HIPAA and GDPR Rules:
Medical practices and other health providers are required by Health Insurance Portability and Accountability Act (HIPAA) to utilize new rules sets after October 15, 2003. Also the European Data Protection Regulation GDPR is applicable as of May 25th, 2018 in European Union to harmonize data privacy laws across Europe. However there is no such thing as "HIPAA or GDPR compliant" software. The responsibility to be compliant rests with the medical practice. Much of what above regulations entail, especially surrounding technology usage, are far from being black and white. More accurately, the entire set of policies outlining proper technology integration with acceptable safeguards can be seen in shades of gray. For example placed most of the computers on a fully isolated network that had no physical access to an internet line does make you HIPAA compliant. We strongly recommend hands-on local IT consulting from security experts. Use databases like MS SQL Server.
Our product portfolio provides the following HIPAA and GDPR compliant Rules:
1. National Provider Identifier (NPI).
2. Secured access to patient’s data only to authorized personnel with:
- Individual authentication - individual logins and passwords with strength indicators.
- Role Based Access Control
3. Auto-logoff feature. This feature will automatically log you out after the selected amount of time of inactivity. This prevents others from reading your screen if you have left your office with the application turned on.
4. Audit trails - access to data fields tracked and recorded. The Log File keeps track of changes made to the Patient data in the program, and those changes can be viewed and printed by opening the Audit Trail Analysis Screen.
5. The power and security features of SQL Server like Password Expiration – in how many days you want the password to expire.
Security safeguards
Our software provides a powerful -two layer- security model that allows high-level control over access to your data (user-level security) and SQL Server features. By using passwords and set of attributes that specifies what kind of access a user has to data or objects in a database (permissions), you can allow or restrict the access of users, or groups of users, to the objects in the front end and SQL Server. However you must always apply other appropriate safeguards, using antivirus software, taking due precautions when opening files, and maintaining a safer database environment.
Some useful advices:
- Always use the latest version of your OS!
- Consider using full disk encryption on all of your computers and backup media. You can use Apple's FileVault for OS X or BitLocker in recent versions of Windows.
- Get a commercial security firewall.
- Employ a managed switch that can handle VLANs.
- Invest in quality anti-malware/anti-virus software.
- Make a feasible plan of action to upgrade systems piecemeal.
- Even isolated systems need to be upgraded.
- If you are replacing machines, go with warranty-backed business-oriented OEM systems.
- Backups need to be encrypted, too. Any piece of storage medium that touches patient information or records needs to be safeguarded against potential theft. This includes backup flash drives and hard drives.
- Strong password enforcement on all critical systems is key.
- Consider cable locks for your actual computer equipment.
- Have always in place a disaster recovery plan.