Support for the HIPAA Security Rule

White paper: Support for the HIPAA Security Rule. PowerScribe 360 Reporting v1.1 (Nuance healthcare)


Summary

This white paper is intended to assist Nuance customers who are evaluating the security aspects of PowerScribe 360 Reporting as part of the risk analysis required for Health Information Portability and Accountability Act (HIPAA) Security Rule compliance. The paper describes specific features of PowerScribe 360 Reporting in the context of the security standards and provides an analysis of how the system can support an organization's efforts to attain HIPAA Security Rule compliance. Nuance Communications understands that compliance presents a significant challenge confronting our customers. We continue to enhance PowerScribe 360 Reporting product features and services to address the security and compliance efforts of our customers.

HIPAA Security Rule Compliance

The HIPAA Security Rule ("the rule") was published to protect the confidentiality, integrity and availability of electronic protected health information (ePHI). The rule, defined in 45 CFR Parts 160, 162 and 164, establishes the minimum national standards for information systems with access to ePHI. PowerScribe 360 Reporting manages and stores ePHI as dictations and medical reports in electronic form and thus must be included in the risk assessment activities of our customers pursuant to HIPAA Security Rule compliance. Compliance with the rule was required no later than April 21, 2005. Small health plans were required to comply no later than April 21, 2006.

The rule establishes a minimum set of administrative, technical and physical standards and implementation specifications which must be addressed. However, it "is written in terms that are as generic as possible and which, generally speaking, may be met through various approaches or technologies." [1] Thus the rule is not prescriptive. The steps an institution will actually need to take to comply with these regulations will depend upon its own particular environment, circumstances and risk assessment. [2]

An institution cannot simply purchase "HIPAA certified" hardware or software to achieve compliance. Rather, it must implement policies and procedures which are consistent with the rule and evaluate technology decisions based upon a risk assessment process. The standards do not allow organizations to make their own rules, only their own technology choices. [3]

HIPAA is flexible. According to the rule, "Covered entities may use any security measures that allow the covered entity to reasonably and appropriately implement the standards and implementation specifications as specified in this subpart." What is reasonable and appropriate is based upon the findings of a risk assessment which considers size, complexity, capability, technical infrastructure, probability of risk, criticality of data and cost of the security measure. In other words, an institution must demonstrate that its choices are reasonable and appropriate given the cost and the benefit.

PowerScribe 360 Reporting was introduced to the market in November 2010 as a speech-enabled dictation system with completely integrated transcription functionality. The product and its features have evolved from two mature radiology reporting platforms that have been merged to meet complex customer needs. The application is designed to capture dictated audio and use speech recognition to generate text reports in order-centric environments.

[1] Federal Register, Vol. 68, No. 34, p. 8336
[2] Ibid.
[3] Federal Register, Vol. 68, No. 34, p. 8343

This white paper provides a brief analysis of how PowerScribe 360 Reporting supports an organization's efforts to comply with HIPAA's Security Rule standards. The paper also describes HIPAA-related security features in the latest versions of the software and covers the following product components:

- PowerScribe 360 Reporting Dictation / Correction Client
- Administration Portal

PowerScribe 360 Reporting contains multiple levels of system security to protect patient confidentiality, and user or group privileges that grant or restrict access to specific product features. The system is equipped with comprehensive audit and reporting capabilities that provide details related to document creation, users, editors, signers, timestamps, viewing, distribution, etc.

PowerScribe 360 Reporting HIPAA Security Rule Compliance Features/Offering

Nuance Communications, in collaboration with an independent consulting firm specializing in IT security and the HIPAA Security Rule, conducted an assessment of PowerScribe 360 Reporting and developed this white paper. The paper describes HIPAA-related security features in the above-mentioned version of the PowerScribe 360 Reporting software; it does not discuss security features in previously released versions. The following table identifies the HIPAA standards and implementation specifications, marks each implementation specification as required (R) or addressable (A), and identifies the key PowerScribe 360 Reporting product features that complement efforts to achieve HIPAA Security Rule compliance. PowerScribe 360 Reporting features alone do not ensure HIPAA Security Rule compliance; they are only features that may be useful as the customer takes steps toward compliance.

Administrative Safeguards

Security Management Process: Risk Analysis (R), Risk Management (R), Sanction Policy (R), Information System Activity Review (R)
Assigned Security Responsibility (R)

This white paper provides details intended to assist an institution in completing a HIPAA risk analysis of the PowerScribe 360 Reporting product. PowerScribe 360 Reporting includes a number of configurable security measures that improve an institution's ability to manage risks and vulnerabilities. These security measures include user and password management, session encryption, audit and logging mechanisms, and configurable workflow processes that can improve data integrity. Passwords can be administratively changed, and user accounts can be administratively disabled, to revoke access in support of a sanction policy. Various audit reports provide information vital to implementing the Information System Activity Review specification. Two levels of authority, Administrator and System Administrator, are provided for administering the various security mechanisms featured in PowerScribe 360 Reporting.

Workforce Security: Authorization and/or Supervision (A), Workforce Clearance Procedures (A), Termination Procedures (A)

PowerScribe 360 Reporting's role-based user accounts can be easily incorporated into the access authorization and workforce clearance processes and procedures that an institution implements to determine appropriate access to protected information. Passwords can be administratively changed to revoke access in support of termination procedures. User accounts can be administratively disabled or completely removed to revoke access in support of termination procedures.

Information Access Management: Isolating Healthcare Clearinghouse Functions (R), Access Authorization (A), Access Establishment and Modification (A)

PowerScribe 360 Reporting helps support the access authorization specifications by providing the capability to implement centralized role-based security through user accounts that can be created based on roles, departments, geographic locations or other identifying criteria, such that users are granted unique user rights and privileges. PowerScribe 360 Reporting provides a comprehensive capability to create and manage user accounts and associated roles and privileges via two levels of administration (Administrators, System Administrators), each with its own grouping of functions. The following roles can be added or revoked per user by administrators, depending on their privileges:

- Author: enables report authors to use the Dictation/Correction Client to create reports. Includes the Attending, Resident and Fellow roles.
- Transcriptionist: enables access to the Dictation/Correction Client for editing and correction of dictated reports.
- Order Entry: enables access to the Order Entry application to enter new patients and orders into PowerScribe 360 Reporting.
- Administrator: enables access to perform administrator functions.
- System Administrator: enables access to perform system administrator functions.
- Technologist: enables access to create draft reports and set field values.
- Front Desk Staff: enables access to scan patient documents.

Note: See the PowerScribe 360 Reporting Administrator Guide for the privileges associated with each role.

Security and Awareness Training: Security Reminders (A), Protection from Malicious Software (A)

The PowerScribe 360 Reporting administration guide and periodic information articles sent to customers provide security-related recommendations and instructions. The Nuance Professional Services Group can also be contracted to provide installation and/or operational process and procedural expert guidance to support a customer's unique implementation requirements and training activities. PowerScribe 360 Reporting is certified to work with the following anti-virus packages:

- Symantec Norton Antivirus
- McAfee (known to work but not certified)

Log-in Monitoring (A)

The Dashboard page in the administration portal can be used to monitor all users using the system. The following login statistics can be viewed at any time:

- Login ID: the user's Login ID
- Name: the user's name
- Session length: duration the user has been logged in
- Workstation: the name of the user's client machine
- Report info: information about the report the user is currently working on
- Last action: the last workflow action by the user

The Account Audit page in the administration portal can be used to view a history of events related to a user's account, including logon, logoff, failed logon attempts, and password changes.

Password Management (A)

The following password management features are available:

- Masked password entry
- Password aging and forced expiration
- Administrative password reset and change
- Strong password option requiring a minimum length of 6 characters with at least one letter and one digit
- Passwords encrypted in storage

Security Incident Response: Response and Reporting (R)

The PowerScribe 360 Reporting exam explorer and reporting engine can be utilized in responding to incidents, and support the forensics and investigation processes by generating very detailed standard or custom reports. Reports can also be exported for additional processing and analysis.

Contingency Plan: Data Backup Plan (R)

Backups of critical PowerScribe 360 Reporting files can be made with any software which can successfully handle SQL Server databases and Windows. PowerScribe 360 Reporting has been tested with the following backup product:

- Veritas Backup Exec

Contingency Plan: Disaster Recovery Plan (R), Emergency Mode Operations Plan (R), Testing and Revision Procedures (A), Application Data Criticality Analysis (A)

Disaster recovery procedures for PowerScribe 360 Reporting can be crafted based upon standard Windows and SQL Server disaster recovery technologies, strategies and third-party solutions. PowerScribe 360 Reporting is compatible with backup and disk imaging products that are certified to work with the current Windows desktop and server operating systems.

Evaluation: Response and Reporting (R)

Nuance continually reviews customer requests for security features and enhancements based upon the results of internal risk assessment activities.

Business Associate Contract and Other Arrangements: Written Contract or Other Arrangement (R)

Nuance will execute HIPAA Business Associate Agreements with its customers who purchase Maintenance or other services.

Physical Safeguards

Physical Access Controls: Contingency Operations (A), Facility Security Plan (A), Access Control and Validation Procedures (A), Maintenance Records (A)

N/A

Workstation Use (R)

N/A

Workstation Security (R)

PowerScribe 360 Reporting uses standard Windows workstations which support a variety of physical security mechanisms. PowerScribe 360 Reporting supports session termination after a specified time of inactivity.

Device and Media Controls: Disposal (R), Media Reuse (R), Accountability (R), Data Backup and Storage (R)

N/A

Technical Safeguards

Access Controls: Unique User Identification (R), Emergency Access Procedures (R), Automatic Logoff (A), Encryption and Decryption (A)

PowerScribe 360 Reporting fully supports the creation, maintenance and use of unique user identifiers. PowerScribe 360 Reporting also supports standard Lightweight Directory Access Protocol (LDAP) services to authenticate users (username/password). Administrator accounts can be used to provide full access to system features in the event of an emergency. PowerScribe 360 Reporting has a configurable inactivity timeout feature that can be utilized to automatically log off idle users within the application. Third-party encryption and decryption solutions can be used at the customer's discretion but are not supported by PowerScribe 360 Reporting.

Audit Controls (R)

In addition to the standard audit and logging features found in the Windows operating system and the SQL Server database system, PowerScribe 360 Reporting includes a robust auditing feature that records activities performed by administrators and users of PowerScribe 360 Reporting. Database tables capture detailed information concerning the activities performed in each of the PowerScribe 360 Reporting application areas: Administrator (ADM), PowerScribe 360 Reporting API (API), Dictation/Correction (DC), Order Entry (OE), and System (SYS). The following information is captured for every event:

- Date and time
- Computer name
- Application area
- User name
- Admin user name
- Description of event

Other activities recorded include:

- User logins, logouts, and failed logon attempts
- Password changes
- Add, modify, delete users
- Preference changes
- Order information created or updated by the RIS
- Reports created, edited, viewed, or deleted
- Reports signed
- Reports faxed
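An added example (not Nuance's code) of the Information System Activity Review that this audit data supports: it parses constructed events carrying the six fields listed above, flags users whose failed logon attempts cluster within a short window, and lists administrator account changes for reconciliation against sanction and termination records. The "|"-separated layout, sample rows, thresholds and event wording are assumptions made for illustration.

```python
"""Information System Activity Review over constructed PowerScribe-style
audit events (added example, not Nuance code). The six event fields follow
the white paper's list; the '|'-separated layout, sample rows, thresholds
and event wording are assumptions made for illustration."""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AuditEvent:
    when: datetime     # Date and time
    computer: str      # Computer name
    area: str          # Application area: ADM, API, DC, OE or SYS
    user: str          # User name
    admin_user: str    # Admin user name (empty when not an admin action)
    description: str   # Description of event


def parse_events(text: str) -> list[AuditEvent]:
    """Parse '|'-separated rows in the six-field order above, sorted by time."""
    events = []
    for line in text.strip().splitlines():
        when, computer, area, user, admin_user, desc = line.split("|")
        events.append(AuditEvent(datetime.fromisoformat(when), computer,
                                 area, user, admin_user, desc))
    return sorted(events, key=lambda e: e.when)


def failed_logon_bursts(events, threshold=3, window=timedelta(minutes=10)):
    """Map user -> largest number of failed logons seen within `window`,
    for users reaching `threshold` (a sliding window over sorted times)."""
    per_user = defaultdict(list)
    for e in events:
        if e.description == "Failed logon attempt":
            per_user[e.user].append(e.when)
    flagged = {}
    for user, times in per_user.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[user] = max(flagged.get(user, 0), end - start + 1)
    return flagged


def admin_account_changes(events):
    """(admin, target user, description) for ADM-area user add/modify/delete
    events, to reconcile against sanction and termination paperwork."""
    return [(e.admin_user, e.user, e.description) for e in events
            if e.area == "ADM" and e.description.startswith(
                ("Add user", "Modify user", "Delete user"))]


# Constructed sample: date/time|computer|area|user|admin user|description
SAMPLE_LOG = """\
2012-07-12T08:00:05|RAD-WS01|DC|drjones||Login
2012-07-12T08:01:10|RAD-WS07|DC|tsmith||Failed logon attempt
2012-07-12T08:01:42|RAD-WS07|DC|tsmith||Failed logon attempt
2012-07-12T08:02:15|RAD-WS07|DC|tsmith||Failed logon attempt
2012-07-12T08:02:50|RAD-WS07|DC|tsmith||Login
2012-07-12T09:30:00|RAD-WS03|DC|rlee||Failed logon attempt
2012-07-12T11:45:00|RAD-WS03|DC|rlee||Failed logon attempt
2012-07-12T12:00:00|PS360-SRV|ADM|rlee|sysadmin1|Modify user: account disabled
2012-07-12T12:05:30|RAD-WS01|DC|drjones||Report signed
"""
```

Calling `failed_logon_bursts(parse_events(SAMPLE_LOG))` flags only tsmith (three failures in about a minute, then a successful login), while rlee's two failures hours apart stay below the window threshold.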

Integrity: Mechanisms to Authenticate ePHI (A)

PowerScribe 360 Reporting utilizes both application and operating system features to restrict access rights to authorized users as a preventive integrity control. Application and operating system audit logs can be used to track the activity of authorized users and detect the activity of unauthorized users as a detective integrity control. Purging of audio and text files is system-configurable at the administrative level and can be totally disabled. Configurable workflow processes can be implemented to facilitate integrity checking by requiring transcribed reports to be reviewed for accuracy prior to being signed.

Person or Entity Authentication (R)

PowerScribe 360 Reporting is compatible with all Windows-based biometric and multi-factor authentication schemes when they are used as prescribed by the vendor. PowerScribe 360 Reporting supports Lightweight Directory Access Protocol (LDAP) for those institutions that leverage LDAP services to authenticate users.

Transmission Security: Integrity Control (A), Encryption (A)

The PowerScribe 360 Reporting Web portal supports Secure Sockets Layer (SSL) communication between browser-based clients and servers to protect data integrity and data confidentiality. The PowerScribe 360 Reporting Windows client connects to the database without encryption, and therefore relies upon lower-level integrity and encryption services such as a VPN, the Windows operating system and TCP/IP network devices to protect data in transmission.

L-3523 7/12 DTM. Copyright 2012 Nuance Communications, Inc. All rights reserved. Nuance, the Nuance logo, and PowerScribe are trademarks and/or registered trademarks of Nuance Communications, Inc. or its affiliates in the United States and/or other countries. All other brand and product names are trademarks or registered trademarks of their respective companies.