Orbograph HIPAA/HITECH Compliance, Resiliency and Security Version 1.0 August 2013
Legal Notice

This document is delivered subject to the following conditions and restrictions: The document contains proprietary information belonging to Orbograph, Ltd. Such information is supplied solely for explicitly and properly assisting authorized users of Orbograph products. No part of the document contents may be used for any other purpose, disclosed to any person or firm, or reproduced by any means, electronic or mechanical, without the express prior written permission of Orbograph Ltd. The text and graphics are for the purpose of illustration and reference only. The specifications on which they are based are subject to change without notice. Corporate and individual names and data used in examples herein are fictitious unless otherwise noted. The software described in this document is furnished under license. The software may be used or copied only in accordance with the terms of the license agreement specified in this document. This document is provided for informational purposes only and is subject to change without notice.

Copyright 2013 Orbograph Ltd. All rights reserved. All trademarks used herein are the property of their respective owners.
Table of Contents

Chapter 1. Introduction ... 2
Chapter 2. HIPAA/HITECH Considerations ... 3
  HIPAA ... 3
  HITECH ... 5
Chapter 3. Resiliency and Security ... 7
  Administrative Safeguards ... 7
  Physical Safeguards ... 8
  Logical Safeguards ... 9
  Resiliency ... 9
  Conclusion ... 10

Page i
Chapter 1. Introduction

Regulatory compliance is a critical consideration for solution vendors in the healthcare and dental payments space. Compliance standards define the requirements the industry must meet through regulation. Chapter 2 of this document first addresses the compliance requirements behind HIPAA and HITECH. After these regulations are described, Chapter 3 provides an overview of how Orbograph's healthcare payments solutions meet these requirements.

Although processing healthcare payments in today's environment may not require real-time processing in all areas, it does require a strong resiliency plan for the system to eliminate processing disruptions. This document also addresses how the Orbograph solution is configured on a software and hardware platform that assures high system availability for end-to-end payment processing.

Orbograph's Healthcare and Dental Revenue Cycle Management solutions comprise two offerings for processing explanation of benefits (EOB) forms as well as electronic remittance advices (ERAs). These offerings are listed below.

- Orbograph P2Post converts scanned images of paper EOBs into EDI 835 files. Both the original image of the EOB and the output are stored in the HRCM Portal. Additionally, X.12 EDI 837 claim files are often used to improve the EDI 835 output. These claim files are typically stored in the portal as well.
- Orbograph E2Post provides matching and reconciliation of electronic claim files (837) with remittance advices (835) at the service line level. These files are stored in the portal.

All of these Orbograph components are hosted in a secure cloud-based environment, with the HRCM Portal serving as the user interface that displays the workflow status of all processing. Files generated during this process are archived as well. The HRCM Portal also offers a wide range of search options to support the revenue cycle management process of a biller, healthcare provider or medical lockbox.
Chapter 2. HIPAA/HITECH Considerations

This chapter examines the key industry events and legislation that drove the requirements around HIPAA and HITECH.

HIPAA

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the Secretary of the U.S. Department of Health and Human Services (HHS) to develop regulations protecting the privacy and security of certain health information. To fulfill this requirement, HHS published what are commonly known as the HIPAA Privacy Rule and the HIPAA Security Rule. The Privacy Rule, or Standards for Privacy of Individually Identifiable Health Information, establishes national standards for the protection of certain health information.

Privacy Rule

A major goal of the Privacy Rule is to assure that individuals' health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public's health and well-being. The Rule strikes a balance that permits important uses of information while protecting the privacy of people who seek care and healing. Given that the health care marketplace is diverse, the Rule is designed to be flexible and comprehensive enough to cover the variety of uses and disclosures that need to be addressed.

In addition, the HIPAA Privacy Rule establishes national standards to protect individuals' medical records and other personal health information. This rule applies to health plans, clearinghouses and those healthcare providers that conduct certain healthcare transactions electronically. The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including the right to examine and obtain a copy of their health records and to request corrections.
Security Rule

The HIPAA Security Rule establishes national standards to protect individuals' electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.
The Security Rule operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that organizations, called covered entities, must put in place to secure individuals' electronic protected health information (e-PHI).

Protected Health Information (PHI) is health information about a patient created or received by healthcare providers and health plans. PHI includes information sent or stored in any form (written, verbal, electronic):
- That identifies the patient or can be used to identify the patient
- That generally is about a patient's past, present and/or future treatment and payment of services
- That is individually identifiable health information
- Transmitted or maintained in any form or medium by a Covered Entity, Clearinghouse or its Business Associate

PHI includes all of the following patient-specific details:
- Patient names or initials
- Patient date of birth
- Home addresses, including ZIP codes
- Telephone and fax numbers
- Email addresses
- Social Security Numbers
- Medical record numbers
- Health plan numbers

When creating test sets of data for pre-system processing or for sharing examples between vendor and healthcare provider, the following precautions must be taken:
- Removal of certain identifiers so that the individual who is the subject of the PHI may no longer be identified
- Stripping of listed identifiers such as patient names, geographic subdivisions, all elements of dates and SSNs

Vendors processing healthcare payments should pay close attention to the following guidelines:
- Do not use or disclose PHI other than as permitted by the agreement or required by law
- Use appropriate safeguards to protect the confidentiality of the information
- Report to the Covered Entity any use or disclosure not permitted by the agreement
- Ensure that any of its agents or subcontractors will agree to the same restrictions and conditions as the Business Associate

Enforcement

Within HHS, the Office for Civil Rights (OCR) has responsibility for enforcing the Privacy and Security Rules through voluntary compliance activities and civil money penalties. Vendors must be aware of the penalties associated with violating HIPAA. They include:
- $100 fine per day for each standard violation (up to $25,000 per person, per year, per standard).
- $50,000 fine + up to one year in prison for improperly obtaining or disclosing health information.
- $100,000 fine + up to five years in prison for obtaining or disclosing health information under false pretenses.
- $250,000 fine + up to ten years in prison for obtaining health information with the intent to sell, transfer or use for commercial advantage, personal gain or harm.

With this enforcement infrastructure in place, it is important to note that there is no HIPAA certification. Each company must create its own policies and procedures and demonstrate compliance to manage its own liability. Audits must also be completed to ensure that the policies and procedures are in place and enforced to meet HIPAA requirements. Orbograph has implemented a strong set of policies and procedures in its software development, infrastructure and operations management processes. These policies can be provided upon request.
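The test-data precautions above (remove identifiers so the subject can no longer be identified, and strip names, geographic subdivisions, all elements of dates and SSNs) can be enforced mechanically rather than by hand. The Python below is an added example written for this page, not Orbograph code: it de-identifies an EOB-style record by field name, scrubs free-text fields for identifier patterns that survive, and provides a residual-identifier check to run before a test set is shared. The record layout, the field names and the sample EOB values are constructed assumptions.

```python
import json
import re

# Record keys treated as direct identifiers, mapped to the PHI category from the
# list above. These EOB-style field names are an assumption for this example,
# not Orbograph's schema.
IDENTIFIER_FIELDS = {
    "patient_name": "name", "date_of_birth": "date", "date_of_service": "date",
    "address": "geographic", "zip": "geographic", "phone": "phone",
    "email": "email", "ssn": "ssn", "medical_record_number": "mrn",
    "health_plan_number": "plan_number",
}

# Patterns for identifiers that leak into free-text fields (remarks, notes).
# ZIP codes are deliberately not pattern-matched: a five-digit procedure code
# would collide, so geographic data is handled by field name only.
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)"),
    "phone": re.compile(r"(?<!\d)\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}(?!\d)"),
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "date": re.compile(r"(?<!\d)\d{1,2}/\d{1,2}/(?:\d{4}|\d{2})(?!\d)"),
}


def scrub_text(text):
    """Replace any residual identifier pattern in free text with a labelled token."""
    for name, pattern in RESIDUAL_PATTERNS.items():
        text = pattern.sub(f"[{name.upper()} REMOVED]", text)
    return text


def deidentify(value, key=None):
    """Return a de-identified copy of a record, list or scalar.

    Direct identifier fields become a category token, other strings are scrubbed
    for residual patterns, containers are walked recursively, and numbers
    (amounts, counts) pass through untouched so the test set stays useful.
    """
    if key in IDENTIFIER_FIELDS:
        return f"[{IDENTIFIER_FIELDS[key].upper()} REMOVED]"
    if isinstance(value, dict):
        return {k: deidentify(v, k) for k, v in value.items()}
    if isinstance(value, list):
        return [deidentify(v) for v in value]
    if isinstance(value, str):
        return scrub_text(value)
    return value


def residual_identifiers(value, path=""):
    """List (path, category) for every string that still matches a PHI pattern.

    Run on the de-identified output before a test set leaves the system: an
    empty list is the release gate, anything else names where PHI survived.
    """
    findings = []
    if isinstance(value, dict):
        for k, v in value.items():
            findings += residual_identifiers(v, f"{path}.{k}" if path else k)
    elif isinstance(value, list):
        for i, v in enumerate(value):
            findings += residual_identifiers(v, f"{path}[{i}]")
    elif isinstance(value, str):
        findings += [(path, n) for n, p in RESIDUAL_PATTERNS.items() if p.search(value)]
    return findings


# Constructed sample EOB record; every value here is fictitious.
SAMPLE_EOB = {
    "claim_id": "CLM-TEST-0001",
    "patient_name": "Jane Example",
    "date_of_birth": "01/02/1970",
    "date_of_service": "03/04/2013",
    "address": "12 Sample St", "zip": "00000",
    "phone": "(555) 010-2222", "email": "jane@example.invalid",
    "ssn": "000-00-0000",
    "medical_record_number": "MRN-TEST-1", "health_plan_number": "PLAN-TEST-1",
    "payer": "Example Health Plan",
    "service_lines": [{
        "procedure_code": "99213", "billed": 125.00, "paid": 98.50,
        "remark": "Patient reached at 555-010-2222 on 03/04/2013",
    }],
}


if __name__ == "__main__":
    print("Residual PHI in raw record:", residual_identifiers(SAMPLE_EOB))
    cleaned = deidentify(SAMPLE_EOB)
    print(json.dumps(cleaned, indent=2))
    print("Residual PHI after scrub:", residual_identifiers(cleaned))
```

Two design choices matter in practice. Unknown fields pass through unchanged, so a new column added to the record format is not protected until it is added to IDENTIFIER_FIELDS; the residual check is the safety net for exactly that case, and a non-empty result should block release of the test set. ZIP codes are removed by field name only, because a five-digit pattern match would also erase procedure codes and make the test set useless for 835 reconciliation.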
HITECH

The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, was signed into law on February 17, 2009. It is designed to promote the adoption and meaningful use of health information technology. Subtitle D of the HITECH Act addresses the privacy and security concerns associated with the electronic transmission of health information, in part through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules.
Section 13410(d) of the HITECH Act, which became effective on February 18, 2009, revised section 1176(a) of the Social Security Act (the Act) by establishing:
- Four categories of violations that reflect increasing levels of culpability;
- Four corresponding tiers of penalty amounts that significantly increase the minimum penalty amount for each violation; and
- A maximum penalty amount of $1.5 million for all violations of an identical provision.

It also amended section 1176(b) of the Act by:
- Striking the previous bar on the imposition of penalties if the covered entity did not know, and with the exercise of reasonable diligence would not have known, of the violation (such violations are now punishable under the lowest tier of penalties); and
- Providing a prohibition on the imposition of penalties for any violation that is corrected within a 30-day time period, as long as the violation was not due to willful neglect.

This interim final rule reconciles HIPAA's enforcement regulations to these statutory revisions that are currently effective under section 13410(d) of the HITECH Act. This interim final rule does not make amendments with respect to those enforcement provisions of the HITECH Act that are not yet effective under the applicable statutory provisions.
Chapter 3. Resiliency and Security

The three critical areas of HIPAA/HITECH covered in this chapter are:
- Administrative Safeguards
- Physical Safeguards
- Logical Safeguards

In addition to these security considerations, the resiliency and reliability factors of the Orbograph solution will be presented.

Administrative Safeguards

What are Administrative Safeguards? The Security Rule defines administrative safeguards as "administrative actions, and policies and procedures, to manage the selection, development, implementation and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity's workforce in relation to the protection of that information."

Administrative security covers a wide range of considerations for an organization. Orbograph has addressed these topics very directly, as summarized below:
- Risk Assessment: Orbograph management and IT teams have built a software platform which is currently deployed on the Amazon Web Services (AWS) platform. In both the software development model and the hardware hosting the solution, a strong plan is in place to ensure reliability and uptime and to provide security for all system data, including PHI.
- Minimal Exposure Practice: Orbograph has implemented policies to minimize the amount of PHI that is necessary for specific tasks and functions. This is important in the operational aspects of the system.
- Departmental Procedures: These procedures are documented for end-user client review as well as for auditing purposes.
- Annual Training: Training is completed on HIPAA topics throughout the year via both on-premise training and web training.
- Annual Testing: Testing of system components is completed as part of a comprehensive technical audit process. Examples within the Orbograph Portal application include (see the Orbograph HRCM Portal User Guide):
  - Daily Files Summary
  - File Monitoring Audit

Physical Safeguards

What are Physical Safeguards? The Security Rule defines physical safeguards as "physical measures, policies and procedures to protect a covered entity's electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion."

Physical security addresses the location of the servers and IT infrastructure. Orbograph has two locations which are considerations for physical security: Amazon Web Services as well as the Orbograph development facility. Physical security is addressed at both locations with the following processes:
- Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems and other electronic means.
- Authorized staff must pass two-factor authentication a minimum of two times to access datacenter floors.
- All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.
Logical Safeguards

What are Logical Safeguards? Logical security consists of software safeguards for an organization's systems, including user identification and password access, authentication, access rights and authority levels. These measures ensure that only authorized users are able to perform actions or access information in a network or on a workstation. It is a subset of computer security. The Security Rule defines technical safeguards in 164.304 as "the technology and the policy and procedures for its use that protect electronic protected health information and control access to it."

Several key components of the Orbograph logical security considerations include:
- Intrusion detection
- Multiple firewalls
- Data is not directly accessible and is multiple layers deep

The comprehensive approach deployed by Orbograph to address these considerations includes:
- AWS Trusted Advisor: covers security and system health
- NagVis layered on top of Nagios: system health (CPU, disk space, utilization, etc.) monitoring and alerting
- Snorby: intrusion detection and prevention
- Graylog2: collects all logs from the system
- NOD32: monitoring for virus attacks
- Duo Security and OpenVPN

Resiliency

The Orbograph HRCM solution is built to be highly resilient to minimize any downtime. Considerations for resiliency include:
- AWS (Amazon) and Orbograph double-layered redundancy
- Mirrored server farms
- Geographically diverse facility locations, all within the USA
- Outstanding monitoring
- Proactive actions
The AWS platform is an impressive hosting solution. Orbograph has built its policies and procedures to leverage and complement the outstanding AWS monitoring tools. For a more detailed summary of the AWS risk, compliance, security and monitoring solutions, see http://aws.amazon.com/about-aws/whats-new/2008/09/05/amazon-web-services-securitywhitepaper/.

Conclusion

Because Orbograph is part of a 400M publicly traded company, we approach our solution set as a data center entity. We have the resources to ensure our services and software solutions are designed to meet and exceed HIPAA/HITECH requirements. As each module for our system is developed and enhanced, the administrative, physical and logical safeguards are incorporated into the deliverable. The result is a secure and resilient system which can be relied upon not only to be fault-tolerant, but to meet service level agreements in system performance. Ultimately, our deliverable will reduce the risk of non-compliance and downtime for a healthcare provider, financial institution or biller.

For a technical review of system details, please contact your Orbograph representative or email info@orbograph.com.