Unified Imaging

HIPAA Compliance Checklist

Minimum Requirements for a HIPAA Compliant Web Service:

1. ENCRYPTION: EPHI IS ENCRYPTED AND SECURELY STORED IN TRANSIT AND AT REST.

We use 256-bit encryption and SSL to encrypt/decrypt ePHI during transit and at rest.

2. BACKUP: EPHI IS NEVER LOST.

We can always retrieve data through Azure.

3. AUTHORIZATION: EPHI IS ONLY ACCESSIBLE BY AUTHORIZED PERSONNEL
    1. ePHI is only accessible to qualified administrative users and patients. Patients can grant access to providers or other family members for viewing specific documents​  .
4. INTEGRITY: EPHI IS NOT ALTERED OR DESTROYED

Unauthorized users cannot delete or modify data.

5. DISPOSAL: EPHI CAN BE PERMANENTLY DESTROYED IF DEEMED NECESSARY

If the user presents the necessary reasons to destroy his/her records, ePHI can be permanently destroyed.

6. DATA STORAGE: DATA SHOULD BE STORED ON THE WEB SERVERS OF A COMPANY WITH WHOM YOU HAVE A HIPAA BAA.
Unified Imaging has a BAA with and uses Azure for data storage. Azure HIPAA compliance is outlined​ here

HIPAA Requirements

This document delineates the requirements for HIPAA compliance in web applications with access to electronic personal health information (ePHI) and examines the adequacy of Unified Imaging’s (UI) security practices.

The Requirements will be presented in four distinct sections

Administrative Safeguards
(HIPAA §164.308)

Security management process

Implement policies and procedures to prevent, detect, contain, and correct security violations. 

Implementation specifications:

  • Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.
    • We conduct monthly UI tools analyses and testing of the security and accuracy of the web application. So far, we have conducted one risk analysis that described the UI platform and testing efforts.
  • Risk management (Required). Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with §164.306(a).
    • Our team is constantly looking for ways to improve our security practices. If our risk analyses reveal any potential vulnerabilities, UI’s technology team makes the necessary changes to reduce risks. Our team members use GitHub, a software versioning and source code management system, to track bug reports and respond to issues.
  • Sanction policy (Required). Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity or business associate.
    • All of our team members are HIPAA-certified, and they closely follow HIPAA Security and Privacy rules. If any of our members fail to comply, their administrative rights are taken away and administrative accounts are suspended until they re-review the relevant HIPAA training documents
  • Information system activity review (Required). Implement procedures to regularly review records of information system activity, such as audit logs, access reports and security incident tracking reports.
    • We use the Microsoft Azure platform (Azure) for data storage and hosting. Azure exceeds HIPAA compliance, as described in their whitepaper and includes powerful auditing and logging capabilities. Additionally, every object in our database is timestamped with created_at and updated_at values that enable our team to track changes. The application also includes an “Events” system to track actions relevant to ePHI (i.e. uploads, downloads, views, and transfers).
Assigned Security Responsibility

Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the covered entity or business associate.

  • Benjamin Swift is UI’s security official responsible for the development and implementation of the policies and procedures required by HIPAA.
Workforce Security

Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information and to prevent those workforce members who do not have access from obtaining access to electronic protected health information.

Implementation specifications:
  • Authorization and/or supervision (Addressable). Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.
    • Qualified members of the team go through a rigorous onboarding process involving HIPAA training. With successful completion of the training, members receive administrative access to the web application, granted (ii). All activity by administrative users is tracked in the same way that patient and provider user activity is tracked.
  • Workforce clearance procedure (Addressable). Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate.
    • Only UI administrators with patient- or provider-facing responsibilities have immediate access to ePHI. Administrative users are easily distinguished based on their role, so this type of delineation is simple. Technology team members who develop the web application may be granted access to our administrative site to ensure the application is functioning properly on production servers.
  • Termination procedures (Addressable). Implement procedures for terminating access to electronic protected health information when the employment of, or other arrangement with, a workforce member ends or as required by determinations made as specified in paragraph (ii) of this section.
    • Our administrative members have the necessary power to grant or terminate access to ePHI through our administrative site.
Information access management

Implement policies and procedures for authorizing access to electronic protected health information.

