SECURITY, PRIVACY AND HIPAA POLICIES
SpringCM extends its commitment to protecting and securing personal data by following the general philosophy found in applicable security regimes, including the Health Insurance Portability and Accountability Act and its implementing regulations (collectively "HIPAA"). This includes adopting appropriate physical, technical and administrative safeguards to protect client confidential and personal information, including data that HIPAA defines as Protected Health Information (PHI). The following describes SpringCM functionality and safeguards that apply to our customers' data:
A. HIPAA
The greatest burdens that HIPAA places on covered entities include:
I. HIPAA's Individual Rights Provisions: Allowing an individual to access their record on demand and to see a record of when, and to whom, the record has been disclosed
II. HIPAA's Security Rule: Adequately securing Protected Health Information (PHI)
III. HIPAA's Document Retention Policy: Six-year mandatory document retention
IV. HIPAA's Audit Trail Policy: Ensuring identification of who accesses documents, and when, where and how
Here's how SpringCM can help you manage your HIPAA compliance obligations:
Compliance
The documents managed through our system can help a covered entity, or a business associate of a covered entity, respond in a timely manner to an individual's requests for access, amendment and disclosure accounting. SpringCM's secure document repository and powerful search capabilities allow organizations to electronically store, locate and manage large volumes of documents in a fraction of the time required by traditional filing processes.
For example:
- SpringCM enables a covered entity to search its entire repository and quickly assemble an individual's entire history of PHI in order to respond to an access request.
- SpringCM helps track disclosures of PHI: certain settings can be configured to record a disclosure to another entity. Along those lines, SpringCM can be used to capture (through keywords) the data required for an accounting of disclosures, such as the persons to whom a document was disclosed, a brief description of the disclosure, the date, etc.
- A new document can easily be created, stored and tagged for later retrieval to satisfy amendment requirements when the covered entity agrees to amend PHI on behalf of the individual.
SpringCM On-Demand Content Management
Security Rule Compliance
HIPAA requires covered entities to implement reasonable technical, administrative and physical safeguards to ensure the confidentiality of PHI. Those safeguards should be appropriate for the size and complexity of the covered entity's business. To that end, SpringCM provides a sophisticated and comprehensive security model.
Our technical controls include:
- Technical safeguards to secure clients' personal information where the data is hosted. These safeguards include firewalls, Intrusion Prevention Systems, Secure Sockets Layer (SSL) encryption over the public Internet for web-facing applications, authentication for remote access, and comprehensive protection against malware (malicious software) at Internet gateways, email gateways, file servers and desktops. SpringCM hardens its servers (i.e., permanently disables services that are not in use) and practices diligent security patch management to remediate vulnerabilities on servers.
- Clients may also audit the SpringCM security program on an annual basis, subject to applicable client confidentiality and security policies.
Our administrative controls include:
- A role-based access control policy restricts access to all computerized information through a strong password system.
- Access to software or data is prohibited unless specifically authorized by use of such a password and by the granting of rights by the administrator of the client's account.
- Users are given access only to the system resources containing personal data that they need in order to perform their roles. All other access to computer resources requires the approval of the data owner, who is typically a business leader responsible for the business functions supported by that data.
- Clients should give careful consideration to granting access only to the specific areas related to each user's job function, and should authorize those functions through the covered entity's Information Security Officer.
Our physical controls include:
- To protect PHI, SpringCM hosts all enterprise data in SpringCM's state-of-the-art hosting environment located with Qwest Communications, a tier-one hosting provider.
- SpringCM regularly undergoes third-party security audits.
- Among other features, your data is housed on a fully redundant, highly available Storage Area Network (SAN) in a restricted-access area; access is restricted by badge-reader systems, biometric access control (hand readers) and on-site facility guard staff.