FAQ‎ > ‎

HIPAA and Security

HIPAA compliance is a complex question that requires a complex answer.  Doxio is only one part of any medical office's electronic network.  As the saying goes, "a chain is only as strong as its weakest link."

Doxio by default implements the following with regards to HIPAA:

  • enforces strong passwords for log-ins
  • works with Windows Domain networks so you can implement password policies and windows authentication
  • uses hierarchical rules for user access and supervision
  • keeps track of certain chart-related entries and logs them by user, date and time
  • prevents modification of 'locked encounters' and entered prescriptions
  • non-providers are not allowed to write prescriptions or alter the formulary
  • all patient data and documents are stored on the main server, so a stolen laptop or PC typically should not have stored patient information
  • encounters, prescriptions and tasks are stamped with a checksum field in order to comply with the data integrity specification of the HIPAA technical standard

YOUR RESPONSIBILITIES WITH REGARD TO HIPAA
  • review HIPAA and have someone in the organization in charge of HIPAA compliance
  • requiring a strong password for all users when logging on to Windows
  • locking the Windows desktop with a screen saver when not in use after a reasonable length of time (5-10 minutes)
  • requiring a password when logging back on from screen saver mode
  • keeping passwords in a safe location and not sharing them
  • disabling accounts once they are no longer needed (e.g. the user has gone to another job)
  • minimizing the number of users with admin privileges
  • keeping log of the backup drives and folders in case they are needed for a system restore
  • encrypt folders that store the Doxio database and documents
  • shredding documents (both printed and electronic) that are no longer needed; an excellent freeware program for this is Eraser
  • make sure Doxio is backed up up everyday.  This requires Doxio to be running on the server computer and having the [Autobackup] button activated.  See Doxio Help for details.

FOLDER ENCRYPTION

In order to safeguard against a physical breach (e.g. the server gets stolen), the user is encouraged to keep the database and documents ONLY in encrypted folders.   Same goes for backup copies.

Microsoft Windows has very good encryption functionality in the following versions of the software:
  • Windows Server 2003/2008/Small Business Server
  • Windows 7 Professional/Ultimate
  • Windows Vista Professional/Ultimate
  • Windows XP Professional
An excellent free software program called Truecrypt essentially can accomplish the same level of encryption and is actually easier to manage in my opinion.

With proper encryption in place, stolen computers or backup drives are essentially unreadable as long as the encryption passwords are not available.


LOCATING THE FOLDERS USED BY DOXIO

The location of the documents folder is listed under the [Settings] tab.  The location of the Doxio database is a bit more tricky to find. Doxio databases have an extension of .mdf for the main database and .ldf for the log file.  Both files are used by SQL Server and commonly reside in the same folder.  This folder is set when the Doxio database is first created and can be modified with backup and restore.  To find these files, search your computer for files that have the name of the database and have the extensions .mdf and .ldf.  For example, say your database is named "jsmithmd".  The corresponding database files are jsmithmd.mdf and jsmithmd.ldf.

The OS may keep cached copies of files like documents in temporary folders or within fax server file stores.  Doxio has no control over these cache locations.  To encrypt these locations too, you can opt to encrypt whole drives instead of folders only.  This is available with either Windows or Truecrypt.  That way, ALL files are unreadable, but your PC might have a slight/negligible performance hit.


OTHER RESOURCES

An excellent article for security in small business is available here
Click here for the HIPAA link on www.hhs.gov

Comments