
Compliance

HIPAA (Health Insurance Portability and Accountability Act of 1996) is a law that PPX strictly observes in every aspect of its workflow and operations. The privacy of the information we create and acquire through our practice is treated as a common-sense balance: consumers receive personal privacy protections, while providers can securely access the information they need to deliver high-quality health care.

PPX strengthens its protection of protected health information (PHI) through the following safeguards:

  • Administrative Safeguards
  • Physical Safeguards
  • Technical Safeguards

Administrative Safeguards

  • PPX has adopted a written set of privacy procedures and has designated our Administrative team to be responsible for developing and implementing all required policies and procedures.
  • The policies and procedures reference management oversight and organizational buy-in to compliance with the documented security controls.
  • Procedures identify employees or classes of employees who have access to electronic protected health information (EPHI). Access to EPHI is restricted to only those employees who have a need for it to complete their job function.
  • PPX procedures address access authorization, establishment, modification, and termination.
  • On-going training programs on the handling of PHI are provided to employees performing health plan administrative functions.
  • Business processes out-sourced to third parties have met criteria to ensure that our vendors also have a framework in place to comply with HIPAA requirements. PPX gains this assurance through clauses in our contracts stating that the vendor will meet, at minimum, the same data protection requirements. PPX monitors whether a vendor further out-sources any data handling functions to other vendors and whether appropriate contracts and controls are in place.
  • PPX has developed a contingency plan for responding to emergencies. PPX backs up its data and has disaster recovery procedures in place. Contracted IT support documents data priority and failure analysis, testing activities, and change control procedures.
  • PPX conducts internal audits by reviewing operations with the goal of identifying potential security violations. Our policies and procedures specifically document the scope, frequency, and procedures of audits. Audits are both routine and event-based.

Physical Safeguards – controlling physical access to protect against inappropriate access to protected data.

  • PPX’s Chief Information Officer governs the introduction and removal of hardware and software from the network. (When equipment is retired it is disposed of properly to ensure that PHI is not compromised.)
  • Access to equipment containing health information is carefully controlled and monitored.
  • Access to hardware and software is limited to properly authorized individuals.
  • PPX policies address proper workstation use.
  • PPX clients, facility staff and administrative offices are treated as contractors or agents; they too are fully trained by PPX on their physical access responsibilities.

Technical Safeguards – PPX controls access to computer systems and protects communications containing PHI transmitted electronically over open networks from being intercepted by anyone other than the intended recipient.

  • Information systems housing PHI are protected from intrusion. When images and information flow over open networks, encryption is utilized. Our PACS is reached over a Virtual Private Network (a closed system/network), and its existing access controls are considered sufficient.
  • Policies outline who is responsible for ensuring that the data within PPX systems has not been changed or erased in an unauthorized manner. Data changes are documented for tracking, and integrity measures such as message authentication are used to ensure data integrity.
  • Through individual user login, PPX authenticates the entities with which it communicates.
  • In addition to policies and procedures and access records, information technology vendors supporting PPX provide documentation to include a written record of all configuration settings on the components of the network because these components are complex, configurable, and always changing.
  • Documented risk analysis and risk management programs are required. PPX carefully considers the risks of its operations as it implements systems to comply with the act. (The requirement of risk analysis and risk management implies that the act’s security requirements are a minimum standard and places responsibility on covered entities to take all reasonable precautions necessary to prevent PHI from being used for non-health purposes.)

In addition, PPX image acquisition devices (field equipment) use software that safeguards against unauthorized users and unauthorized access to the PHI held within each unit.

1) Acquisition software
The portable CXDI with system software versions 7.1.10 and later provides a device that makes it easy for PPX to support HIPAA.

2) Functions
System software versions 7.1.10 and later support HIPAA, so the IHE Basic Security Integration Profile is supported. This support can be broadly divided into the following four functions.

  • User Authentication
  • Log Generation (generation of audit records)
  • Time Synchronization
  • Node Authentication
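The message authentication mentioned under Technical Safeguards and the audit record generation listed above share one practical need: being able to prove later that a stored record or log entry has not been altered or silently removed. The following is an added example, not PPX's or Canon's code, showing a tamper-evident audit log in which each entry carries an HMAC-SHA256 tag that also covers the previous entry's tag. The key, the event fields and the sample events are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed key for this example only; a deployment would load it from a
# secret store and never embed it in source.
INTEGRITY_KEY = b"example-key-not-for-production"

# Tag that stands in for "the entry before the first one".
GENESIS_TAG = "0" * 64


def canonical_bytes(entry: dict) -> bytes:
    """Serialize an entry deterministically so equal content gives equal bytes."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode("utf-8")


def compute_tag(prev_tag: str, entry: dict, key: bytes = INTEGRITY_KEY) -> str:
    """HMAC over the previous tag and this entry; chaining links the entries."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    mac.update(prev_tag.encode("ascii"))
    mac.update(canonical_bytes(entry))
    return mac.hexdigest()


def append_entry(log: list, entry: dict, key: bytes = INTEGRITY_KEY) -> list:
    """Append an entry together with its chained tag and return the log."""
    prev_tag = log[-1]["tag"] if log else GENESIS_TAG
    log.append({"entry": entry, "tag": compute_tag(prev_tag, entry, key)})
    return log


def verify_log(log: list, key: bytes = INTEGRITY_KEY):
    """Walk the chain; return (True, None) or (False, index of first bad item).

    Modifying or deleting an entry in the middle breaks the chain at that
    position, so the index points at the first item that no longer verifies.
    """
    prev_tag = GENESIS_TAG
    for i, item in enumerate(log):
        expected = compute_tag(prev_tag, item["entry"], key)
        # Constant-time comparison so tag checks do not leak timing information.
        if not hmac.compare_digest(expected, item["tag"]):
            return False, i
        prev_tag = item["tag"]
    return True, None


# Constructed sample audit events in the spirit of the four functions above
# (user authentication, audit records, time source, node identity).
SAMPLE_EVENTS = [
    {"time": "2024-01-15T08:00:00Z", "node": "cxdi-01", "user": "tech01",
     "action": "user-login", "outcome": "success"},
    {"time": "2024-01-15T08:01:30Z", "node": "cxdi-01", "user": "tech01",
     "action": "study-export", "destination": "pacs-01", "outcome": "success"},
    {"time": "2024-01-15T08:20:00Z", "node": "cxdi-01", "user": "tech01",
     "action": "auto-logoff", "outcome": "success"},
]


def build_sample_log() -> list:
    """Build a fresh chained log from the constructed sample events."""
    log = []
    for event in SAMPLE_EVENTS:
        append_entry(log, event)
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", verify_log(log))
    log[1]["entry"]["user"] = "someone-else"  # simulate an edit after the fact
    print("after edit:", verify_log(log))
```

One caveat the chain alone does not cover: removing entries only from the tail still verifies, because nothing after the cut references the missing tags. A deployment would record the latest tag somewhere the log writer cannot change (a separate store, a periodic signed checkpoint, or a receipt sent to another system) and compare the chain head against it during audit review.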

3) Overall HIPAA support of Imaging Systems
The following areas are covered by the overall image acquisition support in CXDI’s HIPAA software version.

  • User Authentication
  • Auto Logoff
  • Audit Log
  • TimeServer ARR
  • Maintain Time
  • WindowsTimeService
  • Node
  • Authentic RIS, PACS
  • Printer/CD writer

4) Installation
The four functions mentioned above can be turned ON and OFF using the HIPAA setup tool HIPAASetupTool.exe. The installation defaults set the HIPAA functions to the disabled state.
