elig.pro HIPAA compliance checklist

This checklist originates from Luxsci.com

“HIPAA standards fall into four categories. Standards denoted with a (R) are required, while those with an (A) are addressable.

ADMINISTRATIVE REQUIREMENTS

Administrative requirements pertain to employee training. Organizations must implement security measures to reduce systemic risks and safeguard electronic and physical information.

Risk Analysis: (R) Perform a risk analysis to understand where PHI is stored to determine what data is at risk.
Response: elig.pro stores PHI on Luxsci-provided encrypted SQL servers only briefly. All PHI data is deleted when received (on upload) and when retrieved (on download).

Risk Management: (R) Implement measures to reduce identified risks to an appropriate level.
Response: elig.pro software is hosted on Luxsci HIPAA-compliant servers. Measures are implemented to reduce the risk of PHI disclosure.

Sanction Policy: (R) Implement sanction policies for employees who fail to comply.
Response: TBD (elig.pro has only one person who has access to servers and code).

Information Systems Activity Reviews: (R) Regularly review system activity, logs, audit trails, etc.
Response: System activity is reviewed daily; error logs and user activity logs are kept.

Officers: (R) Designate HIPAA Security and Privacy Officers.
Response: Andrew Rose, LPC is the designated HIPAA Security and Privacy Officer (andrewroselpc@boulderemotionalwellness.org).

Employee Oversight: (A) Create procedures to authorize and supervise employees who work with PHI, and for granting and removing PHI access to employees. Ensure that an employee’s access to PHI ends with termination of employment.
Response: Access to servers and data is logged by Luxsci.com. All PHI data is erased in the course of normal operations, so in the event of a site shutdown there will be no PHI data in storage.

Multiple Organizations: (R) Protect PHI from unauthorized parent or partner organizations or by unauthorized subcontractors.
Response: elig.pro is independently owned; there is no parent organization.

ePHI Access: (A) Implement procedures for granting access to ePHI. Document access to ePHI or to services and systems which grant ePHI access.
Response: No services or systems can access PHI in elig.pro. Only logged-in users may upload or download PHI, and access is logged.

Security Reminders: (A) Periodically send updates and reminders of security and privacy policies to employees.
Response: TBD

Protection Against Malware: (A) Implement procedures to guard against and detect malicious software.
Response: Luxsci.com servers have extensive firewall protections and detection for DDoS (distributed denial of service), repeated login attempts, and executable intrusions.

Login Monitoring: (A) Monitor logins to systems and report discrepancies.
Response: Logins are logged.

Password Management: (A) Ensure there are procedures for creating, changing, and protecting passwords.
Response: Passwords are encrypted, and users may change their passwords.

Response and Reporting: (R) Identify, document, and respond to security incidents.
Response: Security incidents are documented and responded to.

Contingency Plans: (R) Ensure that there are accessible backups of ePHI and procedures to restore lost data.
Response: PHI does not persist on the elig.pro platform, so there is no data to lose. If batch jobs are interrupted, the user can restart them by uploading again.

Contingency Plan Updates and Analysis: (A) Periodically test and revise contingency plans.
Response: Contingency plans are periodically tested and revised as necessary.

Emergency Mode: (R) Establish procedures to enable continuation of critical business operations. These procedures include securing electronic protected health information while operating in emergency mode.
Response: Emergency responses are the responsibility of the Luxsci server team, who have achieved HITRUST certification through an independent third-party audit.

Evaluations: (R) Perform periodic evaluations to see if any changes in business operations or the law require changes to HIPAA compliance procedures.
Response: Periodic evaluations are performed, and changes to HIPAA are reviewed.

HIPAA ORGANIZATIONAL REQUIREMENTS

Organizational Requirements include the development, documentation, and implementation of security policies and procedures, and the management of business associate agreements.

Business Associate Agreements: (R) Create and manage contracts with business partners who will have access to the organization’s PHI to ensure that they will adequately safeguard data.
Response: All users sign the Business Associate Agreement to access features.

Policies, Procedures and Documentation Requirements: (R) A covered entity must implement reasonable and appropriate policies and procedures to comply with the standards and implementation specifications.
Response: elig.pro implements policies and procedures to comply with the standards and implementation specifications.

HIPAA PHYSICAL REQUIREMENTS

Physical Safeguards concern physical access to buildings, workstations, computer servers, and networks. Only allow authorized access to ePHI and monitor access through established policies to prevent violations.

Contingency Operations: (A) Establish procedures that allow facility access in emergency situations to support the restoration of lost data.
Response: Luxsci.com responsibility.

Facility Security: (A) Implement policies and procedures to safeguard the facility and equipment from unauthorized physical access, tampering, and theft.
Response: Luxsci.com responsibility.

Access Control and Validation: (A) Institute procedures to control and validate an individual’s access to facilities based on their role or function. Log visitors and control access to software programs.
Response: Luxsci.com responsibility.

Maintenance Records: (A) Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security.
Response: Luxsci.com responsibility.

Workstations: (R) Establish policies to govern software usage. Set up procedures for proper configuration on systems that provide access to ePHI. Safeguard all workstations that provide access to ePHI and restrict access to only authorized users.
Response: Luxsci.com responsibility. elig.pro developers use a “two lock” method: the workstations where code is developed are behind both a physical lock and a password system, one for the machine and another to access Luxsci servers remotely.

Devices and Media Disposal and Re-use: (R) Create procedures to securely dispose of media that contains ePHI. Put policies in place for the reuse of devices and media that formerly stored ePHI.
Response: No PHI is written to portable media.

Media Movement: (A) Record movements of hardware and media associated with ePHI storage. Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment.
Response: No PHI data is stored in the elig.pro system beyond the time it takes for a user to retrieve their data.

HIPAA TECHNICAL REQUIREMENTS

Technical Safeguards ensure the security of data at rest and in transmission. Controlling access to ePHI provides a reviewable log of users in case of a security incident.

Unique User Identification: (R) Assign a unique name or number for identifying and tracking user identities.
Response: elig.pro user accounts have unique identifiers.

Emergency Access: (R) Establish procedures for obtaining necessary electronic protected health information during an emergency.
Response: No procedure is necessary because no PHI is stored beyond the time it takes for the user to retrieve their batch result.

Automatic Logoff: (A) Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
Response: Implemented.

Encryption and Decryption: (A) Institute a mechanism to encrypt and decrypt electronic protected health information when deemed appropriate.
Response: All PHI is encrypted “in flight” and “at rest.” Files are uploaded and downloaded through an SSL encryption layer. Any temporary files are stored on Luxsci.com encrypted servers.

Audit Controls: (R) Establish hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
Response: User activity is recorded.

ePHI Integrity: (A) Create policies and procedures to secure electronic protected health information from improper alteration or destruction.
Response: No PHI is stored beyond the time it takes for the user to retrieve their results.

Authentication: (R) Implement procedures to verify the identities of people or entities seeking access to electronic protected health information.
Response: Users are requested to provide their Colorado HCPF “Medicare ID”, which typically begins with “9000”.

Transmission Security: (A) Institute technical security measures to guard against unauthorized access to electronically transmitted protected health information.
Response: Technical security measures are instituted.