1. Beyond HIPAA, Protecting Data Key Points from the HIPAA Security Rule

2. Introduction  The following presentation looks at the major provisions of the Health Insurance Portability and Privacy Act of 1996 (HIPAA) and compares it with the respective features of WebChartMD designed to provide compliance.

3. Risk Analysis & Management (§164.306)  Dedicated software test team  Continuous testing of codebase in Production  Contracted with 3 rd party vendor Digital Defense, Inc. for Network Penetration Testing  Automated security tests conducted regularly  Manual analyst security penetration test conducted each quarter

4. Access Control (§ 164.312(a))  “Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in § 164.308(a)(4)[Information Access Management].”  WebChartMD allows clients to define user access across four dimensions  Define access by Ability (What can they do)  Define access by Care Provider Associations  Define access by Document Status  Define access by Patient Location

5. Access Control (§ 164.312(a))  Unique User Identification (§ 164.312(a)(2)(i))  “Assign a unique name and/or number for identifying and tracking user identity.”  WebChartMD allows clients to use either simple to remember usernames or complicated usernames depending on corporate policy

6. Access Control (§ 164.312(a))  Emergency Access Procedure (§ 164.312(a)(2)(ii))  “Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.”  WebChartMD provides access to full support resources M-F from 8am to 8pm  WebChartMD provides emergency contact numbers to page an on-call technical support representative 24/7  Fully redundant datacenter in a geographically diverse location with continuous data replication

7. Access Control (§ 164.312(a))  Automatic Logoff (§ 164.312(a)(2)(iii))  “Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.”  WebChartMD automatically logs users off the system after a period of inactivity.  Users are required to login again before being able to access system resources

8. Access Control (§ 164.312(a))  Encryption and Decryption (§ 164.312(a)(2)(iv))  “Implement a mechanism to encrypt and decrypt electronic protected health information.”  All dictations and transcriptions are embedded in the main database  All dictations and transcriptions are encrypted using AES-256 bit encryption standards before they are stored  In the unlikely event our database is compromised, PHI will still be unrecoverable

9. Audit Controls (§ 164.312(b))  “Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.”  WebChartMD contains full audit trail functions, logging each time a dictation and transcription is ‘touched’ by a user  All staff actions performed using internal tools are fully logged with pre and post states logged as well

10. Integrity (§ 164.312(c)(1))  “Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.”  WebChartMD allows users & internal staff to only perform logical deletes  Ability to perform Physical Deletes is only given to database administration staff  When each transcribed document is modified and stored, the system performs a full virus and integrity check on the document  Any anomalies are detected by WebChartMD staff and our clients are immediately alerted

11. Person or Entity Authentication (§ 164.312(d))  “Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.”  WebChartMD enforces a strict password policy that requires the use of strong passwords  All passwords are stored as salted one-way hashes  Our staff, including database administrators, are unable to see a user’s password

12. Transmission Security (§ 164.312(e)(1))  Integrity Controls (§ 164.312(e)(2)(i))  “Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.”  WebChartMD uses standards based protocols for all data transmission  Network layer protocols contain checksums to ensure that the data packet has not been modified during transmission

13. Transmission Security (§ 164.312(e)(1))  Encryption (§ 164.312(e)(2)(ii))  “Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.”  WebChartMD servers use Extended Validation Certificates from VeriSign  All data that is transmitted over the public Internet is encrypted using 128-bit SSL encryption  Web Portal and Web Service access is strictly over 128-bit SSL encryption