Cedara Software HIPAA Compliance Statement
Document No. 2002-00040 Rev 10.0
Cedara Software HIPAA Compliance Statement
Document Number: 2002-00040
Revision: 10.0
Revision Type: Major
Document Status: Approved
Date: June 26, 2007
Effective Date: Upon Approval
Author: Chris Wiedmann
Note: When printed, this is an uncontrolled copy, unless accompanied by approval signatures.
Approvals
Product Manager, I-Response: Chris Wiedmann
Mandatory Reviewers
RA/QA Project Manager: Jodi Coleman
Director of Quality & Regulatory Affairs: Carol Nakagawa
Engineering Manager, I-Response: Pinar Crombie
Subject Matter Expert, I-Response: Doug Hussey
Optional Reviewers
Director/Solutions Architect: Lorelle Lapstra
Cedara Software Corp. – Confidential Page 1 of 17
Revision History

Date | Revision | Author | Changes
25/12/01 | 1.0 | | Initial draft
01/12/02 | 2.0 | | Add in I-Store comments from Michael Wong. Added documentation from Microsoft White Paper. Added Carol Nakagawa’s comments to document.
03/11/2003 | 3.0 | Sabrina Cannistraro | Updated as per Health Insurance Reform: Security Standards; Final Rule (http://a257.g.akamaitech.net/7/257/2422/14mar20010800/edocket.access.gpo.gov/2003/pdf/03-3877.pdf). Added I-Acquire information. Edited I-Acquire audit trail information.
07/14/2004 | 4.0 | Ken Fairbairn | For the inclusion of Cedara I-ReadMammo. Updated section 2.1.
02/16/2005 | 5.0 | Ken Fairbairn | For the inclusion of Cedara OrthoWorks Spine Analyzer and Cedara OrthoWorks Care Manager.
07/28/2005 | 6.0 | Ken Fairbairn | Added Cedara PET/CT. Re-formatted table in 2.2.
04/28/2006 | 7.0 | Scott Illsley | Added Cedara OrthoWorks ProPlanner. Changed status to Approved.
10/18/2006 | 8.0 | Kinga Szekely | Changed status to Approved. Currently PET/CT 1.3 does not log the following actions, so these items have been removed: Study status is modified; Installation or upgrade; When users have chosen to mark all the studies as READ without actually viewing all of them.
03/27/2007 | 9.0 | Harald Zachmann | Changed status to Approved. Removed “study status” info from PET/CT audit trail.
06/26/2007 | 10.0 | Chris Wiedmann | Added I-Response to document and sent for review. Changed wording of first requirement. Per Mirela, removed “Print” from list of logged actions.
TABLE OF CONTENTS
REVISION HISTORY
1. INTRODUCTION
1.1 PURPOSE OF THIS DOCUMENT
1.2 SOURCE DOCUMENTS
1.3 DEFINITIONS
1.4 IMPORTANT NOTE TO THE READER
2. HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT
2.1 HIPAA
2.2 CEDARA SOFTWARE’S APPLICATIONS COMPLIANCE WITH HIPAA
1. Introduction
1.1 Purpose of this Document
This document is the HIPAA Compliance Statement for Cedara Software’s Applications. The purpose of this document is to
describe how the different applications meet or exceed the standards defined by the Health Insurance Portability and
Accountability Act.
1.2 Source Documents

Reference | Author | Date | Revision | Document
1 | Robert Segal | November 2001 | 1.2 | I-SoftView Software Requirements Document for HIPAA
2 | Microsoft Corporation | April 2000 | 6 | HIPAA Technology Review White Paper
3 | SCAR-Reiner, Bruce et al. | 2000 | 1 | Security Issues in the Digital Medical Enterprise
4 | United States Department of Health and Human Services | December 2000 | n/a | Standards for Privacy of Individually Identifiable Health Information
5 | Hubert Chu | September 2001 | 1.4 | I-Reach Software Requirements Document
6 | U.S. Department of Health and Human Services | April 17, 2003 | n/a | Security Standards for the Protection of Electronic Protected Health Information
1.3 Definitions
Word Definition
HIPAA Health Insurance Portability and Accountability Act
HHS Department of Health and Human Services
1.4 Important note to the reader
The use of this compliance statement by itself does not guarantee complete coverage of the regulations issued under HIPAA.
The user or integrator of Cedara products should keep the following issues in mind:
1. Certain functions will require integration work on the Customer side in order to get full benefit of the features implemented in Cedara’s applications.
2. HIPAA regulations are currently open to interpretation, and Cedara makes no guarantee that its interpretation of those regulations is correct or will be found to be all-inclusive of the requirements.
3. Each installed site requires protocols and policies in place to ensure that the security features enabled in Cedara’s applications are fully utilized.
4. The HIPAA requirements will continue to evolve to meet new user requirements. Cedara will follow changes in the Act by implementing new features as specified. Cedara reserves the right to make changes to its products or to discontinue their delivery. The user or integrator should ensure that any non-Cedara device providers whose devices connect with Cedara devices also follow HIPAA regulations; failure to do so will likely result in future security problems.
5. Only those applications identified within this document have been considered for compliance. For any other products that Cedara offers that are not covered in this document, interested parties should contact Cedara’s marketing department for more information.
Applications covered in this document include:
• Cedara I-Acquire
• Cedara I-Reach
• Cedara I-SoftView
• Cedara I-Store
• Cedara I-ReadMammo
• Cedara OrthoWorks Spine Analyzer
• Cedara OrthoWorks Care Manager
• Cedara PET/CT
• Cedara OrthoWorks ProPlanner
• Cedara I-Response
2. Health Insurance Portability and Accountability Act
2.1 HIPAA
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a US Federal Law that requires that health care providers and
other covered entities protect the privacy and security of patient health information.
Areas that require specific control include:
• Control of authorization of users to access data;
• Chain of trust agreements;
• Data availability;
• Contingency plans;
• Continuity of operation plans;
• Unauthorized changes to data;
• Organizational policies; and
• Human resources changes.
The HIPAA Privacy Standards came into complete effect on April 14, 2004. Covered entities had until April 21, 2005 to comply with the HIPAA Security Standards; small covered entities had until April 21, 2006.
As a manufacturer of medical imaging software, Cedara Software Corp. has integrated security features into its medical applications to
help covered entities ensure their compliance with HIPAA requirements.
This HIPAA Compliance Statement is intended to indicate Cedara product features that could be implemented to address certain HIPAA
privacy and security requirements.
2.2 Cedara Software’s Applications Compliance with HIPAA
Security Standards for the Protection of Electronic Protected Health Information: Technical Safeguards

For each requirement, the entries below give: the requirement and its HIPAA status (Required or Addressable); the description; the Cedara implementation per application; and whether it is currently available.

Access Control Implementation Specifications
Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights.

Requirement: Unique user identification (Required).
Description: Assign a unique name and/or number for identifying and tracking user identity.
Currently Available: Available. Must be enforced by the healthcare enterprise.
Cedara Implementation:
Cedara I-Acquire
Cedara I-Acquire authenticates users based on their Windows passwords. Each user in the hospital enterprise should have a unique username and password.
Cedara I-Reach
Each Cedara I-Reach user must have a unique username and password in order to use the system. Only one Cedara I-Reach session may be run for each user at any given time.
Cedara I-SoftView
Cedara I-SoftView authenticates users based on their Windows passwords. Each user in the hospital enterprise should have a unique username and password.
Cedara I-Store
Cedara I-Store authenticates users based on their Windows administrative rights. Each administrator should have a unique username and password.
Cedara I-ReadMammo
Cedara I-ReadMammo authenticates users based on their Windows passwords. Each user in the hospital enterprise should have a unique username and password.
Cedara OrthoWorks Spine Analyzer
Cedara OrthoWorks Spine Analyzer authenticates users based on their Windows passwords. Each user in the hospital enterprise should have a unique username and password.
Cedara OrthoWorks Care Manager
Cedara OrthoWorks Care Manager authenticates users based on their Windows passwords. Each user in the hospital enterprise should have a unique username and password.
Cedara PET/CT
Cedara PET/CT authenticates users based on their Windows passwords. Each user in the hospital
enterprise should have a unique username and password
Cedara OrthoWorks ProPlanner
Cedara OrthoWorks ProPlanner authenticates users based on their Windows passwords. Each user in the
hospital enterprise should have a unique username and password.
Cedara I-Response
Cedara I-Response authenticates users based on their Windows passwords. Each user in the hospital
enterprise should have a unique username and password. It also requires an additional username and
password, specific to I-Response, at the application level.
Requirement: Emergency access procedure (Required).
Description: Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.
Currently Available: The healthcare facility must implement the procedure and process for this.

Requirement: Automatic logoff (Addressable).
Description: Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
Currently Available: Available.
Cedara Implementation:
Cedara I-Acquire
The system administrator can create screen savers that are invoked after a certain time period, thus requiring the user to re-enter their Windows domain password.
Cedara I-Reach
The application automatically times out after a time period designated by the system administrator. After this time-out period, the user must log in again.
Passwords automatically expire after a configurable amount of time (default is 90 days).
Cedara I-SoftView
The system administrator can create screen savers that are invoked after a certain time period, thus requiring the user to re-enter their Windows domain password.
Cedara I-Store
The system can be configured to automatically logoff the archive console after a predetermined time of
inactivity.
The Web Status page can be configured to automatically timeout after a predetermined period of inactivity.
Cedara I-ReadMammo
The system administrator can create screen savers that are invoked after a certain time-period, thus
requiring the user to re-enter their Windows domain password.
Cedara OrthoWorks Spine Analyzer
The system administrator can create screen savers that are invoked after a certain time-period, thus
requiring the user to re-enter their Windows domain password.
Cedara OrthoWorks Care Manager
The system administrator can create screen savers that are invoked after a certain time-period, thus
requiring the user to re-enter their Windows domain password.
Cedara PET/CT
The system administrator can create screen savers that are invoked after a certain time-period, thus
requiring the user to re-enter their Windows domain password.
Cedara OrthoWorks ProPlanner
The system administrator can create screen savers that are invoked after a certain time-period, thus
requiring the user to re-enter their Windows domain password.
Cedara I-Response
The system administrator can create screen savers that are invoked after a certain time-period, thus
requiring the user to re-enter their Windows domain password.
Requirement: Encryption and decryption (Addressable).
Description: Implement a mechanism to encrypt and decrypt electronic protected health information.
Currently Available: The healthcare facility must implement such a mechanism if necessary.
Cedara Implementation:
Cedara I-Acquire
N/A
Cedara I-Reach
When using the https protocol to access information, Cedara I-Reach uses 128-bit SSL to encrypt the data it sends.
Cedara I-SoftView
N/A
Cedara I-Store
When using the https protocol to access the Web Status information, Cedara I-Store uses 128-bit SSL to encrypt the data it sends.
Cedara I-ReadMammo
N/A
Cedara OrthoWorks Spine Analyzer
N/A
Cedara OrthoWorks Care Manager
Cedara OrthoWorks Care Manager uses 128-bit SSL to encrypt the data it sends on a local area network.
Cedara PET/CT
N/A
Cedara OrthoWorks ProPlanner
Cedara OrthoWorks ProPlanner supports the following for encryption/decryption:
1) DICOM Media Security (encrypted P10 files)
2) DICOM Transport Security (SSL sockets).
Cedara I-Response
N/A
Audit Control Implementation Specifications

Requirement: Audit Control.
Description: Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
Currently Available: The healthcare facility must implement such mechanisms if necessary. Mechanisms for this are currently under review.
Cedara Implementation:
Cedara I-Acquire
N/A
Cedara I-Reach
An audit trail is created that includes the following information: Username; Action performed (e.g. printing); Date and time the action was performed; Name of workstation; Patient name; Study UID; GSPSS UID; Unsuccessful login attempts.
Cedara I-SoftView
An audit trail is created that includes the following information: Username; Action performed (e.g. printing); Date and time the action was performed; Name of workstation Cedara I-SoftView is running on; Patient name of the study; UID of the study; GSPSS UID; Study status new and old.
Data is sent to the logging component when the following actions are executed: Study is viewed; Study is printed; Study is consulted; Study status is modified; Modified GSPSS data of a study has been saved; Invoking I-SoftView DICOM transfer has been made; Installation or upgrade of I-SoftView; When users have chosen to mark all the studies as READ without actually viewing all of them.
Cedara I-Store
An audit trail is created to track modifications to the patient or study demographic information. The location
where studies that are transferred are also logged.
Cedara I-ReadMammo
An audit trail is created that includes the following information: Username; Action performed (e.g. printing);
Date and time the action was performed; Name of workstation Cedara I-ReadMammo is running on; Patient
name of the study; UID of the study; GSPSS UID; Study status new and old.
Data is sent to the logging component when the following actions are executed: Study is viewed; Study is printed; Study is consulted; Study status is modified; Modified GSPSS data of a study has been saved; Invoking I-ReadMammo DICOM transfer has been made; Installation or upgrade of I-ReadMammo; When users have chosen to mark all the studies as READ without actually viewing all of them.
Cedara OrthoWorks Spine Analyzer
N/A
Cedara OrthoWorks Care Manager
An audit trail is created that includes the following information: Login (username); Operation performed (e.g. delete a patient); Date and time the action was performed; Name of workstation Cedara OrthoWorks Care Manager is running on.
Data is sent to the logging component when the following actions are executed: A user has logged in; A user has logged out; A patient file has been created; A patient file has been deleted; A patient file has been viewed; A patient file has been updated; A patient file has been exported; A module has been installed; A module has been updated.
Cedara PET/CT
An audit trail is created that includes the following information: Username; Action performed (e.g. printing);
Date and time the action was performed; Name of workstation Cedara PET/CT is running on; Patient name
of the study; UID of the study; UID.
Data is sent to the logging component when the following actions are executed: Study is viewed; Study is printed; Invoking PET/CT DICOM transfer has been made; Saving a Secondary Capture image; Saving registration information.
Cedara OrthoWorks ProPlanner
An audit trail is created that includes the following information: Username; Action performed (e.g. printing);
Date and time the action was performed; Name of workstation OrthoWorks ProPlanner is running on; Patient
name of the study (if available); UID of the study (if available); UID of the series (if available); Study status
new and old (if available).
Data is sent to the logging component when the following actions are executed: Study is viewed; Study is printed; Study status is modified; Invoking/Exiting OrthoWorks ProPlanner; DICOM transfer has been made; DICOM Secondary Capture Series Created; Installation, upgrade or uninstallation of OrthoWorks ProPlanner; When users have chosen to mark all the studies as READ without actually viewing all of them; When user saves the presentation state of a study (GSPS).
Cedara I-Response
An audit trail is created that includes the following information: Username; Action performed (e.g. printing);
Date and time the action was performed; Name of workstation application is running on; Patient name of the
study (if available); UID of the study (if available); UID of the series (if available); UID of the registration (if
available); Study status new and old (if available).
Data is sent to the logging component when the following actions are executed: Installing, upgrading or uninstalling the application; Invoking/Exiting the application; Load patient data for display; DICOM transfer; DICOM Secondary Capture series created; Saving Presentation State series; Saving ADC series; and Saving Registered series.
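The audit-trail entries above share the same core fields (username, action performed, date and time, workstation and, where a study is involved, patient name and study UID), and the requirement asks that activity be both recorded and examined. The following is an added example, not Cedara code and not part of the original statement: a line-oriented audit record with those fields, a parser that rejects records that cannot be attributed to a user, and two checks a site could run over the trail, one for study-access events that omit the patient/study context and one for bursts of unsuccessful logins. The event names (LOGIN_FAILED, STUDY_VIEWED and so on), the 15-minute window, the threshold of 8 attempts (taken from the I-Reach lockout default described later in this document) and the sample log lines are all constructed for this example.

```python
"""Added example (not Cedara code): a line-oriented audit trail carrying the
fields listed in the compliance statement, plus two checks run over it.
Event names, window, threshold and sample data are assumptions."""
import json
from collections import defaultdict
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta

# Fields every record must carry (from the statement's audit-trail lists).
REQUIRED_FIELDS = ("username", "action", "timestamp", "workstation")
# Present only when the event concerns a study.
OPTIONAL_FIELDS = ("patient_name", "study_uid")
# Assumed identifiers for the study-level actions the statement names in prose.
STUDY_ACTIONS = {"STUDY_VIEWED", "STUDY_PRINTED", "STUDY_STATUS_MODIFIED", "DICOM_TRANSFER"}


@dataclass(frozen=True)
class AuditRecord:
    username: str
    action: str
    timestamp: str          # ISO 8601, e.g. 2007-06-26T08:00:00
    workstation: str
    patient_name: str = ""  # empty for events with no study (e.g. logins)
    study_uid: str = ""


def to_line(rec: AuditRecord) -> str:
    """Serialise one record as one JSON line; one event per line."""
    return json.dumps(asdict(rec), sort_keys=True)


def parse_line(line: str) -> AuditRecord:
    """Parse a JSON line, rejecting records that cannot be attributed.
    A record with no user, action, time or workstation is a gap in the
    trail, so it is an error rather than something silently accepted."""
    data = json.loads(line)
    missing = [f for f in REQUIRED_FIELDS if not data.get(f)]
    if missing:
        raise ValueError(f"audit record missing required field(s): {missing}")
    datetime.fromisoformat(data["timestamp"])  # raises on a malformed time
    return AuditRecord(**{k: data.get(k, "") for k in REQUIRED_FIELDS + OPTIONAL_FIELDS})


def is_valid_line(line: str) -> bool:
    try:
        parse_line(line)
        return True
    except (ValueError, TypeError, AttributeError):
        return False


def load_trail(lines):
    return [parse_line(line) for line in lines]


def study_events_missing_context(records):
    """Study-level events that do not say which patient/study was touched.
    Such records satisfy 'record activity' but defeat 'examine activity'."""
    return [r for r in records
            if r.action in STUDY_ACTIONS and not (r.patient_name and r.study_uid)]


def failed_login_bursts(records, threshold=8, window=timedelta(minutes=15)):
    """Users with at least `threshold` LOGIN_FAILED events inside any span of
    length `window` (sliding window over sorted timestamps).
    Returns {username: largest burst size}."""
    by_user = defaultdict(list)
    for r in records:
        if r.action == "LOGIN_FAILED":
            by_user[r.username].append(datetime.fromisoformat(r.timestamp))
    flagged = {}
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            size = end - start + 1
            if size >= threshold:
                flagged[user] = max(flagged.get(user, 0), size)
    return flagged


# Constructed sample trail (no real patients or systems): eight failed logins
# for "jdoe" within eight minutes, then a successful login and two study views
# for "asmith", the second of which omits the patient/study context.
SAMPLE_LINES = [
    to_line(AuditRecord("jdoe", "LOGIN_FAILED", f"2007-06-26T08:0{i}:00", "RAD-02"))
    for i in range(8)
] + [
    to_line(AuditRecord("asmith", "LOGIN_OK", "2007-06-26T08:10:00", "RAD-01")),
    to_line(AuditRecord("asmith", "STUDY_VIEWED", "2007-06-26T08:11:30", "RAD-01",
                        "DOE^JANE", "1.2.3.4.5.6789")),
    to_line(AuditRecord("asmith", "STUDY_VIEWED", "2007-06-26T08:12:00", "RAD-01")),
]

if __name__ == "__main__":
    trail = load_trail(SAMPLE_LINES)
    print("failed-login bursts:", failed_login_bursts(trail))
    print("study events missing context:",
          [r.timestamp for r in study_events_missing_context(trail)])
```

Run as a script, it reports jdoe's eight failures as one burst and the 08:12:00 study view as the record lacking patient and study identifiers. The I-SoftView and I-ReadMammo trails described above also carry the GSPSS UID and the old and new study status; those would be added as further optional fields in the same way.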
Integrity Implementation Specifications
Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.

Requirement: Mechanism to authenticate electronic protected health information (Addressable).
Description: Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.
Currently Available: Mechanisms for this are currently under review.
Person or entity Authentication Implementation Specifications
Requirement: Person or entity Authentication.
Description: Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
Currently Available: Available.
Cedara Implementation:
Cedara I-Acquire
Users must enter their unique username and password when logging in to the system. Cedara I-Acquire then authenticates the user prior to allowing access to electronic protected health information.
Cedara I-Acquire can be integrated with biometric devices to verify that the person accessing PHI is the one claimed.
Cedara I-Reach
Users must enter their unique username and password when logging in to the system. Cedara I-Reach then authenticates the user prior to allowing access to electronic protected health information. After a configurable number (default 8) of unsuccessful login attempts, the user account is automatically made inactive. Each user’s predefined role limits the information to which they have access.
Cedara I-Reach can be integrated with biometric devices to verify that the person accessing PHI is the one claimed.
Cedara I-SoftView
Users must enter their unique username and password when logging in to the system. Cedara I-SoftView
then authenticates the user prior to allowing access to electronic protected health information.
Cedara I-SoftView can be integrated with biometric devices to verify that the person accessing PHI is the one claimed.
Cedara I-Store
Users must enter their unique username and password when logging in to the system. Cedara I-Store then
authenticates the user prior to allowing access to electronic protected health information.
Cedara I-Store can be integrated with biometric devices to verify that the person accessing PHI is the one claimed.
Cedara I-ReadMammo
Users must enter their unique username and password when logging in to the system. Cedara I-
ReadMammo then authenticates the user prior to allowing access to electronic protected health information.
Cedara I-ReadMammo can be integrated with biometric devices to verify that the person accessing PHI is the one claimed.
Cedara OrthoWorks Spine Analyzer
N/A
Cedara OrthoWorks Care Manager
Users must enter their unique username and password when logging in to the system. Cedara OrthoWorks
Care Manager then authenticates the user prior to allowing access to electronic protected health information.
Cedara PET/CT
Users must enter their unique username and password when logging in to the system. Cedara PET/CT then authenticates the user prior to allowing access to electronic protected health information.
Cedara PET/CT can be integrated with biometric devices to verify that the person accessing PHI is the one claimed.
Cedara OrthoWorks ProPlanner
Users must enter their unique username and password when logging in to the system. Cedara OrthoWorks
ProPlanner then authenticates the user prior to allowing access to electronic protected health information.
Cedara I-Response
Users must enter their unique Windows username and password when logging in to the system. Users must
enter their unique I-Response username and password when logging in to the application.
Transmission security Implementation Specifications
Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an
electronic communications network.
Requirement: Integrity controls (Addressable).
Description: Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.
Currently Available: Mechanisms for this are currently under review.

Requirement: Encryption (Addressable).
Description: Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.
Currently Available: Available.
Cedara Implementation:
Cedara I-Acquire
N/A
Cedara I-Reach
When using the https protocol to access information, Cedara I-Reach uses 128-bit SSL to encrypt the data it sends.
Cedara I-SoftView
N/A
Cedara I-Store
When using the https protocol to access the Web Status information, Cedara I-Store uses 128-bit SSL to encrypt the data it sends.
Cedara I-ReadMammo
N/A
Cedara OrthoWorks Spine Analyzer
N/A
Cedara OrthoWorks Care Manager
Cedara OrthoWorks Care Manager uses 128-bit SSL to encrypt the data it sends on a local area network.
Cedara PET/CT
N/A
Cedara OrthoWorks ProPlanner
Cedara OrthoWorks ProPlanner supports the following for encryption/decryption:
1) DICOM Media Security (encrypted P10 files)
2) DICOM Transport Security (SSL sockets).
Cedara I-Response
N/A