An Introduction to HIPAA and how it relates to docstar



Similar documents
HIPAA: In Plain English

The Second National HIPAA Summit

HIPAA Security Alert

HIPAA Compliance Guide

An Oracle White Paper December Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance

HIPAA Information Security Overview

How To Write A Health Care Security Rule For A University

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

CHIS, Inc. Privacy General Guidelines

HIPAA Security. 4 Security Standards: Technical Safeguards. Security Topics

Datto Compliance 101 1

WHITE PAPER. Support for the HIPAA Security Rule RadWhere 3.0

White Paper. Support for the HIPAA Security Rule PowerScribe 360

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)

HIPAA Compliance Guide

HIPAA 203: Security. An Introduction to the Draft HIPAA Security Regulations

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice

Healthcare Compliance Solutions

DRAFT. HIPAA Impact Determination Questionnaire (Gap Analysis)

Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification

HIPAA Security. assistance with implementation of the. security standards. This series aims to

Copyright Telerad Tech RADSpa. HIPAA Compliance

HIPAA Security COMPLIANCE Checklist For Employers

HIPAA Security Rule Compliance

An Effective MSP Approach Towards HIPAA Compliance

VMware vcloud Air HIPAA Matrix

WHITE PAPER. HIPAA-Compliant Data Backup and Disaster Recovery

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

PRIVACY POLICIES AND FORMS FOR BUSINESS ASSOCIATES

HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE

HIPAA Security Series

WHITEPAPER XMEDIUSFAX CLOUD FOR HEALTHCARE AND HIPAA COMPLIANCE

Securing the FOSS VistA Stack HIPAA Baseline Discussion. Jack L. Shaffer, Jr. Chief Operations Officer

C.T. Hellmuth & Associates, Inc.

IBM Internet Security Systems. The IBM Internet Security Systems approach for Health Insurance Portability and Accountability Act compliance overview

Technical Safeguards is the third area of safeguard defined by the HIPAA Security Rule. The technical safeguards are intended to create policies and

Circular to All Licensed Corporations on Information Technology Management

HIPAA Audit Processes HIPAA Audit Processes. Erik Hafkey Rainer Waedlich

DEVELOPING A CYBERSECURITY POLICY ARCHITECTURE

UNIVERSITY OF CALIFORNIA, SANTA CRUZ 2015 HIPAA Security Rule Compliance Workbook

Health Insurance Portability and Accountability Act Enterprise Compliance Auditing & Reporting ECAR for HIPAA Technical Product Overview Whitepaper

HIPAA Privacy & Security White Paper

RAYSAFE S1 SECURITY WHITEPAPER VERSION B. RaySafe S1 SECURITY WHITEPAPER

A Technical Template for HIPAA Security Compliance

WHITE PAPER. HIPPA Compliance and Secure Online Data Backup and Disaster Recovery

HIPAA COMPLIANCE REVIEW

How Managed File Transfer Addresses HIPAA Requirements for ephi

HIPAA Security: Complying with the HIPAA Security Rule Implementation Specifications Are You Correctly Addressing Them?

HIPAA. considerations with LogMeIn

Procedure Title: TennDent HIPAA Security Awareness and Training

Legal and Ethical Issues in Computer Security

HIPAA Compliance: Are you prepared for the new regulatory changes?

HIPAA PRIVACY AND SECURITY AWARENESS

Intel Enhanced Data Security Assessment Form

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc.

Newcastle University Information Security Procedures Version 3

HIPAA Security. Jeanne Smythe, UNC-CH Jack McCoy, ECU Chad Bebout, UNC-CH Doug Brown, UNC-CH

State HIPAA Security Policy State of Connecticut

LogMeIn HIPAA Considerations

Solutions for Health Insurance Portability and Accountability Act (HIPAA) Compliance

Information Technology General Controls Review (ITGC) Audit Program Prepared by:

HIPAA/HITECH PRIVACY & SECURITY CHECKLIST SELF ASSESSMENT INSTRUCTIONS

Krengel Technology HIPAA Policies and Documentation

Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES

Client Security Risk Assessment Questionnaire

INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION

FINAL May Guideline on Security Systems for Safeguarding Customer Information

HIPAA Security Checklist

HIPAA and Mental Health Privacy:

Policies and Compliance Guide

Research and the HIPAA Security Rule Prepared for the Association of American Medical Colleges by Daniel Masys, M.D. Professor and Chairman,

HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant

HIPAA Security. 1 Security 101 for Covered Entities. Security Topics

HIPAA Security. 5 Security Standards: Organizational, Policies. Security Topics. and Procedures and Documentation Requirements

Policy Title: HIPAA Security Awareness and Training

HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER

Healthcare Security and HIPAA Compliance with A10

What Virginia s Free Clinics Need to Know About HIPAA and HITECH

HIPAA Security Considerations for Broadband Fixed Wireless Access Systems White Paper

HIPAA Audit Risk Assessment - Risk Factors

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

Rajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology rajan@cca.gov.np

TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES

Security and Privacy: An Introduction to HIPAA

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

Transcription:

