Privacy policies related to PII and PHI.
General Privacy Information and Policies
FastHealth Corporation is a healthcare and alerting website company that partners with hospitals and small to mid-size institutions to help them establish an Internet presence and communication services. Most FastHealth customers are smaller non-profit critical access hospitals or smaller organizations and institutions with limited resources. FastHealth Corporation helps tribes, hospitals, cities, schools, and businesses establish websites so that they can operate their web presence and alerting with a limited number of staff and stay viable. FastHealth also provides text alerting tools to many of its customers through FastCommand. All services are protected under similar privacy policies. Some FastHealth clients generate content to be posted on their websites. Some hospitals also generate forms for the purpose of collecting personal information from users or patients via direct website submission. Once private information is collected, the PHI or PII can only be accessed by the limited set of individuals with authorized credentials. Controlling access to credentials is the shared responsibility of FastHealth Corporation, its employees, and its partner hospitals and businesses. Defending against criminal attacks on the servers is the responsibility of FastHealth Corporation. FastHealth has a small staff, which makes it easier to educate and inform staff regarding security and privacy issues. Limited manpower also presents additional challenges that are met through careful planning.
FastHealth Corporation and FastCommand keep all information private and do not use, sell, or license any private information to third parties. FastHealth Corporation ensures that e-mail addresses, phone numbers, text numbers, credentials and contact information are protected. FastHealth Corporation provides website development tools and alerting tools to help hospital management teams update websites and send alerts. Hospitals and licensees can also use these tools to create form areas on their hospital client websites that collect health information or personal information through secure forms and through alerts. After PII and PHI submissions are made through a secure and encrypted website form, the submitted data can only be accessed by authorized staff through credentials. Admin areas cannot be accessed unless proper credentials are presented and exchanged. User names and passwords are customized for clients to give them credentials to access the form submission data. Individual user names and passwords are created and distributed to authorized designated hospital staff for access to administrative areas. In the administrative areas those with credentials can retrieve encrypted private information.
User Names and Password Access
FastHealth provides user name and password credentials that are distributed properly to all customers by FastHealth staff. No passwords are ever e-mailed. Some FastHealth staff have access to an Auto-Login program, available only through internal networks, that provides shortcut access to internal credentials so that FastHealth staff can log in quickly to assist and support clients in updating their internal areas. Auto-Login makes credentials available so that support can be undertaken when customers seek assistance. This area is limited to authorized FastHealth staff in IT, production and support roles who are undertaking that support work. Auto-Login is restricted to a portion of FastHealth staff connecting from approved IP addresses or through a secure VPN.
User names and passwords are customized by FastHealth programmers for the various users and are transferred to customer-authorized staff. The credentials, or user names and passwords, must be issued and distributed properly. Individual user names and passwords are created and distributed to authorized designated licensee staff for access to their compartmentalized administrative areas. This is done by direct phone call after speaking with the client, or through text. To ensure credentials are not accidentally given to those without permission, a direct voice exchange takes place before passwords are distributed.
User names and passwords that are distributed to clients for web updates and alerting must not be transferred to others who lack authority to use the FastHealth admin areas. Once FastHealth issues credentials to customers, the customer must take responsibility for its own employees to protect the credentials from loss of control and privacy disclosure. This means that when an employee leaves the employment of a customer, the credentials that were in their possession are replaced with new ones for the replacement staff member. FastHealth asks customers to change passwords upon personnel changes.
FastHealth hosts Linux-based and SQL-based servers in the Alabama operations building. An offsite center exists in Kansas through a high quality third-party server company, One and One. Only authorized company representatives are able to access the systems, through credentials, passwords and physical barriers. We have about a dozen servers housed in our local secure building, accessible only through secure, locked doors to the server room. Offsite remote backup servers for SQL, DNS, and FastCommand are also based in Kansas. FastHealth also stores backup data on remote drives kept in a limited number of secure locations.
The server room hosting FastHealth and alerting programs on its servers has restricted access. Only six staff members are permitted in the server room. The building in which the servers are housed is secure. Within the building only one room hosts private client servers, DNS servers, and database servers, and it is only reachable through locked areas accessible by key. This room is only accessible with the keys of approved staff members. The doors remain locked until access is needed. Remote servers in Kansas are only available through network access points to proper staff holding credentials.
Remote Backup Drives
FastHealth Corporation takes backup drives off-site in case of calamity. This backup takes the form of mobile remote drives copied from the main servers and then taken by one of three staff members to offsite locations about once a week. These drives are designated to be returned for reuse unless they are damaged, which keeps the number of remote drives in use limited since they are recycled. In the event of fire, tornado, or other calamity these remote drives allow restoration of company systems and data quickly. They are not compressed. Once a week these drives are taken by one of three staff members offsite, where they are kept secure until they are needed for restoration or need to be erased for new backup purposes.
PROGRAMS AND APPLICATIONS ASSESSMENT
FastHealth has organized proprietary programs and applications to serve customers and to serve company requirements. Systems are organized by administrators to provide usability and security. Usability is critical and privacy is critical. The company has selected systems and created applications that can accomplish both. Applications are primarily proprietary and PHP based.
FastHealth runs a LAMP stack. Our LAMP systems have credential-restricted access permissions. Data is stored on SQL-based servers. Apache is the open source web server platform utilized. An earlier version of Linux is utilized, which also requires use of an earlier Apache version. Conflicts with client tools have discouraged upgrading to a newer Linux until now.
FastHealth designs and uses complex proprietary PHP-based programs for customer use and for internal use. FastHealth has tried to remove all known vulnerabilities so that hackers cannot get into our systems. The earlier versions of PHP being utilized until now might present exploitation potential. FastHealth has encryption systems in place to prevent systemic hacking of private information.
CONTROL AND EXCLUSION ASSESSMENT
FastHealth has two WatchGuard Firebox M Series appliances in place that block suspicious users' IP addresses. This has been very beneficial in blocking those attempting infringement on company servers and resources. We have two means of monitoring our systems: Uptime Robot lets us know when sites are impacted, and internally we have automated monitoring through Nagios. All of our systems, from CPU and disk drives to other hardware resources, are monitored. Logs are kept for any access into the system from any and all accounts. Real-time logs are kept indefinitely until deleted.
Root password access is limited to a few individuals. Privileges are removed from staff who no longer have an affiliation with FastHealth Corporation.
FastHealth Corporation has adopted this HIPAA Compliance and Training Policy in order to recognize the requirement to comply with the Health Insurance Portability and Accountability Act (“HIPAA”), as amended. We acknowledge that full compliance with the HIPAA Final Rule is required. We also use these standards to protect PII in our ALERTING systems. FastHealth has a duty and responsibility to protect the privacy and security of Individually Identifiable Private Information generally and Protected Information as defined in the HIPAA Regulations, under the regulations implementing HIPAA and other federal and state laws protecting the confidentiality of personal information, and under principles of general and professional ethics. We also acknowledge our duty to responsibly support and facilitate the timely and unimpeded flow of health information for lawful and appropriate purposes. This policy governs the General HIPAA Compliance for FastHealth Corporation. All personnel of FastHealth Corporation must comply with this policy. Demonstrated competence in the requirements of this policy is an important part of the responsibilities of every member of the company workforce and of contracted help operating with company staff. All staff must read, understand, and comply with this policy in full and at all times. FastHealth Corporation and FastCommand recognize their status as a business associate under the definitions contained in the HIPAA Regulations and under state privacy guidelines. FastHealth Corporation must comply with PRIVACY GUIDELINES and the HIPAA implementing regulations, as currently amended. Full compliance with HIPAA is mandatory and failure to comply can bring severe sanctions and penalties. Possible sanctions and penalties include, but are not limited to, civil monetary penalties, criminal penalties including prison sentences, and loss of revenue and reputation from negative publicity.
Full compliance with HIPAA strengthens our ability to meet other compliance obligations, and will support and strengthen our non-HIPAA compliance requirements and efforts. Full compliance with HIPAA reduces the overall risk of inappropriate uses and disclosures of Protected Health Information (PHI) and reduces the risks of breaches of confidential health data.
All staff must attend the monthly meetings where HIPAA privacy and security topics are discussed. All staff must annually take and pass an online HIPAA training class and module.
Systems Activity Review
FastHealth Corporation IT staff review company access logs, system resources, IP accessibility logs, credentials, bandwidth resources, cross-site scripting, SQL injections, error logs, DNS logs, and other logs. It is the policy of the company that IT staff regularly undertake the following:
· Daily Review of Cross-Site Scripting and SQL Injection
· Daily Auditing of General Logs
· Daily Review of Access Logs
· Daily Review of Error Logs
· Regular Review of Base64 Insertion
· Regular Consideration of Credentials
· Regular Inspection of Server Room Access
· Regular Analysis of Remote System Security
· Review of Nightly Backups and Proper Distribution of Remote Backups
· Review of Remote Backup and Proper Storage
· Review of Security Certificate Availability
· Review of Secure Access Points
The company expects all IT staff and other employees of FastHealth Corporation to report to management any suspicious activity in which data is accessed, or access is attempted, by non-approved individuals, including staff or clients. All staff are to report to management any unauthorized access to servers, backups, VPN, networks, systems, computers, or Internet data of any kind that is suspected of being used inappropriately. All systems are to be locked when not under supervision to protect data and systems. Any oral disclosure of EPHI or PII should also be reported by staff to management. Any infringement of these policies can lead to discipline including suspension or loss of job. FastHealth Corporation staff are required to always investigate reports of infringement on our system or systems and to take immediate action to remedy problems or infringement. Any verified infraction report will be taken seriously and without challenge. Tracking security incidents by retaining documents or taking screen shots during incidents to preserve evidence is expected and required.
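As an added illustration of the daily cross-site scripting, SQL injection and Base64 insertion review described above (example code written for this page, not FastHealth's own tooling): a small Python script that parses Apache combined-format access log lines, URL-decodes the requested path and query, and tags each request that carries one of the indicators the review looks for. The log lines, IP addresses and payloads are constructed for the example, and the indicator patterns are illustrative starting points that would be tuned to the site's own applications.

```python
import base64
import binascii
import re
from urllib.parse import unquote

# Apache "combined" log format, e.g.
#   203.0.113.5 - - [10/Oct/2023:13:55:36 -0500] "GET /index.php?id=1 HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Illustrative indicator patterns (assumption: tuned per site in practice).
SQLI_RE = re.compile(
    r"(?i)(\bunion\b\s+(all\s+)?\bselect\b|'\s*or\s+'?\d|\bor\b\s+1\s*=\s*1|--\s|;\s*drop\b|sleep\(|benchmark\()"
)
XSS_RE = re.compile(r"(?i)(<script\b|javascript:|on(load|error|mouseover)\s*=)")
# Candidate Base64 blobs: 24+ characters of the Base64 alphabet plus optional padding.
B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
B64_MARKERS = ("<?php", "eval(", "<script", "base64_decode")


def parse_log_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    entry = m.groupdict()
    # Decode percent-encoding so encoded indicators are visible to the patterns.
    entry["decoded"] = unquote(entry["path"])
    return entry


def decoded_base64_payloads(text):
    """Return decoded Base64 blobs in text whose content contains a code marker.

    Hex session ids and similar tokens also match B64_RE, so a blob only counts
    when it decodes to ASCII text carrying one of B64_MARKERS.
    """
    hits = []
    for blob in B64_RE.findall(text):
        body = blob.rstrip("=")
        if len(body) % 4 == 1:  # not a valid Base64 length
            continue
        padded = body + "=" * ((-len(body)) % 4)
        try:
            raw = base64.b64decode(padded, validate=True)
            decoded = raw.decode("ascii")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue
        if any(marker in decoded.lower() for marker in B64_MARKERS):
            hits.append(decoded)
    return hits


def classify_request(entry):
    """Return the list of indicator tags ('sqli', 'xss', 'base64') for one entry."""
    text = entry["decoded"]
    tags = []
    if SQLI_RE.search(text):
        tags.append("sqli")
    if XSS_RE.search(text):
        tags.append("xss")
    if "base64_decode" in text.lower() or decoded_base64_payloads(text):
        tags.append("base64")
    return tags


def review_access_log(lines):
    """Run the daily review over log lines; return one finding per flagged request."""
    report = []
    for line in lines:
        entry = parse_log_line(line)
        if entry is None:
            continue  # malformed line: skipped here, would be counted in a real review
        tags = classify_request(entry)
        if tags:
            report.append({"ip": entry["ip"], "path": entry["path"],
                           "status": entry["status"], "tags": tags})
    return report


def summarize_by_ip(report):
    """Count findings per source IP; a feed for deciding what to block at the firewall."""
    counts = {}
    for finding in report:
        counts[finding["ip"]] = counts.get(finding["ip"], 0) + 1
    return counts


# Constructed sample log lines (documentation-range IPs, made-up timestamps).
PHP_B64 = base64.b64encode(b"<?php echo 'x'; ?>").decode("ascii")  # -> PD9waHAgZWNobyAneCc7ID8+
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 -0500] "GET /index.php?page=about HTTP/1.1" 200 2326 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:13:56:01 -0500] "GET /news.php?id=1%20OR%201%3D1--%20 HTTP/1.1" 200 5120 "-" "curl/7.88"',
    '198.51.100.7 - - [10/Oct/2023:13:56:09 -0500] "GET /search.php?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 812 "-" "curl/7.88"',
    f'192.0.2.44 - - [10/Oct/2023:13:57:30 -0500] "GET /index.php?x={PHP_B64} HTTP/1.1" 500 0 "-" "python-requests/2.31"',
    '203.0.113.9 - - [10/Oct/2023:13:58:00 -0500] "GET /admin/?sid=3f2a9c1d4e5b6a7f8091a2b3c4d5e6f708 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    "garbage line that does not match the log format",
]

if __name__ == "__main__":
    findings = review_access_log(SAMPLE_LOG)
    for f in findings:
        print(f"{f['ip']:15} {f['status']} {','.join(f['tags']):12} {f['path']}")
    print("per-IP counts:", summarize_by_ip(findings))
```

The hex session id on the `/admin/` line shows why the Base64 check decodes the candidate blob rather than matching on length alone: it fits the Base64 alphabet but decodes to binary, so it is not reported. Percent-decoding before matching matters for the same reason in the other direction, since the injection and script indicators arrive encoded.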
Malware Policy and Procedure
It is the policy of FastHealth Corporation that all staff guard systems, protect personal data of all types, and protect systems that collect PHI or PII. All staff agree to guard against the following:
· Private Network Access by Unauthorized Individuals
· Access Privileges Granted to Unauthorized Individuals
· Improper Distribution of Credentials, User Names, and Passwords
· Improper Access to Hardware, Servers, and Systems
· Unwarranted Use of Employee Computer Systems
· Careless Storage of Backups
· Insufficient Deletion, Incorrect Erasing, or Improper Destruction of Data
· Unauthorized Access to Remote Servers
Any device that connects to the network must have current antivirus software installed and running at all times. The antivirus software must be configured to automatically clean and remove an infected file, or to quarantine the infected file if automatic cleaning is not possible. The antivirus software must be configured to update itself automatically on a regular basis. Scans for viruses on the device must occur on a regular basis without user intervention. On systems where this is not possible, users are responsible for regularly initiating the scan and updating the software to protect against the latest threats. All company computers and servers must have antivirus software installed and configured. Users are prohibited from disabling or tampering with the installed antivirus software. Any Technology Consultant, System Administrator, Chief Programmer, and all other employees or consultants must report any and all failures in privacy, security, or defensive measures within database systems, including improper attempts to gain access to company data or systems.
Any Technology Consultant, System Admin, or Chief Programmer, and all other employees or consultants must report any and all infractions or improper software discovered on any and all systems and to report major infractions or discovery of unwarranted malicious software on any company owned devices.
Documentation of access rights to systems containing ePHI
FastHealth Corporation access rights are as follows, by category:
· System Administration and Chief Programmer: Root and All Areas
· Backups and Systems Programmers: Priority Servers and Applications
· Auto Login Management: Priority Servers and Applications
· Remote Backups Support: Auto Login
· Clients: Sovereign Client Administration Areas
Use and Disclosure of PHI Policy and Procedure
FastHealth Corporation is a business associate to covered entities. As a business associate, FastHealth may use or disclose protected health information only as permitted or required by its business associate contract or other arrangement pursuant to § 164.504(e), or as required by law. FastHealth staff are required to abide by applicable business associate contracts. FastHealth staff are required to disclose protected health information when required by the Secretary of the U.S. Department of Health and Human Services to investigate or determine the business associate's compliance with HIPAA. FastHealth staff are required to disclose protected health information to the covered entity, individual, or individual's designee, as necessary to satisfy a covered entity's obligations under § 164.524(c)(2)(ii) and (3)(ii) with respect to an individual's request for an electronic copy of protected health information.
FastHealth and FastCommand may not sell or license protected private information to third parties.
FastHealth may not use or disclose protected private information in a manner that would violate the requirements of this subpart if done by the covered entity, except for the purposes specified under § 164.504(e)(2)(i)(A) or (B) if such uses or disclosures are permitted by its contract or other arrangement. When using or disclosing protected health information as authorized, FastHealth must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request. This requirement does not apply to:
• Disclosures to or requests by a health care provider for treatment purposes.
• Disclosures to the individual who is the subject of the information.
• Uses or disclosures made pursuant to an individual’s authorization.
• Uses or disclosures required for compliance with the Health Insurance Portability and Accountability Act (HIPAA) Administrative Simplification Rules.
• Disclosures to the Department of Health and Human Services (HHS) when disclosure of information is required under the Privacy Rule for enforcement purposes.
• Uses or disclosures that are required by other law.
FastHealth may disclose protected health information to a business associate that is a subcontractor and may allow the subcontractor to create, receive, maintain, or transmit protected health information on its behalf, if FastHealth obtains satisfactory assurances that the subcontractor will appropriately safeguard the information. The satisfactory assurances must be documented through a written contract or other written agreement or arrangement with the business associate that meets the applicable requirements of § 164.504(e).
Breach Notification Policy and Procedures
The purpose of this Breach Notification Policy is to provide guidance to the staff if there is a breach: an acquisition, access, use, or disclosure of patients’ unsecured protected health information in a manner not permitted under the Health Insurance Portability and Accountability Act of 1996 and its implementing rules and regulations, which compromises the security or privacy of the Protected Health Information. HIPAA, as well as business associate agreements, requires that FastHealth notify affected covered entities if their patients’ unsecured PHI has been compromised by such a breach.