Catalyst HIPAA Business Associate Statement

164.308 Administrative safeguards

Security management process

Implement policies and procedures to prevent, detect, contain, and correct security violations.

See Catalyst's Risk Management and related policies for SOC 2 compliance for details.

Risk analysis

Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.

See Catalyst's Risk Management and related policies for SOC 2 compliance for details.

Risk management

Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a).

See Catalyst's Information Security and Physical Access Policies for SOC 2 compliance. Catalyst outsources Data Center services to verified third parties.

Sanction policy

Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity or business associate.

See Catalyst Acceptable Use and other related policies for SOC 2 compliance.

IS activity review

Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.

Procedures are monitored regularly by appropriate Business Owners, and quarterly scans and audits are conducted in accordance with the SOC 2 security TSP.

Assigned security policy

Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the covered entity or business associate.

John Tredennick is Catalyst's HIPAA compliance officer.

Workforce security

Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information.

Catalyst operates on the principle of least privilege according to our Access Management policy and SOC 2 Security TSP standards.

Authorization and supervision

Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.

Catalyst operates on the principle of least privilege according to our Access Management policy and SOC 2 standards. Additionally, Catalyst maintains video surveillance at all locations along with a supervisor compliance scorecard.

Workforce clearance

Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate.

Catalyst operates on the principle of least privilege according to our Access Management policy and SOC 2 standards. Providing customers follow our best practices for data management, Catalyst adheres to the principle of least privilege.

Termination procedures

Implement procedures for terminating access to electronic protected health information when the employment of, or other arrangement with, a workforce member ends or as required by determinations made as specified in paragraph (a)(3)(ii)(B) of this section.

Catalyst has an Access Management Policy and procedures for terminating the access of Catalyst-authorized agents.

Information access management

Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part.

Catalyst operates on the principle of least privilege according to our Access Management policy and SOC 2 standards. Providing customers follow our best practices for data management, Catalyst adheres to the principle of least privilege. Departmental procedures are maintained for granting and revoking access to resources by Catalyst's workforce. Customers maintain access for their own agents, and Catalyst does not monitor that access.

HC clearinghouse

Catalyst does not perform these services.

Access authorization

Implement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process, or other mechanism.

Catalyst operates on the principle of least privilege according to our Access Management policy and SOC 2 standards. Providing customers follow our best practices for data management, Catalyst adheres to the principle of least privilege. Departmental procedures are maintained for granting and revoking access to resources by Catalyst's workforce. Customers maintain access for their own agents, and Catalyst does not monitor that access.

Access establishment and modification

Implement policies and procedures that, based upon the covered entity's or the business associate's access authorization policies, establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process.

Catalyst operates on the principle of least privilege according to our Access Management policy and SOC 2 standards. Providing customers follow our best practices for data management, Catalyst adheres to the principle of least privilege. Departmental procedures are maintained for granting and revoking access to resources by Catalyst's workforce. Customers maintain access for their own agents, and Catalyst does not monitor that access.

Security awareness and training

Implement a security awareness and training program for all members of its workforce (including management).

Security training is conducted upon hire and quarterly for all of Catalyst's workforce.

Security reminders

Periodic security updates.

Security training is conducted upon hire and quarterly for all of Catalyst's workforce.

Protection from malicious software

Procedures for guarding against, detecting, and reporting malicious software.

Catalyst employs reasonable measures to guard against, detect, and report malicious software through vulnerability scans, IDS, DNS filtering, and AV policies.

Log-in monitoring

Procedures for monitoring log-in attempts and reporting discrepancies.

Login attempts are logged in Insight.

Password management

Procedures for creating, changing, and safeguarding passwords.

Catalyst maintains a Password Policy.

Security incident procedures

Implement policies and procedures to address security incidents.

Catalyst maintains an Incident Management policy, and security incident processes and procedures are in place.

Response and reporting

Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes.

See Catalyst's Incident Management and Risk Management policies.

Contingency Plan

Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.

Emergencies would be handled using Catalyst's Incident Management policy and procedures. Catalyst is not the system of record, and any data provided to Catalyst should be a copy. In the event of a data loss, Catalyst would seek replacement documents from customers. Catalyst physically destroys all media or returns it to the customer.

Data backup plan

Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.

Catalyst is not the system of record, and any data provided to Catalyst should be a copy. In the event of a data loss, Catalyst would seek replacement documents from customers. Catalyst physically destroys all media or returns it to the customer.

Disaster recovery plan

Establish (and implement as needed) procedures to restore any loss of data.

Catalyst is not the system of record, and any data provided to Catalyst should be a copy. In the event of a data loss, Catalyst would seek replacement documents from customers. Catalyst physically destroys all media or returns it to the customer.

Emergency mode operation plan

Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.

Catalyst is not the system of record, and any data provided to Catalyst should be a copy. In the event of a data loss, Catalyst would seek replacement documents from customers. Catalyst physically destroys all media or returns it to the customer.

Testing and revision procedures

Implement procedures for periodic testing and revision of contingency plans.

Catalyst is not the system of record, and any data provided to Catalyst should be a copy. In the event of a data loss, Catalyst would seek replacement documents from customers. Catalyst physically destroys all media or returns it to the customer.

Applications and data criticality analysis

Assess the relative criticality of specific applications and data in support of other contingency plan components.

Catalyst is not the system of record, and any data provided to Catalyst should be a copy. In the event of a data loss, Catalyst would seek replacement documents from customers. Catalyst physically destroys all media or returns it to the customer.

Evaluation

Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and, subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which a covered entity's or business associate's security policies and procedures meet the requirements of this subpart.

Catalyst maintains policies and procedures for the fulfillment of SOC 2 security TSP standards. SOC 2 criteria are audited annually, and a compliance report is released.

