Purpose

The aim of this policy is to set forth directives and protocols to uphold the confidentiality and protection of protected health information (PHI) as required by the Privacy Rule of the Health Insurance Portability and Accountability Act (HIPAA). It pertains to every staff member, contractor, and representative engaged in handling PHI within the organization.

Scope

This policy extends to all protected health information (PHI) acquired, generated, upheld, or transmitted by the organization, irrespective of the medium or layout in which it is stored or communicated. It encompasses all systems, procedures, and tasks related to PHI, encompassing electronic, paper-based, and verbal exchanges.

Definitions

Protected Health Information (PHI) encompasses any health information identifiable to an individual, covering demographic, medical, and payment data, generated or received by a covered entity. This information pertains to an individual’s past, current, or future physical or mental health or condition.

Covered Entity refers to any entity within the healthcare sector such as a healthcare provider, health plan, or healthcare clearinghouse, which electronically transmits health information.

Policy

Ellora Systems upholds a commitment to adhere to all local, state, and federal regulations governing its operations, striving to maintain the highest moral, legal, and ethical standards. The company is dedicated to conducting business activities in compliance with applicable laws, regulations, and policies related to the HIPAA. To ensure security and compliance with federal HIPAA Security Regulations, Ellora Systems has implemented an Information Access Management policy. This policy outlines several measures:

1. Guaranteeing the security of information networks and services, ensuring availability and protecting against unauthorized access.
2. Implementing network segmentation with varying levels of traffic controls based on organizational needs and data classification.
3. Allowing access to business information across public networks only after successful identification and authentication.
4. Separating event initiation from authorization to mitigate collusion risks.
5. Restricting access to management/privileged functions to authorized personnel based on the principle of least privilege.
6. Explicitly authorizing access to security functions and limiting access rights to applications and application functions.
7. Limiting outputs from application systems handling covered information and sending them only to authorized terminals/locations.
8. Formally authorizing, controlling, and allocating privileges to users based on a “need-to-know” basis and functional roles.
9. Avoiding the use of group, shared, or generic accounts and passwords, except in exceptional circumstances with clear business benefits and appropriate approval.
10. Limiting access granted to external parties to the minimum necessary and for the required duration.
11. Maintaining a current list of all workforce members with access to PHI/PII and authorized users of information assets.
12. Reducing or removing access rights to information assets and facilities when employment or workforce arrangements terminate or change.
13. Establishing account types, conditions for group and role membership, and modifying shared/group account credentials when users are removed from the group.
14. Prohibiting the copying, moving, printing, and storage of sensitive data accessed remotely without a defined business need.
15. Reviewing confidentiality and non-disclosure agreement requirements annually and when changes occur.
16. Maintaining and monitoring the status and location of unencrypted covered information.
17. Holding individuals accountable for actions initiated under their electronic signatures to deter falsification.
18. Requiring identity verification before establishing, assigning, or certifying an individual’s electronic signature.
19. Ensuring electronic signatures are linked to respective electronic records and unique to one individual.
20. User registration and deregistration processes are formally structured to encompass establishing, activating, modifying, reviewing, disabling, and removing accounts, including:
    1. Communication of relevant policies to users and mandatory acknowledgment (e.g., electronic signature).
    2. Verification of authorization and determination of the minimum level of access required before granting access.
    3. Ensuring access aligns with business needs, considering sensitivity/risk and compliance with segregation of duties requirements.
    4. Addressing account termination and transfer procedures.
    5. Ensuring removal or renaming of default accounts.
    6. Removing or blocking critical access rights for users who change roles or positions.
    7. Automatic removal or disabling of inactive accounts.

The Information Access Management provisions delineated in this document establish a security framework founded upon three addressable HIPAA implementation specifications outlined below. These measures, devised and executed by Information Technology, are implemented across each business unit of Ellora Systems to safeguard the confidentiality, integrity, and availability of electronic Protected Health Information (ePHI) held by the company. This policy encompasses various procedures, not limited to the following. Regular review and assessment of this policy and its associated procedures are imperative to ensure their continued viability and effectiveness

A. Access Authorization

B. Access Establishment and Modification

Procedure

Access Authorization

Supervisors hold the responsibility of granting access to Ellora Systems and its networks containing ePHI for their subordinates, aligning with each workforce member’s roles and responsibilities through “need to know” access controls. They also ensure that the access granted to ePHI for each subordinate remains suitable for their job function. The principle of separation of duties is employed to mitigate the risk of unauthorized or unintentional modification of information and systems. Tasks that are incompatible are assigned to different users to minimize the potential for misuse or fraudulent activities. Workforce members are prohibited from authorizing their own access to ePHI or receiving authorization from another supervisor. Individuals are accountable and liable for actions undertaken under their electronic signatures to deter any falsification of records or signatures, with legal considerations, including requirements for electronic signatures, being duly addressed.

