support: PowerScribe 360 Reporting is compatible with all Windows-based biometric and multi-factor authentication schemes when they are used as prescribed by the vendor. PowerScribe 360 Reporting supports Lightweight Directory Access Protocol (LDAP) for those institutions that leverage LDAP services to authenticate users.

Transmission Security
  Integrity Controls (A)
  Encryption (A)

PowerScribe 360 Reporting support: The PowerScribe 360 Reporting Web portal supports Secure Sockets Layer (SSL) communication between browser-based clients and servers to protect data integrity and data confidentiality. The PowerScribe 360 Reporting Windows client connects to the database without encryption, and therefore relies upon lower-level integrity and encryption services such as a VPN, the Windows operating system and TCP/IP network devices to protect data in transmission. Without one of those lower-level services in place, ePHI between the Windows client and the database crosses the network in clear text, so the institution's risk assessment should confirm which of them is in use.

WP-PSR-HIPAASECURITY-V2-11/13 DTM. Copyright 2013 Nuance Communications, Inc. All rights reserved. Nuance, the Nuance logo, and PowerScribe are trademarks and/or registered trademarks of Nuance Communications, Inc. or its affiliates in the United States and/or other countries. All other brand and product names are trademarks or registered trademarks of their respective companies.