Disclaimer An Introduction to HIPAA and how it relates to docstar This document is provided by docstar to our partners and customers in an attempt to answer some of the questions and clear up some of the mystery of HIPAA. The information provided herein is only intended to be a general summary of the subject matter. While every effort has been made to provide accurate information, no guaranty or warranty, express or implied, is made about the accuracy, currency, completeness or adequacy of the information provided, and no liability is assumed for any errors or omissions with respect to that information. The information is intended for educational purposes only and is not legal advice and should not be used as a substitute for legal or other professional advice. Each person and/or business should consult with counsel, as appropriate, concerning the applicability of this information to the particulars of their situation. Summary Some people may be under the mistaken impression that HIPAA compliance can be solved solely with technology. On the contrary, HIPAA compliance is primarily an organizational issue, over 70% of it being operational in nature. This means that in order to be compliant, the entire organization needs to be HIPAA compliant. Technology can help an organization get there, but it is only a small part of the solution. In fact it is impossible for any technology vendor to claim that their product is HIPAA compliant. The best a technology vendor can do is to design their products to make it easier for the customer to achieve HIPAA compliance. Toward that end, docstar has been enhanced for use within a HIPAA compliant organization. Introduction The issue of HIPAA is something that has been troubling industries for several years now. Companies know that there is this new set of regulations that they need to adhere to, but there is much confusion about the specifics of these regulations. As a result many organizations don t know what they need to do, if anything, to achieve compliance. This whitepaper will attempt to answer questions that you might have about HIPAA and how it relates to document imaging. The Health Insurance and Portability Act of 1996 (HIPAA) was passed as federal law on August 21, 1996. It contained the following general objectives: Guarantee health insurance portability Reduce healthcare fraud and abuse

Guarantee the security and privacy of health information Introduce standards for the administration of health information to increase the efficiency of health care organizations HIPAA was originally created primarily to make it easier for employees to move from one job to another without fear of losing health coverage. Most of HIPAA revolves around these considerations, however many other provisions were added to the law that deals with the other three areas listed above. Although the law was passed several years ago, as of this writing, not all of its rules have been finalized. Since the law is not yet complete, organizations have some time to get up to speed with the new regulations. Additionally, the law will not be enforced until two years after all the rules have been written and finalized. This is important for the obvious reason that it is impossible to be in compliance with a law that has not yet been fully defined. With this in mind, we can discuss what we do know about HIPAA. Administrative Simplification HIPAA contains a large subset of rules called Administrative Simplification. It is in here that we find the rules that are applicable to our needs. The rules are defined in three separate sections: Standards for Electronic Transactions Standards for Privacy of Individually Identifiable Health Information Security and Electronic Signature Standards Of these rules, the first two have been finalized but do not really affect us, as they apply mostly to procedural issues surrounding health care organizations. The third rule is of the most interest to us, but has been languishing since 1998 and has not been finalized. As a result, the best information we have is from the proposed rule as published in the Federal Register on August 12, 1998. Details on these regulations can be found at http://aspe.hhs.gov/admnsimp/ Specifics of Security Standard (not yet finalized) The following tables contain the items that are required for compliance with HIPAA. Items of interest to document imaging applications are in bold. After each table it is noted what, if any, items relate to docstar. ADMINISTRATIVE PROCEDURES TO GUARD DATA INTEGRITY, CONFIDENTIALITY, AND AVAILABILITY Certification Chain of trust partner agreement

Contingency plan (all listed Applications and data criticality analysis. Data backup plan. Disaster recovery plan. Emergency mode operation plan. Testing and revision. Formal mechanism for processing records. Information access control (all listed Access authorization. Access establishment. Access modification. Internal audit Personnel security (all listed Security configuration mgmt. (all listed Security incident procedures (all listed Security management process (all listed Termination procedures (all listed Assure supervision of maintenance personnel by authorized, knowledgeable person. Maintenance of record of access authorizations. Operating, and in some cases, maintenance personnel have proper access authorization. Personnel clearance procedure. Personnel security policy/procedure. System users, including maintenance personnel, trained in security. Documentation. Hardware/software installation & maintenance review and testing for security features. Inventory. Security Testing. Virus checking. Report procedures. Response procedures. Risk analysis. Risk management. Sanction policy. Security policy. Combination locks changed. Removal from access lists. Removal of user account(s). Turn in keys, token or cards that allow access.

