Check In Systems publishes these policies and procedures to help our customers comply with individual requirements. Check In Systems may have additional, unpublished policies and procedures that contain sensitive material. Some of these policies refer to HIPAA Compliance even though this software does not include a Business Associate agreement or PHI. Our staff is used to support many sites including systems that must meet HIPAA regulations and therefore there is some overlap in staff training and procedures. This will only further secure the data and software for both parties.
Data created and maintained within the Check In Systems software is deemed the work product and property of the subscriber. No data will be used, shared or conveyed to any other party other than to meet legal obligations. Check In Systems will not access the data other than to provide support for the subscriber. Subscriber shall have access to download and/or destroy any and all data at their discretion and the subscriber relieves Check In Systems from the liability of monitoring the functions of export and deletion.
All data shall be stored within the United States. Currently, Check In Systems utilizes multiple facilities across the United States that store and serve data to the subscribers of service. These locations use hosted servers dedicated to each software version. All locations have redundant internet access as well as redundant hardware to ensure the best of availability. All hosting providers are contracted with Business Associate Agreements.
All databases are encrypted using rotating keys and when backed up, those encryption functions remain. Rotating keys are not stored in the same location. Backups are stored in individual files in a separate location designed for fast recovery.
At Check In Systems, all our computers and devices, used to access customer data, are encrypted, use strong passwords and are physically secured with limited access. Only persons with necessary access to data have access to these computers. All subscriber computers that have access to data should also be encrypted. We suggest at a minimum, subscribers should implement Microsoft Windows encrypted drives.
All computers at Check In Systems are protected by real time malware detection software. Furthermore, computers are periodically scanned manually for malware and unusual internet activity.
All computers at Check In Systems, that are used for accessing customer data, are restricted from open internet access. This minimizes the exposure to outside viruses and malware.
Portable devices such as CD, USB drives, and USB chips are restricted. Only specific admin users are allowed to use these devices and only for IT related duties. If a portable device is used for storage of PHI, it is required to be encrypted and stored within the locked safe at the corporate offices or a designated off-site safe of the privacy officer.
Passwords at Check In Systems are changed periodically (3-6 months). If an employee is terminated, all users must immediately change their password and all admin passwords are changed.
All servers at Check In Systems are protected using firewall technology to restrict ports, patterns and ip access. Additionally, servers are restricted from many countries outside of the U.S. Server logs are monitored regularly to ensure the firewall policies are up to date.
Computers and devices at Check In Systems are never repurposed. Any device at end of useful life is physically destroyed beyond recovery within 10 days of being removed from service.
In accordance with the policies of Check In Systems, the termination of a subscriber will begin the process of data destruction. Within 30 days, Check In Systems will destroy all databases, configurations and backups of that particular subscription. These items will no longer be recoverable. It is the responsibility of the subscriber to download any and all data prior to termination.
Our server operating systems and supporting software are monitored daily with monthly reviews for applicable patches and updates. Updates are committed on as 'as needed' basis.
Check In Systems software and accounting systems do not store credit card information. Therefore, there are no policies of PCI compliance required. Credit card payment is accepted via Stripe merchant services. Stripe is a generally accepted merchant that provides services via programmed interfaces that integrate with accounting systems, yet no data is stored by the accounting software.
All browsers are to be set to delete temporary files when closed. This will remove all temporary files and remove passwords that could be used if accessed by an unauthorized user.
When an employee is finished for the day or leaves for an extended period, the desktop of that employee shall be clear of all materials that could contain notes, documents and information that may be useful to an unauthorized user. Employees using notebooks for daily support should be secured and the end of shift. When notebooks are full and no longer usable, they should be shredded within the office. Notebooks should never leave the office.
Employees are not to print any documents that may contain customer data except in the rare exception to support a subscriber. Any and all printed materials that may contain customer data shall be shredded by the end of shift or day.
Check In Systems executes a physical site audit no less than once a year to ensure compliance of employees, equipment and facilities.
Check In Systems employees are under constant supervision and training. HIPAA training is a part of the employment guidelines to keep consistent with HIPAA regulations and employee awareness. Check In Systems uses many of the online training provided by Compliancy Group, a third party company dedicated to HIPAA Compliance of companies like us.
Each employee of Check In Systems under goes a background check before employment and/or access to any computer systems.
