System Security in ChiroPractice Pro
The Centers for Medicare and Medicaid Services (CMS) enforce what is called "The Security Rule", formally the Security Standards for the Protection of Electronic Protected Health Information. It is codified in Federal regulations at 45 CFR Part 160 and Part 164, Subparts A and C.
What this means to you and to us is that there are requirements to protect your patients' health data. This video shows you how ChiroPractice Pro partners with you and gives you the tools to help implement safeguards in your office. The Department of Health and Human Services has published a series of seven guidance papers called the HIPAA Security Series. The list we are going to go through is taken from the seventh of these papers, Security Standards: Implementation for the Small Provider.
You can find all of their guidance at this website: https://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html
Since this is comprehensive guidance for your whole practice, some of these items apply to your use of ChiroPractice Pro and others may not. Each implementation specification is marked either Required (R) or Addressable (A). Required is self-explanatory: you must implement it. Addressable does not mean optional; it means you must assess whether the specification is reasonable and appropriate for your practice and, if it is, implement it; if it is not, you must document why and implement an equivalent alternative measure where reasonable. In every case, document your decisions and the protections you put in place.
SECURITY MANAGEMENT PROCESS
Implement policies and procedures to prevent, detect, contain and correct security violations.
(R) RISK ANALYSIS – Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
(R) RISK MANAGEMENT – Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with the Security Rule.
(R) SANCTION POLICY – Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity.
WORKFORCE SECURITY
Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, and to prevent those workforce members who do not have access from obtaining access to electronic protected health information.
(A) AUTHORIZATION AND/OR SUPERVISION – Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.
ChiroPractice Pro provides access and permission based controls so that each user can be limited to the data and functions their job requires. Review those permissions whenever a staff member's role changes or they leave the practice.
SECURITY AWARENESS AND TRAINING
Implement a security awareness and training program for all members of its workforce (including management).
(A) PASSWORD MANAGEMENT – Implement procedures for creating, changing, and safeguarding passwords.
ChiroPractice Pro provides you with the ability to monitor and change passwords for your users. Passwords should never be shared between staff members, since a shared password also defeats the unique user identification and audit requirements below.
CONTINGENCY PLAN
(R) DATA BACKUP PLAN – Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.
ChiroPractice Pro provides a method to back up to local storage and to cloud based servers. Test a restore from your backups periodically; a backup that has never been restored has not been shown to be "retrievable".
BUSINESS ASSOCIATE CONTRACTS AND OTHER ARRANGEMENTS
A covered entity may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity’s behalf only if the covered entity obtains satisfactory assurances that the business associate will appropriately safeguard the information.
(R) WRITTEN CONTRACT OR OTHER ARRANGEMENTS – Document the satisfactory assurances required by this section through a written contract or other arrangement with the business associate that meets applicable requirements.
The ChiroPractice Pro user agreement obligates both us and the user to abide by the HIPAA Rules and Regulations regarding Protected Health Information.
FACILITY ACCESS CONTROLS
Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.
(A) FACILITY SECURITY PLAN – Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.
(A) MAINTENANCE RECORDS – Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors and locks).
WORKSTATION USE
Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information.
DEVICE AND MEDIA CONTROLS
Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility.
(R) DISPOSAL – Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored. Deleting files or reformatting a drive is not disposal; media that held ePHI should be securely wiped or physically destroyed before it leaves your control.
(A) DATA BACKUP AND STORAGE – Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment.
ACCESS CONTROL
Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights.
(R) UNIQUE USER IDENTIFICATION – Assign a unique name and/or number for identifying and tracking user identity.
ChiroPractice Pro provides you with the ability to create, monitor and change access for every user. Give each staff member their own login; a unique identifier is what allows activity in the system to be traced back to one person.
(A) AUTOMATIC LOGOFF – Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
ChiroPractice Pro terminates active sessions after a set period of inactivity, so a workstation left unattended does not stay logged in indefinitely.
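To make the automatic logoff requirement concrete, the following is an added example of how an application can enforce it server-side. It is illustrative code written for this page, not ChiroPractice Pro's implementation, and the timeout values, the SessionStore class and the fake clock are assumptions chosen for the illustration. It shows two timers a practitioner usually wants: an idle timeout that resets on each request, and an absolute timeout that caps the session's total life so that an endlessly "active" session still expires.

```python
"""Session inactivity timeout (automatic logoff) enforced server-side.

Added illustration for the HIPAA automatic logoff specification; not the
vendor's code. Timeout values below are assumed for the example.
"""
import secrets
import time
from dataclasses import dataclass, field

IDLE_TIMEOUT_S = 15 * 60        # assumed: 15 minutes without a request ends the session
ABSOLUTE_TIMEOUT_S = 8 * 3600   # assumed: no session outlives a single work shift


@dataclass
class Session:
    user_id: str
    created: float
    last_seen: float
    # Opaque, unguessable session token handed to the browser (e.g. in a cookie).
    token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


class SessionStore:
    """In-memory session table with idle and absolute expiry.

    `clock` is injectable so the expiry logic can be exercised without sleeping.
    """

    def __init__(self, idle=IDLE_TIMEOUT_S, absolute=ABSOLUTE_TIMEOUT_S, clock=time.time):
        self.idle = idle
        self.absolute = absolute
        self.clock = clock
        self._sessions = {}

    def login(self, user_id):
        """Create a session after the user has authenticated; return its token."""
        now = self.clock()
        session = Session(user_id=user_id, created=now, last_seen=now)
        self._sessions[session.token] = session
        return session.token

    def touch(self, token):
        """Validate a token on each request.

        Returns the user id if the session is still live (and refreshes its
        idle timer), or None if it is unknown or expired. Expired sessions are
        deleted server-side so a stale cookie cannot be replayed later.
        """
        session = self._sessions.get(token)
        if session is None:
            return None
        now = self.clock()
        idle_for = now - session.last_seen
        age = now - session.created
        if idle_for > self.idle or age > self.absolute:
            del self._sessions[token]
            return None
        session.last_seen = now
        return session.user_id

    def logout(self, token):
        """Explicit logoff: forget the session immediately."""
        self._sessions.pop(token, None)

    def active_count(self):
        return len(self._sessions)


if __name__ == "__main__":
    # Stand-alone demo with a fake clock so it runs instantly.
    fake_now = [0.0]
    store = SessionStore(idle=60, absolute=300, clock=lambda: fake_now[0])
    token = store.login("dr_example")
    fake_now[0] += 30
    print("after 30s idle:", store.touch(token))    # dr_example
    fake_now[0] += 61
    print("after 61s more:", store.touch(token))    # None (idle timeout)
```

The idle check alone is not enough: a browser tab that polls the server every minute would keep a session alive forever, which is why the absolute timeout is there. Note that the server must be the one enforcing both timers; a JavaScript timer in the browser can be disabled by anyone sitting at the workstation.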
PERSON OR ENTITY AUTHENTICATION
Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
ChiroPractice Pro requires a unique login ID and password for each user.
TRANSMISSION SECURITY
Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.
(A) ENCRYPTION – Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.
ChiroPractice Pro encrypts traffic between your browser and our websites with SSL/TLS using 128-bit cipher suites, so ePHI is not sent in the clear over the network. On your side, make sure staff only use the https:// address and do not click through certificate warnings.
While this is not an exhaustive list of requirements, it does cover the main topics and how you can address them. See http://www.cms.hhs.gov/SecurityStandard/ for more details on securing your ePHI.
Security is an important part of ChiroPractice Pro. We put a lot of effort into giving you the best and most secure system that we can. Let us know if you have any questions or comments on security in ChiroPractice Pro.