Training (all listed implementation features must be implemented)... Awareness training for all personnel (including mgmt). Periodic security reminders. User education concerning virus protection. User education in importance of monitoring log in success/failure, and how to report discrepancies. User education in password management. Data Backup Plan docstar has a mechanism for backup of database and image files Disaster Recovery docstar has an ability to rebuild its database from archived files in the event of a serious database failure Access Authorization/Establishment/Modification docstar has a robust security mechanism for establishing and modifying user access to documents Internal Audit The standard suggests companies audit logins, file accesses, security incidents, etc. docstar has mechanisms for auditing all types of document access. In docstar, the auditing capabilities were enhanced to include modifications of user rights, logons, logoffs, and failed logon attempts Maintenance of record of access authorizations In docstar, (including later versions), the auditing capabilities were enhanced to include modifications of user rights, logons, logoffs, and failed logon attempts Virus Checking Virus checking of critical systems is a good idea and docstar has approved the use of certain versions of Norton AntiVirus on docstar Host systems. Removal from access lists/removal of user accounts docstar has a mechanism for removing user accounts PHYSICAL SAFEGUARDS TO GUARD DATA INTEGRITY, CONFIDENTIALITY, AND AVAILABILITY Assigned security responsibility Media controls (all listed implementation features must be Physical access controls (limited access) (all listed Access control. Accountability (tracking mechanism). Data backup. Data storage. Disposal. Disaster recovery. Emergency mode operation. Equipment control (into and out of site). Facility security plan. Procedures for verifying access authorizations prior to physical access. Maintenance records.

Need-to-know procedures for personnel access. Sign-in for visitors and escort, if appropriate. Testing and revision. Policy/guideline on work station use Secure work station location Security awareness training None of these items relate to document imaging applications, so there is nothing of interest to us here. TECHNICAL SECURITY SERVICES TO GUARD DATA INTEGRITY, CONFIDENTIALITY, AND AVAILABILITY Access control (The following implementation feature must be implemented: Procedure for emergency access. In addition, at least one of the following three implementation features must be implemented: Context-based access, Role-based access, User-based access. The use of Encryption is optional). Context-based access. Encryption. Procedure for emergency access. Role-based access. User-based access. Audit controls Authorization control (At least one of the listed Role-based access. User-based access. Data Authentication Entity authentication (The following implemented: Automatic logoff, Unique user identification. In addition, at least one of the other listed implementation features must be Automatic logoff. Biometric. Password. PIN. Telephone callback. Token. Unique user identification. Encryption This is optional, so there is nothing for us to be concerned with here User-Based Access docstar has a robust security mechanism for establishing and modifying user access to documents with docstar Access Management module

Audit Controls docstar has mechanisms for auditing all types of document access with docstar Audit Trail module Data Authentication docstar incorporates sophisticated Authentidate technology to ensure that documents have not been tampered with Data Authentication Additional security is added with the United States Postal Service Electronic Postmark (USPS EPM ) which is applied daily to provide trusted, third party verification for ultimate document integrity. Automatic Logoff docstar has a mechanism for automatically logging off users that are idle for too long Password docstar utilizes a password authentication mechanism Unique User Identification docstar s security system provides for assigning each user a unique ID. In addition, docstar has a mechanism for importing users directly from a Windows domain server. TECHNICAL SECURITY MECHANISMS TO GUARD AGAINST UNAUTHORIZED ACCESS TO DATA THAT IS TRANSMITTED OVER A COMMUNICATIONS NETWORK Communications/network controls (If communications or networking is employed, the following implementation features must be implemented: Integrity controls, Message authentication. In addition, one of the following implemented: Access controls, Encryption. In addition, if using a network, the following four implementation features must be implemented: Alarm, Audit trail, Entity authentication, Event reporting). Access controls. Alarm. Audit trail. Encryption. Entity authentication. Event reporting. Integrity controls. Message authentication. Since these items only apply to data transmitted across a network, they are mostly outside then realm of document imaging. In general, the security of the packets on a network is the responsibility of the network administrator. One exception to this would be if a client were to connect to a docstar host via NetConnect. In this case, use of SSL with NetConnect would be a requirement to be in compliance. Another area that this could apply to is docstar s Send To capability. If Send To is used to get documents outside of docstar, these documents would no longer be inside docstar s secure environment. For this reason use of Send To in certain environments might not be considered compliant. In docstar, any or all of the Send To features can be disabled system-wide.

ELECTRONIC SIGNATURE Digital signature (If digital signature is employed, the following three implemented: Message integrity, Nonrepudiation, User authentication. Other implementation features are optional.) Ability to add attributes. Continuity of signature capability. Countersignatures. Independent verifiability. Interoperability. Message integrity. Multiple Signatures. Non-repudiation. Transportability. User authentication. Electronic Signatures are not required for HIPAA compliance and are not currently implemented in docstar. Conclusion Understanding HIPAA can be a daunting task. This is largely because of the complexity of the legislation. Fortunately for a document imaging vendor, the majority of the effort in achieving and maintaining HIPAA compliance is administrative in nature for an organization that maintains health information. The technology used to store the health information is only a small part of the whole HIPAA equation. Some organizations that need to be HIPAA compliant will appoint people within their organization to be in charge of the privacy and security aspects of the HIPAA regulations. These people will become intimately familiar with all the rules (once they are final,) and will be the ones responsible for ensuring that their organization is compliant. Other organizations will opt to outsource these positions. There are already several companies offering HIPAA analysis and auditing services. Whatever route these organizations take, they can be sure that docstar will be helping them on their quest for HIPAA compliance.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information