Shared document, posted 5/1/2010 (10 pages, English).
HIPAA Technology Compliance Report
College of Optometry
University of Missouri - St. Louis
The Health Insurance Portability and Accountability Act (HIPAA) requires that any health care
provider, health care clearinghouse or health plan must comply with standards that have been
developed to protect the confidentiality, integrity and availability of individual health information.
The purpose of this report is to describe the data security requirements of the proposed Federal
standard and how these requirements are being met by the College of Optometry at the University
of Missouri - St. Louis.
Organizations that are entrusted with health information must protect it against deliberate or
inadvertent misuse or disclosure. The proposed standards require each covered organization to
establish clear procedures to protect patients’ privacy, designate an official to monitor that system
and notify their patients about their privacy protection practices. Compliance with HIPAA
standards will require actions in the following areas of Information Technology:
I. Ensuring system integrity
II. Protecting data in transmission
III. Protecting data
IV. Enforcing security policies
I. Ensuring system integrity
A. Virus protection.
1. All Windows servers in the campus-wide user domain run Symantec Anti-Virus
software. In addition, our Exchange servers run Sybari's Antigen Anti-Virus
software to filter out virus-infected email before it reaches campus. All of these
are updated automatically on a nightly basis.
2. Symantec Anti-Virus software is installed on the Optometry Database Server. Virus
definitions are updated daily and scans of all hard drives are performed daily.
Symantec Auto-Protect runs at all times and provides local email protection, anti-
spyware protection, as well as protection from other additional malware.
3. Symantec Anti-Virus software is installed on all workstations that access the
Optometry Database Server as well as all systems on campus. Virus definitions are
updated daily and scans of all hard drives are performed weekly or more often if the
user desires to do so. Symantec Auto-Protect runs at all times and provides local
email protection.
4. User documents are stored on a UNIX server which is protected by Sophos Anti-
Virus software. Virus definitions are updated and scans occur on a real-time basis.
5. All users receive education in the importance of maintaining up-to-date virus
protection and performing frequent virus scans of their workstations.
6. All Optometry workstations are monitored on a daily basis from a central reporting
console for system health as it relates to virus, spyware, and malware and any issues
found are investigated and remediated immediately.
B. Workstation security.
1. State-of-the-art workstations were purchased in October 2003 and were replaced
in 2007 with updated hardware, installed to support the Optometry Database
Software. These workstations run Windows XP SP2. The operating system on each
workstation is kept current with security patches and hotfixes through Microsoft
Windows Software Update Service (WSUS) and is monitored through a central
reporting console on a regular basis for patch compliance. All systems are
routinely patched. Local security policies are in place on each workstation to
limit workstation access to authorized staff only.
2. Workstations are physically secure during and after business hours. They are
protected by door locks, alarm systems, and where necessary by security cables.
Users log off the Optometry Database Software when it is not in use. Monitors in
public areas are angled so as not to be visible to unauthorized users. Password-
protected screen savers have been implemented to prevent unauthorized viewing of
on-screen patient data at workstations left unattended for 5 minutes or more. User
identification and confidential passwords are not written down or displayed near
the workstations. The Windows XP SP2 firewall is running on all workstations.
C. Server system security.
1. All campus-wide domain servers are kept current with security patches and hotfixes
through the use of Microsoft Windows Software Update Service. This is a centrally
managed process.
2. The Optometry Database Server is kept current with security patches and hotfixes
through the use of Microsoft Windows Software Update Service. This is managed by
a Server Administrator who is a trained member of the ITS staff. The server was
scanned for security holes prior to being put into production and at least once per
month while in production.
3. The server and clients encrypt data as it traverses the network by using IPSec.
In addition, the IPSec policy denies access to the server from machines that are
not within the Optometry Clinic.
D. Firewall Security.
A campus-wide firewall is in place to provide centrally-managed protection. The firewall
is a redundant Cisco FWSM, which features stateful inspection and failover. Security
policies are configured from the administrator's workstation and deployed campus-wide.
E. Remote Access Security.
The Optometry Database Software is accessible via modem at one workstation only.
This workstation is located in a secure area that is not accessible or viewable by the
public or unauthorized staff members. External access is provided only to the Optometry
Database Software Vendor. The modem is disabled when not in use. Dial-back
procedures are in place and staff have been trained in their use.
F. Intrusion Detection System.
No Intrusion Detection System is currently in place. We are watching this technology
closely. There is a potential to deploy this at a later date.
II. Protecting Data in Transmission
A. LAN connections.
1. All campus-based LAN users are protected behind our existing firewall. All data
transmitted by LAN users to and from the Optometry Database Server is therefore
physically secure behind the firewall. In addition, we have implemented IPSec
encryption to further protect the data as it traverses the network.
2. LAN Email connections are protected by secure login. In addition, department policy
requires that no patient related data be sent through email.
B. WAN connections.
1. All data transmissions by remote WAN users are secured behind 2 levels of
protection through the use of a Virtual Private Network (VPN) tunnel. The VPN
provides end-to-end security by protecting every link in the network, including
clients, servers and gateways.
a. The first level of protection at remote WAN sites is accomplished by the use of
routers that provide peer-to-peer VPN access to the VPN server on campus.
Encryption of data is implemented at the router level. These routers can route,
filter, encrypt and authenticate IPSec and plain-text data. Remote access to these
routers is not enabled, and local access is restricted through the use of a unique,
secure password.
b. A second level of protection is provided by the use of a secure VPN client on all
remote WAN workstations, which provides encryption of data between the
workstations and the router.
2. IPSec with 168-bit 3DES or IPSec/UDP with 168-bit 3DES is in use at all WAN
sites. Faculty and staff can access the VPN with IPSec/UDP with 168-bit 3DES,
RC4-40, or RC4-128.
3. WAN Email connections are protected by secure login.
C. Communications with Software Vendor.
All communications between campus users and the Optometry Database Software
Vendor are certified by the Vendor to be HIPAA compliant.
III. Protecting Data
A. Hardware access.
The Optometry Database Server is located in a secure Machine Room. Physical access to
the Machine Room is limited to authorized Information Technology Services (ITS)
personnel only and is made by swipe-card access at all entrances and exits to the room.
The server itself is located in a locked cabinet to which only approved ITS staff have
keys. The Machine Room is located on the 4th floor of the Campus Computer Building
(CCB). Access to this floor after normal work hours is available only to authorized staff
and is made by key (elevator) and swipe card (stairwells and hallways). All entrances to
the machine room are monitored by video cameras and the machine room is staffed
24X7X365.
B. Software Access.
Access to the software and data stored on the Optometry Database Server is limited to
approved members of the College of Optometry staff and faculty. Administration of the
Optometry Database Software is restricted to authorized administrators only.
C. Visibility of Patient Records.
Visibility of on-screen patient information is controlled and restricted by the use of
password protected screen savers in place on all workstations in public areas. Monitors
in public areas are angled so as not to be viewable by anyone other than authorized staff
or faculty. Users have been instructed to turn off their workstations at the end of the day,
and in the event this does not occur they are automatically logged out of the patient
database software at assigned times.
D. Backups and Disaster Recovery.
1. All campus-wide servers are backed up to either a Network Attached Storage array,
which is then backed up to tape, or they are backed up to tape directly. This occurs
across an isolated switched network. Weekly full backups are shipped off site to a
secure facility for Catastrophic Disaster Recovery.
2. The Optometry Database Server is backed up daily to a physical hard drive and to
tape media. One set of full backup tapes is stored off-site, and this set is rotated
monthly. Weekly full backups are shipped off site to a secure facility for
Catastrophic Disaster Recovery. Alternate equipment is available in the case of total
system hardware failure.
E. Emergency Operations.
All campus-wide Windows servers and the Optometry Database Server are located in the
Machine Room in 403 Campus Computer Building. The Machine Room receives power
from an MGE Comet 50kVA Uninterruptible Power System (UPS). The UPS serves as
a power conditioner and a backup source for the Machine Room in case power is
interrupted for any reason. The UPS is capable of supplying power instantaneously to all
of the equipment in the Machine Room for approximately 10-15 minutes, depending
upon the load. Once the UPS is solely providing the Machine Room power, the Onan
Natural Gas Generator, located on the north side of the Computer Center Building, starts
and provides power to the room, thereby taking the load off of the UPS. The generator is
capable of supplying the Machine Room with power as long as the natural gas supply is
available. In addition to power supply protection, the Machine Room is staffed 24 hours
a day, 7 days a week, 365 days a year. The staff is trained to take initial steps to remedy
problems and notify system administrators as needed in case of server malfunction or
equipment failure. The Machine Room is accessible to authorized personnel only via
swipe card at all entrances and exits. A sprinkler system provides necessary fire
protection, and several large air conditioning units maintain the desired room
temperature.
F. Data Analysis and Criticality.
Applications and data criticality analysis is performed on a continuing basis by the
Optometry Database Server Administrator in conjunction with the Optometry Database
Software Vendor.
G. Testing.
Testing and revision procedures are performed on a continuing basis by the Optometry
Database Server Administrator in conjunction with the Optometry Database Software
Vendor.
H. Organization and Management.
The Department of Information Technology Services is a separate organization from the
College of Optometry. Significant structures are in place in ITS to provide planning,
management and control of IS operations. Current, accurate, written job descriptions of
ITS staff are available. Machine logs of all campus-wide servers and the Optometry
Database Server are maintained in a secure location, and these logs are reviewed on a
regular basis by management for unusual activity.
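Section H states that server logs are reviewed on a regular basis for unusual activity, and section IV.A.4 notes that user authentication is logged for both success and failure. The following is an added example, not part of this report or of any campus system, showing one such review as a script: it finds bursts of failed logons for a user from one source and flags a successful logon that immediately follows such a burst. The log format, the sample lines, the names and addresses, and the threshold and window values are all constructed for illustration and stand in for whatever the domain controllers actually record.

```python
"""Scripted review of an authentication log for unusual activity.

Added example, not part of the original report. The log format is a
constructed, simplified one:
    <ISO timestamp> <SUCCESS|FAILURE> user=<name> src=<workstation or address>
Lines are assumed to be in time order, as an exported log normally is.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (names, hosts and addresses are made up).
SAMPLE_LOG = """\
2010-04-30T08:01:10 SUCCESS user=jdoe src=opt-ws-01
2010-04-30T08:02:44 FAILURE user=asmith src=opt-ws-03
2010-04-30T08:02:51 FAILURE user=asmith src=opt-ws-03
2010-04-30T08:03:05 SUCCESS user=asmith src=opt-ws-03
2010-04-30T23:14:02 FAILURE user=rlee src=10.0.9.77
2010-04-30T23:14:09 FAILURE user=rlee src=10.0.9.77
2010-04-30T23:14:15 FAILURE user=rlee src=10.0.9.77
2010-04-30T23:14:22 FAILURE user=rlee src=10.0.9.77
2010-04-30T23:14:30 FAILURE user=rlee src=10.0.9.77
2010-04-30T23:14:41 SUCCESS user=rlee src=10.0.9.77
2010-04-30T23:20:00 SUCCESS user=jdoe src=opt-ws-01
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, outcome, user, source)."""
    ts, outcome, user_field, src_field = line.split()
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), outcome,
            user_field.split("=", 1)[1], src_field.split("=", 1)[1])


def review_auth_log(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return failure bursts and the successes that immediately follow one.

    A burst is `threshold` or more failures for the same (user, source) pair
    inside a sliding `window`. Both values are assumptions for illustration,
    not figures from the report.
    """
    failures = defaultdict(deque)   # (user, src) -> timestamps of recent failures
    bursts = {}                     # (user, src) -> largest failure count seen in a window
    suspicious = []                 # (user, src, timestamp) of successes after a burst
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, outcome, user, src = parse_line(line)
        q = failures[(user, src)]
        while q and ts - q[0] > window:     # forget failures outside the window
            q.popleft()
        if outcome == "FAILURE":
            q.append(ts)
            if len(q) >= threshold:
                bursts[(user, src)] = max(bursts.get((user, src), 0), len(q))
        elif outcome == "SUCCESS" and len(q) >= threshold:
            # A logon that succeeds right after repeated failures deserves a look.
            suspicious.append((user, src, ts))
            q.clear()                        # report each burst once
    return {"bursts": bursts, "suspicious_logons": suspicious}


if __name__ == "__main__":
    result = review_auth_log(SAMPLE_LOG)
    for (user, src), count in result["bursts"].items():
        print(f"burst: {count} failures for {user} from {src}")
    for user, src, ts in result["suspicious_logons"]:
        print(f"success after burst: {user} from {src} at {ts}")
```

Run as a script, the sample data reports one burst (five failures for rlee from 10.0.9.77 within under a minute) and one success after a burst; the two failures for asmith stay below the threshold. Keying the sliding window on the (user, source) pair rather than on the user alone keeps a single mistyped password at one workstation from hiding a burst coming from elsewhere.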
IV. Enforcing Security Policies
A. Administrative Procedures to Guard Data Integrity, Confidentiality and
Availability.
1. A Chain of Trust Partner Agreement is in place between the University of Missouri
and the software vendor.
2. The Vendor has certified that the Optometry Database Software is HIPAA Compliant.
See the attached “HIPAA Readiness Statement” provided by the vendor, Compulink
Business Systems (Appendix I).
3. A Contingency Plan is in place to protect critical data, back up data, provide
emergency recovery and test security procedures.
4. Information access control is in place to restrict access to patient data and
modification of patient data to authorized users only.
a) Campus-wide domain users: Domain Controllers and member servers reside on a
dedicated subnet. User authentication is logged for both success and failure.
Passwords are protected in transit by Active Directory's built-in authentication
system and by the fact that they are passed from client to Domain Controller over a
switched network rather than a shared hub. Password policies require a
minimum password length of 8 characters and at least one special (non-alpha)
character in the password. Password changes are required every 180 days.
b) LAN Patient Database Users: Unique authentication for LAN user access to the
patient database must occur at two separate points on each workstation to permit
access to patient records. These points are: campus-wide domain authentication
and Optometry Database Server domain authentication. The Optometry Database
Server resides on a dedicated subnet. User authentication is logged for both
success and failure. Passwords are protected in transit by Active Directory's built-in
authentication system and by the fact that they are passed from client to Domain
Controller over a switched network rather than a shared hub. Password
policies require a minimum password length of 6 characters and at least one
special (non-alpha) character in the password. Password changes are required
every 180 days.
c) WAN Users: Unique authentication for WAN users must occur at three separate
points on each workstation to permit access to patient records. These points are:
local workstation authentication, VPN server authentication, and Optometry
Database Server domain authentication. The Optometry Database Server resides
on a dedicated subnet. User authentication is logged for both success and failure.
Passwords are protected in transit by Active Directory's built-in authentication
system and by the fact that they are passed from client to Domain Controller over a
switched network rather than a shared hub. Password policies require a
minimum password length of 8 characters and at least one special (non-alpha)
character in the password. Password changes are required every 180 days.
5. Personnel security is provided by limiting access to Optometry Database Server
hardware to authorized ITS personnel only, and by limiting access to patient database
software to those faculty and staff in the College of Optometry who are authenticated
users of the Optometry Database Server domain. System users have been trained in
security procedures to protect patient data.
6. Security management process: Group policies are in place on the Optometry
Database Server to protect and restrict access to patient data and server software.
7. Campus-wide termination procedures are in place to ensure that terminated
employees are locked out from sensitive data. An account review process occurs
every month. During this review, accounts of staff members no longer employed with
the university are removed from the access groups for the Optometry Database Server;
the accounts are then disabled and removed through routine Human Resources
processes. If an employee transfers to another UM institution, their Exchange email
account is moved to that institution's Active Directory and all other accounts are
removed.
8. Security awareness training has been provided to all personnel who have access to
patient records. Security reminders are provided periodically.
9. Security Incident Procedures are implemented by the Optometry Database Server
Administrator. These procedures include documentation of security breaches and
how to handle them promptly. All campus-wide domain servers and the Optometry
Database Server are kept current with security patches and hotfixes through the use of
Microsoft Update Service, and all Windows servers are scanned for security holes
prior to being put into production and at least once per month while in production.
The Optometry Database Server is likewise kept current with security patches and
hotfixes through the use of Microsoft Windows Software Update Service.
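Items 4 and 7 above describe two controls that are easy to get wrong by hand: the password rules at each authentication point (8-character minimum for campus-domain and WAN users, 6 for the Optometry Database Server domain, at least one non-alpha character, a change every 180 days) and the monthly account review that removes staff who have left or transferred. The following is an added example, not part of this report or of any campus tooling, that codifies both checks. The account records, HR roster, employee ids, names and dates are constructed sample data held in plain dictionaries; a real review would read them from Active Directory and the HR system.

```python
"""Monthly access review for the Optometry Database Server domain.

Added example, not part of the original report or of any campus tooling.
It applies the IV.A.4 password rules and the IV.A.7 account review to
constructed sample data.
"""
from datetime import date, timedelta

MAX_PASSWORD_AGE = timedelta(days=180)
# Minimum password length per authentication point, as stated in IV.A.4.
MIN_LENGTH = {"campus": 8, "optometry-db": 6, "wan": 8}

# Constructed sample data. Employee ids, names and dates are made up.
REVIEW_DATE = date(2010, 5, 1)
# Employees still on the HR roster and their status; E102 is absent, i.e. has left.
HR_ROSTER = {"E100": "active", "E101": "active", "E103": "transferred"}
ACCOUNTS = [
    {"sam": "jdoe",   "employee_id": "E100", "pwd_last_set": date(2010, 3, 1)},
    {"sam": "asmith", "employee_id": "E101", "pwd_last_set": date(2009, 9, 1)},
    {"sam": "rlee",   "employee_id": "E102", "pwd_last_set": date(2010, 4, 1)},
    {"sam": "kpatel", "employee_id": "E103", "pwd_last_set": date(2010, 4, 20)},
]


def password_meets_policy(password, domain):
    """Length and at-least-one-non-alpha rule for the given authentication point."""
    if domain not in MIN_LENGTH:
        raise ValueError(f"unknown authentication point {domain!r}")
    has_non_alpha = any(not ch.isalpha() for ch in password)
    return len(password) >= MIN_LENGTH[domain] and has_non_alpha


def password_expired(last_changed, today=REVIEW_DATE):
    """True once a password is older than the 180-day change interval."""
    return today - last_changed > MAX_PASSWORD_AGE


def review_accounts(accounts, hr_roster, today=REVIEW_DATE):
    """Return (account, action) pairs for the monthly review.

    An account whose owner has left or transferred takes priority over a stale
    password, since that account is removed rather than forced to change.
    """
    findings = []
    for acct in accounts:
        status = hr_roster.get(acct["employee_id"], "terminated")
        if status == "terminated":
            findings.append((acct["sam"],
                             "terminated: remove from Optometry access groups, then disable"))
        elif status == "transferred":
            findings.append((acct["sam"],
                             "transferred: move Exchange mailbox, remove all other accounts"))
        elif password_expired(acct["pwd_last_set"], today):
            findings.append((acct["sam"], "password older than 180 days: force a change"))
    return findings


if __name__ == "__main__":
    for sam, action in review_accounts(ACCOUNTS, HR_ROSTER):
        print(f"{sam}: {action}")
```

With the sample data the review lists asmith (password set 242 days before the review date), rlee (no longer on the roster) and kpatel (transferred), and leaves jdoe alone. The same password can pass at the database-server domain and fail at the campus domain because the two minimum lengths differ, which is why the check takes the authentication point as an argument instead of a single global rule.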
B. Technical Security Services to Guard Data Integrity, Confidentiality and
Availability.
1. User-based and Role-based access is provided at the server and again at the patient
database level. Security zones are mapped to users according to these roles.
2. Encryption at remote WAN sites is provided at two points. Point one is the peer-to-
peer VPN tunnel between the router and the campus VPN server. Point two is
encryption between workstations and the router.
3. Entry authentication is provided by the following security policies:
a. Password security is implemented at 2 points for LAN users (campus domain
server and patient database domain server) and at 3 points for WAN users (local
workstation, campus VPN server and patient database domain server).
b. Unique user identification is required to access the patient database software.
c. A campus firewall is in place to control access at the network level.
d. The secure Machine Room restricts access to approved employees of ITS. This room
is alarmed and has 2 levels of backup power supply (UPS and backup power
generator).
APPENDIX I
HIPAA Compliance Statement from Compulink Business Systems
HIPAA Readiness Statement
Compulink Business Systems
HIPAA (Health Insurance Portability and Accountability Act of 1996) is a set of regulations
developed by various different government agencies and members of the health industry. It’s
designed to protect patient rights, and simplify the complicated web of communication systems
used by the industry for passing information from one entity to another. HIPAA contains a set of
standards to be used by all agents of the industry with regard to how the information is transferred
and protected. There are three main provisions of this Act, which will affect Compulink’s
software.
Transaction Standards
The most critical of these three provisions to Compulink are the new Transaction Standards. These
standards dictate how various different forms of EDI will be designed and implemented.
Specifically, these regulations require the use of the ANSI 004010X098 format for all EDI
transactions. We began developing programs which adhere to these regulations in October of 2001
and have since been certified by multiple carriers across the US. We continue our testing with
other carriers, and eventually will be certified for direct EMC with more than 80 carriers across the
country.
Privacy Regulations
The Privacy regulations dictate standards for keeping individually identifiable patient data private.
This means that patient data should only be visible on a need to know basis. With regard to
Compulink software, the privacy regulations dictate how information in our program is secured in
order to keep personal patient data private. Compulink has various different levels of security built
into our applications, which allow system administrators to allow access to only the parts of the
system that particular person or station needs to access. In other words, the person who adds the
demographic information into the system may or may not have access to the diagnostic or medical
record part of the system, etc. Many of the changes necessary in your office regarding the Privacy
regulations will not be related to your software, but instead related to the flow of the paperwork
through your office. It is very important that you assign a HIPAA officer in your office to regulate
these processes to ensure your policies meet the guidelines of the Privacy regulations.
Security Regulations
The Security regulations will dictate specific details as to how the electronic information used by
the healthcare industry should be stored, transferred, and used to ensure the privacy of individually
identifiable data related to a patient's healthcare. These rulings have yet to become final; however,
we have adopted our own standards, and are continually evaluating our systems to help you ensure
the security of your patients' data.
Compulink Software
Compulink Business Systems, Inc. provides Health Care Management Software to various
different specialties in the healthcare industry. Our role in HIPAA is that of a “business associate”,
and we are continually researching and testing our products to ensure our ability to provide
covered entities (our clients) with the proper tools for achieving HIPAA compliance. We employ a
staff of experienced programmers who are devoted to changing and improving our products to
meet or exceed the industry requirements and standards.
We have completed and released our HIPAA compliant claims module, and are currently
upgrading our clients across the country to that new program. Our claims module creates and
submits claims to our carriers in the ANSI 004010X098 version.
Our Advantage 8.0 product offers critical tools for assisting your practice in achieving compliance.
Here’s a list of some of those important features:
User Login and Password
Ability to limit access to specific patient data depending upon Login ID
Chart logging – keep a complete log of who has accessed the patients paper charts
Track changes made to the Medical Record by login ID
Digital signatures
Exam Record Locking and Audit Trail
HIPAA compliant EMC
Here are some important deadlines you will want to put on your calendar.
October 15, 2002 – Deadline for submitting an extension for Electronic Health Care
Transactions & Code Sets
April 14, 2003 – Deadline for meeting the Privacy Standards imposed by HIPAA
April 16, 2003 – Electronic Health Care Transactions and Code Sets – clients must be
testing by this date.
Frequently asked questions regarding HIPAA may be found here: http://www.cms.gov
Specifics regarding the formats of electronic data required under HIPAA may be found here:
http://www.wpc-edi.com
For more detailed information about HIPAA, you can visit http://www.hipaa.org.