Sunday, May 28, 2023

LibraryWorld HIPAA Compliance

What is HIPAA?

The Health Insurance Portability and Accountability Act of 1996 was passed by the U.S. Congress and signed into law by President Bill Clinton.

HIPAA laws were enacted primarily to:

  • Modernize the flow of healthcare information.

  • Stipulate how personally identifiable information (PII) maintained by the healthcare and health insurance industries should be protected from fraud and theft.


HIPAA mandated national standards to protect sensitive patient health information from disclosure without patient knowledge or consent. The U.S. Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule to implement this mandate.


Another key element of HIPAA compliance is the Security Rule, a subset of the Privacy Rule. It covers all individually identifiable health information that a covered entity creates, receives, maintains, or transmits electronically.


Understanding which entities must comply with these regulations is crucial for maintaining data privacy and avoiding potential penalties. In general, there are two main categories of organizations that must be HIPAA-compliant:

  • Covered Entities: Medical practitioners, Health plans, Healthcare clearinghouses.


  • Business Associates: Billing companies, Electronic health record (EHR) vendors, IT service providers, Consultants and auditors.


How LibraryWorld Complies with HIPAA


About LibraryWorld Data:


First, LibraryWorld is defined as a Business Associate. Second, it must be clear that LibraryWorld stores no health information at all. It does store personally identifiable information (PII) such as names, addresses, emails and phone numbers, but many of those fields are optional. They are used only to identify who has a particular item (book) checked out.


Security:


All LibraryWorld data is stored in a ‘Level 3’ server farm with three levels of physical security: a keypad (front door), a card reader (server room), and a combination lock (cabinet) to reach the servers. The site is staffed 24/7 with video surveillance. Redundant electrical power systems are also in place.


The data is stored on a set of primary and hot secondary servers. Servers have RAID 5 SSD disk drives (continuously backed up) and multiple power units.


Backups: All data is backed up nightly to a five-night rotation of external disk drives. Weekly and monthly rotational backups are also performed.


Malware: LibraryWorld is based on the LAMP stack (Linux, Apache, MySQL, PHP/Perl), which has historically been well suited to secure commercial Web sites. Antivirus software additionally scans for and protects against infections from outside. All unnecessary ports are closed.


Cybersecurity insurance provides up to $5 million per incident, and the insurance firm actively scans our servers for vulnerabilities.


Privacy:


Access to the servers is possible only over Transport Layer Security (TLS), the modern successor to SSL, which encrypts data in transit between clients and servers. Data is also encrypted at rest in the databases.


Each library's data resides in its own MySQL database. No data elements are shared with any other library's database.
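As an added illustration of how the two preceding points (TLS-only access and one MySQL database per library) can be enforced at the database layer, the statements below give each library its own schema and its own least-privilege account that may connect only over TLS. This is example configuration written for this page, not LibraryWorld's own setup, which the page does not show; the schema name, account name, host pattern and password are placeholders.

```sql
-- Added example, not LibraryWorld's own configuration.
-- One schema and one least-privilege account per library, so the application
-- connection for library 0001 cannot read or alter another library's data.
-- Schema name, account name, host pattern and password are placeholders.

CREATE DATABASE library_0001;

-- The account may connect only from the application subnet and only over TLS.
CREATE USER 'lib_0001'@'10.0.0.%'
  IDENTIFIED BY '<generated-password>'
  REQUIRE SSL;

-- Privileges are scoped to this one schema; no global (*.*) grants,
-- so the account cannot even enumerate other libraries' tables.
GRANT SELECT, INSERT, UPDATE, DELETE
  ON library_0001.*
  TO 'lib_0001'@'10.0.0.%';

-- Refuse plaintext connections server-wide as a backstop to REQUIRE SSL
-- (MySQL 5.7.8+; add require_secure_transport=ON to my.cnf to persist it).
SET GLOBAL require_secure_transport = ON;

-- Checks an auditor can run:
SHOW GRANTS FOR 'lib_0001'@'10.0.0.%';   -- only library_0001.* should be listed
-- Connected as lib_0001, a cross-library query such as
--   SELECT COUNT(*) FROM library_0002.patrons;
-- must fail with an access-denied error.
```

The separation is enforced by the MySQL privilege system rather than by application code alone, so an application bug that substitutes the wrong library identifier still cannot reach another library's rows.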


Each library is owned by a unique user_id, protected by a username, a password and multi-factor authentication.


Each server maintains activity logs that are reviewed daily for suspicious activity.  Logs are kept for six months. 


Policies and Procedures:


LibraryWorld performs risk analysis on a monthly basis to review security and privacy vulnerabilities.


All employees who handle personal information undergo training in best practices for handling sensitive personal data. Only employees with an absolute need have access to personal information.


Breach Notification Policy:


LibraryWorld’s Breach Policy is the following: In case of any data breach involving personal information, all affected customers will be informed by email of the nature and extent of the breach and what personal information may have been disclosed. This notification shall take place within 24 hours of LibraryWorld becoming aware of the breach.

Conclusion:

Even though LibraryWorld stores no health-related information, we take our responsibility to secure and protect the customer’s information extremely seriously.

If you have any questions about LibraryWorld policies or procedures, please feel free to call LibraryWorld at 1-800-852-2777.