Technical Security Policy

Introduction

As an application service provider facilitating communications between patients and Provider offices and their associations, as an enterprise that maintains individually identifiable health information on behalf of these parties, and as a company dependent on health care transaction revenues for a significant portion of its income, CosMedicLaserClinic.com (the Company) has a vital stake in ensuring the highest level of data security and confidentiality on behalf of its constituent users. For one thing, it will soon be mandated in regulations from the US Department of Health and Human Services (DHHS); criminal penalties will be exacted for knowingly and inappropriately releasing individually identifiable health information. For another, knowing how important confidentiality is to Provider-patient relationships, it simply is good business for Company employees to act as trustworthy stewards of this data.

On the other hand, there will never be perfect data security; malicious or inadvertent confidentiality breaches will occur. However, companies must at least be diligent in protecting confidentiality and in maintaining data security to the greatest practical extent. And when breaches inevitably occur, companies must actively monitor their systems to detect them, must take corrective action as quickly as possible upon detection, and must continually adjust their security and confidentiality policies and procedures to ensure that they remain adequate. All of this is recognized implicitly or explicitly in the proposed rules on privacy that have resulted from the original HIPAA legislation from DHHS.

Present Measures

The Company has NEVER planned nor suggested to customers that it would be advisable to eliminate paper records from its customers' practices. In fact, the Company has always regarded the data it collects and maintains on behalf of its users to be supplemental to medical care processes. Its operating model has been to function as an "electronic shadow chart", recording information maintained for the convenience and improved efficiency of the Providers and other health care providers that use the system; as with other shadow charts, the final arbiter of, and source of documentation about, patient care remains the main (paper) chart. We recommend that health care Providers keep their paper records as backups, as they do now.

Nevertheless, the Company has put in place a number of measures to assure the security of its users' data. First, data is hosted at the co-location facility (COLO) of an Internet Service Provider (ISP). The COLO is monitored by ISP personnel, and the hosted systems are monitored continuously by ISP systems to detect a variety of possible attacks.

The Company is notified by pager of any suspected security breaches.

The computers on which customer data is stored are located at the COLO. The COLO has physical security, and policies and procedures are in place to log all entry to the facility and all access to the computers containing customer data. ISP electrical power is carefully conditioned. There is an on-line battery and automatic backup to keep the servers running temporarily for a short period of time.

The Company has automatic tape-backup units for all computers containing customer data. Backup tapes are made at least nightly and stored in locked vaults that only selected Company employees can access.

Beyond that, the Company designed its systems to be compliant with industry standards. In particular, all data interchange through Company applications is encrypted (currently using up to strong domestic triple-DES 56-bit encryption via SSL where supported by the client browser). Data access is protected by a system of User IDs and passwords. All updates to data are accompanied by audit information stored with them that records (among other things) date, time, user, nature of the change, and optional user comments. Finally, the system has an office-administrator-definable time-out, which upon expiration requires re-authentication of the user before further data access is allowed. In addition, the Company protects its customers' (and its own) data using a state-of-the-art, market-leading firewall with a strict security policy. Additionally, strong encryption and industry-standard access controls are used to safeguard the privacy and availability of customer information.

The Company is planning to conduct regular internal security assessments.

Future Measures

The most important aspect of the proposed HIPAA regulations is the following: any organization that plans to exchange individually identifiable health information electronically with another individual or organization can only do so when appropriate "chain-of-trust" agreements are in place between these organizations or individuals.

Specifically, this means that these entities must themselves have an explicit set of policies assuring some level of protection of this data, that there is effective administrative enforcement of these policies, and that there is continuous monitoring of the policies and their enforcement to ensure that protection endures and improves over time to meet any threats.

Of course, the requirements for entering into chain-of-trust agreements apply to the Company itself. HIPAA has a proposed two-year phase-in period before compliance is required. During that time, the Company must:

a. Hire or designate a Chief Security Officer to assume responsibility for the Company's security measures.
b. Have in place specific policies and procedures for ensuring adequate security and privacy protections; fully document this activity.
c. Have in place adequate monitoring procedures to detect security breaches in a timely manner, and to assure that corrective measures are instituted as quickly as possible; fully document this activity.
d. Upgrade technical security and privacy protections as needed to keep up with technical requirements; fully document this activity.
e. Formally engage the Company's data interchange partners with chain-of-trust agreements based on the above; fully document this activity.

The requirement for entering into chain-of-trust agreements applies equally to small-office Providers (Providers in practices of 10 or fewer providers, including solo practitioners). The Company is uniquely positioned to make it feasible for this constituency to enter into these chain-of-trust agreements.

The Company plans to offer to its office users a system of templates and reminders that will assist them in becoming and remaining HIPAA-compliant. In particular (almost exactly parallel to what the Company itself must do), it will implement a system that:

a. Helps assign a party responsible for office security; documents this activity.
b. Creates and periodically updates policies and procedures for ensuring adequate security and privacy protections; documents this activity.
c. Monitors and reports possible security breaches to these offices as soon as they occur; recommends corrective measures; documents this activity.
d. Continuously updates its own technical security and privacy protections (on behalf of its office and consumer users); documents this activity.
e. Creates and submits to data interchange partners chain-of-trust agreements based on the above; fully documents this activity.

The Company is committed to providing users with the information necessary to stay ahead of industry regulations and keep their medical data secure.