Information Security Policy & Procedures
Overview
OPIE Software is dedicated to our clients and their security needs within the HIPAA space. The OPIE Business Intelligence service is designed with security in mind, and we are dedicated to keeping our clients' data and private information confidential. We have established the Policies and Procedures below to ensure all OPIE Business Intelligence users understand the criticality of our clients' data.
Purpose
The purpose of this policy is to provide guidance that limits the use of PHI or ePHI. Additionally, this policy provides direction to ensure that regulations are followed and legal authority is granted for the dissemination and use of encryption technologies. This policy applies to all OPIE employees and its affiliates.
Scope
This policy covers the entirety of the OPIE Business Intelligence service.
General Policy
Recognized and Classified PHI and ePHI:
The HIPAA Privacy Rule protects most 'individually identifiable health information' held or transmitted by a covered entity or its business associate, in any form or medium, whether electronic, on paper, or oral. The Privacy Rule calls this information protected health information.
- Data transmitted, processed or stored within the OPIE Business Intelligence service is classified as ePHI. ePHI is covered under the HIPAA security regulations and is produced, saved, and transferred in electronic form.
- The OPIE Business Intelligence service contains ePHI that is identifiable by patient name and address.
- The ePHI may need to be inspected by OPIE Software staff during diagnostics, support, or feature upgrades to better serve our clients. ePHI may be accessed only for business-related reasons, and only by approved teams.
Encryption Policy
Guidance on the use of encryption technologies to protect ePHI.
- Information will be encrypted in transit.
- Ciphers in use must meet or exceed AES-256 cryptographic standards.
- Algorithms in use will be the standards defined in NIST publications.
- All servers and applications using SSL or TLS must have their certificates signed by a known and trusted provider.
Data Breach Response Policy
The HIPAA Breach Notification Rule requires covered entities to notify affected individuals, HHS, and in some cases, the media of a breach of unsecured PHI. Most notifications will be provided without unreasonable delay and no later than 5 days following the discovery of a breach. Notifications of smaller breaches affecting fewer than 500 individuals will be submitted to HHS annually. The Breach Notification Rule also requires business associates of covered entities to notify the covered entity of breaches at or by the business associate.
- SOC 1 report prepared by Microsoft Azure annually
- The Compliance Officer will provide their cell number to all employees so that breaches can be reported at all times.
- The Compliance Officer will ensure notification of all affected parties upon a breach.
- Once the Compliance Officer has determined the extent of the breach or exposure, the Compliance Officer, along with the designated team, will analyze the breach to determine the plan of action for each individual case. Law enforcement will be engaged to further review the InfoSec team's findings if malicious intent is discovered. If instructed by law enforcement, breach notifications may be delayed.
Incident Response Policy
The Incident Response Policy provides the impetus for security and business teams to integrate their efforts from the perspective of awareness and communication as well as coordinated response in times of crisis. The purpose of this policy is to establish the requirement that all business units supported by the InfoSec team develop and maintain a security response plan. This ensures that the InfoSec team has all the necessary information to formulate a successful response should a specific security incident occur.
In the event of a security incident affecting the OPIE Business Intelligence service, dedicated InfoSec team members will be available during non-business hours should escalation be required.
All security issues are categorized as High, Medium or Low based on assessment.
Workstation Security Policy
Appropriate measures must be taken when using workstations to ensure the confidentiality, integrity and availability of sensitive information, including protected health information (PHI), and to ensure that access to sensitive information is restricted to authorized users.
- Workforce members using servers shall consider the sensitivity of the information, including protected health information (PHI), that may be accessed and minimize the possibility of unauthorized access.
- OPIE Software will implement physical and technical safeguards for all servers that access electronic protected health information to restrict access to authorized users.
- Changes to IT assets are inspected by InfoSec team and run through manual and/or automated integration policies and testing infrastructure prior to staged deployment.
- Internal team HIPAA training covers the processes and procedures in place for adequately destroying scoped data (digital, physical and paper).
Remote Access Policy
- Remote access from personal computers is prohibited for OPIE staff.
- OPIE Business Intelligence services are offered through Microsoft Azure, and only authorized teams will be granted the minimum necessary access to the Microsoft Azure control console.
- The OPIE Support team may require access to troubleshoot client-level issues. All login sessions are logged for auditing.
Policy Compliance
Compliance Measurement
OPIE Software will verify compliance with this policy through various methods, including, but not limited to, business tool reports, internal and external audits, and feedback to the policy owner.
Exceptions
Any exception to the policy must be approved by OPIE Software in advance.