HIPAA

Reporting and audit compliance for the healthcare industry

The Health Information Portability and Accountability Act requires organizations to safeguard patients’ protected health information (PHI), restricting and monitoring access to any systems that house it. HIPAA includes a privacy rule that concerns appropriateness and disclosures of collected, stored, or distributed information, and the ability of patients to opt-out of certain information usages.

Servergraph for HIPAA

In typical implementations, your PHI would never be stored directly within Rocket® Servergraph. The Servergraph solution collects only metadata about your backup process, not the content of the backed-up data. However, Servergraph can support the contingency planning, data availability, and data integrity controls that HIPAA requires.

Relevant criteria and capabilities

HIPAA Requirements

Rocket Servergraph Capabilities

Contingency Plan: 164.308(a)(7)

Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic PHI.

Servergraph collects information from backup software, hardware, and processes in your environment to document that data backups are operating in accordance with your organizational policies.

Traps, reports, and alerts are customizable to capture relevant information for all of your backup control requirements.

Reports and alerts can be automatically distributed to any individuals, supporting segregation of duties and facilitating review and monitoring processes.

Backup collection logs and reports are retained within Servergraph for a fully configurable duration to maintain historical evidence.

The Server Monitor feature shows real-time statistics and alerts for backup systems such as storage utilization and disk capacity.

Facility Access Controls: 164.310(a)(1)

Implement policies and procedures to limit physical access to electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.

Systems are installed on premises, and the organization can implement physical and environmental controls as with all other computing equipment.

Access Control: 164.312(a)(1)

Implement technical policies and procedures for electronic information systems that maintain electronic PHI to allow access only to those persons or software programs that have been granted access rights as specified in 164.308(a)(4).

Servergraph is agentless and requires only a read-only service account to operate, preventing unintentional or unauthorized modification of network systems and data.

Servergraph supports unique user IDs for all individuals accessing the system, and uses LDAP integration with Active Directory credentials.

System administration is performed through the separate administration client, with access restricted to designated administrative users.

Detailed, customizable permissions can be configured for each user to support the rule of least privilege and segregation of duties.

Audit Controls: 164.312(b)

Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic PHI.

System logs are available to record all data collection activities performed by Servergraph over your backup systems.

Integrity: 164.312(c)(1)

Implement policies and procedures to protect electronic PHI from improper alteration or destruction.

Servergraph is agentless and requires only a read-only service account to operate, preventing unintentional or unauthorized modification of network systems and data.

Person or Entity Authentication: 164.312(d)

Implement procedures to verify that a person or entity seeking access to electronic PHI is the one claimed.

Passwords are required for all users attempting to log into the system. Local credentials are stored in encrypted hash format. Servergraph offers LDAP integration with Active Directory credentials, inheriting your organization’s network-level authentication requirements.

Documentation: 164.316(b)(1)

(i) Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form.
(ii) If an action, activity, or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment.
(iii) Make documentation available to those persons responsible for implementing the procedures to which the documentation pertains.

Servergraph collects information from backup software, hardware, and processes in your environment to demonstrate that data backups are operating in accordance with your organizational policies. Reports and alerts can be automatically distributed to any individuals, supporting segregation of duties and facilitating review and monitoring processes.

Documentation Specifications: 164.316(b)(2)

(i) Time limit: Retain the documentation required by paragraph (b)(1) of this section for six years from the date of its creation or the date when it last was in effect, whichever is later.
(ii) Availability: Make documentation available to those persons responsible for implementing the procedures to which the documentation pertains.
(iii) Updates: Review documentation periodically and update as needed in response to environmental or operational changes affecting the security of the electronic PHI.

Backup collection logs and reports are retained within Servergraph for a fully configurable duration to maintain historical evidence.

Aldon for HIPAA

In typical implementations, your PHI would never be stored directly within Rocket® Aldon Lifecycle Manager (LM). While LM may be used to develop products that fall under the requirements of HIPAA, the underlying code of those products (i.e., the data stored in LM) should not itself contain PHI. In the event that Aldon Lifecycle Manager contains PHI, or that it touches PHI in test environments, relevant HIPAA requirements and the capabilities LM offers are listed below.

Relevant criteria and capabilities

HIPAA Requirements

Rocket Aldon Lifecycle Manager Capabilities

Workforce Security: 164.308(a)(3)

Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information.

Aldon Lifecycle Manager and its associated modules (Lifecycle Manager IBM i Edition (LMi), Lifecycle Manager Enterprise Edition (LMe), Community Manager (CM), and Security Service Manager) support unique user IDs for all individuals accessing the systems.

Detailed, customizable role-based access levels allow an organization to define the exact capabilities of each system user. Permissions are granular to support any organization’s business needs according to the rule of least privilege and segregation of duties.

Reports are available showing all users with their associated access capabilities.

Information Access Management: 164.308(a)(4)

Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part.

The CM module supports automated, system-driven workflows that may include access request, authorization, and provisioning processes.

Reports are available showing all administrative activity performed within the system, including the modification of user access and roles.

Security Awareness and Training: 164.308(a)(5)

Implement a security awareness and training program for all members of its workforce (including management).

The CM module supports automated, system-driven workflows that may include information security training programs.

Facilities Access Controls: 164.310(a)(1)

Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.

Systems are installed on premises, and the organization can implement physical and environmental controls as with all other computing equipment.

Access Control: 164.312(a)(1)

Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in § 164.308(a)(4).

Aldon LM and its associated modules (LMi, LMe, CM and Security Service Manager) support unique user IDs for all individuals accessing the systems.

Detailed, customizable role-based access levels allow an organization to define the exact capabilities of each system user. Permissions are granular to support any organization’s business needs according to the rule of least privilege and segregation of duties.

Audit Controls: 164.312(b)

Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.

All actions performed within the system, including accessing or modifying data, are logged and auditable.

Integrity: 164.312(c)(1)

Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.

Access to modify data is restricted to users specifically authorized within that development release and environment.

All changes made to code are highlighted by the Harmonizer module, allowing the organization to validate that all changes were made in accordance with an approved work order.

Person or Entity Authentication: 164.312(d)

Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.

Passwords are required for users to access each system. LMi also supports integration with IBM i user credentials, and Community Manager supports LDAP integration with Active Directory credentials.

Transmission Security: 164.312(e)(1)

Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.

Users access the web-based LMe, Security Service Manager, and CM systems using encrypted HTTPS sessions. LMi utilizes encrypted SSH sessions.

All data in transit, including code being checked in or out or moved to new environments, is encrypted.

Questions? Call us: U.S. +1 855-577-4323