HIPAA Compliance & Computer Security

The HIPAA Security Rule covering electronic Protected Health Information (ePHI) extends to the personnel of a covered entity’s workforce even if they work at home. For complete information on Mainstream Living and Community Support Advocate’s HIPAA security policies, contact the IT Specialist.

Mainstream Living’s HIPAA Privacy Notice:

Community Support Advocate’s HIPAA Privacy Notice:

Access Policy

Access to information is granted based on an individual’s job responsibilities. Prognotus requires a user name and password, and information is limited by group assignments. Network connections to Prognotus will use high-grade end-to-end encryption (TLS 1.0 or better).

Operating systems (e.g. Windows XP) or browsers (e.g. Internet Explorer 6 or earlier) that do not support TLS 1.0 or better are not supported.

Password Security

  • Passwords must be kept private; never share passwords with anyone.
  • Passwords must be at least eight characters long and should contain at least two numbers or symbols.
  • Do not use your user name or password outside of the company, such as on other websites.
  • Prognotus implements password aging for increased security.

ePHI Privacy & Prognotus Use

  • If not using a company computer, you must ensure that your computer meets the minimum requirements listed under Prognotus Requirements, and also prepare your computer as described in the Working at Home section.
  • Be aware of persons within view of your screen (e.g. a person standing behind you can read the protected health information).
  • Do not access Prognotus on a public computer, or any other computer not owned by the company or by you.
  • Avoid accessing Prognotus over a public or unsecured wireless network. This is a security hazard.
  • Log off when finished.

Working at Home

Your company should have laptops for employees to use for the purpose of working outside the office. If you plan to work at home, the use of a company portable computer is preferred. The company-provided computers meet the HIPAA security policy requirements and include additional security measures. If you choose to use your home computer, you are responsible for meeting the security requirements detailed in Prognotus Requirements and for preparing your computer as described in this section.

Working at Home Points to Remember:

  • Only use wireless networks with caution.

  • Turn off your wireless connection when not in use.

  • Don’t use defaults with your wireless router.

  • Avoid accessing HIPAA information over an unsecured wireless network.

  • Do not share your files (e.g. Windows File & Printer Sharing should be off).

  • Use agency-provided flash storage devices only.

    • Currently the IronKey is the preferred secure option offered.
  • Encrypt HIPAA protected data on portable storage devices (laptops, USB devices, CD-ROMs, DVDs, etc.).

  • Do not store work related data on personal computers.