Using the Final Rules of the Health Insurance Portability and Accountability Act (HIPAA) as guidelines, Orion Software Development follows industry best practices for the privacy and security of protected health information. Orion Software Development is committed to continuing to provide and support a low-cost outcomes solution under this legislation through its current support plan.
The HIPAA privacy regulations define what information is considered protected health information (PHI). In supporting the product, Orion Software Development may come into contact with PHI. Orion Software Development's internal policies and procedures have been updated to address the HIPAA requirements.
Covered entities must comply with the HIPAA security regulations (45 CFR Part 164, Subpart C) by April 20, 2005. This rule, commonly called the "HIPAA Security Rule", adds requirements to those of the "HIPAA Privacy Rule", which went into effect April 14, 2003. Like the Privacy Rule, the Security Rule mandates administrative, physical and technical safeguards; it applies specifically to electronic protected health information (ePHI) and covers its confidentiality, integrity and availability. In contrast to the Privacy Rule, which requires only that safeguards be "adequate", the Security Rule sets forth specific standards and implementation specifications that covered entities must implement in order to comply.
The following is a list of the HIPAA security requirements by section number. The HIPAA rule is listed below the section title in italics. A description of how Orion Outcomes addresses those requirements follows along with the version in which it appears.
§ 164.308(a)(5)(ii)(C) Log-in Monitoring
Procedures for monitoring log-in attempts and reporting discrepancies.
- The application will display the last user logon date and time to permit the user to monitor the use of their access. (Version 3 & 4)
- Last login information for all users is available to the Administrator account. (Version 3 & 4)
§ 164.312(a)(2)(i) Unique User Identification
Assign a unique name and/or number for identifying and tracking user identity.
- The application supports individual user IDs. (Version 2 & 3 & 4)
- The application supports multiple administrator level accounts. (Version 4)
§ 164.312(a)(2)(ii) Emergency Access Procedure
Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.
- For a fee, Orion Software Development provides a method for authorized personnel to log in to the system in an emergency. (Version 2 & 3 & 4)
§ 164.312(a)(2)(iii) Automatic Logoff
Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
- The application will terminate a session after a predetermined time of inactivity. (Version 2 & 3)
- Time period is configurable by the Administrator account. (Version 2 & 3)
- Default time period is 20 minutes. (Version 2 & 3 & 4)
§ 164.312(a)(2)(iv) Encryption and Decryption
Implement a mechanism to encrypt and decrypt electronic protected health information.
- The application stores protected health information in an encrypted database. (Version 2 & 3 & 4)
- Only the application holds the key to decrypt the database. This protects the database files at rest (a copied database file cannot be read without the application); what an authenticated user can see inside the application is governed by its access controls and audit logging, not by the encryption. (Version 2 & 3 & 4)
§ 164.312(b) Audit Controls
Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
- The application records access to patient information, including read-only access, additions, modifications or deletions to protected health information. (Version 2 & 3 & 4)
- The application records exporting of data for benchmarking. (Version 2 & 3 & 4)
- The application records access attempts and failed logins. (Version 3 & 4)
- The application records user account creation, modification, and deletions. (Version 4)
§ 164.312(c)(1) and (c)(2) Integrity
(c)(1) Standard: Implement policies and procedures to protect electronic protected health information from improper alteration or destruction. (c)(2) Implementation specification, mechanism to authenticate electronic protected health information: Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.
The implementation specification in (c)(2) is listed as addressable in the HIPAA security requirements (the standard in (c)(1) is not). Orion Software Development has chosen not to implement an automated integrity mechanism at this time. Customers are encouraged to build integrity processes around the audit logs, for example by retaining exported audit logs where application users cannot alter them and checking them against the application's records. Feedback is welcome on acceptable automated mechanisms. (Version 2 & 3 & 4)
§ 164.312(d) Person or Entity Authentication
Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
- The application limits logon attempts per session. Excessive failed logon attempts result in the user account being disabled. (Version 2 & 3 & 4)
- Password length is configurable to require at least 6 characters. (Version 3 & 4)
- Password construction requirements, including the required use of numeric and/or special characters. (Version 3 & 4)
- Users are required to change their password periodically. (Version 3 & 4)
- A configurable password history ensures a previous password cannot be reused. (Version 3 & 4)
- New users are required to change their password on initial login. (Version 4)
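The mechanisms in this section (lockout after excessive failed logons, a configurable minimum length, numeric/special-character requirements, periodic change, a reuse history and a forced change on first login) fit together as one small authentication policy. The following is an added example written for this page and is not Orion Outcomes code; the thresholds other than the 6-character minimum (five failed attempts, five remembered passwords, 90-day expiry) are assumed values, and salted PBKDF2 hashing is one reasonable choice rather than what the product uses.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta

SPECIAL = set("!@#$%^&*()-_=+[]{};:,.<>?/")


@dataclass
class Policy:
    min_length: int = 6            # configurable minimum; the page states "at least 6"
    require_digit: bool = True     # numeric character required
    require_special: bool = True   # special character required
    history_size: int = 5          # assumed: retired passwords that may not be reused
    max_age_days: int = 90         # assumed: periodic change interval
    max_failed_attempts: int = 5   # assumed: failures before the account is disabled


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC-SHA256 (an assumed choice); per-password salts keep
    # history entries from being compared across accounts or cracked in bulk.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    username: str
    salt: bytes = b""
    pw_hash: bytes = b""
    history: list = field(default_factory=list)   # (salt, hash) of retired passwords
    changed_at: datetime = field(default_factory=datetime.now)
    failed_attempts: int = 0
    disabled: bool = False
    must_change: bool = True       # new users must change the initial password


def password_violations(policy: Policy, account: Account, candidate: str) -> list:
    """Return the policy rules a candidate password breaks (empty list if acceptable)."""
    problems = []
    if len(candidate) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.require_digit and not any(c.isdigit() for c in candidate):
        problems.append("no numeric character")
    if policy.require_special and not any(c in SPECIAL for c in candidate):
        problems.append("no special character")
    if account.pw_hash and secrets.compare_digest(
            hash_password(candidate, account.salt), account.pw_hash):
        problems.append("matches the current password")
    # History check: re-hash the candidate under each retired salt and compare.
    for salt, old_hash in account.history[-policy.history_size:]:
        if secrets.compare_digest(hash_password(candidate, salt), old_hash):
            problems.append("matches a previous password")
            break
    return problems


def set_password(policy, account, new_password, now=None, initial=False) -> list:
    """Apply a new password if it passes policy; returns the violations (empty on success)."""
    problems = password_violations(policy, account, new_password)
    if problems:
        return problems
    if account.pw_hash:
        account.history.append((account.salt, account.pw_hash))
        account.history = account.history[-policy.history_size:]
    account.salt = secrets.token_bytes(16)
    account.pw_hash = hash_password(new_password, account.salt)
    account.changed_at = now or datetime.now()
    account.must_change = initial     # an admin-set initial password must be changed at first login
    return []


def login(policy, account, password, now=None) -> str:
    """Authenticate; returns "ok", "ok_must_change", "bad_password" or "disabled"."""
    now = now or datetime.now()
    if account.disabled:
        return "disabled"
    if not secrets.compare_digest(hash_password(password, account.salt), account.pw_hash):
        account.failed_attempts += 1
        if account.failed_attempts >= policy.max_failed_attempts:
            account.disabled = True   # excessive failures disable the account until an admin re-enables it
            return "disabled"
        return "bad_password"
    account.failed_attempts = 0       # a successful logon resets the counter
    expired = now - account.changed_at > timedelta(days=policy.max_age_days)
    if account.must_change or expired:
        return "ok_must_change"       # authenticated, but a new password is required before continuing
    return "ok"
```

Two details matter for the audit-control requirements in the next sections: the history is kept as salted hashes, never as the old passwords themselves, and a disabled account stays disabled for the correct password too, so the audit log (not the login response) is where an administrator should look to distinguish a forgotten password from a guessing attack.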
§ 164.312(e)(2)(i) Transmission Security – Integrity Controls
Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.
- The application applies tamper-detection controls to the database before transferring it, so that modification in transit can be detected on receipt. (Version 2 & 3 & 4)
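The Integrity section above leaves integrity processes for the audit logs to the customer, and this section describes tamper controls applied to the database before transfer. Both come down to the same mechanism: a keyed tag (here HMAC-SHA256) that the receiving side recomputes and compares. The following is an added example written for this page and is not Orion code; the key, the sample audit entries and the record layout are constructed for illustration. The chained tag per audit entry (each tag also covering the previous tag) goes beyond what the page describes, so that an edited, deleted or truncated entry is located, not just detected.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64   # "previous tag" used for the first record of a chain


def seal(data: bytes, key: bytes) -> str:
    """HMAC-SHA256 tag to send alongside a file (e.g. an exported database)."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_seal(data: bytes, key: bytes, tag: str) -> bool:
    """Receiver recomputes the tag; a modified file or a wrong key fails (constant-time compare)."""
    return hmac.compare_digest(seal(data, key), tag)


def _entry_tag(key: bytes, prev: str, entry: dict) -> str:
    # Canonical JSON so the same entry always serialises to the same bytes;
    # covering the previous tag links the records into a chain.
    body = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, (prev + body).encode(), hashlib.sha256).hexdigest()


def append_entry(log: list, key: bytes, entry: dict) -> dict:
    """Append an audit entry with a tag that chains it to the record before it."""
    prev = log[-1]["tag"] if log else GENESIS
    record = {"entry": entry, "prev": prev, "tag": _entry_tag(key, prev, entry)}
    log.append(record)
    return record


def verify_chain(log: list, key: bytes, head: str = None):
    """Walk the chain; returns (True, None) or (False, index of the first bad record).

    Passing the last known-good tag as `head` also detects truncation of the tail,
    which the chain alone cannot: a shortened log is still a valid chain."""
    prev = GENESIS
    for i, rec in enumerate(log):
        expected = _entry_tag(key, prev, rec["entry"])
        if rec["prev"] != prev or not hmac.compare_digest(rec["tag"], expected):
            return False, i
        prev = rec["tag"]
    if head is not None and prev != head:
        return False, len(log)
    return True, None


# Constructed sample audit entries (not real log data).
SAMPLE_ENTRIES = [
    {"ts": "2005-04-21T08:02:11", "user": "jsmith", "action": "read", "patient_id": "P-1001"},
    {"ts": "2005-04-21T08:05:40", "user": "jsmith", "action": "modify", "patient_id": "P-1001"},
    {"ts": "2005-04-21T08:09:03", "user": "admin", "action": "export", "patient_id": None},
]


def build_sample_log(key: bytes) -> list:
    log = []
    for entry in SAMPLE_ENTRIES:
        append_entry(log, key, dict(entry))
    return log


if __name__ == "__main__":
    key = b"constructed-demo-key"   # in practice a secret shared with the verifier, kept off the logging host
    log = build_sample_log(key)
    print(verify_chain(log, key))        # (True, None)
    log[1]["entry"]["action"] = "read"   # retroactively hide a modification
    print(verify_chain(log, key))        # (False, 1)
```

The key is what makes this an integrity control rather than a checksum: an unkeyed hash only catches accidental corruption, because anyone who can edit the log can recompute it. The key therefore must not live on the host whose logs it protects, and the latest tag (the `head`) should be recorded somewhere the application users cannot write. For the database transfer, the tag travels with the file and the benchmarking side recomputes it after download.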
§ 164.312(e)(2)(ii) Transmission Security – Encryption
Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.
- The application transfers benchmarking data over the Internet using Secure File Transfer Protocol (SFTP, file transfer over an SSH connection), with the session encrypted using AES-192. (Version 2 & 3 & 4)
Benchmarking Services and PHI
Benchmarking outcomes is part of the continuous quality improvement process, which falls under health care operations. As such, a patient authorization (release form) is not required under HIPAA. It is recommended that you state in your informed consent that PHI will be used for outcomes and benchmarking purposes.
For compliance with HIPAA, you must choose one of the following options when submitting your data for benchmarking:
|Method|PHI Included|PHI Excluded|Requirements|
|---|---|---|---|
|De-identified Data Set|None|All|No legal agreement required.|
|Limited Data Set| | |Requires a Data Use Agreement between Orion and your program/hospital.|
|Full Data Set|All|None|Requires a Business Associate Agreement between Orion and your program/hospital.|
A unique identifier is assigned to each patient record when it is first created. This identifier is used internally during synchronization at the benchmarking site and allows the covered entity to re-identify a patient if necessary. Note that under § 164.514(c) a re-identification code must not be derived from information about the patient, and the means of re-identification must not be disclosed with the data set.
The software presents the three options during the benchmarking process.
Version 3.01.000 or higher of Orion Outcomes is required to meet the HIPAA security requirements described above. This version is a free service release to all version 3 owners.
Customers using version 2 of Orion Outcomes are encouraged to upgrade to version 4 in order to meet the HIPAA Security Rule. The required security mechanisms are not available in version 2, which was developed before the Security Rule was introduced. Version 2 does comply with the HIPAA Privacy Rule.
Download the latest version of Orion Outcomes at http://orionoutcomes.com/support/downloads/
For more information or specific questions regarding this policy, contact our support department.
Frequently Asked Questions
Q: Is your software HIPAA compliant?
A: There is no such thing as "HIPAA compliant" software, and there is no "seal of approval". HIPAA places its requirements on covered entities and their business associates, not on software; software such as Orion Outcomes provides mechanisms that help a covered entity meet those requirements, as described above.
Q: Do you have an MDS2 form?
A: Yes, you can download it here.
Q: Will you be developing conversion tools?
A: Conversion tools are not necessary.
Q: Will you sign our Business Associate Agreement or Data Use Agreement?
A: Yes, send it to us at our corporate address. The legal name to be used in the agreement is Orion Software Development, Inc.
Q: Can I submit data using a lesser method of PHI even though we have executed a Business Associate Agreement with Orion?
Q: Which benchmarking data set method do you recommend?
A: We recommend Limited Data Set. It gives us accurate information for benchmarking while maintaining a high level of privacy for protected health information.