HIPAA Compliance
Medical Cybernetics, Inc. HIPAA Compliance Statement
Medical Cybernetics provides turn-key computer systems,
software products, and maintenance services to hospitals and long-term
care facilities. These products and services are integral parts of the
clinical and accounting functions which our clients perform, and as a
result, must comply with the Health Insurance Portability and Accountability
Act (HIPAA). We, at Medical Cybernetics, Inc., are considered a part of the
workforce of our clients and are termed Business Associates under HIPAA law.
As a business associate, we will not disclose Patient Health Information (PHI)
to any individual, agency or business outside of the workforce of said client
unless specifically directed by our client.
Our turn-key systems are installed on Unix servers. To secure these
systems and the PHI databases they contain, all non-essential Unix
services have been disabled or removed (e.g., telnet, FTP, sendmail, NFS,
rsh, rlogin, rexec, netstat, finger, …). No guest or anonymous user accounts
are allowed. PC connections to a Medical Cybernetics application must first
be authenticated by the institution's normal network login server; a secondary,
application-based login is also required. Remote access to the servers is
limited to secure shell (ssh) connections.
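The posture described above (legacy services off, no guest or anonymous accounts, ssh as the only remote path) can be verified rather than assumed. The script below is an added example, not Medical Cybernetics' own tooling; the socket dump and passwd lines it audits are constructed samples so it runs offline, and the service-to-port mapping is an assumption based on the well-known ports. On a live host the same functions can be fed the output of `ss -ltn` and the contents of `/etc/passwd`.

```shell
#!/bin/sh
# Added example: audit a Unix host against the stated hardening posture.
# Not Medical Cybernetics' code; samples below are constructed.

# Network services the statement says must be off, mapped to their
# well-known TCP ports (assumed mapping). netstat is a diagnostic
# command rather than a listening service, so it has no entry here.
FORBIDDEN="telnet:23 ftp:21 sendmail:25 nfs:2049 rsh:514 rlogin:513 rexec:512 finger:79"

# Constructed sample in the layout of `ss -ltn`: one header line, then
# "State Recv-Q Send-Q Local-Address:Port Peer-Address:Port".
SAMPLE_SOCKETS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    0.0.0.0:23          0.0.0.0:*
LISTEN 0      5      127.0.0.1:25        0.0.0.0:*
LISTEN 0      128    [::]:5432           [::]:*'

# Constructed /etc/passwd-style sample.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
sshd:x:74:74::/var/empty:/sbin/nologin
guest:x:1001:1001:Guest:/home/guest:/bin/sh
anonymous:x:1002:1002::/home/anon:/bin/sh
mci:x:1003:1003:App user:/home/mci:/bin/sh'

# Print the port of every LISTEN line. The port always follows the last
# colon, so IPv4 ("0.0.0.0:22") and IPv6 ("[::]:5432") both work.
listening_ports() {
    printf '%s\n' "$1" | awk '$1 == "LISTEN" { n = split($4, a, ":"); print a[n] }'
}

# Print the name of each forbidden service whose port is listening.
forbidden_listeners() {
    ports=$(listening_ports "$1")
    for entry in $FORBIDDEN; do
        name=${entry%%:*}
        port=${entry##*:}
        for p in $ports; do
            [ "$p" = "$port" ] && printf '%s\n' "$name"
        done
    done
    return 0
}

# Print guest/anonymous-style accounts that still have a real login shell.
guest_accounts() {
    printf '%s\n' "$1" | awk -F: '
        $1 ~ /^(guest|anonymous|anon|ftp)$/ && $7 !~ /nologin|false$/ { print $1 }'
}

# Exit 0 when the host matches the stated posture, 1 otherwise.
audit() {
    rc=0
    for svc in $(forbidden_listeners "$1"); do
        echo "FAIL: $svc is listening"; rc=1
    done
    for acct in $(guest_accounts "$2"); do
        echo "FAIL: guest-style account '$acct' has a login shell"; rc=1
    done
    [ "$rc" -eq 0 ] && echo "PASS: only expected listeners, no guest accounts"
    return $rc
}

# Run against the constructed samples. On a real host use live data:
#   audit "$(ss -ltn)" "$(cat /etc/passwd)"
audit "$SAMPLE_SOCKETS" "$SAMPLE_PASSWD" || echo "audit: host does not match stated posture"
```

Against the constructed samples the audit fails on two counts (telnet and sendmail listening) plus two guest-style accounts, which is the kind of drift a periodic check of this sort is meant to surface between maintenance visits.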
Within the Medical Cybernetics software products, numerous application
features exist to achieve HIPAA compliance. These features include:
- password-based user authentication
- creation of user access logs
- role-based access controls
- user-based auto log-off timeouts
- audit logging of PHI access
- audit logging of PHI additions, modifications and deletions
Although many of the HIPAA code sets and transaction specifications
are not applicable to the clinical functions performed by Medical Cybernetics
software products, we do provide transactional information to accounting systems
which are affected, and we therefore use the standard code sets where applicable
within our products.
To facilitate HIPAA compliance in maintenance services,
Medical Cybernetics has established written privacy policies and the
MCI HIPAA Compliance Training Manual, which details the procedures
for the secure handling of PHI and the responsibilities of each member
of our workforce regarding confidential information. Employee training
and education are developed and implemented by our designated Security/Privacy
Officer and are mandatory for each employee. Each employee must enter into a
written agreement with Medical Cybernetics, Inc. that he/she will not disclose
PHI, in accordance with the HIPAA Privacy regulations as outlined in the
training manual.
Alvah Dennis, President - Medical Cybernetics, Inc.
June 28, 2004