
PrecisionCare and HIPAA Compliance
PrecisionCare Software
is committed to protecting the confidentiality
of consumer data and assisting agencies
in achieving HIPAA compliance. PrecisionCare
utilizes the latest advances in technology
to protect your consumer data and incorporates
end user features to assure privacy and
compliance. PrecisionCare Software consults
with regulatory experts to ensure that
our software meets the most current guidelines
and standards.
HIPAA Security Regulations
The following is a list of some of the proposed Security Regulations that pertain to computer and software technology. These regulations cover the security of information, physical location, encryption and related topics. PrecisionCare Software has studied the proposed rules and, in anticipation, has taken the following measures to ensure compliance even though the finalized regulations have not yet been published. We expect the measures we have taken will exceed the final HIPAA security guidelines.
Authentication
Authentication is the process of identifying the staff member accessing the system and the computer from which they are accessing it. Computers are authenticated using a Digital Certificate, which binds a public key to the computer's identity; the computer proves that identity by demonstrating possession of the matching private key, so the certificate acts as a digital fingerprint that identifies the computer. PrecisionCare uses a three-point system of authentication. First, the user is assured that the server they are logging onto is the genuine server by means of a Server-Side Digital Certificate. Second, the user is authenticated to the server with a unique User ID and Password, which are sent only inside the encrypted session. Finally, PrecisionCare authenticates the computer from which the user is logging on through a Client-Side Digital Certificate, to ensure that the agency has approved that computer for accessing confidential consumer records.
Encryption (encipherment)
Encryption is the process of encoding information so that anyone who intercepts it on the Internet or a network cannot read it. An encryption algorithm (a cipher) combines confidential plaintext with a secret value called a key to produce ciphertext that is unintelligible without the key. Once encrypted, data can be stored or transmitted over unsecured lines. Decryption reverses the process with the corresponding key and makes the plaintext available for further processing.
§142.308(c)(1)(i)(c): Encryption must be used over an open network.
PrecisionCare uses Secure Socket Layer (SSL) with 128-bit encryption on all information transferred, the same strength commonly used for secure transactions such as on-line banking and purchases over the Internet. (The 128 bits refer to the symmetric session key length; SSL itself has since been superseded by TLS, which provides the same protection with current cipher suites.)
Digital Signatures
A digital signature is simply an electronic
way of certifying a document in the
same manner that a paper document is
certified with a handwritten signature.
The HIPAA security regulations identify
three key elements to a Digital Signature:
Proposed Rule §142.310:
• Authentication - Establishes Identity
of the signer
• Non-Repudiation - Signer cannot
deny signing the record
• Integrity - Detects Changes in
content
Authentication establishes the identity of the signer. The signature must be implemented in such a way that the signer cannot deny signing the record (non-repudiation). Finally, the system must detect any changes made after the record was saved and record the signature of the person who made the changes, so that an audit trail can be produced showing every modification made to the document, who made each change and when.
PrecisionCare identifies the user at log-on through the username and password. When a record is created or updated, it records the author's username and date/time for audit-trail purposes. Printed reports then contain the user's name and title for signature. This recorded username is an application audit entry rather than a cryptographic signature, so its non-repudiation value depends on each log-on credential being held by a single person. Note: current OMH and OMRDD regulations still require a printed and signed paper record of each form for the case record. PrecisionCare is ready to support the use of digital signatures as a replacement for paper records in the future if this is approved by OMH and OMRDD.
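The three elements listed above (authentication, non-repudiation, integrity) and the audit-trail requirement, as an added Go example; it is not PrecisionCare's code and the page does not describe how its own audit trail is implemented. Each version of a record is stamped with author and time and signed with the author's ECDSA key, and each later version chains to the signature of the one it modifies, so a silent edit of a stored copy, a signature by the wrong person, or a version that does not follow from the previous one is detected. The record fields, user names "jdoe" and "asmith", and the time stamps are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"time"
)

// Record is one version of a case note with the audit fields the page describes (author,
// date/time) plus a signature over them. Prev links a version to the one it modifies.
type Record struct {
	ID        string    `json:"id"`
	Version   int       `json:"version"`
	Author    string    `json:"author"`
	SavedAt   time.Time `json:"saved_at"`
	Body      string    `json:"body"`
	Prev      []byte    `json:"prev,omitempty"`      // signature of the previous version
	Signature []byte    `json:"signature,omitempty"` // not part of the signed bytes
}

// digest hashes the canonical encoding of every field except the signature itself.
func digest(r Record) []byte {
	r.Signature = nil
	b, _ := json.Marshal(r) // field order is fixed by the struct, so the encoding is canonical
	sum := sha256.Sum256(b)
	return sum[:]
}

// sign produces a new version of record id authored by author: it stamps author and time,
// chains to the previous version's signature, and signs with the author's key. Only the
// holder of that key can produce the signature (authentication and non-repudiation).
func sign(prev *Record, id, body, author string, key *ecdsa.PrivateKey, now time.Time) (Record, error) {
	r := Record{ID: id, Version: 1, Author: author, SavedAt: now, Body: body}
	if prev != nil {
		r.Version, r.Prev = prev.Version+1, prev.Signature
	}
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest(r))
	r.Signature = sig
	return r, err
}

// verify checks one version against its author's public key: any change to the content,
// author or timestamp after signing makes it fail (integrity).
func verify(r Record, author *ecdsa.PublicKey) bool {
	return ecdsa.VerifyASN1(author, digest(r), r.Signature)
}

// verifyChain walks versions oldest to newest, checking each signature with the key
// registered for its author and that each version chains to the one before it. It returns
// the audit trail "author@time" per version, or an error at the first bad link.
func verifyChain(versions []Record, keys map[string]*ecdsa.PublicKey) ([]string, error) {
	var trail []string
	for i, r := range versions {
		pub, ok := keys[r.Author]
		if !ok || !verify(r, pub) {
			return nil, fmt.Errorf("version %d: signature by %q does not verify", r.Version, r.Author)
		}
		if i > 0 && !bytes.Equal(r.Prev, versions[i-1].Signature) {
			return nil, fmt.Errorf("version %d does not chain to version %d", r.Version, versions[i-1].Version)
		}
		trail = append(trail, r.Author+"@"+r.SavedAt.UTC().Format(time.RFC3339))
	}
	return trail, nil
}

func main() {
	// Constructed users: in a deployment each staff member holds their own private key.
	jdoe, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	asmith, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	keys := map[string]*ecdsa.PublicKey{"jdoe": &jdoe.PublicKey, "asmith": &asmith.PublicKey}
	t0 := time.Date(2024, 3, 1, 9, 0, 0, 0, time.UTC)
	v1, _ := sign(nil, "note-17", "Met with consumer; goals reviewed.", "jdoe", jdoe, t0)
	v2, _ := sign(&v1, "note-17", "Met with consumer; goals reviewed and updated.", "asmith", asmith, t0.Add(time.Hour))
	trail, err := verifyChain([]Record{v1, v2}, keys)
	fmt.Println(trail, err) // [jdoe@2024-03-01T09:00:00Z asmith@2024-03-01T10:00:00Z] <nil>
	v1.Body = "Consumer did not attend." // silent edit of the stored copy
	fmt.Println(verify(v1, &jdoe.PublicKey)) // false
}
```

The chain only proves who signed each version and that nothing changed afterwards; it does not stop an author from signing a false statement in the first place, and it is only as strong as the protection of each user's private key.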
Physical Security: Server
§142.308(b) Physical safeguards to guard data integrity, confidentiality, and availability: intends to ensure the protection of computer systems and related physical structures in which these systems are housed from fire, other natural and environmental hazards, and intrusion. These safeguards also include the use of locks, keys, and administrative measures used to control access to computer systems and facilities.
When using PrecisionCare, consumer information is not stored on individual PCs or disks, so the physical security you must be concerned with is that of one machine: the server, which stores the consumer database. (Printed reports are the exception: once a form is printed it is a paper record and falls under your agency's paper safeguards.) You have three server hosting options with PrecisionCare, and whichever option you choose, you can change where your system is hosted at any time.
Option 1: You
can host PrecisionCare on your agency's own
Server. In this case, you are responsible
for the physical security of your server.
Option 2: You
can host at the Internet Service Provider
(ISP) of your choice. In this case, you
are responsible to ensure that your ISP
follows all the necessary physical security
requirements.
Option 3: PrecisionCare
Software can host. In this case, we are
responsible for physical security of the
server.
PrecisionCare servers are housed in separate
fire retardant locked enclosures within
a secured hosting facility.
Firewall
A firewall protects the server from unauthorized access by attackers on the Internet. PrecisionCare Software servers use enterprise-class firewall protection to prevent unauthorized intrusion. The only access the firewall permits is Secure Socket Layer (SSL) 128-bit encrypted communication from an authenticated user. Each agency's database runs in a separate process. PrecisionCare servers incorporate state-of-the-art virus protection, and the firewall blocks all e-mail sent to the server, since e-mail is a frequent method of virus transmission.
Plans for Backup and Disaster Recovery
§142.308(a)(ii) Backup plan & §142.308(a)(iii)
Disaster Recovery Plan
Each covered entity must have a backup
plan and disaster recovery plan for electronic
information.
Copies of PrecisionCare Software's server
backup plan and disaster recovery plan
will be provided upon request.
We utilize
Iron Mountain Off-Site Data Protection
to securely protect your confidential data.

Physical Security: Workstations
Proposed Rule §142.308(b)(4): Each covered entity must establish policy and guidelines on workstation use. §142.308(b)(5): Each covered entity must position workstations to minimize the possibility of unauthorized access.
You are responsible for ensuring that staff access confidential records only from a computer at an agency-approved location. PrecisionCare can help enforce this with client-side digital certificates, which let you control which computers are authorized to access PrecisionCare. A computer without an agency-issued certificate cannot reach consumer information, which rules out unauthorized locations such as a home computer, a library or a shopping mall. Client-side certificates can be installed on any computer with a standard web browser, without specialized software, and can be granted and revoked at any time by your agency. Note that the control is only as strong as the binding between the certificate and the machine: the private key should be generated on the approved computer and marked non-exportable, since a certificate and key copied to another computer would authenticate that computer as well. We recommend checking with OMH and/or OMRDD before authorizing staff to access case records from home.
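The three-point log-on described under Authentication above, together with the client-side certificate control in this section, as an added Go example; it is not PrecisionCare's code and does not describe how PrecisionCare implements these checks. It generates a throw-away agency CA, a server certificate and one approved workstation certificate in memory, then performs one login over loopback TLS: the client accepts only a server whose certificate chains to the agency CA, the server requires and verifies a workstation certificate, and the user ID and password are checked only inside the encrypted session. The CA name, server name, workstation name "ws-01", user "jdoe" and password are constructed for the example, and Go 1.20 or later is assumed.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// Constructed credential for user "jdoe": SHA-256 of the password. A real system stores a
// salted, slow KDF output (bcrypt/scrypt/argon2); plain SHA-256 keeps the example stdlib-only.
var jdoeHash = sha256.Sum256([]byte("correct horse"))

// must panics on errors this demo treats as unrecoverable (key and certificate generation).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert issues a P-256 certificate for cn: self-signed (the agency CA) when parent is nil,
// otherwise an end-entity certificate signed by parent's key.
func newCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (tls.Certificate, *x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true,
	}
	signer, signerKey := tmpl, key
	if parent == nil {
		tmpl.IsCA = true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
		tmpl.IPAddresses = []net.IP{net.IPv4(127, 0, 0, 1)} // the SAN the client verifies for the server
		signer, signerKey = parent, parentKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, must(x509.ParseCertificate(der)), key
}

// makePKI builds the agency CA, the server certificate and one approved workstation certificate.
func makePKI() (ca *x509.Certificate, server, workstation tls.Certificate) {
	_, ca, caKey := newCert("Demo Agency CA", nil, nil)
	server, _, _ = newCert("precisioncare-server", ca, caKey)
	workstation, _, _ = newCert("ws-01", ca, caKey)
	return ca, server, workstation
}

// authenticate runs one login over loopback TLS, applying the three checks in order: (1) the
// client verifies the server certificate against the agency CA, (2) the server requires and
// verifies a workstation certificate, (3) user id and password are checked inside the session.
func authenticate(ca *x509.Certificate, server tls.Certificate, workstation []tls.Certificate, userID, password string) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	ln := must(tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{server},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool, MinVersion: tls.VersionTLS12})) // check 2
	defer ln.Close()
	go func() {
		tc := must(ln.Accept()).(*tls.Conn) // Accept cannot fail here: the listener outlives the dial below
		defer tc.Close()
		if tc.Handshake() != nil { // missing or untrusted workstation certificate; the alert is already sent
			return
		}
		ws := tc.ConnectionState().PeerCertificates[0].Subject.CommonName
		line, _ := bufio.NewReader(tc).ReadString('\n')
		id, pw, _ := strings.Cut(strings.TrimSpace(line), ":")
		got := sha256.Sum256([]byte(pw))
		if id == "jdoe" && subtle.ConstantTimeCompare(got[:], jdoeHash[:]) == 1 { // check 3
			fmt.Fprintf(tc, "OK %s@%s\n", id, ws)
		} else {
			fmt.Fprintln(tc, "DENY")
		}
	}()
	cfg := &tls.Config{RootCAs: pool, Certificates: workstation, MinVersion: tls.VersionTLS12} // check 1
	conn, err := tls.Dial("tcp", ln.Addr().String(), cfg)
	if err != nil {
		return "", err // e.g. "x509: certificate signed by unknown authority"
	}
	defer conn.Close()
	fmt.Fprintf(conn, "%s:%s\n", userID, password) // credentials only ever travel inside the TLS session
	reply, err := bufio.NewReader(conn).ReadString('\n')
	if who, ok := strings.CutPrefix(strings.TrimSpace(reply), "OK "); ok {
		return who, nil
	}
	return "", fmt.Errorf("login rejected: %q %v", strings.TrimSpace(reply), err)
}

func main() {
	ca, server, ws := makePKI()
	fmt.Println(authenticate(ca, server, []tls.Certificate{ws}, "jdoe", "correct horse")) // jdoe@ws-01 <nil>
}
```

authenticate returns an error when the server certificate was not issued by the agency CA, when the client presents no workstation certificate (pass nil), or when the password is wrong; the same three outcomes are what the page's three checks are meant to rule out. As with the section above, the workstation check is only as strong as the protection of the workstation's private key.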
HIPAA Privacy Regulations
PrecisionCare has incorporated functions
that will assist your agency in achieving
HIPAA regulatory compliance.
Minimum Necessary Access
§164.514(d)(2) Minimum necessary access privileges: A covered entity must identify classes of persons who need access to protected health information to carry out their duties and must establish the level of access needed by each.
PrecisionCare has a highly customizable
security system. Each user is assigned
to a security group. Each security group
can be customized to have view, add,
edit, and delete functions to specific
areas of specific consumer records.
Disclosures and Authorizations
§164.502 Uses and disclosures of
protected health information
PrecisionCare automatically generates
Consent for Release forms for all consumer
contacts, treatment providers, and entitlement
providers. Examples of PrecisionCare's
Consent for Release form will be provided
upon request.
§164.508(c)(1) Core Elements
(i)A description of the information to
be used or disclosed that identifies
the information in a specific meaningful
fashion
PrecisionCare allows each agency to create
a unique list of permissible information
to be disclosed
(ii)The name or other specific identification
of the person(s), or class of persons
authorized to make the use or disclosure
PrecisionCare's Consent for Release Forms
display the agency name, address and
the name and title of the person completing
the form.
(iii)The name or other specific identification
of the person(s), or class of persons,
to whom the covered entity may make the
requested use or disclosure
PrecisionCare's Consent for Release Forms
display the name, address, phone, and
affiliation, of the party to which the
disclosure will be made.
(iv)A description of each purpose of
the requested use or disclosure
PrecisionCare allows each agency to create
a unique list of permissible purposes
for disclosure.
(v)An expiration date
PrecisionCare automatically generates
expiration dates for Consent for Release
Forms and generates reminders.
(vi)Signature of the individual and date
PrecisionCare's Consent for Release Forms display the name of the individual and corresponding signature lines.
An Individual's Access to Protected Health Information
§164.524(a) (1) an individual has
a right of access to inspect and obtain
a copy of protected health information
about the individual in a designated
record set, for as long as the protected
health information is maintained in the
designated record set.
PrecisionCare's customizable security
system provides for an individual's access
to his or her own records. Temporary
or permanent permission can be granted
to an individual to access the system
and view only their records or particular
subsets of their record. An individual
can be granted the ability to view their
service plans yet be restricted from
viewing psychotherapy notes.
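The security-group model described under Minimum Necessary Access above and the individual's own-record access described here, as an added Go example; it is not PrecisionCare's code, and the page does not describe how PrecisionCare's security system is implemented internally. It shows the shape such a check should take: every operation is denied unless a group explicitly grants it on that area of the record, a group can be bound to the requesting consumer's own record, a grant can carry an expiry for temporary permission, and psychotherapy notes are an area that can be left out of an individual's grant. The group names, record areas, user and consumer IDs are constructed.

```go
package main

import (
	"fmt"
	"time"
)

// Op is an operation on a record area; Area is one section of a consumer record.
type (
	Op   string
	Area string
)

const (
	View, Add, Edit, Delete Op = "view", "add", "edit", "delete"

	ServicePlans Area = "service_plans"
	PsychNotes   Area = "psychotherapy_notes"
	Contacts     Area = "contacts"
)

// Group is a security group: the operations it may perform on each area, and whether its
// members are confined to records about themselves (an individual viewing their own record).
type Group struct {
	Allow   map[Area]map[Op]bool
	OwnOnly bool
}

// User is a log-on: its group, the consumer it represents (for OwnOnly groups) and an
// optional expiry for a temporary grant (zero means permanent).
type User struct {
	ID, Group    string
	ConsumerID   string
	GrantExpires time.Time
}

// Policy is the customizable security system: named groups, deny by default.
type Policy map[string]Group

// Allowed decides one request at time now. Anything not explicitly granted is denied, an
// expired grant is denied, and OwnOnly groups are bound to the requesting consumer's own record.
func (p Policy) Allowed(u User, op Op, area Area, consumerID string, now time.Time) bool {
	g, ok := p[u.Group]
	if !ok {
		return false
	}
	if !u.GrantExpires.IsZero() && !now.Before(u.GrantExpires) {
		return false
	}
	if g.OwnOnly && (u.ConsumerID == "" || u.ConsumerID != consumerID) {
		return false
	}
	return g.Allow[area][op] // lookups in nil or missing maps read as false
}

// demoPolicy is a constructed policy: case managers get broad but not unlimited access;
// consumers see only their own service plans and are never granted psychotherapy notes.
func demoPolicy() Policy {
	return Policy{
		"case_manager": {Allow: map[Area]map[Op]bool{
			ServicePlans: {View: true, Add: true, Edit: true},
			PsychNotes:   {View: true, Add: true},
			Contacts:     {View: true, Add: true, Edit: true, Delete: true},
		}},
		"consumer": {OwnOnly: true, Allow: map[Area]map[Op]bool{
			ServicePlans: {View: true},
		}},
	}
}

func main() {
	p, now := demoPolicy(), time.Now()
	cm := User{ID: "jdoe", Group: "case_manager"}
	me := User{ID: "c-1042", Group: "consumer", ConsumerID: "c-1042"}
	fmt.Println(p.Allowed(cm, Edit, ServicePlans, "c-1042", now))   // true
	fmt.Println(p.Allowed(cm, Delete, ServicePlans, "c-1042", now)) // false: not granted to the group
	fmt.Println(p.Allowed(me, View, ServicePlans, "c-1042", now))   // true: own service plan
	fmt.Println(p.Allowed(me, View, PsychNotes, "c-1042", now))     // false: psychotherapy notes excluded
	fmt.Println(p.Allowed(me, View, ServicePlans, "c-2000", now))   // false: someone else's record
}
```

The two design choices worth copying are that the default answer is "no" (a missing group, area or operation denies rather than errors) and that the own-record restriction is evaluated before the area grant, so a consumer account can never be widened to another consumer's record by a mistake in the group table alone.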
Business Associate Agreement/Contract
§164.504(e)(2) covered entity must
document the satisfactory assurances
required through a written contract or
other written agreement or arrangement
with the business associate.
PrecisionCare provides all customers with a business associate's nondisclosure agreement. Copies are available upon request.
Chain of Trust Agreement
PrecisionCare provides all customers
for whom we host data, a chain of trust
agreement. Copies are available upon
request.
Code Sets/De-identification of Protected Health Information
Code sets are lists of proposed codes to be used for things like diagnoses and treatments, so that providers and insurers use universal codes when transmitting information. A transaction as defined by HIPAA means the exchange of information between two parties to carry out financial and administrative activities related to health care. These rules deal exclusively with transmission to outside parties. PrecisionCare does not transmit Protected Health Information to any outside party. Consult with your billing software vendor to make sure they are compliant.