uSTOR has evaluated all of its currently implemented security practices and technical infrastructure for the purpose of providing a summary of compliance with the HIPAA privacy and security rules. Although the privacy regulations are finalized (Bush Administration, April 2001), the HIPAA security regulations have not yet been finalized. The purpose of this paper is to communicate to our customers the practices and safeguards implemented to ensure the highest level of data security. uSTOR will continue to address the requirements of HIPAA technology processes and make every effort to stay up-to-date on HIPAA regulations, processes and technology. The following describes the processes and technical infrastructure currently implemented:
A. Encryption (128-bit SSL)
128-bit encryption is used to ensure that information transmitted between users and uSTOR servers is fully protected. At the time an image is released to our uSTOR servers, the image is encrypted and transferred over a 128-bit SSL encrypted connection. When an image is retrieved through the viewer, it is encrypted at the server level and decrypted into memory on the user's PC. The client administrator can access the security audit-reporting tool to identify every action that has taken place. The information is displayed by user, date/time, and action (including which record was accessed, viewed, printed, emailed, etc.).
B. Tiered Application Security (User, Client, Department, Project, and Document Levels)
Our customers have the ability to restrict access globally, by department, by project (a group of like documents with like retrieval demands), and within documents themselves. User roles and access are maintained entirely by the client-assigned administrator. User logins and passwords are the responsibility of each of our customers. Additional security controls are in place at the functional level; these include the ability to restrict a user from viewing, printing, emailing, or annotating any document on the system. All actions are tracked and can be reported on by the client administrator. Our employees' access is restricted by physical workstation as well as by user-based access controls. The same time-out and access controls that exist for our customers also apply to our employees.
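To make the tiered model concrete, the following is an added illustration, not uSTOR's code: per-scope rules (global, department, project, document) for the view/print/email/annotate functions, resolved most-specific-rule-wins with default deny, and an audit entry written for every decision. The user, document and rule values are constructed, and the resolution order is an assumption.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

ACTIONS = {"view", "print", "email", "annotate"}
# Scopes from least to most specific; the most specific rule for a user wins
# (assumed resolution order, not taken from the page).
SCOPES = ("global", "department", "project", "document")

@dataclass
class Document:
    doc_id: str
    department: str
    project: str

@dataclass
class AccessPolicy:
    """Per-user rules keyed by (scope, scope_id) -> set of permitted actions.
    A rule at a more specific scope replaces a less specific one, so a
    document-level rule can narrow a project-level grant. No rule = deny."""
    rules: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def grant(self, user, scope, scope_id, actions):
        if scope not in SCOPES or not set(actions) <= ACTIONS:
            raise ValueError("unknown scope or action")
        self.rules.setdefault(user, {})[(scope, scope_id)] = set(actions)

    def permitted_actions(self, user, doc):
        chain = (("global", "*"), ("department", doc.department),
                 ("project", doc.project), ("document", doc.doc_id))
        allowed = set()  # default deny when no rule applies
        for key in chain:
            if key in self.rules.get(user, {}):
                allowed = self.rules[user][key]
        return allowed

    def authorize(self, user, action, doc, now=None):
        """Decide and record the decision (user, time, action, record)."""
        allowed = action in self.permitted_actions(user, doc)
        self.audit_log.append({
            "user": user,
            "time": (now or datetime.now(timezone.utc)).isoformat(),
            "action": action,
            "record": doc.doc_id,
            "result": "allowed" if allowed else "denied",
        })
        return allowed

def report(policy, user):
    """Administrator view of the audit trail, filtered by user."""
    return [e for e in policy.audit_log if e["user"] == user]
```

Denied attempts are logged alongside permitted ones, so the administrator's report shows attempted as well as completed actions.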
C. Automatic Logoff and Timeout Routines
Each successful login is subject to automatic logout controls based on idle time and the organization's IP, in order to limit unauthorized viewing.