In compliance with Federal, State and local regulations, Check In Systems publishes these policies and procedures. Check In Systems may have additional, unpublished policies and procedures that contain sensitive material.
Occasionally, customers of Student Check In use the software for clinics within their facility. Depending on the information collected, the information may be considered PHI (personal health information) and therefore be included in the regulations of HIPAA. For everyone's protection, Student Check In is also maintained in compliance with HIPAA regulations.
As a part of the Terms of Use, each subscriber and user is bound to a Business Associate Agreement. This agreement should be read and understood before use of the software as it contains legal responsibilities for the user, subscriber, covered entities and Check In Systems.
Although Check In Systems policies adhere to the same policies of a covered entity for security, documentation and reporting, the legal responsibilities of a Business Associate are different from those of a covered entity.
Detailed Description
Data created and maintained within the Check In Systems software is deemed the work product and property of the subscriber. In accordance with the BAA, no data will be used, shared or conveyed to any other party other than to meet legal obligations. Check In Systems will not access the data other than to provide support for the subscriber. Subscriber shall have access to download and/or destroy any and all data at their discretion and the subscriber relieves Check In Systems from the liability of monitoring the functions of export and deletion.
All HIPAA regulated data shall be stored within the United States. Currently, Check In Systems utilizes multiple facilities across the United States that store and serve data to the subscribers of service. These locations use hosted servers dedicated to each software version. All locations have redundant internet access as well as redundant hardware to ensure the best of availability. All hosting providers are contracted with Business Associate Agreements.
All databases are encrypted using rotating keys and when backed up, those encryption functions remain. Rotating keys are not stored in the same location. Backups are stored in individual files in a separate location designed for fast recovery.
Another requirement of HIPAA is the protection of computers and devices that have access to any PHI or HIPAA regulated data. This includes desktops, laptops, tablets and more. At Check In Systems, all computers and devices used to access customer data are encrypted, use strong passwords and are physically secured with limited access. Only persons with HIPAA training and a need to access the data have access to these computers. All subscriber computers that have access to PHI data should also be encrypted. At a minimum, we suggest that subscribers implement Microsoft Windows encrypted drives, strong passwords and locking screen savers.
All computers at Check In Systems are protected by real time malware detection software. Furthermore, computers are periodically scanned manually for malware and unusual internet activity.
All computers at Check In Systems that are used for accessing customer data are restricted from open internet access. This minimizes exposure to outside viruses and malware.
Portable devices such as CD, USB drives, and USB chips are restricted. Only specific admin users are allowed to use these devices and only for IT related duties. If a portable device is used for storage of PHI, it is required to be encrypted and stored within the locked safe at the corporate offices or a designated off-site safe of the privacy officer.
Passwords at Check In Systems are changed periodically (3-6 months). If an employee is terminated, all users must immediately change their password and all admin passwords are changed.
All servers at Check In Systems are protected using firewall technology to restrict ports, traffic patterns and IP access. Additionally, access to the servers is blocked from many countries outside of the U.S. Server logs are monitored regularly to ensure the firewall policies are up to date.
Computers and devices at Check In Systems are never repurposed. Any device at end of useful life is physically destroyed beyond recovery within 10 days of being removed from service.
In accordance with both the BAA and the policies of Check In Systems, the termination of a subscriber will begin the process of data destruction. Within 30 days, Check In Systems will destroy all databases, configurations and backups of that particular subscription. These items will no longer be recoverable. It is the responsibility of the subscriber to download any and all data prior to termination.
Our server operating systems and supporting software are monitored daily, with monthly reviews for applicable patches and updates. Updates are committed on an 'as needed' basis.
Check In Systems software and accounting systems do not store credit card information. Therefore, there are no policies of PCI compliance required. Credit card payment is accepted via Stripe merchant services. Stripe is a generally accepted merchant that provides services via programmed interfaces that integrate with accounting systems, yet no data is stored by the accounting software.
All browsers are to be set to delete temporary files when closed. This will remove all temporary files and remove passwords that could be used if accessed by an unauthorized user.
When an employee is finished for the day or leaves for an extended period, the desktop of that employee shall be clear of all materials that could contain notes, documents and information that may be useful to an unauthorized user. Notebooks used by employees for daily support shall be secured at the end of shift. When notebooks are full and no longer usable, they should be shredded within the office. Notebooks should never leave the office.
Employees are not to print any documents that may contain PHI or customer data except in the rare exception to support a subscriber. Any and all printed materials that may contain PHI or customer data shall be shredded by the end of shift or day.
Check In Systems shall execute a physical site audit no less than once a year to ensure compliance of employees, equipment and facilities. The site audit should be recorded within Compliancy Group documentation.
Check In Systems employees are under constant supervision and training. HIPAA training is a part of the employment guidelines to keep consistent with HIPAA regulations and employee awareness. Check In Systems uses many of the online training courses provided by Compliancy Group, a third party company dedicated to HIPAA compliance of companies like us.
Each employee of Check In Systems undergoes a background check before employment and/or access to any computer systems.
Check In Systems has a designated compliancy officer. This person is responsible for developing, implementing and regular auditing of policies used to maintain HIPAA compliance.
Incidents and breaches are two different things. Each has its own definition as set by the Department of Health and Human Services Office for Civil Rights (OCR). In accordance with HIPAA regulations, Check In Systems maintains a policy to report, document and correct the incident or breach. These policies utilize a third party to maintain the transparency expected of a professional organization.
The HIPAA Security Rule (45 CFR 164.304) describes a security incident as “an attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.” In accordance with this rule, Check In Systems has established a policy and tracking mechanism to deal with incidents. This policy uses a third party, Compliancy Group, to document and notify proper parties when an incident is detected.
HIPAA section 164.402 defines a breach as “the acquisition, access, use, or disclosure of protected health information in a manner not permitted under Subpart E of this part which compromises the security or privacy of the protected health information.” In accordance with this rule, Check In Systems has established a policy and tracking mechanism to deal with breaches. This policy uses a third party, Compliancy Group, to document and notify proper parties when a breach is detected.
Check In Systems employees are trained to immediately report any suspicion of an incident or breach to the Check In Systems compliancy officer. The compliancy officer is responsible for determining if the suspicion constitutes an actual incident or breach. Upon determining an incident or breach has occurred, the compliancy officer will complete the standard reporting form to document the issue. The report will include details of the incident, the specific entities that have been affected, and the actions that will be taken to correct and notify. This report should be printed and included in the third party documentation platform and the local confidential policy manuals. Follow-up reports should include remediation actions taken to prevent similar future issues.
In the event of an incident or breach, Check In Systems will first act to protect the data from further exposure or damage. Following remediation, an investigation should identify the cause of the incident or breach and the entities and/or persons whose data may have been exposed, and provide the information required for notifications to the covered entity. Notification will be made in accordance with the Reporting policy within this document and any contractual BAA obligations.
A subscriber of Check In Systems software as a service is expected to maintain their subscription to meet HIPAA and other legal requirements. These responsibilities include but are not limited to user maintenance, security levels, data exports and configuration.
Medical Check In provides a field for the subscriber to maintain HIPAA contact information. It is the responsibility of the subscriber to keep this information up to date. This field will be the primary notification contact. If this contact information is not available, Check In Systems will do their best to obtain a designated contact of the subscriber in the event of an incident or breach but notification may be delayed as a result.
According to the BAA, all parties are responsible for reporting to the other party, any incident or breach that may potentially affect a customer.
All notifications to Check In Systems shall be in written form (mail or email) to the following contact:
Check In Systems Inc
Privacy Compliance Officer
8401 9th St N
Suite E
St Petersburg, FL 33702
jcorn@medicalcheckin.com
In the event of a reportable incident or breach, primary notification to the subscriber will be sent to the contact information entered by the subscriber into the Check In Systems software. The HIPAA contact information is to be maintained by the subscriber and is updatable from the main menu. Notification should include the extent of the incident or breach that affects the subscriber, any known names or data entries that may have been affected, and the actions that have been taken to contain the damage.
Check In Systems software is focused on the business process of queuing customers. The data collected does not provide a method of notifying the people who may have signed in to the Check In Systems software. This prevents Check In Systems from directly notifying anyone who may need notification in the event of a breach. The subscriber may have additional information about their customers and therefore will be responsible for notification if needed.
Password expiration is an optional feature in Medical Check In software. Password expiration allows the system to periodically require new passwords on a user level. The subscriber can implement this feature in the configuration.
Access to Check In Systems software is only done via multi-factor authentication. User, password and system ID are required to access subscriber data. Certain displays with restricted data access may use only two-factor authentication.
Subscribers have the option to implement a lockout system that will lock a user's access if the user ID has 3 or 5 failed attempts. This feature must be activated by the subscriber admin within the configuration of each subscription.
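The following is an added illustration of the failed-attempt lockout described above; it is not Check In Systems code and says nothing about how the product implements the feature. The 3-or-5 threshold follows the text; the account structure, the event log, the admin unlock routine and the constructed sample credentials are assumptions made for the example.

```python
"""Illustrative account-lockout logic (added example, not Check In Systems code).

Assumptions: the subscriber-configurable threshold is 3 or 5 failed attempts
(per the policy text); a locked account refuses even a correct secret until an
admin unlocks it; a successful login resets the failure counter; lockouts are
recorded so they can be reviewed or forwarded to monitoring.
"""
import hmac
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class LockoutPolicy:
    max_failed_attempts: int = 5

    def __post_init__(self) -> None:
        # The policy text offers the subscriber a choice of 3 or 5 attempts.
        if self.max_failed_attempts not in (3, 5):
            raise ValueError("lockout threshold must be 3 or 5")


@dataclass
class UserAccount:
    user_id: str
    secret: str            # constructed sample credential; a real system stores a hash
    failed_attempts: int = 0
    locked: bool = False


class LoginGuard:
    """Tracks failed attempts per user ID and locks the ID at the threshold."""

    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.accounts: Dict[str, UserAccount] = {}
        self.events: List[str] = []   # audit trail of lockouts and unlocks

    def add(self, account: UserAccount) -> None:
        self.accounts[account.user_id] = account

    def attempt(self, user_id: str, secret: str) -> str:
        """Return 'ok', 'denied' or 'locked' for one login attempt."""
        acct = self.accounts.get(user_id)
        if acct is None:
            # Unknown IDs get the same answer as a bad secret, so the
            # response does not reveal which user IDs exist.
            return "denied"
        if acct.locked:
            return "locked"
        # Constant-time comparison avoids leaking how many characters matched.
        if hmac.compare_digest(acct.secret.encode(), secret.encode()):
            acct.failed_attempts = 0
            return "ok"
        acct.failed_attempts += 1
        if acct.failed_attempts >= self.policy.max_failed_attempts:
            acct.locked = True
            self.events.append(f"LOCKOUT user_id={user_id} "
                               f"after {acct.failed_attempts} failed attempts")
            return "locked"
        return "denied"

    def admin_unlock(self, user_id: str) -> bool:
        """Clear a lockout; this is an admin action, not something a login can do."""
        acct = self.accounts.get(user_id)
        if acct is None or not acct.locked:
            return False
        acct.locked = False
        acct.failed_attempts = 0
        self.events.append(f"UNLOCK user_id={user_id}")
        return True


if __name__ == "__main__":
    guard = LoginGuard(LockoutPolicy(max_failed_attempts=3))
    guard.add(UserAccount("alice", "s3cret-sample"))   # constructed credential
    for _ in range(3):
        guard.attempt("alice", "wrong")
    print(guard.attempt("alice", "s3cret-sample"))     # 'locked' until an admin unlocks
    print(guard.events)
```

The point worth keeping from the example is that the counter only resets on a successful login, that a locked account refuses the correct secret too, and that each lockout leaves an event that can be monitored; the page's own lockout behaves the way the page describes, not necessarily this way.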
As an industry standard for HIPAA, all transmission to and from Check In Systems software is restricted to TLS 1.1/1.2 communication. TLS is the newer and stronger successor to SSL. This ensures that all data is encrypted in motion.
As an industry standard for HIPAA, databases are encrypted at rest. Each location has a dedicated database and those databases are encrypted using rotating keys.
Medical Check In includes a role based security model with 3 levels. Standard user, reports and admin are levels 1, 3 and 5 respectively. Level 3 users have access to reports and export features. Level 5 admin users have complete control to add/edit/delete users, change configuration and mass delete data.
There are many features such as canned reports, exports and displays that may or may not be used by the end user. To streamline the user experience, admin users can turn these menu items on or off. This means the menu is restricted to the features the admin makes available.
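The following is an added example of the three-level role model and the admin menu toggles described in the two paragraphs above; it is not Medical Check In code. The level numbers 1, 3 and 5 and the grouping of features by level follow the text; the feature names, the menu-toggle set and the rule that a hidden menu item is still authorization-checked on the server are assumptions made for the example.

```python
"""Illustrative role-level authorization (added example, not Medical Check In code).

Assumptions: levels 1/3/5 as in the policy text; feature-to-level mapping is a
constructed approximation of the text; menu toggles decide what is *shown*,
while the level check is applied to every request regardless of the menu, so
hiding an item never becomes the only control.
"""
from typing import Iterable, List, Set

# Role levels named in the policy text.
LEVELS = {"standard": 1, "reports": 3, "admin": 5}

# Minimum level needed for each feature (constructed from the text's description).
FEATURE_MIN_LEVEL = {
    "checkin": 1,          # everyday queue use
    "reports": 3,          # canned reports
    "export": 3,           # data export
    "manage_users": 5,     # add/edit/delete users
    "configure": 5,        # change configuration, menu toggles
    "mass_delete": 5,      # mass delete data
}


def authorize(user_level: int, feature: str) -> bool:
    """Server-side check: unknown features fail closed, otherwise compare levels."""
    required = FEATURE_MIN_LEVEL.get(feature)
    if required is None:
        return False
    return user_level >= required


def menu_for(user_level: int, enabled_features: Iterable[str]) -> List[str]:
    """Menu items to render: enabled by the admin AND permitted for this level.

    Items the admin turned off are hidden; items above the user's level are
    hidden too. Order follows FEATURE_MIN_LEVEL so output is deterministic.
    """
    enabled: Set[str] = set(enabled_features)
    return [f for f in FEATURE_MIN_LEVEL
            if f in enabled and authorize(user_level, f)]


def handle_request(user_level: int, feature: str, enabled_features: Iterable[str]) -> str:
    """What a request handler should do: re-check the level even if the menu
    would have hidden the item, and treat admin-disabled items as unavailable."""
    if feature not in set(enabled_features):
        return "unavailable"       # admin turned this feature off
    if not authorize(user_level, feature):
        return "forbidden"         # level too low, whether or not it was in the menu
    return "ok"


if __name__ == "__main__":
    enabled = {"checkin", "export", "manage_users", "configure", "mass_delete"}
    print(menu_for(LEVELS["reports"], enabled))          # ['checkin', 'export']
    print(handle_request(LEVELS["standard"], "export", enabled))   # forbidden
```

The design point is that the menu toggle is a user-experience control and the level comparison is the security control; a request for a feature that is not in the user's menu still goes through the same level check.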