Access Establishment and Modification

1. Periodic review of ePHI access levels granted to their workforce members and submission of any necessary access level change requests are the responsibilities of supervisors.
2. Role-based access control is implemented to assign each workforce member to one or more roles, and each role to one or more system functions.
3. Access to management functions or administrative consoles of systems is restricted to workforce members based on the principle of least privilege and supported through technical controls. Access rights to applications and application functions are limited to the minimum necessary using menus.
4. All file system access not explicitly required is disabled, and only authorized workforce members are permitted system access that is expressly required for the performance of their roles and responsibilities.
5. When a workforce member plans an internal transfer to another organization or department, the current supervisor must ensure that ePHI access based on current job roles is terminated, and the new supervisor must request ePHI access appropriate for the workforce member’s new roles and responsibilities.
6. Upon termination of employment with Ellora Systems, a workforce member’s supervisor is required to immediately notify Human Resources. Human Resources then notifies IT to terminate employee access to network and computer systems upon any workforce member’s termination from Ellora Systems. Note: Under no circumstances will ePHI access be granted to workforce members beyond the final date of their employment with Ellora Systems unless a Business Associate Agreement or other contract is filed.
7. Various account types are identified (individual, shared/group, system, application, guest/anonymous, emergency, and temporary), conditions for group and role membership are established, and, if used, shared/group account credentials are modified when users are removed from the group.
8. Identity verification of the individual is required prior to establishing, assigning, or certifying an individual’s electronic signature or any element of such signature.
9. Electronic signatures and handwritten signatures executed to electronic records are linked to their respective electronic records. Electronic signatures, unique to one individual, cannot be reused by or reassigned to anyone else.
10. User registration and deregistration procedures formally address establishing, activating, modifying, reviewing, disabling, and removing accounts. This includes communicating relevant policies to users and requiring acknowledgment, checking authorization and minimum access levels, ensuring access aligns with business needs, addressing termination and transfer, removing default accounts, blocking critical access rights of users who have changed roles or jobs, and automatically removing or disabling inactive accounts.
11. Non-compliance with this policy may result in immediate disciplinary action, up to and including termination of employment.

Privacy Officer

The organization will designate a Privacy Officer tasked with overseeing the implementation and adherence to HIPAA Privacy Rule requirements. This Privacy Officer will serve as the main point of contact for all privacy-related matters and will offer guidance, training, and support to employees

Employee Training

Every employee, contractor, and agent responsible for handling PHI will undergo thorough training on HIPAA privacy regulations, this policy, and associated procedures. Training will be provided upon hiring and regularly thereafter to maintain continuous compliance and awareness of privacy requirements.

Business Associates

When interacting with business associates or third-party vendors who may access PHI, appropriate business associate agreements will be established. These agreements will outline their responsibilities to safeguard PHI and comply with HIPAA regulations.

Individual Rights

Individuals possess certain rights concerning their PHI, including the right to access, amend, restrict disclosure, and receive an accounting of disclosures. Ellora Systems will establish procedures to facilitate the exercise of these rights and respond to individual requests within the required timeframe.

Breach Notification

In the event of a breach of unsecured PHI, the organization will promptly investigate and adhere to the HIPAA Breach Notification Rule.

Discovery of the Breach: The covered entity or business associate must ascertain when the breach was discovered or should have been discovered. It is imperative to swiftly investigate any potential breaches to ensure timely reporting and mitigation.

Breach Notification to individuals: If the breach poses a significant risk of financial, reputational, or other harm to the individual, the covered entity will notify the affected individuals without delay and no later than 60 days after the discovery of the breach.

It’s essential to emphasize that these timelines are contingent on the “discovery of the breach” rather than the occurrence of the breach itself. Swift detection and response to breaches are vital to comply with HIPAA requirements and mitigate potential harm to individuals.

Privacy and Security Incident Response

Ellora Systems will establish an incident response plan to promptly address privacy and security incidents.

The incident response team at Ellora Systems, comprising representatives from IT, compliance, operations, and communications, is responsible for handling privacy and security incidents. Led by the privacy officer, this team will develop an incident response plan outlining steps to detect, contain, analyze, mitigate, and communicate about incidents.

The incident plan will categorize incidents into various types, including Data Breaches, unauthorized access, malware infections, physical theft of devices, and employee misconduct. All privacy breaches will be promptly reported to the privacy officer, who will bring them to the incident response team’s attention.

Following incident resolution, Ellora Systems will conduct a post-incident analysis to identify root causes, assess response effectiveness, and implement preventive measures. This analysis will involve reviewing incident logs, conducting forensic investigations, and updating security controls.

Incident response plans will undergo continuous review and updates to address emerging threats, industry best practices, and regulatory changes. Additionally, regular testing of the incident response plan will be conducted to identify any gaps and enhance response capabilities.

Information Sharing:

Ellora Systems does not share any PII, including phone number, with any third parties/affiliates for marketing/promotional purposes. This data sharing excludes SMS opt-in data and consent.

Notification of Changes:

Any changes to this Privacy Policy will be posted on this page for user awareness. It is advisable to check back frequently for updates.

Compliance, Questions, and Concerns:

We actively monitor compliance with this policy. For questions or concerns, please contact us at hello@ellorasystems.com.