RADSpa HIPAA Compliance
Contents
1. Introduction
   1.1. Scope and Field of Application
   1.2. HIPAA
2. Security Architecture
   2.1 Authentication
   2.2 Authorization
   2.3 Confidentiality
      2.3.1 Secure Communication
      2.3.2 Encryption
   2.4 Non-Repudiation
      2.4.1 Data Audit
      2.4.2 Event Audit
   2.5 Safeguards
      2.5.1 Physical Safeguards
      2.5.2 Technical Safeguards
3. HIPAA Compliance
   3.1 Privacy Rule
      3.1.1 Data at Rest
      3.1.2 Data in Transit
   3.2 Security Rule
      3.2.1 Audit Trail
1. Introduction

1.1. Scope and Field of Application

This document explains how RADSpa complies with HIPAA regulations. It describes the architecture and design decisions that ensure compliance with the HIPAA Act.

1.2. HIPAA

According to the Centers for Medicare and Medicaid Services (CMS) website, Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs. Title II of HIPAA, known as the Administrative Simplification (AS) provisions, requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers. The Administration Simplification provisions also address the security and privacy of health data. The standards are meant to improve the efficiency and effectiveness of the nation's health care system by encouraging the widespread use of electronic data interchange in the U.S. health care system.
2. Security Architecture

2.1 Authentication

Users must be authenticated before they can access patient data in RADSpa. User passwords are stored in the database only in one-way (hashed) form, so the plaintext password cannot be recovered from the stored value.

2.2 Authorization

After authentication, RADSpa checks whether the user is allowed to access the requested patient data. This check is based on static roles assigned to users and/or dynamic roles derived from attributes of the patient data itself (e.g. the patient's medical images).

2.3 Confidentiality

2.3.1 Secure Communication

All patient data transmitted between RADSpa servers and RADSpa clients is encrypted using 128-bit SSL or TLS. Data displayed in the browser is transmitted over HTTPS. Images are transmitted either over a point-to-point VPN or through TLS ports.

2.3.2 Encryption

All sensitive patient data and user passwords (used to access patient data) are encrypted before being stored in the database; passwords, as noted in 2.1, are stored in one-way form.

2.4 Non-Repudiation

All user actions on patient data are audited, which provides non-repudiation. There are two kinds of audit:

2.4.1 Data Audit

The data audit captures a trail of changes made to patient-related data, including:
- what data was changed
- who changed it
- when it was changed

2.4.2 Event Audit

All events related to patient data (e.g. viewing a study) are logged in an event tracker database.
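As an added illustration of the two audit kinds described above (example code written for this document, not RADSpa's own; the class and field names, the user ids and the patient record are constructed and hypothetical), the following keeps an append-only trail that records, for each change, which fields changed, who changed them and when, and logs access events such as viewing a study alongside them:

```python
# Added example (not RADSpa's own code): a minimal data audit and event audit
# trail of the kind section 2.4 describes. Names are hypothetical.
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class AuditEntry:
    when: str       # UTC timestamp of the action
    who: str        # authenticated user id that performed it
    kind: str       # "data" (a change) or "event" (an access such as a view)
    record: str     # patient record / study identifier
    detail: dict    # data: {field: (old, new)}; event: {"event": name}


class AuditTrail:
    """Append-only trail; there is deliberately no method to delete entries."""

    def __init__(self, clock=None):
        self._entries = []
        # Injectable clock so tests are deterministic; default is real UTC time.
        self._clock = clock or (lambda: datetime.now(timezone.utc).isoformat())

    def record_change(self, who, record_id, before, after):
        """Data audit: capture every changed field with its old and new value."""
        changed = {k: (before.get(k), after.get(k))
                   for k in set(before) | set(after)
                   if before.get(k) != after.get(k)}
        if not changed:          # nothing changed, nothing to audit
            return None
        entry = AuditEntry(self._clock(), who, "data", record_id, changed)
        self._entries.append(entry)
        return entry

    def record_event(self, who, record_id, event):
        """Event audit: log an access to patient data, e.g. viewing a study."""
        entry = AuditEntry(self._clock(), who, "event", record_id, {"event": event})
        self._entries.append(entry)
        return entry

    def history(self, record_id):
        """All data changes and events for one patient record, in order."""
        return [e for e in self._entries if e.record == record_id]

    def actors(self, record_id):
        """Every user who touched the record: the 'who' behind non-repudiation."""
        return sorted({e.who for e in self.history(record_id)})


if __name__ == "__main__":
    trail = AuditTrail()
    # Constructed sample: a date-of-birth correction followed by a study view.
    trail.record_change("dr_a", "PAT-1", {"name": "X", "dob": "1990"},
                        {"name": "X", "dob": "1991"})
    trail.record_event("tech_b", "PAT-1", "view_study")
    for e in trail.history("PAT-1"):
        print(e)
```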
2.5 Safeguards

2.5.1 Physical Safeguards

The location where the RADSpa product is built and tested is access-controlled and restricted to those involved in software design, development and testing. In addition, the servers are hosted in secure data centers with restricted access. All systems and desktops have strong passwords and are locked whenever not in use. All systems run anti-virus software that is updated periodically.

2.5.2 Technical Safeguards

Access to RADSpa features is governed by the roles assigned to users. Roles define whether a user can view patient data and which actions they can perform on it.
3. HIPAA Compliance

3.1 Privacy Rule

3.1.1 Data at Rest

Patient data stored in RADSpa falls into two categories:
- Patient metadata: stored in the database and accessible only to users authorized to access patient data.
- Medical images: stored in the file system and accessible only to authorized users.

3.1.2 Data in Transit

All patient data transmitted from RADSpa servers to RADSpa clients (such as browsers) and to other systems is sent over SSL or TLS only.

3.2 Security Rule

Access to RADSpa patient data by authenticated users is protected by the physical and technical safeguards described in section 2.5.