HIPAA COMPLIANCE POLICY

| Safeguards | Standards | Specifications | Measures and Methodology | Controls |
|---|---|---|---|---|
| Physical Safeguards | Facility Access Controls | Contingency operations | Procedures and systems in place that allow facility access in support of restoring lost data under the disaster recovery plan and/or emergency mode operations plan in the event of an emergency. | Site location: Mohali/Gurgaon |
| | | Facility security plan | Policies and procedures to safeguard the facility and equipment from unauthorized physical access, tampering or theft. | Access cards & biometrics for the production floor, along with CCTV |
| | | Access controls and validation procedures | Systems and procedures that protect access to critical workstations and servers through an effective physical access control method. Supplementing this with eTrust™ Access Control protects critical systems and information from unauthorized users who have physical access to the devices. | Servers & workstations (WKS) are under lock and key. Access cards & biometrics for the production floor |
| | | Maintenance records | Policies and procedures for documenting repairs and modifications to physical structures, where these changes are meant to enhance security. | Decisions are taken with the consent of the MD |
| | Workstation Use | | Single sign-on systems that lock down a workstation so that all users of that workstation must authenticate through single sign-on. Based on their roles, users can then access and/or use only those functions for which they are authorized. | Licensed Windows 2003 Server for single sign-on control |
| | Workstation Security | | Covered entities must implement physical security measures to restrict workstation access to authorized users only. | Biometrics & Windows 2003 Server login-time authorization |
| | Device and Media Controls | Disposal | Policies and procedures that govern the receipt and removal of hardware and electronic media containing electronic protected health information (ePHI) into and out of the facility. | HDDs & CDs will be crushed; faulty devices will be replaced with new ones |
| | | Media reuse | Established policies and procedures designed to eliminate ePHI from all media before that media may be reused. | Authorization for accessing the backup device or backup location will be audited |
| | | Accountability | Procedures and systems in place for logging on all resources, IT and non-IT, that contain ePHI. In addition, they track the location, movement and depreciation of these resources, along with the contracts and responsibilities relating to that information. | Auditing on Server 2003 is enabled for every event |
| | | Data backup and storage | Data storage solutions that create a retrievable, exact copy of ePHI, and an enterprise backup when needed before moving equipment. | Backups are taken at 3 levels. Level 1: a backup server with the software is required. Level 2: location & vendor still to be finalized. Level 3: US location with backup device & software, for recovery at any time |
| Administrative Safeguards | Security Management Process | | Procedures and practices for risk analysis, risk management, a HIPAA sanction policy, and information system activity review for HIPAA risk coverage. | Liability insurance is in place in the US |
| | Assigned Security Responsibility | | | |
| | Workforce Security | | Policies and procedures in place for authorization and supervision of employees, workforce clearance procedures, and termination procedures as part of administrative practices. | Under Confidentiality Agreement & HR Policy |
| | Information Access Management | | Policies, procedures and systems that enable isolation of clearinghouse functions, access authorization and access modification. | In line with IT policy |
| | Security Awareness and Training | | Various measures including password management, log-in monitoring, screen recording, security reminders, and systems in place for protection from malicious software. | In line with IT policy. Screen recording software for review & analysis, LAN monitoring, and Internet security for accessing remote applications |
| | Security Incident Procedures | | Procedures in place for security incident response and reporting. | Exception log |
| | Contingency Plan | | The contingency plan is part of our HIPAA compliance program and includes data backup, a disaster recovery plan, an emergency mode operation plan, testing and revision procedures, and applications and data criticality analysis. | Data backup at 3 levels. Disaster recovery site yet to be decided |
| | Evaluation | | Evaluation of systems and procedures as part of our compliance program. | In-house Compliance Officer |
| | Business Associate Contracts and Other Arrangements | | Written contract or other arrangement. | The Business Team has to design the contract as per HIPAA compliance |
| Technical Safeguards | Access Control | | Access control through unique user/employee identification, emergency access procedures for exigencies, user-specific encryption and decryption, and automatic log-off to prevent unauthorized access. | Licensed Windows Server 2003 |
| | Audit Controls | | Periodic auditing and systems for greater control. | Audit will be once every 30 days |
| | Integrity | | Systems and procedures to check and maintain data integrity at both ends during data transfer. | Firewall/VPN for secure data movement |
| | Integrity | | Procedures and systems in place for user authentication to access ePHI. | Licensed Windows 2003 Server |
| | Transmission Controls | | Data integrity during transmission is controlled by integrity controls and data encryption and decryption. | VPN with 3-DES encryption standard |