Implementation specifications:

  • Isolating health care clearinghouse functions (Required). If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization.
    • Not applicable.
  • Access authorization (Addressable). Implement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process, or other mechanism.
    • Qualified members are given accounts only after being approved by their organization and UI for such access.
  • Access establishment and modification (Addressable). Implement policies and procedures that, based upon the covered entity’s or the business associate’s access authorization policies, establish, document, review, and modify a user’s right of access to a workstation, transaction, program, or process.
    • This is implemented through paragraph (4ii) and (4iii).
Security awareness and training

Implement a security awareness and training program for all members of its workforce (including management).

Implementation specifications:

  • Security reminders (Addressable). Periodic security updates.
    • We do not have official security reminders. As a small team working on a health care product, we constantly evaluate our security practices.
  • Protection from malicious software (Addressable). Procedures for guarding against, detecting, and reporting malicious software.
    • Our team members protect their work stations with anti-virus software. Azure also implements the necessary precautions to detect malicious software.
  • Log-in monitoring (Addressable). Procedures for monitoring log-in attempts and reporting discrepancies.
    • Any user’s electronic footprint regarding their activity on UI is recorded in logs.
  • Password management (Addressable). Procedures for creating, changing, and safeguarding passwords.
    • All passwords are encrypted. Any user (patient, provider, or admin) has the ability to request a change or reset his or her password.
Security incident procedures

Implement policies and procedures to address security incidents.

Implementation specifications:

  • Response and reporting (Required). Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes.
    • All security incidents are identified and reported to our security officer. The security officer takes the necessary precautions to mitigate the incident and notifies the parties involved in the incident. These incidents are documented internally and available upon request.
Contingency plan

Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.

Implementation specifications:

      1. Data backup plan (Required). Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.
        1. Data backup is accomplished through Azure. Azure SQL service backs up our database periodically and allows us to retrieve copies of documents stored in Azure servers.
      2. Disaster recovery plan (Required). Establish (and implement as needed) procedures to restore any loss of data.
        1. We use Azure’s read-access geo-redundant storage (RA-GRS) to ensure that data is preserved even in the event of a data center outage. Restore points are created automatically with full backup, differential backups, and transaction log backups. Full database backups are created weekly, differential database backups are generally created every 12 hours, and transaction log backups are generally created every 5 – 10 minutes. Each restore point is stored in RA-GRS for 5 weeks.
Evaluation
  1. Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and, subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which a covered entity’s or business associate’s security policies and procedures meet the requirements of this subpart.
    1. Our team evaluates our security practices informally on a regular basis. We will conduct an end of year analysis of potential risks and vulnerabilities of our services and are planning to produce monthly risk analysis reports. In the case that a report reveals a vulnerability, necessary precautions will be taken to reduce exposure to the given risk.
Regarding a Covered Entity or Business Associate
    1. Business associate contracts and other arrangements. A covered entity may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity’s behalf only if the covered entity obtains satisfactory assurances, in accordance with §164.314(a), that the business associate will appropriately safeguard the information. A covered entity is not required to obtain such satisfactory assurances from a business associate that is a subcontractor.
    2. A business associate may permit a business associate that is a subcontractor to create, receive, maintain, or transmit electronic protected health information on its behalf only if the business associate obtains satisfactory assurances, in accordance with §164.314(a), that the subcontractor will appropriately safeguard the information.
      1. Implementation specifications:
        1. Written contract or other arrangement. Document the satisfactory assurances required by paragraph (1) or (2) of this section through a written contract or other arrangement with the business associate that meets the applicable requirements of §164.314(a).
          1. We currently have BAA’s in place with our existing customer base. We are aware that if we want to partner with hospitals or other health institutions we have to have an approved BAA with them.

Physical Safeguards (HIPAA §164.310)

Facility access controls

Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed. 

Implementation specifications:

  • Contingency operations (Addressable). Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.
    • Not applicable. We do not have any facilities.
  • Facility security plan (Addressable). Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering and theft.
    • Not applicable. We do not have any facilities.
  • Access control and validation procedures (Addressable). Implement procedures to control and validate a person’s access to facilities based on their role or function, including visitor control and control of access to software programs for testing and revision.
    • Not applicable. We do not have any facilities.
  • Maintenance records (Addressable). Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors, and locks).
    • We do not have any facilities. All our workstations are password-protected and have anti-virus software.
Workstation use

Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information.

