Beyond HIPAA, Protecting Data Key Points from the HIPAA Security Rule

Upload: marsha-lloyd

Post on 15-Jan-2016


Page 1

Beyond HIPAA, Protecting Data: Key Points from the HIPAA Security Rule

Page 2

Introduction

The following presentation looks at the major provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and compares each with the corresponding WebChartMD feature designed to provide compliance.

Page 3

Risk Analysis & Management (§164.306)

- Dedicated software test team
- Continuous testing of codebase in Production
- Contracted with 3rd party vendor Digital Defense, Inc. for Network Penetration Testing
- Automated security tests conducted regularly
- Manual analyst security penetration test conducted each quarter

Page 4

Access Control (§ 164.312(a))

“Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in § 164.308(a)(4) [Information Access Management].”

WebChartMD allows clients to define user access across four dimensions:

- Define access by Ability (what can they do)
- Define access by Care Provider Associations
- Define access by Document Status
- Define access by Patient Location
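The four-dimension model above, written out as a deny-by-default access decision. This is an added illustration, not WebChartMD's code; the user names, provider names, statuses and locations are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    name: str
    abilities: frozenset    # what the user may do, e.g. view / edit / sign
    providers: frozenset    # care providers the user is associated with
    statuses: frozenset     # document statuses the user may work on
    locations: frozenset    # patient locations the user may see

@dataclass(frozen=True)
class Document:
    doc_id: str
    provider: str
    status: str
    location: str

DIMENSIONS = ("ability", "care provider", "document status", "patient location")

def denial_reasons(user: User, doc: Document, action: str) -> list:
    """Return the dimensions that deny this request; an empty list means allowed.
    Deny by default: a missing grant in any one dimension denies access."""
    checks = (
        action in user.abilities,
        doc.provider in user.providers,
        doc.status in user.statuses,
        doc.location in user.locations,
    )
    return [dim for dim, ok in zip(DIMENSIONS, checks) if not ok]

def is_allowed(user: User, doc: Document, action: str) -> bool:
    return not denial_reasons(user, doc, action)

# Constructed sample data (hypothetical names, not from the original deck).
TRANSCRIPTIONIST = User("pat", frozenset({"view", "edit"}), frozenset({"Dr. Lee"}),
                        frozenset({"draft"}), frozenset({"Clinic A"}))
PHYSICIAN = User("dr_lee", frozenset({"view", "sign"}), frozenset({"Dr. Lee"}),
                 frozenset({"draft", "final"}), frozenset({"Clinic A", "Clinic B"}))
DRAFT_AT_A = Document("doc-1", "Dr. Lee", "draft", "Clinic A")
FINAL_AT_B = Document("doc-2", "Dr. Lee", "final", "Clinic B")

if __name__ == "__main__":
    print(is_allowed(TRANSCRIPTIONIST, DRAFT_AT_A, "edit"))      # True
    print(denial_reasons(TRANSCRIPTIONIST, FINAL_AT_B, "edit"))  # ['document status', 'patient location']
```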

Page 5

Access Control (§ 164.312(a))

Unique User Identification (§ 164.312(a)(2)(i))

“Assign a unique name and/or number for identifying and tracking user identity.”

- WebChartMD allows clients to use either simple-to-remember usernames or complicated usernames, depending on corporate policy

Page 6

Access Control (§ 164.312(a))

Emergency Access Procedure (§ 164.312(a)(2)(ii))

“Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.”

- WebChartMD provides access to full support resources M-F from 8am to 8pm
- WebChartMD provides emergency contact numbers to page an on-call technical support representative 24/7
- Fully redundant datacenter in a geographically diverse location with continuous data replication

Page 7

Access Control (§ 164.312(a))

Automatic Logoff (§ 164.312(a)(2)(iii))

“Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.”

- WebChartMD automatically logs users off the system after a period of inactivity
- Users are required to log in again before being able to access system resources

Page 8

Access Control (§ 164.312(a))

Encryption and Decryption (§ 164.312(a)(2)(iv))

“Implement a mechanism to encrypt and decrypt electronic protected health information.”

- All dictations and transcriptions are embedded in the main database
- All dictations and transcriptions are encrypted using the AES-256 encryption standard before they are stored
- In the unlikely event our database is compromised, PHI will still be unrecoverable

Page 9

Audit Controls (§ 164.312(b))

“Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.”

- WebChartMD contains full audit trail functions, logging each time a dictation or transcription is ‘touched’ by a user
- All staff actions performed using internal tools are fully logged, with pre and post states logged as well

Page 10

Integrity (§ 164.312(c)(1))

“Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.”

- WebChartMD allows users & internal staff to perform only logical deletes
- The ability to perform physical deletes is given only to database administration staff
- When each transcribed document is modified and stored, the system performs a full virus and integrity check on the document
- Any anomalies are detected by WebChartMD staff and our clients are immediately alerted
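The audit-trail behaviour from Page 9 (every touch logged with pre and post state) and the logical-versus-physical delete split from Page 10, combined in one toy store. This is an added example, not WebChartMD's implementation; the actor names, document ids and the `is_dba` flag are assumptions made for the illustration.

```python
import json
from datetime import datetime, timezone

class DocumentStore:
    """Toy document store: every touch of a document is written to an audit
    trail with its pre and post state, and non-DBA actors may only mark a
    document deleted (logical delete), never remove the stored row."""

    def __init__(self):
        self._docs = {}     # doc_id -> {"text": ..., "deleted": bool}
        self.audit = []     # append-only list of audit entries

    def _log(self, actor, action, doc_id, before, after):
        snap = lambda s: None if s is None else json.dumps(s, sort_keys=True)
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(),
                           "actor": actor, "action": action, "doc_id": doc_id,
                           "before": snap(before), "after": snap(after)})

    def create(self, actor, doc_id, text):
        rec = {"text": text, "deleted": False}
        self._docs[doc_id] = rec
        self._log(actor, "create", doc_id, None, rec)

    def read(self, actor, doc_id):
        rec = self._docs[doc_id]
        self._log(actor, "read", doc_id, rec, rec)   # a view is a 'touch' too
        return None if rec["deleted"] else rec["text"]

    def update(self, actor, doc_id, text):
        before = self._docs[doc_id]
        if before["deleted"]:
            raise PermissionError("cannot modify a logically deleted document")
        after = {**before, "text": text}      # new dict, so 'before' stays intact
        self._docs[doc_id] = after
        self._log(actor, "update", doc_id, before, after)

    def logical_delete(self, actor, doc_id):
        before = self._docs[doc_id]
        after = {**before, "deleted": True}
        self._docs[doc_id] = after
        self._log(actor, "logical_delete", doc_id, before, after)

    def physical_delete(self, actor, doc_id, is_dba=False):
        # Only database administration staff may remove the row itself.
        if not is_dba:
            raise PermissionError("physical delete is restricted to DBA staff")
        before = self._docs.pop(doc_id)
        self._log(actor, "physical_delete", doc_id, before, None)
```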

Page 11

Person or Entity Authentication (§ 164.312(d))

“Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.”

- WebChartMD enforces a strict password policy that requires the use of strong passwords
- All passwords are stored as salted one-way hashes
- Our staff, including database administrators, are unable to see a user’s password

Page 12

Transmission Security (§ 164.312(e)(1))

Integrity Controls (§ 164.312(e)(2)(i))

“Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.”

- WebChartMD uses standards-based protocols for all data transmission
- Network layer protocols contain checksums to ensure that the data packet has not been modified during transmission

Page 13

Transmission Security (§ 164.312(e)(1))

Encryption (§ 164.312(e)(2)(ii))

“Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.”

- WebChartMD servers use Extended Validation Certificates from VeriSign
- All data that is transmitted over the public Internet is encrypted using 128-bit SSL encryption
- Web Portal and Web Service access is strictly over 128-bit SSL encryption