Data Protection Policy
The SurgicalPerformance data protection policy covers the appropriate safeguards to ensure overall security and protection of user data. These standards have been developed to comply with the Australian Privacy Act 1988 and the Health Insurance Portability and Accountability Act (HIPAA, 1996).
The standards cover:
- Administrative Safeguards: policies and procedures designed to clearly show how SurgicalPerformance will comply with HIPAA
- Physical Safeguards: controlling physical access to protect against inappropriate access to protected data
- Technical Safeguards: controlling access to computer systems and enabling covered entities to protect communications containing PHI transmitted electronically over open networks from being intercepted by anyone other than the intended recipient
- Organisational Requirements
All § numbers below refer to the Health Insurance Portability and Accountability Act (HIPAA, 1996).
Security Management Process
Implement policies and procedures to prevent, detect, contain and correct security violations. § 164.308(a)(1)
SurgicalPerformance will protect the confidentiality, integrity, and availability of ePHI by maintaining appropriate safeguards for the networks and systems that handle ePHI.
The SurgicalPerformance Security Official and Development Team are responsible for the development and maintenance of policies and procedures designed to prevent, detect, contain and correct security violations. Those policies are found in this document.
Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic Protected Health Information held by SurgicalPerformance. R – § 164.308(a)(1)(ii)(A)
The SurgicalPerformance Development Team is responsible for the development and maintenance of the HIPAA Assessment and Approval process. The Development Team must complete this process before a new system may be used to process or contain ePHI.
Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with §164.306(a). R – § 164.308(a)(1)(ii)(B)
The SurgicalPerformance Security Official, under the direction and with the assistance of the SurgicalPerformance Development Team, will maintain a continuous risk management program to ensure that appropriate security measures are implemented and maintained to protect the confidentiality, integrity, and availability of ePHI. Security measures will be commensurate with the risks to the information systems that store, process, transmit or receive ePHI, and will be designed to reduce the risks to ePHI to reasonable and manageable levels.
At a minimum, the risk management program will include the following:
- Formal risk analyses that document and prioritise risks to the information assets that store, process, transmit, or receive ePHI.
- Selection and implementation of reasonable, appropriate, and cost-effective security measures to manage or mitigate identified risks.
- A regular system update program to ensure that systems and software are protected from new software vulnerabilities.
- Regular review, evaluation and, if necessary, revision of security safeguards.
Apply appropriate sanctions against Workforce members who fail to comply with the security policies and procedures of SurgicalPerformance. R – § 164.308(a)(1)(ii)(C)
Protected Health Information is classified as Confidential Information by SurgicalPerformance. All staff members and sub-contractors of SurgicalPerformance are required to sign a confidentiality agreement, including appropriate criminal sanctions if confidentiality agreements are not upheld.
Information System Activity Review
Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. R – § 164.308(a)(1)(ii)(D)
All SurgicalPerformance systems are required to be connected to automated security monitoring and reporting solutions as defined by the SurgicalPerformance Development Team.
Administrators of such systems must also review activity and security logs on a reasonable periodic basis to confirm normal and expected system use. Potential security violations must be reported to the SurgicalPerformance Development Team. See Data Security Incident & Breach Reporting.
Assigned Security Responsibility
Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for SurgicalPerformance or a business associate. R – § 164.308(a)(2)
The Security Official is: Dr Andreas Obermair, [email protected]. The Security Official will:
- Ensure that the necessary and appropriate HIPAA related policies are developed and implemented to ensure that PHI is properly used and disclosed (privacy) and to safeguard the integrity, confidentiality, and availability of ePHI (security).
- Act as a spokesperson and single point of contact for SurgicalPerformance in all issues related to HIPAA security and privacy.
Implement policies and procedures to ensure that all members of its Workforce have appropriate access to electronic Protected Health Information, as provided under [the Information Access Management standard], and to prevent those Workforce members who do not have access under [the Information Access Management standard] from obtaining access to electronic Protected Health Information. R – § 164.308(a)(3)
SurgicalPerformance restricts access to electronic Protected Health Information (ePHI) to those staff members and sub-contractors that need access to the data to carry out their roles.
Authorisation and/or Supervision
Implement procedures for the authorisation and/or supervision of Workforce members who work with electronic Protected Health Information or in locations where it might be accessed. A – § 164.308(a)(3)(ii)(A)
SurgicalPerformance ePHI data is not accessible to non-authorised staff, sub-contractors or users.
