HIPAA Compliance

PrecisionCare and HIPAA Compliance

PrecisionCare Software is committed to protecting the confidentiality of consumer data and assisting agencies in achieving HIPAA compliance. PrecisionCare utilizes the latest advances in technology to protect your consumer data and incorporates end user features to assure privacy and compliance. PrecisionCare Software consults with regulatory experts to ensure that our software meets the most current guidelines and standards.

HIPAA Security Regulations

The following is a list of some of the proposed Security Regulations that pertain to computer and software technology. These regulations have to do with the security of information, physical location, encryption, etc. PrecisionCare Software has studied the proposed rules and, in anticipation, we have taken the following measures to ensure compliance even though the finalized regulations have not yet been published. We expect the measures we have taken will exceed the final HIPAA security guidelines.

Authentication

Authentication is the process of identifying the staff member accessing the system and the computer from which they are accessing it. Computers are authenticated using a Digital Certificate, which is a unique identifier that serves as a digital fingerprint to identify the computer. PrecisionCare utilizes a three-point system of authentication. First, the user is assured the server they are logging onto is the actual server by use of a Server-Side Digital Certificate. Second, the user is authenticated to the server via a unique, encrypted User Id and Password. Finally, PrecisionCare authenticates the computer from which the user is logging on through the use of a Client-Side Digital Certificate to ensure it has been approved by the agency for accessing confidential consumer records.
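The three points above map onto a server that presents its own certificate, requires a client certificate issued by the agency's own certificate authority (mutual TLS), and then checks the user's credentials. The following is an added example written for this page, not PrecisionCare's code; the certificate file paths, the user table, the approved-workstation list and the peer-certificate values are all constructed for illustration.

```python
import hashlib
import hmac
import ssl
import time

# Added example, not PrecisionCare's own code: the server side of a
# three-point login. Certificate paths, the user table and the
# peer-certificate values are constructed for illustration.

PBKDF2_ITERATIONS = 200_000


def build_server_context(server_cert=None, server_key=None, agency_ca=None):
    """Points 1 and 3 at the TLS layer: the server presents its own
    certificate, and the handshake fails unless the client presents a
    certificate that chains to the agency's CA (mutual TLS)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED  # no client certificate, no connection
    if server_cert and server_key:
        ctx.load_cert_chain(server_cert, server_key)
    if agency_ca:
        ctx.load_verify_locations(cafile=agency_ca)  # trust only agency-issued certs
    return ctx


def requires_client_cert(ctx):
    return ctx.verify_mode == ssl.CERT_REQUIRED


def workstation_authorized(peercert, approved_serials, revoked_serials, now=None):
    """Point 3 at the application layer: beyond chaining to the agency CA, the
    workstation's certificate must be one the agency currently approves.
    `peercert` has the dict shape returned by SSLSocket.getpeercert()."""
    if not peercert:
        return False
    serial = peercert.get("serialNumber")
    if serial is None or serial in revoked_serials or serial not in approved_serials:
        return False
    now = time.time() if now is None else now
    return ssl.cert_time_to_seconds(peercert["notAfter"]) > now


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def user_authenticated(user_id, password, user_db):
    """Point 2: user ID and password, stored only as a salted PBKDF2 hash and
    compared in constant time."""
    rec = user_db.get(user_id)
    if rec is None:
        hash_password(password, b"\x00" * 16)  # same cost for unknown users
        return False
    return hmac.compare_digest(hash_password(password, rec["salt"]), rec["hash"])


# Constructed sample data for the demonstration below.
SALT = b"constructed-16-byte-salt"
USER_DB = {"jdoe": {"salt": SALT, "hash": hash_password("correct horse battery", SALT)}}
APPROVED_WORKSTATIONS = {"0A1B"}
REVOKED_WORKSTATIONS = set()
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "ws-01.agency.example"),),),
    "serialNumber": "0A1B",
    "notAfter": "Jan 01 00:00:00 2035 GMT",
}


def login(peercert, user_id, password):
    """Order matters: an unapproved workstation is rejected before any
    credential is examined."""
    if not workstation_authorized(peercert, APPROVED_WORKSTATIONS, REVOKED_WORKSTATIONS):
        return "denied: workstation not approved"
    if not user_authenticated(user_id, password, USER_DB):
        return "denied: bad credentials"
    return "ok"


if __name__ == "__main__":
    print(login(SAMPLE_PEERCERT, "jdoe", "correct horse battery"))
```

Revoking a workstation is a matter of moving its serial number from the approved set to the revoked set; the next handshake from that computer is refused before a password is ever checked, which is the point of the client-side certificate in the text.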

Encryption (encipherment)

Encryption refers to the process of encoding information sent over the Internet or a network to prevent an unauthorized person from intercepting it. Encryption transforms confidential plaintext into ciphertext to protect it. An encryption algorithm combines plaintext with other values called keys, or ciphers, so the data becomes unintelligible. Once encrypted, data can be stored or transmitted over unsecured lines. Decrypting data reverses the encryption algorithm process and makes the plaintext available for further processing.
§142.308(c)(1)(i)(c), Encryption must be used over an open network.
PrecisionCare utilizes Secure Socket Layer (SSL) 128-bit encryption on all information transferred, which is the most secure encryption technology available today. 128-bit SSL encryption is commonly used for secure transactions such as on-line banking and purchases over the Internet.

Digital Signatures

A digital signature is simply an electronic way of certifying a document in the same manner that a paper document is certified with a handwritten signature. The HIPAA security regulations identify three key elements to a Digital Signature:
Proposed Rule §142.310:
• Authentication – Establishes Identity of the signer
• Non-Repudiation – Signer cannot deny signing the record
• Integrity – Detects Changes in content
Authentication is used to establish the identity of the signer. The signature must be implemented in such a way that the signer cannot deny signing the record (non-repudiation). Finally, the system must detect any changes made after the record was saved and record the signature of the person who made the changes. This is to ensure that an audit trail can be produced showing any modifications made to the document, who made each change and when.
PrecisionCare identifies the user at log on through the username and password. When a record is created or updated it records the author’s username and date/time for audit trail purposes. Printed reports then contain the user’s name and title for signature. Note: Current OMH and OPWDD regulations still require a printed and signed paper record of each form for the case record. PrecisionCare is ready to support the use of digital signatures as a replacement for paper records in the future if this is approved by OMH and OMRDD.
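The audit-trail requirement described above (who saved a record and when, with later changes detectable) can be met by a store that logs the author and timestamp of every save and keeps a digest of the saved content. The following is an added example for this page, not PrecisionCare's code; using a SHA-256 digest over canonical JSON for the integrity check is an assumption of the example, and the record contents are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone

# Added example, not PrecisionCare's own code: a record store that logs the
# author and UTC timestamp of every save and keeps a content digest so a
# change made outside the normal save path can be detected. The choice of
# SHA-256 over canonical JSON is an assumption of this example.


class RecordStore:
    def __init__(self):
        self.records = {}    # record_id -> current content plus metadata
        self.audit_log = []  # append-only list of save events

    @staticmethod
    def digest(content):
        # canonical serialisation so the same content always hashes the same way
        canon = json.dumps(content, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canon.encode()).hexdigest()

    def save(self, record_id, content, username, when=None):
        """Create or update a record; every save is attributed and timestamped."""
        when = when or datetime.now(timezone.utc)
        d = self.digest(content)
        prev = self.records.get(record_id)
        self.records[record_id] = {
            "content": content,
            "digest": d,
            "author": username,
            "saved_at": when.isoformat(),
        }
        self.audit_log.append({
            "record": record_id,
            "action": "update" if prev else "create",
            "user": username,
            "at": when.isoformat(),
            "digest": d,
            "previous_digest": prev["digest"] if prev else None,
        })
        return d

    def verify(self, record_id):
        """False if the stored content no longer matches the digest recorded at save time."""
        rec = self.records[record_id]
        return self.digest(rec["content"]) == rec["digest"]

    def history(self, record_id):
        """The audit trail for one record: each change, who made it and when."""
        return [e for e in self.audit_log if e["record"] == record_id]


if __name__ == "__main__":
    store = RecordStore()
    store.save("isp-42", {"goal": "community living"}, "jdoe")
    store.save("isp-42", {"goal": "community living", "review": "quarterly"}, "mlee")
    for event in store.history("isp-42"):
        print(event["at"], event["user"], event["action"], event["digest"][:12])
    print("intact:", store.verify("isp-42"))
```

Because each audit entry carries the previous digest, the trail links every version to the one before it. In a production system the audit log and digests would be kept where application users cannot rewrite them (an append-only table or a server-held HMAC key), otherwise someone who can alter the content can alter the digest beside it.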

Physical Security: Server

§142.308(b) Physical safeguards to guard data integrity, confidentiality, and availability: intends to ensure the protection of computer systems and related physical structures in which these systems are housed from fire, other natural and environmental hazards, and intrusion. These safeguards also include the use of locks, keys, and administrative measures used to control access to computer systems and facilities.
When using PrecisionCare, consumer information will not be stored on individual PCs or Disks. So you only have to be concerned with the physical security of one machine: the Server, which stores the consumer database. You have three server hosting options with PrecisionCare. Whichever option you choose, you always have the ability to change where your system is hosted at any time.
Option 1: You can host PrecisionCare on your agency’s own Server. In this case, you are responsible for the physical security of your server.
Option 2: You can host at the Internet Service Provider (ISP) of your choice. In this case, you are responsible to ensure that your ISP follows all the necessary physical security requirements.
Option 3: PrecisionCare Software can host. In this case, we are responsible for physical security of the server.
PrecisionCare servers are housed in separate fire retardant locked enclosures within a secured hosting facility.

Firewall

A firewall protects the server from unauthorized access from computer hackers on the Internet. PrecisionCare Software servers utilize enterprise-class firewall protection to prevent unauthorized intrusion. The only access permitted by the firewall is through secure socket layer (SSL) 128-bit encrypted communication from an authenticated user. Each agency’s database runs on a separate process. PrecisionCare servers incorporate state-of-the-art virus protection. The firewall blocks any e-mail sent to the server, which can be a frequent method of virus transmission.

Plans for Backup and Disaster Recovery

§142.308(a)(ii) Backup plan & §142.308(a)(iii) Disaster Recovery Plan
Each covered entity must have a backup plan and disaster recovery plan for electronic information.
Copies of PrecisionCare Software’s server backup plan and disaster recovery plan will be provided upon request.

Physical Security: Workstations

Proposed Rule §142.308(b)(4): Each covered entity must establish policy and guidelines on workstation use.
Proposed Rule §142.308(b)(5): Each covered entity must position workstations to minimize the possibility of unauthorized access.
You are responsible to ensure that staff only access confidential records from a computer at an agency-approved location. PrecisionCare can help ensure this by utilizing a technology called client-side digital certificates. Client-side certificates allow you to control which computers are authorized to access PrecisionCare. Client-side certificates eliminate the ability for anyone to access consumer information from an unauthorized location such as a home computer, a library or a shopping mall. Client-side certificates can be applied to any computer without the need for specialized software. Certificates can be granted and revoked at any time by your agency. Note: We recommend checking with OMH and/or OMRDD before authorizing staff to access case records from home.

HIPAA Privacy Regulations

PrecisionCare has incorporated functions that will assist your agency in achieving HIPAA regulatory compliance.

Minimum Necessary Access

§164.514(d)(2) Minimum necessary access privileges: A covered entity must identify classes of persons who need access to protected health information to carry out their duties and must establish the level of access needed by each.
PrecisionCare has a highly customizable security system. Each user is assigned to a security group. Each security group can be customized to have view, add, edit, and delete functions to specific areas of specific consumer records.

Disclosures and Authorizations

§164.502 Uses and disclosures of protected health information
PrecisionCare automatically generates Consent for Release forms for all consumer contacts, treatment providers, and entitlement providers. Examples of PrecisionCare’s Consent for Release form will be provided upon request.
§164.508(c)(1) Core Elements
(i) A description of the information to be used or disclosed that identifies the information in a specific meaningful fashion.
PrecisionCare allows each agency to create a unique list of permissible information to be disclosed.
(ii) The name or other specific identification of the person(s), or class of persons, authorized to make the use or disclosure.
PrecisionCare’s Consent for Release Forms display the agency name, address and the name and title of the person completing the form.
(iii) The name or other specific identification of the person(s), or class of persons, to whom the covered entity may make the requested use or disclosure.
PrecisionCare’s Consent for Release Forms display the name, address, phone, and affiliation of the party to which the disclosure will be made.
(iv) A description of each purpose of the requested use or disclosure.
PrecisionCare allows each agency to create a unique list of permissible purposes for disclosure.
(v) An expiration date.
PrecisionCare automatically generates expiration dates for Consent for Release Forms and generates reminders.
(vi) Signature of the individual and date.
PrecisionCare’s Consent for Release Forms display the name of the individual and corresponding signature lines.

An Individual’s Access to Protected Health Information

§164.524(a)(1) An individual has a right of access to inspect and obtain a copy of protected health information about the individual in a designated record set, for as long as the protected health information is maintained in the designated record set.
PrecisionCare’s customizable security system provides for an individual’s access to his or her own records. Temporary or permanent permission can be granted to an individual to access the system and view only their records or particular subsets of their record. An individual can be granted the ability to view their service plans yet be restricted from viewing psychotherapy notes.
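The security-group model under Minimum Necessary Access and the individual's restricted self-access described here are the same mechanism: a deny-by-default check of user, group, action and area of the record, with an extra constraint that self-access users can only reach their own record and only for a limited time. The following is an added example for this page, not PrecisionCare's code; the group names, record areas, users and dates are constructed.

```python
from datetime import date

# Added example, not PrecisionCare's own code: a deny-by-default permission
# check for security groups with per-area view/add/edit/delete rights, plus
# an individual's time-limited access to their own record only. Group names,
# record areas and users are constructed for illustration.

ACTIONS = {"view", "add", "edit", "delete"}

# security group -> area of the consumer record -> permitted actions
SECURITY_GROUPS = {
    "case_manager": {
        "demographics": {"view", "edit"},
        "service_plans": {"view", "add", "edit"},
        "progress_notes": {"view", "add", "edit"},
        # no entry for psychotherapy_notes: nothing is permitted there
    },
    "clinician": {
        "demographics": {"view"},
        "service_plans": {"view"},
        "progress_notes": {"view", "add", "edit"},
        "psychotherapy_notes": {"view", "add", "edit", "delete"},
    },
    # group used for an individual's access to their own record (§164.524)
    "consumer_self": {
        "demographics": {"view"},
        "service_plans": {"view"},
    },
}

USERS = {
    "jdoe": {"group": "case_manager"},
    "mlee": {"group": "clinician"},
    # temporary, self-only access for consumer 1001; ISO dates compare lexically
    "consumer-1001": {"group": "consumer_self", "own_consumer_id": 1001,
                      "expires": "2026-01-01"},
}


def permitted(user_id, action, area, consumer_id, today=None):
    """True only when every condition holds; any missing piece means deny."""
    user = USERS.get(user_id)
    if user is None or action not in ACTIONS:
        return False
    today = today or date.today().isoformat()
    expires = user.get("expires")
    if expires is not None and today >= expires:
        return False  # temporary permission has lapsed
    # self-access users may only ever reach their own record
    own = user.get("own_consumer_id")
    if own is not None and consumer_id != own:
        return False
    group = SECURITY_GROUPS.get(user["group"], {})
    return action in group.get(area, set())


if __name__ == "__main__":
    checks = [
        ("jdoe", "edit", "service_plans", 1001),
        ("jdoe", "view", "psychotherapy_notes", 1001),
        ("consumer-1001", "view", "service_plans", 1001),
        ("consumer-1001", "view", "service_plans", 1002),
    ]
    for user_id, action, area, cid in checks:
        print(user_id, action, area, cid, "->", permitted(user_id, action, area, cid, today="2025-06-01"))
```

The case manager in the sample can edit service plans but gets no access at all to psychotherapy notes, and the consumer's own login can view their service plans but not edit them, not see another consumer's record, and not see anything once the granted period has expired.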

Business Associate Agreement/Contract

§164.504(e)(2) covered entity must document the satisfactory assurances required through a written contract or other written agreement or arrangement with the business associate.
PrecisionCare provides all customers with a business associate’s nondisclosure agreement. Copies are available upon request.

Chain of Trust Agreement

PrecisionCare provides all customers for whom we host data with a chain of trust agreement. Copies are available upon request.

Code Sets/De-identification of Personal Health Information

Code sets are a list of proposed codes to be used for things like diagnosis and treatments so that providers and insurers are using universal codes when transmitting information. A transaction as defined by HIPAA means the exchange of information between two parties to carry out financial and administrative activities related to health care. This is exclusively dealing with transmission to outside parties. PrecisionCare does not transmit Personal Health Information to any outside party. Consult with your billing software vendor to make sure they are compliant.
