HIPAA Related Protocols

This document identifies how Omega Forms complies with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). When Omega Forms provides services to clients that require HIPAA compliance, this document can also serve as a Business Associate Agreement between Omega Forms (the Business Associate) and the Client (Covered Entities). This document may exceed clarity normally found in Business Associate Agreements in that it not only specifically lists each part and section of HIPAA that Omega Forms adheres to, but this document also provides the protocols Omega Forms itself uses to comply with HIPAA and the restrictions Omega Forms places on Clients who use HIPAA related information in conjunction with the services offered by Omega Forms. Each part and section of HIPAA that Omega Forms establishes a protocol on follows.

PART 160—GENERAL ADMINISTRATIVE REQUIREMENTS

§ 160.102 (3) (b) Where provided, the standards, requirements, and implementation specifications adopted under this subchapter apply to a business associate.

This document was created and is maintained to establish Omega Forms as a “business associate” with regards to Clients obtaining services with Omega Forms. This document will list all sections of the HIPAA Administrative Simplification (hereinafter referred to as “HIPAA”) that Omega Forms uses to establish protocols. Such protocols will either be listed or referenced in this document. If a section is not listed in this document, Clients acknowledge that Omega Forms may not provide services relating to such sections and the Client assumes full responsibility for ensuring HIPAA compliance. Clients wishing Omega Forms to establish protocols pertaining to specific sections of HIPAA, or to change or clarify existing protocols on specific sections of HIPAA, may request this of Omega Forms, but any additions or changes are not effective until listed in this document.

§ 160.304 (a) Cooperation. The Secretary will, to the extent practicable and consistent with the provisions of this subpart, seek the cooperation of covered entities and business associates in obtaining compliance with the applicable administrative simplification provisions.

Omega Forms will cooperate with government officials with regards to all laws and in ensuring Omega Forms’ compliance with HIPAA.

§ 160.310 (a) Provide records and compliance reports. A covered entity or business associate must keep such records and submit such compliance reports, in such time and manner and containing such information, as the Secretary may determine to be necessary to enable the Secretary to ascertain whether the covered entity or business associate has complied or is complying with the applicable administrative simplification provisions.

Omega Forms is taking preemptive measures to ensure records and compliance reports are available to the Secretary and Clients by publishing Internal Audits Omega Forms conducts. These Internal Audits may be viewed by accessing the following webpage: http://www.omegaforms.com/category/audits

§ 160.310 (c) Permit access to information. (1) A covered entity or business associate must permit access by the Secretary during normal business hours to its facilities, books, records, accounts, and other sources of information, including protected health information, that are pertinent to ascertaining compliance with the applicable administrative simplification provisions. If the Secretary determines that exigent circumstances exist, such as when documents may be hidden or destroyed, a covered entity or business associate must permit access by the Secretary at any time and without notice.

Omega Forms does not keep documents in physical form other than copies of contracts with Clients, copies of regulations, and turnover content relating to the services provided by Omega Forms in general. This policy by Omega Forms of “Minimal Paper” stems from the cloud services Omega Forms offers. Omega Forms will provide to the Secretary pertinent digital information.

§ 160.312 (a) Resolution when noncompliance is indicated. (1) If an investigation of a complaint pursuant to § 160.306 or a compliance review pursuant to § 160.308 indicates noncompliance, the Secretary may attempt to reach a resolution of the matter satisfactory to the Secretary by informal means. Informal means may include demonstrated compliance or a completed corrective action plan or other agreement.

Omega Forms will place any corrective action plans or other agreements under the Internal Audits section of this website (www.omegaforms.com).

§ 160.314 (a) The Secretary may issue subpoenas in accordance with 42 U.S.C. 405(d) and (e), 1320a-7a(j), and 1320d-5 to require the attendance and testimony of witnesses and the production of any other evidence during an investigation or compliance review pursuant to this part. For purposes of this paragraph, a person other than a natural person is termed an “entity.”

Omega Forms will keep updated Contact Information on the Contact Page for this website. This Contact Page can be used by accessing the following webpage: http://www.omegaforms.com/contact

§ 160.316 Refraining from intimidation or retaliation. A covered entity or business associate may not threaten, intimidate, coerce, harass, discriminate against, or take any other retaliatory action against any individual or other person for— (a) Filing of a complaint under § 160.306; (b) Testifying, assisting, or participating in an investigation, compliance review, proceeding, or hearing under this part; or (c) Opposing any act or practice made unlawful by this subchapter, provided the individual or person has a good faith belief that the practice opposed is unlawful, and the manner of opposition is reasonable and does not involve a disclosure of protected health information in violation of subpart E of part 164 of this subchapter.

Omega Forms’ ability to provide services relies on trust and good faith with its clients. If Omega Forms appears to be operating in any illegal or negligent manner, Omega Forms dictates that Clients, at a minimum, first notify Omega Forms via email, phone, or in person so that any legitimate issues can be rectified; or at a minimum, issues can be documented by all parties. After such communication between a concerned Client and Omega Forms, should matters escalate to requiring the attention of the Secretary, or should the Secretary take action without the knowledge of a client, no negative actions will be taken by Omega Forms. Should a Client not communicate to Omega Forms a concern, and instead notify the Secretary, the trust that Omega Forms had with the client may be damaged and Omega Forms may pursue terminating services with the Client in a manner that will not harm or disrupt care for individuals under the Client’s services. The only negative actions that may arise from any proceedings with the Secretary would be a decision to end specific services, to all Clients, related to areas that were found to be in noncompliance; such termination of services would be done in a manner that would present the least amount of difficulties for Clients, unless otherwise directed by the Secretary.

§ 160.406 Violations of an identical requirement or prohibition. The Secretary will determine the number of violations of an administrative simplification provision based on the nature of the covered entity’s or business associate’s obligation to act or not act under the provision that is violated, such as its obligation to act in a certain manner, or within a certain time, or to act or not act with respect to certain persons. In the case of continuing violation of a provision, a separate violation occurs each day the covered entity or business associate is in violation of the provision.

Should the Secretary find violations with Omega Forms, Omega Forms may suspend services immediately to any area Omega Forms deems necessary to prevent separate violations from occurring.

§ 160.408 Factors considered in determining the amount of a civil money penalty. In determining the amount of any civil money penalty, the Secretary will consider the following factors, which may be mitigating or aggravating as appropriate: (a) The nature and extent of the violation, consideration of which may include but is not limited to: (1) The number of individuals affected; and (2) The time period during which the violation occurred; (b) The nature and extent of the harm resulting from the violation, consideration of which may include but is not limited to: (1) Whether the violation caused physical harm; (2) Whether the violation resulted in financial harm; (3) Whether the violation resulted in harm to an individual’s reputation; and (4) Whether the violation hindered an individual’s ability to obtain health care;

Omega Forms provides services that allow Clients to create an unspecified number of records on individual people covering unspecified data. Omega Forms dictates that a Client cannot create any record in Omega Forms that, should the record become compromised, would cause any physical, financial, or reputational harm to an individual or would hinder an individual’s ability to obtain health care. An exception may be made, by the Client, to record potential financial or reputational harm on an individual so long as the Client assumes full responsibility to rectify any damages caused by any damaging incident regardless of the incident being the fault of Omega Forms. This restriction does not prevent a Client from entering data that would cause financial or reputational harm to a Client’s business; however, Omega Forms will only provide compensation to a Client in a manner that does not exceed the value of the last three months of services paid to Omega Forms from that Client at the time of discovery of a damaging incident.

§ 160.426 Notification of the public and other agencies. Whenever a proposed penalty becomes final, the Secretary will notify, in such manner as the Secretary deems appropriate, the public and the following organizations and entities thereof and the reason it was imposed: the appropriate State or local medical or professional organization, the appropriate State agency or agencies administering or supervising the administration of State health care programs (as defined in 42 U.S.C. 1320a-7(h)), the appropriate utilization and quality control peer review organization, and the appropriate State or local licensing agency or organization (including the agency specified in 42 U.S.C. 1395aa(a), 1396a(a)(33)).

Omega Forms further extends the right of the Secretary to have any notifications made publicly available on the Omega Forms website, or any related website under Omega Forms’ control, as deemed appropriate by the Secretary.

PART 162—ADMINISTRATIVE REQUIREMENTS

Due to the dynamic nature of Omega Forms, in that Clients are able to establish how and with whom data is handled by the Omega Forms platform, the Client assumes full responsibility for ensuring any Standard Transaction is conducted in the appropriate manner per Part 162 of HIPAA.

PART 164—SECURITY AND PRIVACY

§ 164.106 Relationship to other parts. In complying with the requirements of this part, covered entities and, where provided, business associates, are required to comply with the applicable provisions of parts 160 and 162 of this subchapter.

Omega Forms has listed above all the provisions of parts 160 and 162 that Omega Forms has determined, and that the Client, by obtaining services from Omega Forms, agrees are applicable to Omega Forms as a business associate.

§ 164.302 Applicability. A covered entity or business associate must comply with the applicable standards, implementation specifications, and requirements of this subpart with respect to electronic protected health information of a covered entity.

Omega Forms’ protocols to achieve compliance to the applicable standards, implementation specifications, and requirements to the referenced subpart are listed below.

§ 164.306 (a) (1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits.

To ensure confidentiality, Omega Forms will never keep in its possession physical documents pertaining to PHI (protected health information). Omega Forms will use test data (data on fictitious individuals and scenarios) whenever possible when developing, testing, or discussing services with the respective Clients. At no time will Omega Forms use PHI from one Client with another unless requested in writing by all Clients involved. In cases where the PHI of a real individual is used, the PHI will be limited as much as needed to satisfy a Client’s request. Any non-fictitious PHI accessed by Omega Forms’ workforce will be accessed on physically isolated computers that are fully updated, make use of encryption in transmissions, and use RAM drives to ensure no traces of received PHI remain after a reboot of the computer. PHI is recorded and made available to Clients as determined by Clients. The integrity of PHI is the responsibility of the Client in that any recorded information must be tested by the Client to ensure accuracy before being considered acceptable and used in the Client’s business. In ensuring availability of PHI during an outage of primary services, access to the core data, as it existed on the previous day, will be available to Clients. Additional options exist for Clients, at additional cost, where accessing the previous day’s data during an outage is insufficient.

§ 164.306 (a) (2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.

The services Omega Forms provides allow Clients to specify how PHI is stored and accessed after it has been securely transmitted (at a minimum, all data is transmitted using the Hypertext Transfer Protocol Secure (HTTPS) protocol) from servers maintained by Omega Forms. Omega Forms takes measures that account for dangers to the security and integrity of PHI by creating an encrypted backup of all PHI and related data on a daily basis to a secured server located in a physical location other than where Omega Forms’ active servers reside. Security is further achieved by ensuring all servers used for services are updated and maintained on a regular basis. The integrity of backups is tested and logs of server maintenance are recorded on a routine basis, and the results are made available on the Omega Forms website in the publicly published Internal Audits.

§ 164.306 (a) (3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part.

Omega Forms limits testing of data integrity to fictitious test records.

§ 164.306 (a) (4) Ensure compliance with this subpart by its workforce.

All members of Omega Forms’ workforce are required to maintain and demonstrate understanding of this document and its updates, and all documentation contained on the Omega Forms website, as a condition of employment and continued employment.

§ 164.306 (c) Standards. A covered entity or business associate must comply with the applicable standards as provided in this section and in § 164.308, § 164.310, § 164.312, § 164.314 and § 164.316 with respect to all electronic protected health information.

Compliance is documented in this document.

§ 164.306 (e) Maintenance. A covered entity or business associate must review and modify the security measures implemented under this subpart as needed to continue provision of reasonable and appropriate protection of electronic protected health information, and update documentation of such security measures in accordance with § 164.316(b)(2)(iii).

Security measures are reviewed and modified as needed by updates to HIPAA or protocols of Omega Forms. Reviews are documented and made available by the “Internal Audits” section of the Omega Forms website.

§ 164.308 (a) (1) (i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations.

Omega Forms’ routine Internal Audits address security violations.

§ 164.308 (a) (1) (ii) (A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.

Omega Forms’ routine Internal Audits address potential risks and vulnerabilities of PHI.

§ 164.308 (a) (1) (ii) (B) Risk management (Required). Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a).

Omega Forms conducts routine Internal Audits that involve reviewing and updating current security policies and the protocols listed in this document, and identifying any potential new security threats.

§ 164.308 (a) (1) (ii) (C) Sanction policy (Required). Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity or business associate.

Omega Forms’ workforce will complete an Internal Audit on a monthly basis, which includes review of a Sanction Policy.

§ 164.308 (a) (1) (ii) (D) Information system activity review (Required). Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.

Omega Forms’ routine Internal Audits include reviewing system logs.

§ 164.308 (a) (2) Standard: Assigned security responsibility. Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the covered entity or business associate.

Omega Forms’ security official is Shawn Brunner.

§ 164.308 (a) (3)(i) Standard: Workforce security. Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information.

Omega Forms limits access to all data and systems on an “Access Only As Needed” basis. This policy is reviewed during Omega Forms’ routine Internal Audits.

§ 164.308 (a) (3) (ii) (A) Authorization and/or supervision (Addressable). Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.

Omega Forms’ Internal Audits specify Omega Forms’ workforce may not work with Client data and Client PHI in public locations.

§ 164.308 (a) (3) (ii) (B) Workforce clearance procedure (Addressable). Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate.

Omega Forms limits access to all data and systems on an “Access Only As Needed” basis. This policy is reviewed during Omega Forms’ routine Internal Audits.

§ 164.308 (a) (3) (ii) (C) Termination procedures (Addressable). Implement procedures for terminating access to electronic protected health information when the employment of, or other arrangement with, a workforce member ends or as required by determinations made as specified in paragraph (a)(3)(ii)(B) of this section.

Omega Forms controls access to all systems and services with controlled user accounts; the passwords of all user accounts are not obtainable by accessing any data contained on servers. Upon termination, a user’s account is disabled or deleted and any system account passwords the terminated employee had are changed.

§ 164.308 (a) (4) (ii) (A) Isolating health care clearinghouse functions (Required). If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization.

All PHI is controlled by computer access accounts which are limited to only the needed areas for a specific user or service. Any larger organization would be issued an access account that limits access to areas determined for needed functions. All access accounts document the nature of the account.

§ 164.308 (a) (4) (ii) (B) Access authorization (Addressable). Implement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process, or other mechanism.

All direct access to Client-defined PHI would be made available through the Omega Forms platform by the Client. Clients, and the Clients’ users, accessing PHI through Omega Forms are required to follow the HIPAA guidelines established by their organization.

§ 164.308 (a) (4) (ii) (C) Access establishment and modification (Addressable). Implement policies and procedures that, based upon the covered entity’s or the business associate’s access authorization policies, establish, document, review, and modify a user’s right of access to a workstation, transaction, program, or process.

Omega Forms only creates and controls computer access accounts for its users to access Omega Forms systems. Client accounts are created by Omega Forms; that Client may then be able to create additional accounts at which time that Client is responsible for controlling access to its PHI. Omega Forms computer access accounts, not Client accounts, are reviewed during Omega Forms’ routine Internal Audits. Clients are responsible for the security and liability of use or misuse of Client created user accounts and passwords.

§ 164.308 (a) (5) (i) Standard: Security awareness and training. Implement a security awareness and training program for all members of its workforce (including management).

All members of Omega Forms’ workforce attend Omega Forms’ routine Internal Audits.

§ 164.308 (a) (5) (ii) (A) Security reminders (Addressable). Periodic security updates.

Updates to security are addressed with Omega Forms’ routine Internal Audits.

§ 164.308 (a) (5) (ii) (B) Protection from malicious software (Addressable). Procedures for guarding against, detecting, and reporting malicious software.

Omega Forms only executes software on its systems from major, industry established vendors, and from software developed internally.

§ 164.308 (a) (5) (ii) (C) Log-in monitoring (Addressable). Procedures for monitoring log-in attempts and reporting discrepancies.

Omega Forms monitors and reviews all access attempts to its systems during its Internal Audits. Clients are able to request access to as much information as desired to accomplish their needs.

§ 164.308 (a) (5) (ii) (D) Password management (Addressable). Procedures for creating, changing, and safeguarding passwords.

Omega Forms creates and changes all account passwords on the related systems directly. Passwords are not stored anywhere in plain text; Omega Forms uses a proprietary system for storing sensitive information such as computer access codes.

§ 164.308 (a) (6) (i) Standard: Security incident procedures. Implement policies and procedures to address security incidents.

Protocols to address security incidents are contained in this document.

§ 164.308 (a) (6) (ii) Implementation specification: Response and reporting (Required). Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes.

Upon detection of a security incident, the skill set of Omega Forms’ workforce will be used to mitigate any harmful effects and a summary of any documented incident will be included in Omega Forms’ Internal Audits.

§ 164.308 (a) (7) (i) Standard: Contingency plan. Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.

Omega Forms will initiate a “Relaunch Now” protocol when responding to major emergencies: acquire physically secured servers, install needed software for services, ensure security of servers, reload Client data and any PHI contained therein, redirect all Client traffic to new servers.

§ 164.308 (a) (7) (ii) (A) Data backup plan (Required). Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.

Omega Forms makes daily encrypted backups of PHI to non active, secured servers. Backups are checked at Internal Audits to ensure recovery is possible.

§ 164.308 (a) (7) (ii) (B) Disaster recovery plan (Required). Establish (and implement as needed) procedures to restore any loss of data.

Daily backups of PHI are made during off-peak hours (sometime between 6pm and 6am). Clients assume the risk that a backup may not cover up to one day’s worth of data recording activity. Clients must ensure policies exist in their organization to be able to recreate at least one day’s worth of data re-entry.

§ 164.308 (a) (7) (ii) (C) Emergency mode operation plan (Required). Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.

In the event that Omega Forms is unable to provide remote access to services containing PHI, Omega Forms will establish a command center where Clients can access PHI directly from a computer set up and controlled by Omega Forms. Clients may send one individual to this location to access PHI directly from Omega Forms and relay the information to their organization.

§ 164.308 (a) (7) (ii) (D) Testing and revision procedures (Addressable). Implement procedures for periodic testing and revision of contingency plans.

Omega Forms’ Internal Audits include testing an “Emergency Mode Operation” scenario.

§ 164.308 (a) (7) (ii) (E) Applications and data criticality analysis (Addressable). Assess the relative criticality of specific applications and data in support of other contingency plan components.

In an “Emergency Mode Operation” scenario, the priority is providing the means to access PHI by one individual from each Client in a secured environment set up by Omega Forms. To achieve this, at a minimum, Internet access is required by Omega Forms. Without Internet access, no services, including Emergency Mode Operation, are possible. Omega Forms keeps no Client data outside of prearranged secured servers and secured backup servers.

§ 164.308 (a) (8) Standard: Evaluation. Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and, subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which a covered entity’s or business associate’s security policies and procedures meet the requirements of this subpart.

Omega Forms’ Internal Audits include evaluation of overall security policies.

§ 164.308 (a) (8) (b) (3) Implementation specifications: Written contract or other arrangement (Required). Document the satisfactory assurances required by paragraph (b)(1) or (b)(2) of this section through a written contract or other arrangement with the business associate that meets the applicable requirements of § 164.314(a).

This document is provided as a contract between Omega Forms (the Business Associate) and the Client (Covered Entity). This document may be printed and signed by both parties as desired by the Client. This document may be updated at any time, and the Client assumes responsibility to periodically review this document for updates as the Client deems necessary in accordance with their policies on HIPAA compliance.

§ 164.308 (b) (2) A business associate may permit a business associate that is a subcontractor to create, receive, maintain, or transmit electronic protected health information on its behalf only if the business associate obtains satisfactory assurances, in accordance with § 164.314(a), that the subcontractor will appropriately safeguard the information.

Omega Forms will not enter into a business relationship with any organization, be it a subcontractor or partner, unless that organization is commonly known to be established in its industry and its security measures are similar to or greater than those of Omega Forms. Omega Forms investigates the practices and history of an organization before entering into a relationship. Furthermore, Omega Forms ensures it will retain full control over all Client data and PHI that may be accessible, by any means, to another organization.

§ 164.308 (b) (3) Implementation specifications: Written contract or other arrangement (Required). Document the satisfactory assurances required by paragraph (b)(1) or (b)(2) of this section through a written contract or other arrangement with the business associate that meets the applicable requirements of § 164.314(a).

Omega Forms maintains all contracts and other arrangements with other businesses that ensure HIPAA compliance and considers this information proprietary. Disclosure of this information would be limited as much as possible to the Secretary, in a fashion that would satisfy the Secretary.

§ 164.310 (a) (2) (i) Contingency operations (Addressable). Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.

Omega Forms does not require facility access for restoration of lost data under its disaster recovery plan (Relaunch protocol would be initiated) or during emergency mode operations (Internet access would be required).

§ 164.310 (a) (2) (ii) Facility security plan (Addressable). Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.

Omega Forms only provides services from physically secured buildings that specialize in housing servers. The exception to this rule would be during emergency mode operations; at that time services will be provided under the direct supervision of Omega Forms’ workforce in a business or residential setting.

§ 164.310 (a) (2) (iii) Access control and validation procedures (Addressable). Implement procedures to control and validate a person’s access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.

Active servers providing regular Omega Forms services are physically located in secure locations throughout the world. Software development makes use of test data whenever possible, over private networks or secured public networks. When Client PHI is accessed by Omega Forms, it is done on secure computers over secure networks.

§ 164.310 (a) (2) (b) Standard: Workstation use. Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information.

Omega Forms relies on experienced personnel and follows a Code of Conduct (reviewed and updated as needed during Internal Audits) for working with sensitive systems and data (including PHI). Omega Forms’ protocols limit data access in a manner that prevents third-party exposure.

§ 164.310 (c) Standard: Workstation security. Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users.

Omega Forms’ workforce will only access PHI on authorized computers that make use of anti-malware software, administrative accounts, lock screens, and RAM Drives.

§ 164.310 (d) (2) (i) Disposal (Required). Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored.

Omega Forms stores sensitive data, as defined by the Client, in encrypted form on HDDs. Unencrypted data may be stored temporarily on RAM drives, and such computers are rebooted routinely. When services are terminated with a Client, all data for that Client is overwritten 60 days after termination to prevent access to any Client data. No electronic media will be used to store unencrypted data that the Client has designated as requiring encryption.

§ 164.310 (d) (2) (ii) Media re-use (Required). Implement procedures for removal of electronic protected health information from electronic media before the media are made available for reuse.

No electronic media will be used to store unencrypted data that the Client has designated as requiring encryption. When Omega Forms retires a server that provided services, all files on partitions containing Client data are first wiped with a file-wiping tool and the partitions are then formatted.

§ 164.312 (a) (2) (i) Unique user identification (Required). Assign a unique name and/or number for identifying and tracking user identity.

All computer access accounts are created and maintained on their respective servers, each with a description identifying the purpose of the account. Access logs are kept and reviewed during Internal Audits to ensure that the accounts Omega Forms creates and maintains have not been compromised.

§ 164.312 (a) (2) (ii) Emergency access procedure (Required). Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.

In instances where the services of Omega Forms are unavailable, the “Relaunch Now” protocol will be used to restore services once Internet service is accessible. In instances where the Client’s primary point of contact is unreachable, Omega Forms’ contact page, located at www.omegaforms.com/contact, should be used to establish communications with another representative of Omega Forms. Note that Omega Forms uses the contact page as part of its Business Continuity Plan; Clients should use the contact page in all emergencies or general inquiries about Omega Forms.

§ 164.312 (a) (2) (iii) Automatic logoff (Addressable). Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.

Clients may request an automatic logoff (session inactivity timeout) for their organization or for individual users.

§ 164.312 (a) (2) (iv) Encryption and decryption (Addressable). Implement a mechanism to encrypt and decrypt electronic protected health information.

Mechanisms are available to encrypt and decrypt PHI as desired by Clients.

§ 164.312 (c) (1) Standard: Integrity. Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.

Omega Forms requires Client approval of every means by which information is recorded or retrieved through any service. Omega Forms itself limits its own access to and modification of information to test data whenever possible.

§ 164.312 (c) (2) Implementation specification: Mechanism to authenticate electronic protected health information (Addressable). Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.

Clients are able to specify what data (including PHI) should include a “History” tracking feature that records all changes to the data. Clients are also able to specify what data (including PHI) will trigger an alert when altered, or entered, to whomever the Client specifies.
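One concrete way to implement a “History” feature that can corroborate, rather than merely record, that stored data has not been altered outside the application is a keyed hash chain over record versions. The following is an added illustration, not Omega Forms’ own code; it assumes a server-held HMAC key (HISTORY_KEY, constructed here for the example) and records represented as flat dictionaries of Client-defined fields. It also shows the field-change check that a Client-specified alert would be keyed on.

```python
"""Tamper-evident change history with field-change alerts (added example).

Assumptions: HISTORY_KEY is a server-held secret (constructed here; a real
deployment would load it from a key store), and a record is a flat dict of
Client-defined fields.
"""
import hashlib
import hmac
import json
from typing import Optional

HISTORY_KEY = b"example-only-history-key"  # assumption: constructed for this example
GENESIS = "0" * 64  # "previous tag" used for the first version of a record


def _canonical(record: dict) -> bytes:
    # Canonical JSON so identical content always yields identical bytes.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def _entry_tag(key: bytes, prev_tag: str, actor: str, record: dict) -> str:
    # Each tag commits to the previous tag, who made the change, and the content.
    msg = b"\x00".join([prev_tag.encode("ascii"), actor.encode("utf-8"), _canonical(record)])
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def append_version(history: list, actor: str, record: dict, key: bytes = HISTORY_KEY) -> dict:
    """Append a new version of the record to its history; returns the new entry."""
    prev = history[-1]["tag"] if history else GENESIS
    entry = {"actor": actor, "record": dict(record), "prev": prev}
    entry["tag"] = _entry_tag(key, prev, actor, entry["record"])
    history.append(entry)
    return entry


def verify_history(history: list, key: bytes = HISTORY_KEY) -> Optional[int]:
    """Return the index of the first entry that fails verification, or None if intact.

    Detects edited content, a forged actor, and removed or reordered entries
    (the prev links no longer match).
    """
    prev = GENESIS
    for i, entry in enumerate(history):
        if entry["prev"] != prev:
            return i
        expected = _entry_tag(key, prev, entry["actor"], entry["record"])
        if not hmac.compare_digest(expected, entry["tag"]):
            return i
        prev = entry["tag"]
    return None


def changed_fields(old: dict, new: dict, watched: set) -> list:
    """Fields in `watched` whose value differs between two versions (alert triggers)."""
    return sorted(f for f in watched if old.get(f) != new.get(f))


def demo() -> None:
    history = []
    append_version(history, "intake@clinic", {"name": "J. Doe", "diagnosis": ""})
    append_version(history, "dr.smith", {"name": "J. Doe", "diagnosis": "I10"})
    print("intact:", verify_history(history) is None)
    print("alert on:", changed_fields(history[0]["record"], history[1]["record"], {"diagnosis"}))
    # Someone edits the stored diagnosis directly, bypassing append_version.
    history[1]["record"]["diagnosis"] = "Z00.00"
    print("first bad entry:", verify_history(history))


if __name__ == "__main__":
    demo()
```

The chain alone cannot detect that the most recent entries were simply dropped, since a shorter chain still verifies; that is why the latest tag (or a change alert) should also be delivered to someone outside the database, which is what the Client-specified alert above provides.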

§ 164.312 (d) Standard: Person or entity authentication. Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.

Omega Forms is accessible to anyone with valid computer access codes (username and password) that are created by either Omega Forms or the Client (Clients can create their own user accounts). Maintaining the confidentiality of access codes is the responsibility of the Client. Omega Forms itself cannot retrieve computer access codes (one-way hash functions are used in storing passwords) and will not change the password for any account unless there are extenuating circumstances; in such cases, Omega Forms will rely on establishing direct communication with the Client to restore any lost access to Omega Forms.
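The practical consequence of “one-way hash functions are used in storing passwords” is that the service stores only a verifier: a login can be checked, but the password can never be read back, so a lost password is replaced rather than recovered. The page does not say which function is used; the added example below (not Omega Forms’ code) assumes PBKDF2-HMAC-SHA256 with a per-user random salt, an assumed iteration count, and a self-describing stored-string format, and it includes the constant-time comparison and the work-factor upgrade check a practitioner would expect.

```python
"""Verifier-only password storage with a salted, iterated one-way function.

Added example, not Omega Forms' code. The algorithm (PBKDF2-HMAC-SHA256), the
iteration count and the stored-string format are assumptions for this example.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000  # assumed work factor; raise it as hardware gets faster
SALT_BYTES = 16
KEY_BYTES = 32


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, iterations: int = ITERATIONS, salt: Optional[bytes] = None) -> str:
    """Return a self-describing verifier string: algorithm$iterations$salt$key.

    The salt is random per record, so equal passwords do not produce equal records.
    """
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES)
    return "$".join([ALGORITHM, str(iterations), _b64(salt), _b64(key)])


def verify_password(password: str, stored: str) -> bool:
    """True only if `password` reproduces the stored key; the password itself is never recoverable."""
    try:
        algorithm, iterations_text, salt_b64, key_b64 = stored.split("$")
        iterations = int(iterations_text)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(key_b64)
    except (ValueError, TypeError):
        return False  # malformed record: fail closed
    if algorithm != ALGORITHM or iterations <= 0 or not expected:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)  # constant-time comparison


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True if the record was made with a weaker work factor than current policy (rehash on next login)."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return True
    try:
        return int(parts[1]) < iterations
    except ValueError:
        return True


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("login ok:", verify_password("correct horse battery staple", record))
    print("wrong password:", verify_password("Correct horse battery staple", record))
```

Because only the verifier is stored, a support path that “retrieves” a password is impossible by construction; the only administrative action available is issuing a new credential, which matches the out-of-band contact procedure described above.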

§ 164.312 (e) (2) (i) Integrity controls (Addressable). Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.

Omega Forms uses a combination of custom encryption algorithms and standard security technologies (TLS, Transport Layer Security) to establish an encrypted link between Omega Forms and Clients. Proprietary procedures are also used to ensure data is not compromised while in transit between Omega Forms and Clients.

§ 164.312 (e) (2) (ii) Encryption (Addressable). Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.

Clients are able to specify what data (including PHI) should be encrypted in Omega Forms. Clients are also able to specify whether the access key used to decrypt the information is managed by Omega Forms or by themselves. In instances where the Client manages the decryption key, Omega Forms cannot decrypt the data under any circumstances; if the Client loses their managed access key, they lose access to the encrypted data.

§ 164.314 (a) (2) (i) Business associate contracts. The contract must provide that the business associate will— (A) Comply with the applicable requirements of this subpart; (B) In accordance with § 164.308 (b) (2), ensure that any subcontractors that create, receive, maintain, or transmit electronic protected health information on behalf of the business associate agree to comply with the applicable requirements of this subpart by entering into a contract or other arrangement that complies with this section; and (C) Report to the covered entity any security incident of which it becomes aware, including breaches of unsecured protected health information as required by § 164.410.

Omega Forms addresses parts (A) and (B) of this section above in its protocols established for § 164.308 (b). Omega Forms addresses part (C) of this section by ensuring that, for any business relationship Omega Forms has involving Client data, the other business either 1) provides written statements that security incidents are reported; 2) has demonstrated through public means that it reports security incidents; or 3) Omega Forms is able to identify security incidents on its own behalf with regards to the services offered by the business relationship.

§ 164.314 (a) (2) (ii) Other arrangements. The covered entity is in compliance with paragraph (a)(1) of this section if it has another arrangement in place that meets the requirements of § 164.504(e)(3).

Omega Forms is not a government entity.

§ 164.314 (a) (2) (iii) Business associate contracts with subcontractors. The requirements of paragraphs (a)(2)(i) and (a)(2)(ii) of this section apply to the contract or other arrangement between a business associate and a subcontractor required by § 164.308(b)(4) in the same manner as such requirements apply to contracts or other arrangements between a covered entity and business associate.

The text of § 164.308(b)(4) was not found in the HIPAA Administrative Simplification, so the text as it appears at the following location, http://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1.pdf, was used by Omega Forms in August 2013 and is reproduced here:

§ 164.308(b) (4) Implementation specifications: Written contract or other arrangement (Required). Document the satisfactory assurances required by paragraph (b)(1) of this section through a written contract or other arrangement with the business associate that meets the applicable requirements of §164.314(a).

Omega Forms ensures it adheres to the protocols it has established for working with other businesses or partners when dealing with any subcontractors.

§ 164.316 (a) Standard: Policies and procedures. Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in § 164.306(b)(2)(i), (ii), (iii), and (iv). This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirements of this subpart. A covered entity or business associate may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart.

Omega Forms has considered the following factors in creating this document and its protocols which specify Omega Forms’ policies and procedures used to comply with HIPAA:

§ 164.306 (b) Flexibility of approach. (2) In deciding which security measures to use, a covered entity or business associate must take into account the following factors: (i) The size, complexity, and capabilities of the covered entity or business associate. (ii) The covered entity’s or the business associate’s technical infrastructure, hardware, and software security capabilities. (iii) The costs of security measures. (iv) The probability and criticality of potential risks to electronic protected health information.

§ 164.316 (b)(1) Standard: Documentation. (i) Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form; and (ii) If an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment.

This document lists the policies and procedures Omega Forms implements to comply with HIPAA. All required and related documentation is either included in this document as a protocol or is included in an Internal Audit made public by Omega Forms on its website: www.omegaforms.com.

§ 164.316 (b) (2) (i) Time limit (Required). Retain the documentation required by paragraph (b)(1) of this section for 6 years from the date of its creation or the date when it last was in effect, whichever is later.

Omega Forms will retain this document and its Internal Audits for a minimum of 6 years from the date when this document was in effect.

§ 164.316 (b) (2) (ii) Availability (Required). Make documentation available to those persons responsible for implementing the procedures to which the documentation pertains.

This documentation is publicly available to all of Omega Forms’ workforce, Clients, and other interested parties at the following location: http://www.omegaforms.com/hipaa

§ 164.316 (b) (2) (iii) Updates (Required). Review documentation periodically, and update as needed, in response to environmental or operational changes affecting the security of the electronic protected health information.

Omega Forms reviews this document during its Internal Audits.

§ 164.404 Notification to individuals. (a) Standard —(1) General rule. A covered entity shall, following the discovery of a breach of unsecured protected health information, notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, used, or disclosed as a result of such breach.

In the event of a breach of any Client data, the Client is responsible for adhering to this section and related sections of HIPAA with regards to notifying any individuals. As noted elsewhere in this document, Omega Forms imposes no limits on the amount or type of data entered into Omega Forms by Clients, and Omega Forms takes no liability for damages to individuals whose PHI may be compromised.

§ 164.406 Notification to the media. (a) Standard. For a breach of unsecured protected health information involving more than 500 residents of a State or jurisdiction, a covered entity shall, following the discovery of the breach as provided in § 164.404(a)(2), notify prominent media outlets serving the State or jurisdiction.

In the event of a breach of any Client data, the Client is responsible for adhering to this section and related sections of HIPAA with regards to notifying any media outlets.

§ 164.408 Notification to the Secretary. (a) Standard. A covered entity shall, following the discovery of a breach of unsecured protected health information as provided in § 164.404(a)(2), notify the Secretary.

In the event of a breach of any Client data, the Client is responsible for adhering to this section and related sections of HIPAA with regards to notifying the Secretary.

§ 164.410 Notification by a business associate. (a) Standard —(1) General rule. A business associate shall, following the discovery of a breach of unsecured protected health information, notify the covered entity of such breach.

In the event of a breach of any Client data, Omega Forms will notify the Client immediately via phone or personal contact. If a Client is not immediately available via phone or personal contact, an email will be sent to the Client and Omega Forms will continue attempts to make contact with the Client until the Client acknowledges such a breach.

§ 164.410 (a) (2) Breaches treated as discovered. For purposes of paragraph (a)(1) of this section, a breach shall be treated as discovered by a business associate as of the first day on which such breach is known to the business associate or, by exercising reasonable diligence, would have been known to the business associate. A business associate shall be deemed to have knowledge of a breach if the breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach, who is an employee, officer, or other agent of the business associate (determined in accordance with the Federal common law of agency).

Omega Forms acknowledges this section.

§ 164.410 (b) Implementation specifications: Timeliness of notification. Except as provided in § 164.412, a business associate shall provide the notification required by paragraph (a) of this section without unreasonable delay and in no case later than 60 calendar days after discovery of a breach.

Omega Forms acknowledges this section and has established a protocol for making contact with a Client in § 164.410 (a) (1).

§ 164.410 (c) Implementation specifications: Content of notification. (1) The notification required by paragraph (a) of this section shall include, to the extent possible, the identification of each individual whose unsecured protected health information has been, or is reasonably believed by the business associate to have been, accessed, acquired, used, or disclosed during the breach.

Omega Forms acknowledges this section and, because Omega Forms allows Client-defined fields, will work with the Client to provide the data needed to identify individuals whose PHI may have been compromised.

§ 164.410 (c) (2) A business associate shall provide the covered entity with any other available information that the covered entity is required to include in notification to the individual under § 164.404(c) at the time of the notification required by paragraph (a) of this section or promptly thereafter as information becomes available.

Omega Forms’ ability to provide information is detailed below as it directly relates to § 164.404 (c):

§ 164.404(c) Implementation specifications: Content of notification —(1) Elements. The notification required by paragraph (a) of this section shall include, to the extent possible: (A) A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known;

Omega Forms will provide a description of what happened, including any related dates, with any breach of data.

§ 164.404(c) (1) (B) A description of the types of unsecured protected health information that were involved in the breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);

Omega Forms will identify which sets of data were involved in the breach: for example, which services were involved, which eForms were involved, and whether all Client data was breached. As Clients determine the type of data they record on individuals, the Client is responsible for determining the types and descriptions of any PHI that may be involved in the breach.

§ 164.404(c) (1) (C) Any steps individuals should take to protect themselves from potential harm resulting from the breach;

As Omega Forms allows Clients to determine the type and quantity of data recorded on individuals, Omega Forms cannot itself know what harm may result from a breach of that data, and has established a protocol at § 160.408 that prohibits a Client from using Omega Forms to record data that may cause harm to an individual.

§ 164.404(c) (1) (D) A brief description of what the covered entity involved is doing to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches; and § 164.404(c) (1) (E) Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.

Omega Forms is able to provide information on what it is doing to address the breach and protect against further breaches.

§ 164.404(c) (2) Plain language requirement. The notification required by paragraph (a) of this section shall be written in plain language.

Omega Forms is able to provide the information it gives to a Client in plain language. The guidelines Omega Forms will use in writing plain language are as follows:

Plain language (also called Plain English) is communication your audience can understand the first time they read or hear it. Language that is plain to one set of readers may not be plain to others. Written material is in plain language if your audience can: Find what they need; Understand what they find; and Use what they find to meet their needs. There are many writing techniques that can help you achieve this goal. Among the most common are: Logical organization with the reader in mind; “You” and other pronouns; Active voice; Short sentences; Common, everyday words; Easy-to-read design features. No one technique defines plain language. Rather, plain language is defined by results—it is easy to read, understand, and use.

§ 164.412 Law enforcement delay. If a law enforcement official states to a covered entity or business associate that a notification, notice, or posting required under this subpart would impede a criminal investigation or cause damage to national security, a covered entity or business associate shall: (a) If the statement is in writing and specifies the time for which a delay is required, delay such notification, notice, or posting for the time period specified by the official; or (b) If the statement is made orally, document the statement, including the identity of the official making the statement, and delay the notification, notice, or posting temporarily and no longer than 30 days from the date of the oral statement, unless a written statement as described in paragraph (a) of this section is submitted during that time.

Omega Forms acknowledges this section.

§ 164.414 Administrative requirements and burden of proof. (a) Administrative requirements. A covered entity is required to comply with the administrative requirements of § 164.530(b), (d), (e), (g), (h), (i), and (j) with respect to the requirements of this subpart. (b) Burden of proof. In the event of a use or disclosure in violation of subpart E, the covered entity or business associate, as applicable, shall have the burden of demonstrating that all notifications were made as required by this subpart or that the use or disclosure did not constitute a breach, as defined at § 164.402.

Clients are responsible for complying with the administrative requirements specified in this section and in handling all required notifications.

§ 164.500 (c) Where provided, the standards, requirements, and implementation specifications adopted under this subpart apply to a business associate with respect to the protected health information of a covered entity.

Omega Forms acknowledges this section.

§ 164.502 (a) (4) (i) When required by the Secretary under subpart C of part 160 of this subchapter to investigate or determine the business associate’s compliance with this subchapter.

Omega Forms acknowledges this section.

§ 164.502 (a) (4) (ii) To the covered entity, individual, or individual’s designee, as necessary to satisfy a covered entity’s obligations under § 164.524(c)(2)(ii) and (3)(ii) with respect to an individual’s request for an electronic copy of protected health information.

Omega Forms will not hold any Client data hostage from a Client. Omega Forms is not involved with the recording of information on specific individuals and will only provide Client defined data to Clients, the Secretary, and law enforcement agencies.

§ 164.502 (a) (5) (ii) (A) Except pursuant to and in compliance with § 164.508(a)(4), a covered entity or business associate may not sell protected health information.

Omega Forms acknowledges this section.

§ 164.502 (b) (1) Minimum necessary applies. When using or disclosing protected health information or when requesting protected health information from another covered entity or business associate, a covered entity or business associate must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.

The services provided by Omega Forms allow Clients to specify how information is recorded and disclosed. Clients are responsible for ensuring limits are placed on any data and PHI that is used.

§ 164.502 (e) (1) (ii) A business associate may disclose protected health information to a business associate that is a subcontractor and may allow the subcontractor to create, receive, maintain, or transmit protected health information on its behalf, if the business associate obtains satisfactory assurances, in accordance with § 164.504(e)(1)(i), that the subcontractor will appropriately safeguard the information.

Omega Forms acknowledges this section.

§ 164.504 (e) (1) (iii) A business associate is not in compliance with the standards in § 164.502(e) and this paragraph, if the business associate knew of a pattern of activity or practice of a subcontractor that constituted a material breach or violation of the subcontractor’s obligation under the contract or other arrangement, unless the business associate took reasonable steps to cure the breach or end the violation, as applicable, and, if such steps were unsuccessful, terminated the contract or arrangement, if feasible.

Omega Forms acknowledges this section.

§ 164.504 (e) (2) (i) Establish the permitted and required uses and disclosures of protected health information by the business associate. The contract may not authorize the business associate to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity, except that: (A) The contract may permit the business associate to use and disclose protected health information for the proper management and administration of the business associate, as provided in paragraph (e)(4) of this section; and (B) The contract may permit the business associate to provide data aggregation services relating to the health care operations of the covered entity.

Omega Forms establishes, and the Client agrees, that Omega Forms may only use the Client’s data, and any PHI contained therein, to ensure the services Omega Forms provides are operating at an optimal level: services are fast, secure, and stable. Omega Forms does not disclose any Client data unless such disclosure is stated in an established protocol contained in this document.

§ 164.504 (e) (2) (ii) (A) Not use or further disclose the information other than as permitted or required by the contract or as required by law;

This document serves as a contract between Omega Forms and the Client. Omega Forms will adhere to protocols it has established in this document.

§ 164.504 (e) (2) (ii) (B) Use appropriate safeguards and comply, where applicable, with subpart C of this part with respect to electronic protected health information, to prevent use or disclosure of the information other than as provided for by its contract;

Omega Forms will adhere to protocols it has established in this document.

§ 164.504 (e) (2) (ii) (C) Report to the covered entity any use or disclosure of the information not provided for by its contract of which it becomes aware, including breaches of unsecured protected health information as required by § 164.410;

Omega Forms will adhere to protocols it has established in this document.

§ 164.504 (e) (2) (ii) (D) In accordance with § 164.502(e)(1)(ii), ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of the business associate agree to the same restrictions and conditions that apply to the business associate with respect to such information;

Omega Forms acknowledges this section.

§ 164.504 (e) (2) (ii) (E) Make available protected health information in accordance with § 164.524;

Omega Forms will not hold any Client data hostage from a Client. Omega Forms is not involved with the recording of information on specific individuals and will only provide Client defined data to Clients, the Secretary, and law enforcement agencies.

§ 164.504 (e) (2) (ii) (F) Make available protected health information for amendment and incorporate any amendments to protected health information in accordance with § 164.526;

Omega Forms is not involved with the recording of information on specific individuals and does not engage in altering Client data other than for testing purposes.

§ 164.504 (e) (2) (ii) (G) Make available the information required to provide an accounting of disclosures in accordance with § 164.528;

Omega Forms will not hold any Client data hostage from a Client. Omega Forms is not involved with the recording of information on specific individuals and will only provide Client defined data to Clients, the Secretary, and law enforcement agencies.

§ 164.504 (e) (2) (ii) (H) To the extent the business associate is to carry out a covered entity’s obligation under this subpart, comply with the requirements of this subpart that apply to the covered entity in the performance of such obligation.

Omega Forms is not able to carry out a Client’s obligation other than what has been established by Omega Forms as a protocol contained in this document.

§ 164.504 (e) (2) (ii) (I) Make its internal practices, books, and records relating to the use and disclosure of protected health information received from, or created or received by the business associate on behalf of, the covered entity available to the Secretary for purposes of determining the covered entity’s compliance with this subpart; and

Omega Forms acknowledges this section.

§ 164.504 (e) (2) (ii) (J) At termination of the contract, if feasible, return or destroy all protected health information received from, or created or received by the business associate on behalf of, the covered entity that the business associate still maintains in any form and retain no copies of such information or, if such return or destruction is not feasible, extend the protections of the contract to the information and limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible.

Omega Forms will destroy any potential PHI 60 days after the termination of services with a Client unless the Client specifies that such data be destroyed sooner: the Client may request destruction of data prior to termination of services to ensure the data is destroyed. This destruction of data includes backups of Client data and ensuring that no Client data remains with other business associates, subcontractors, or other individuals.

UPDATES

2/9/2015

Update to § 164.312 (e) (2) (i): replaced “(SSL, Secure Sockets Layer)” with “(TLS, Transport Layer Security)”.

2/25/2015

Update to § 164.306 (a) (1): added “In ensuring availability of PHI during an outage of primary services, access to the core data, as existed from the previous day, will be available to Clients. Additional options exist for Clients, at additional costs, where accessing the previous day’s data during an outage is insufficient.”