Workforce Clearance Procedure
Implement procedures to determine that the access of a Workforce member to electronic Protected Health Information is appropriate. A – § 164.308(a)(3)(ii)(B)
Access to ePHI is authorised only to those SurgicalPerformance staff and sub-contractors with a legitimate “need to know” based on job responsibilities. Access is limited to the minimum level of access required to perform their job functions.
Confidentiality Agreements – All SurgicalPerformance staff and sub-contractors are required to follow all applicable laws and SurgicalPerformance policies and procedures. This includes the proper security and confidentiality of any PHI with which the member may come into contact.
Employment Agencies – When temporary workers are provided via an agency, the agency should give appropriate written assurances that it has reviewed the candidate’s background and has performed appropriate verification checks. It is the responsibility of SurgicalPerformance to ensure that the temporary worker adheres to all applicable SurgicalPerformance policies and procedures.
Implement procedures for terminating access to electronic Protected Health Information when the employment or engagement of a Workforce member ends or as required by determinations made in accordance with the Workforce clearance procedures. A – § 164.308(a)(3)(ii)(C)
SurgicalPerformance will electronically remove access to ePHI from staff and sub-contractors when their employment or engagement ends or when the access is no longer appropriate. The process will include:
- Internal notification to ensure that the appropriate personnel are made aware that the user’s access to ePHI is no longer required.
- Disabling the user’s accounts on networks and systems.
- Changing administrative or other shared passwords of which the user has been made aware.
Information Access Management
Implement policies and procedures for authorising access to electronic Protected Health Information that are consistent with the applicable requirements in the Privacy Rule. R – § 164.308(a)(4)
This policy ensures that SurgicalPerformance staff and sub-contractors needing access to ePHI have appropriate access, and provides procedural safeguards to ensure that access to ePHI is properly restricted.
Before access to ePHI can be provided to a user, that user must be authorised for the appropriate minimum level of access that their position requires. Access to ePHI and systems that store or process ePHI requires a valid and authorised user account and password. Users are required to authenticate themselves to these systems using their unique user accounts.
Isolating Health Care Clearinghouse Functions
If a health care clearinghouse is part of a larger organisation, the clearinghouse must implement policies and procedures that protect the electronic Protected Health Information of the clearinghouse from unauthorised access by the larger organisation. R – § 164.308(a)(4)(ii)(A)
Not applicable. SurgicalPerformance performs no clearinghouse functions.
Implement policies and procedures for granting access to electronic Protected Health Information, for example, through access to a workstation, transaction, program, process, or other mechanism. A – § 164.308(a)(4)(ii)(B)
- Access to PHI is limited to authorised users that have been approved and provided with an Administrator level account or access to SurgicalPerformance Servers.
- SurgicalPerformance will ensure that each of its Workforce members has received training and understands appropriate information handling, usage, and safeguards, and is aware of all applicable HIPAA Privacy and Security policies and procedures.
Access Establishment and Modification
Implement policies and procedures that, based upon the entity’s access Authorisation policies, establish, document, review, and modify a user’s right of access to a workstation, transaction, program, or process. A – § 164.308(a)(4)(ii)(C)
Each system containing ePHI must have one or more security administrators who will be responsible for controlling access to the ePHI once such access has been authorised in writing.
- The security administrator is responsible for establishing, modifying, and removing access to the ePHI maintained in the system based upon proper documented Authorisation as well as maintaining the Access Authorisation Form documenting the specific level of access granted.
- Once access has been granted, the security administrator will keep the request on file for a minimum of six years from the time access is terminated.
- Occasionally a user’s required access may change. SurgicalPerformance Managers and supervisors may request access modifications for a user. Such requests for changes will be submitted in writing.
- Managers and supervisors will notify the security administrator immediately when a user’s employment or term of engagement has terminated or when the current level of access to ePHI is no longer required. This notice must be in writing.
- The security administrator will be responsible for ensuring that access is removed within 24 hours of receiving the written request. In the event of involuntary termination or in other special circumstances, access may need to be removed immediately.
- SurgicalPerformance management will review user access levels on an annual basis to ensure that they are appropriate.
Security Awareness and Training
Implement a security awareness and training program for all members of its Workforce (including management). R – § 164.308(a)(5)
All SurgicalPerformance staff and sub-contractors must complete the security awareness and training program, and SurgicalPerformance must certify annually that its staff and sub-contractors have completed training. Completion of the training program is required before access can be granted to ePHI.
SurgicalPerformance has web-based and face-to-face training programs for all staff. The security awareness and training program will be updated from time to time, and new versions may be used to meet the security reminder requirement.