  • As mentioned previously, all workstations are password-protected and have anti-virus software.
Workstation security

Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users.

  • In the future, Unified Imaging employees will use company computers and no personal devices will be allowed for company work. Currently, the hardware used for development is secured by passwords and encryption.
Device and media controls

Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility.

Implementation specifications:

  • Disposal (Required). Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored.
    • Our team does not store ePHI on electronic media. All our workflows use our web services.
  • Media re-use (Required). Implement procedures for removal of electronic protected health information from electronic media before the media are made available for re-use.
    • Same as section (i).
  • Accountability (Addressable). Maintain a record of the movements of hardware and electronic media and any person responsible therefore.
    • Azure provides logging capabilities to track the electronic footprints of all our users (patient, provider and admin). Additionally, we are implementing an “Events” system to track actions relevant to ePHI (uploads, downloads, views, transfers).
  • Data backup and storage (Addressable). Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment.
    • All health information is stored online in Azure and can be retrieved without movement of equipment.

Technical Safeguards (HIPAA §164.312)

Access control

Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights.

Implementation specifications:

      • Unique user identification (Required). Assign a unique name and/or number for identifying and tracking user identity.
        • All our users (patient, provider and admin), requests, access controls and documents have unique user identifiers that are randomly generated and not predictable.

      • Emergency access procedure (Required). Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.
        • In case of an emergency, Azure provides the necessary tools to block incoming traffic to our servers and handle the emergency in a controlled manner. We also always have secure command-line access to Azure servers.
      • Automatic logoff (Addressable). Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
        • We have implemented a timeout system for user sessions
      • Encryption and decryption (Addressable). Implement a mechanism to encrypt and decrypt electronic protected health information.
        • We use 256-bit encryption and SSL to encrypt/decrypt ePHI during transit and at rest.
Audit Controls
Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
  • Azure provides logging capabilities to track the electronic footprints of all our users (patient, provider and admin). Additionally, we are implementing an “Events” system to track actions relevant to ePHI (uploads, downloads, views, transfers).
Integrity

Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.

Implementation specifications:

  • Mechanism to authenticate electronic protected health information (Addressable). Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.
    • Unauthorized users cannot delete or modify data. Only the creators of ePHI can modify existing data. These creators can be providers or patients. All modifications and deletions are tracked in logs, the “Events” system, and timestamps on database objects.
  • Person or entity authentication. Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
    • We verify the identities of our users via phone calls. After this initial verification, patients and providers use the system via username/password combinations. In the future, UI plans to implement more detailed ID checking features (verifying the identity of the user via health insurance card info or NPS#).
Transmission security

Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.

implementation specifications:

  • Integrity controls (Addressable). Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.
    • We use 256-bit encryption and SSL to encrypt/decrypt ePHI during transit and at rest. The data is transferred securely and is not prone to modification in transit.
  • Encryption (Addressable). Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.
    • Same as section (i).

    Documentation Requirements (HIPAA §164.316)

    Policies and procedures

    Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors. This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirements of this subpart. A covered entity or business associate may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart.

    • All our security practices and privacy notices are online and documented here.
    Documentation

    Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form; and if an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment.

    Implementation specifications:

    • Time limit (Required). Retain the documentation for 6 years from the date of its creation or the date when it last was in effect, whichever is later.
      • Documents in Unified Imaging will be stored for at least 6 years.
    •  Availability (Required). Make documentation available to those persons responsible for implementing the procedures to which the documentation pertains.
      • This and other security-related documents are available to all members of our team. Our users can also read our privacy and security practices on our user portals.
    • Updates (Required). Review documentation periodically, and update as needed, in response to environmental or operational changes affecting the security of the electronic protected health information.
      • Our team follows HIPAA requirements closely to ensure that Unified Imaging security practices remain up-to-date and relevant.

    Optimize Your Chair Time

    Spend More Time Focusing On Diagnostic Data and Less Time Managing It

    Unify Your Practice

    We'd love to work with you, let us know how we can help!