800-289-7930 info@rx30.com

HIPAA Compliance Outline

Rx30 is a strong supporter and places strong emphasis on HIPAA regulations.

HIPAA Compliancy Outline
For Transaction Data Systems, Inc.
Tuesday, February 24, 2015

The following document is for your information regarding the steps Transaction Data Systems has taken in order to further secure our compliance to the HIPAA Security Rule and associated regulations. Please be advised that we are making every effort to conform in all areas that we have deemed appropriate by means of our own security assessment. We will continue to update our infrastructure and services as required to meet any and all new regulations or guidelines when they become mandated through future updates to the standards.

If you have any questions regarding the items covered within this document please feel free to contact our offices.

Sincerely,

Steve Kerr
HIPAA Security Officer
Transaction Data Systems, Inc.

Rx30 Statement:

Transaction Data Systems has established an information security policy in an effort to protect the security, confidentiality, integrity, and availability personally identifiable information, corporate trade secrets, intellectual property, and any other confidential/regulated data held by Transaction Data Systems. The purpose of this Information Security Policy is to formalize the Security and Internal Control standards that Transaction Data Systems has adopted to mitigate security risks to patient, customer and employee data as well as comply with applicable regulations including the Health Information Portability and Accountability Act (HIPAA).

HIPAA Compliance Law:

The Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule”) establishes, for the first time, a set of national standards for the protection of certain health information. The U.S. Department of Health and Human Services (HHS) issued the Privacy Rule to implement the requirement of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Privacy Rule standards address the use and disclosure of individuals’ health information—called “protected health information” by organizations subject to the Privacy Rule — called “covered entities,” as well as standards for individuals’ privacy rights to understand and control how their health information is used. Within HHS, the Office for Civil Rights (OCR) has responsibility for implementing and enforcing the Privacy Rule with respect to voluntary compliance activities and civil money penalties.

Network Security:

Network infrastructures are configured securely in order to protect Transaction Data Systems information assets and customer data by maintaining network integrity and availability. Any and all transmissions via LifeLine are securely transferred through a 128-bit Secure Sockets Layer (SSL) encryption. All specific processes are in place to ensure that internal networks are not accessible to unauthorized external parties.

Firewalls must be deployed to restrict inbound and outbound connections to the customer’s network. All firewalls installed are configured to deny or control all traffic between any wireless networks and any systems that store cardholder data.

All new wireless access points must be configured securely and approved by IT management to avoid unwanted access to the customer’s network and Transaction Data Systems corporate network. All wireless access points must be set up in a secure, unobtrusive location to avoid tampering.

Network and system vulnerabilities are tested for and remediated for all systems containing company confidential information or Protected Health Information (PHI). All services, protocols, and ports allowed are documented with a specific business justification.

System Software Security:

Malicious program detection software is installed, properly configured, and updated on Transaction Data Systems information systems deemed to be of greater risk for viruses, i.e. Windows® platforms. All antivirus software updates are implemented within appropriate timeframes.

User Security:

All system users, including third party users, must have a unique identification number and be registered on the systems they use to conduct business. System Users idle timeout ensures that the system terminates the user session or require the user to reenter their password after 15 minutes of inactivity has been reached on any and all systems containing PHI or company confidential information.

System Users are forced to change passwords every 180 days. Any inactive user account is automatically disabled after 183 days. All remote access into the customer’s network use authentication methods. The remote access user is required to update such password every 30 days. Failure to do so will result in an access denied.

Remote Backups:

Remote Backups are performed on the client server on a scheduled timetable. The backup is encrypted on the client server before being securely uploaded via SSH to the offsite backup server.

Auditing:

All contracts between Transaction Data Systems and vendors or third parties must include specific Information Security provisions and the right to audit. Operating System level auditing to track user activity is all logged and can be called upon for reporting. Reporting for auditing purposes can only be accessed via a user or users with specific rights that have been granted or configured access.