Periodic security awareness updates. A – § 164.308(a)(5)(ii)(A)
The SurgicalPerformance Development Team is responsible for issuing periodic security and awareness updates to the entire SurgicalPerformance community.
Protection from Malicious Software
Procedures for guarding against, detecting, and reporting malicious software. A – § 164.308(a)(5)(ii)(B)
All systems that contain or may be used to access ePHI are required to have anti-malware software installed, active and kept up-to-date. They are also required to have an active process in place to keep the operating system and installed software up-to-date.
Procedures for monitoring log-in attempts and reporting discrepancies. A – § 164.308(a)(5)(ii)(C)
Security monitoring software is required for any system that stores ePHI. Procedures for monitoring log-in attempts and reporting discrepancies are in place for SurgicalPerformance systems. Every time an end user logs in to a system that stores or processes ePHI, that access and any of their activities on that system are logged.
Users should remain alert for any suspicious access attempts. Suspicious behaviour should be reported to the SurgicalPerformance Development Team. See Data Security Incident & Breach Policy.
Procedures for creating, changing, and safeguarding passwords.
- Every user must have their own account.
- Accounts may not be shared.
- Strong passwords are required.
- A user may change a password at any time using the established process for changing the password.
- If anyone, even a user’s manager, demands a user’s password, refer them to this document or have them call the SurgicalPerformance Support Team ([email protected]).
- If a user knows or suspects that an account has been compromised, the user must report it to the SurgicalPerformance Support Team immediately. See Data Security Incident & Breach Policy.
Password audits may be performed on a periodic or random basis by the Security Official, or delegate. If a password is guessed or cracked during an audit, the user will be required to change the password.
Security Incident Procedures
Implement policies and procedures to address security incidents. R – § 164.308(a)(6)
The SurgicalPerformance Development Team is responsible for maintaining incident response capabilities, drafting associated policies and procedures, and responding to incidents. SurgicalPerformance is required to ensure that all staff and sub-contractors understand how to report a Data Security Incident. If any person knows or suspects that there has been a Data Security Incident, it is crucial that he or she report that event immediately. See the Data Security Incident & Breach Policy.
Response and Reporting
Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the SurgicalPerformance; and document security incidents and their outcomes. R – § 164.308(a)(6)(ii)
- Staff and sub-contractors are responsible for reporting known or suspected security issues. See Security Incident Procedures above.
- The SurgicalPerformance Development Team is responsible for responding to incidents in accordance with established procedures.
- Organisations are responsible for facilitating incident response and providing assistance where required.
Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic Protected Health Information. R – § 164.308(a)(7)
Contingency Planning recognises that a disaster may occur at some point in the future and develops detailed plans to deal with that disaster, providing an agreed level of interim capability. Included in Contingency Planning are procedures to successfully recover critical business and information assets following a disaster. The presence or absence of such plans impacts the risk associated with operating any system.
The Security Official is responsible for Contingency Planning. SurgicalPerformance may leverage services available from third party Information Systems & Technology providers in order to help meet Contingency Planning objectives.
Data Backup Plan
Establish and implement procedures to create and maintain retrievable exact copies of electronic Protected Health Information. R – § 164.308(a)(7)(ii)(A)
To ensure the recoverability of ePHI and other critical information assets, SurgicalPerformance maintains formal data backup procedures through Amazon Web Services.
Disaster Recovery Plan
Establish (and implement as needed) disaster recovery procedures to restore any loss of data. R – § 164.308(a)(7)(ii)(B)
Such a plan is operated through Amazon Web Services.
Emergency Mode Operation Plan
Establish (and implement as needed) Emergency Mode Operation procedures to enable continuation of critical business processes for protection of the security of electronic Protected Health Information while operating in emergency mode. R – § 164.308(a)(7)(ii)(C)
Such procedures are operated through Amazon Web Services.
Testing and Revision Procedures
Implement procedures for periodic testing and revision of contingency plans (the three plans above). A – § 164.308(a)(7)(ii)(D)
Such procedures are operated through Amazon Web Services.
Applications and Data Criticality Analysis
Assess the relative criticality of specific applications and data in support of other contingency plan components. A – § 164.308(a)(7)(ii)(E).
This section is not applicable to SurgicalPerformance because the data stored in SurgicalPerformance’s databases is not critically required to continue the clinical management of patients.
Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operations changes affecting the security of electronic Protected Health Information, that establishes the extent to which an entity’s security policies and procedures meet the requirements of this subpart [the Security Rule]. R – § 164.308(a)(8)
Systems that have been approved for ePHI will be reviewed every two years to ensure their continued compliance with the policies. At the same time, or upon the initiative of an involved party, relevant SurgicalPerformance policies may also be evaluated to ensure continued viability in light of technological, environmental, or operational changes that could affect the security of electronic Protected Health Information.
If any change is made to any HIPAA policy—enterprise or organisational—it must be made in accordance with the requirements below [See Documentation].
Facility Access Controls
Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorised access is allowed. R – § 164.310(a)(1)
SurgicalPerformance is cloud hosted. Physical access controls are not required.
Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency. A – § 164.310(a)(2)(i)
SurgicalPerformance is cloud hosted and contingency plans provided by the cloud host are in place.
Facility Security Plan
Implement procedures that allow access to facilities by appropriate personnel during a disaster or declared emergency situation to facilitate the retrieval of the backup media, hardware, and software necessary for the recovery of systems and restoration of lost data. See Disaster Recovery Planning A – § 164.310(a)(2)(ii)
All data is cloud-hosted in Amazon Web Services in a highly protected and redundant environment with automated snapshots and backups kept both locally and remote. In the event of an unrecoverable disaster, the site can be re-launched with an alternate provider.
Access Control and Validation Procedures
Implement procedures to control and validate a person’s access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision. A – § 164.310(a)(2)(iii)
SurgicalPerformance is cloud hosted and access control and validation procedures are provided by Amazon Web Services.
Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors, and locks). A – § 164.310(a)(2)(iv)
SurgicalPerformance is cloud hosted with such maintenance provided by Amazon Web Services.
Each SurgicalPerformance user is responsible for ensuring that all repairs, modifications, and maintenance performed on the physical access controls of its facilities are tracked and logged. The physical security controls include doors, locks, fences, badge readers, and surveillance equipment. R – § 164.310(b)
Implement physical safeguards for all workstations that access electronic Protected Health Information, to restrict access to authorised users. R – § 164.310(c)
- Users are prevented from accessing SurgicalPerformance without a valid account
- Additionally, sensitive areas can also be restricted with a PIN
- Usernames are not revealed on logged-in screens
- User accounts have a session timeout after which users are automatically logged out
Device and Media Controls
Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic Protected Health Information into and out of a facility, and the movement of these items within the facility. R – § 164.310(d)(1)
SurgicalPerformance is cloud hosted. Not Applicable.
Implement policies and procedures to address the final disposition of electronic Protected Health Information, and/or the hardware or electronic media on which it is stored. R – § 164.310(d)(2)(i)
SurgicalPerformance is cloud hosted. Not Applicable.
Implement procedures for removal of electronic Protected Health Information from electronic media before the media are made available for re-use. R – § 164.310(d)(2)(ii)
SurgicalPerformance is cloud hosted. Not Applicable.
Maintain a record of the movements of hardware and electronic media and any person responsible therefor. A – § 164.310(d)(2)(iii)
SurgicalPerformance is cloud hosted. Not Applicable.
Data Backup and Storage
Create a retrievable, exact copy of electronic Protected Health Information, when needed, before movement of equipment. A – § 164.310(d)(2)(vi)
SurgicalPerformance has automated daily local and remote backups of all content and code. The software is also on Source Control and all records have a full audit trail.
Implement technical policies and procedures for electronic information systems that maintain electronic Protected Health Information to allow access only to those persons or software programs that have been granted access rights. R – § 164.312(a)(1)
All admin access is restricted by login and user level. Server access is restricted by SSH Key. See the Administrative Safeguards section for details on procedures for granting rights.
Unique User Identification
Assign a unique name and/or number for identifying and tracking user identity. R – § 164.312(a)(2)(i)
All users have a unique login.
Emergency Access Procedure
Establish (and implement as needed) procedures for obtaining necessary electronic Protected Health Information during an emergency. R – § 164.312(a)(2)(ii)
This requirement is met by the Disaster Recovery Plan and Emergency Mode Operation Plan sections as provided by Amazon Web Services.
Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity. A – § 164.312(a)(2)(iii)
Sessions are set to log out automatically after a period of inactivity.
Encryption and Decryption
Implement a mechanism to encrypt and decrypt electronic Protected Health Information. (This item refers to data at rest. Data in motion is covered by Transmission Security.) A – § 164.312(a)(2)(iv)
PHI stored on the server is restricted to access with SSH keys and is limited to date data.
Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic Protected Health Information. R – § 164.312(a)(1)
Activity is logged in the application layer, server, hosting environment and external monitoring tools. Software monitors these various levels for unexpected changes and issues.
Implement policies and procedures to protect electronic Protected Health Information from improper alteration or destruction. R – § 164.312(c)(1)
All records have a full audit trail and log and cannot be deleted; they can only be made inactive.
Mechanism to Authenticate ePHI
Implement electronic mechanisms to corroborate that electronic Protected Health Information has not been altered or destroyed in an unauthorised manner. A – § 164.312(c)(2)
SurgicalPerformance monitors the integrity of the system, files and database. Contact the SurgicalPerformance Development Team for details of the currently enabled integrity monitoring solutions.
Person or Entity Authentication
Implement procedures to verify that a person or entity seeking access to electronic Protected Health Information is the one claimed. R – § 164.312(d)
Systems at SurgicalPerformance rely on a valid password as the proof that a user is indeed who he or she claims to be. This is why it is so important that a user has a good password and never shares that password. Two-factor authentication is also available and recommended on all admin accounts.
The SurgicalPerformance password requirements are:
- A user needs to select a strong password.
- A user is advised not to use the same password at SurgicalPerformance that they use in other places.
- A user is advised not to share the password with anyone (not a friend, a colleague, an assistant, a secretary, an IT support contact, no one).
- No user-level account may be set up as a shared account.
- A user should change their password regularly.
Administrative passwords are particularly sensitive and will be changed regularly. They must also be changed when someone who knows that password leaves SurgicalPerformance, or when a person’s need for administrator-level access expires.
If an account or password is suspected to have been compromised, SurgicalPerformance asks users to report the incident to the SurgicalPerformance Development Team and change the password. See Data Security Incident & Breach Reporting.
The SurgicalPerformance Development Team may periodically review password strength by attempting to guess or crack a password. If a password is guessed or cracked during one of these reviews, the user will be required to change that password.
Implement technical security measures to guard against unauthorised access to electronic Protected Health Information that is being transmitted over an electronic communications network. R – § 164.312(e)(1)
SSL Encryption is set on all communication and protects the data while it is being transmitted.
Implement security measures to ensure that electronically transmitted electronic Protected Health Information is not improperly modified without detection until disposed of. A – § 164.312(e)(2)(i)
SSL Encryption is set on all communication and protects the data while it is being transmitted. A full audit trail shows all changes made through the system and can be replayed, rolled back and compared to the stored data as required.
Implement a mechanism to encrypt electronic Protected Health Information whenever deemed appropriate. A – § 164.312(e)(2)(ii)
Data is protected by SSL encryption in transit. Passwords are also encrypted. All server management is also encrypted.
Policies and Procedures
Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in § 164.306(b)(2)(i), (ii), (iii), and (iv). This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirements of this subpart. SurgicalPerformance or a business associate may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart. R – § 164.316(a)
This document works together with the other SurgicalPerformance policies to meet this requirement.
(i) Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form; and (ii) if an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment. R – § 164.316(b)(1)
Formal policy documentation must be maintained to ensure that SurgicalPerformance has a clear understanding of management directives with respect to HIPAA compliance. These documents are published on the SurgicalPerformance website and have a full revision history showing all edits, including the author.
Retain the documentation required by paragraph (b)(1) of this section for 6 years from the date of its creation or the date when it last was in effect, whichever is later. R – § 164.316(b)(2)(i)
If any change is made to any HIPAA policy—enterprise or SurgicalPerformance—the previous version of the policy must be archived and remain available for 6 years starting from when the new policy goes into effect.
The SurgicalPerformance Security Official is responsible for maintaining historical copies of the policies.
Make documentation available to those persons responsible for implementing the procedures to which the documentation pertains. R – § 164.316(b)(2)(ii)
Documentation is publicly available on the SurgicalPerformance website.
Review documentation periodically, and update as needed, in response to environmental or operational changes affecting the security of the electronic Protected Health Information. R – § 164.316(b)(2)(iii)
This document will be evaluated when needed to ensure continued viability in light of technological, environmental, or operational changes that could affect the security of electronic Protected Health Information (ePHI).
The policy evaluation process may be triggered by one or more of the following events:
- Changes in the HIPAA Security Rule or Privacy Rule or other applicable law;
- Changes in technology, environmental processes, or business processes that may affect HIPAA Security policies or procedures;
- A material security violation, breach, or other security incident.