Check In Systems has a designated compliancy officer. This person is responsible for developing, implementing and regular auditing of policies used to maintain HIPAA compliance.
Incidents and breaches are two different things. Each has it's definition as defined by Department of Health and Human Services Office for Civil Rights (OCR). In accordance with HIPAA regulations, Check In Systems maintains a policy to report, document and correct the incident or breach. These policies utilize a third party to maintain the perception and transparency of a professional organization.
The HIPAA Security Rule (45 CFR 164.304) describes a security incident as “an attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.” In accordance with this rule, Check In Systems has established a policy and tracking mechanism to deal with incidents. This policy uses a third party, Compliancy Group, to document and notify proper parties when an incident is detected.
HIPAA section 164.402 defines a breach as “the acquisition, access, use, or disclosure of protected health information in a manner not permitted under Subpart E of this part which compromises the security or privacy of the protected health information.” In accordance with this rule, Check In Systems has established a policy and tracking mechanism to deal with breaches. This policy uses a third party, Compliancy Group, to document and notify proper parties when a breach is detected.
Check In Systems employees are trained to immediately report any suspicion of an incident or breach to the Check In Systems compliancy officer. The compliancy officer is responsible for determining if the suspicion constitutes an actual incident or breach. Upon determining an incident or breach has occurred, the compliancy officer will complete the standard reporting form to document the issue. The report will include details of the incident, specific entities that have been effected, and actions that will be taken to correct and notify. This report should be printed and included in the third party documentation platform and the local confidential policy manuals. Follow up reports should include remediation actions taken to prevent similar future issues.
In the event of a incident or breach, Check In Systems will first act to protect the data from further exposure or damage. Following remediation, an investigation should include identifying cause of the incident or breach, entities and/or persons data may have been exposed to, and provide information for the required notifications to the covered entity. Notification will be made in accordance with the Reporting policy within this document and any contractual BAA obligations.
A subscriber of Check In Systems software as a service is expected to maintain their subscription to meet legal requirements. These responsibilities include but are not limited to user maintenance, security levels, data exports and configuration.
The software provides a field for the subscriber to maintain HIPAA contact information. It is the responsibility of the subscriber to keep this information up to date. This field will be the primary notification contact. If this contact information is not available, Check In Systems will do their best to obtain a designated contact of the subscriber in the event of an incident or breach but notification may be delayed as a result.
According to the Terms of Service and any BAA, all parties are responsible for reporting to the other party, any incident or breach that may potentially affect a customer.
All notifications to Check In Systems shall be in written form (mail or email) to the following contact;
Check In Systems Inc
Privacy Compliance Officer
8401 9th St N
Suite E
St Petersburg, FL 33702
jcorn@medicalcheckin.com
In the event of a reportable incident or breach, primary notification to the subscriber will be to the contact information, as entered by the subscriber, into the Check In Systems software. The Contact information is to be maintained by the subscriber and is updatable from the main menu. Notification should include the extent of the incident or breach that effects the subscriber, any known names or data entries that may have been effected and the actions that have been taken to contain the damage.
Check In Systems software is focused on the business process of queuing customers. The data collected does not present a method of notifying the people that may have signed into the Check In System software. This prevents Check In System from directly notifying subscribers customers. The subscriber may have additional information about their customer and therefore will be responsible for notification if needed.
User passwords must use a minimum of 6 characters including 1 uppercase, 1 lowercase, 1 number and 1 special character.
All transmission to and from Check In Systems software is restricted to TLS 1.1/1.2 communication. TLS is a newer and better version of SSL. This ensures that all data is encrypted in motion.
All databases are encrypted at rest. Each location has a dedicated database and those databases are encrypted using rotating keys.
All databases are encrypted using rotating keys and when backed up, those encryption functions remain. Rotating keys are not stored in the same location. Backups are stored in individual files in a separate location designed for fast recovery.
The software includes a role based security model with 3 levels. Standard user, reports and admin are level 1,3,5 respectively. Level 3 users have access to reports and export features. Level 5 admin users have complete control to add/edit/delete users, change configuration and mass delete data.
There are many features such as canned reports, exports and displays that may or may not be used by the end user. To streamline the user experience, admin users can turn these menu items on or off. This means the menu is restricted to the features the admin makes available.