164.310 Physical safeguards

A covered entity or business associate must, in accordance with § 164.306:

See implementation actions below.

Facility access controls

Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.

Catalyst operates on the principle of least privilege according to our Access Management policy and SOC 2 standards. Additionally, Catalyst maintains a Physical Access Management policy and video surveillance at all locations. IT access is audited quarterly.

Contingency operations

Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.

Catalyst is not the system of record, and any data provided to Catalyst should be a copy. In the event of a data loss, Catalyst would seek replacement documents from customers. Catalyst physically destroys all media or returns it to the customer.

Facility security plan

Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.

Catalyst operates on the principle of least privilege according to our Access Management policy and SOC 2 standards. Additionally, Catalyst maintains a Physical Access Management policy and video surveillance at all locations. IT access is audited quarterly.

Access control and validation procedures

Implement procedures to control and validate a person's access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.

Catalyst operates on the principle of least privilege according to our Access Management policy and SOC 2 standards. Additionally, Catalyst maintains a Physical Access policy and video surveillance at all locations. IT access is audited quarterly. Please note, visitors are not permitted in IT areas, and office visitor logs are maintained.

Maintenance records

Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors, and locks).

Catalyst maintains policies and procedures including Physical Access Management and Change Management. All repairs are logged in our ticketing system.

Workstation use

Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information.

Catalyst has a Device Management policy which lists standards for desktop and mobile devices. There are no controls in place for the standards listed in the policy. Delivery of data per Catalyst's Data Management best practices (via FTP) does not require download to a local Catalyst desktop device. Catalyst maintains discovery documents for its clients which may include ePHI. One of the services our products provide is the local download of documents by authorized users, primarily chosen by the client.

Workstation security

Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users.

Catalyst maintains a Physical Access Management policy for its offices and data centers. Users may also connect to Catalyst systems remotely through a multifactor VPN connection. Local antivirus is installed upon deployment of all workstations. Again, delivery of data per Catalyst's Data Management best practices (via FTP) does not require the involvement of desktop machines.

Device and media controls

Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility.

If a customer chooses to use physical drives that may contain ePHI, Catalyst keeps the drives in secure storage at our office facilities when not in use. Catalyst maintains chain of custody for drives it receives, and either stores them or returns them at the customer's request. Catalyst prefers that data is transmitted by secure FTP and is maintained securely at the colocation facilities.

Disposal

Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored.

Catalyst maintains a Media Destruction policy, and all Catalyst-owned media is destroyed when it is no longer in use. Catalyst returns physical drives or stores them at the customer's request. Catalyst does reuse media if applicable.

Media re-use

Implement procedures for removal of electronic protected health information from electronic media before the media are made available for re-use.

Catalyst maintains a Media Destruction policy, and all Catalyst-owned media is destroyed when it is no longer in use. Catalyst returns physical drives or stores them at the customer's request. Catalyst does reuse media if applicable.

Accountability

Maintain a record of the movements of hardware and electronic media and any person responsible therefore.

See media handling and destruction policies. Catalyst maintains chain of custody on all media received or sent to customers.

Data backup and storage

Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment.

Catalyst is not the system of record, and any data provided to Catalyst should be a copy. In the event of a data loss, Catalyst would seek replacement documents from customers. Catalyst physically destroys all media or returns it to the customer.

164.312 Technical safeguards

Access control

Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in § 164.308(a)(4).

Catalyst Insight is a secure system that only allows access by authorized users. The client files are stored on a system that requires authorization credentials to access. There is no file access without an auth ticket. Data stored and processed in P2 has limited access for those with a need for access.

Unique user identification

Assign a unique name and/or number for identifying and tracking user identity.

Users are assigned unique identities in Active Directory, Insight, and Google.

Emergency access procedure

Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.

Catalyst is not the system of record, and any data provided to Catalyst should be a copy.

Automatic logoff

Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.

Insight has this capability, and it is applied on other systems where possible.

Encryption and decryption

Implement a mechanism to encrypt and decrypt electronic protected health information.

ePHI is not specifically encrypted.

Audit Controls

Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.

Catalyst maintains a Device Management policy and depends on users for adherence to that policy for end user devices. Catalyst infrastructure is monitored with regular scans and an IDS system.

Integrity

Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.

Catalyst is not the system of record, and any data provided to Catalyst should be a copy.

Mechanism to authenticate electronic protected health information

Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.

Catalyst is not the system of record, and any data provided to Catalyst should be a copy.

Person or entity authentication

Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.

Insight uses passwords and user IDs to authenticate users. Two-factor authentication is available at client request.

Transmission security

Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.

Transmissions are encrypted.

Integrity controls

Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.

Catalyst is not the system of record. Catalyst maintains copies of client documents for electronic discovery purposes only. The files are never altered. If destroyed, Catalyst would obtain added copies from its client.

Encryption

Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.

Catalyst offers FTPES and HTTPS to access our services. All files transmitted through FTPES are in encrypted form. Catalyst does not encrypt files at rest.

164.314 Organizational requirements

Business associate contracts

The contract must provide that the business associate will -

(A) Comply

Ensure that any subcontractors that create, receive, maintain, or transmit electronic protected health information on behalf of the business associate agree to comply with the applicable requirements of this subpart by entering into a contract or other arrangement that complies with this section; and...

Catalyst will ensure that appropriate subcontractors have NDAs in place to meet these requirements.

(B) In accordance with § 164.308(b)(2)

Ensure that any subcontractors that create, receive, maintain, or transmit electronic protected health information on behalf of the business associate agree to comply with the applicable requirements of this subpart by entering into a contract or other arrangement that complies with this section; and...

Catalyst will comply with this requirement.

(C) Report

Report to the covered entity any security incident of which it becomes aware, including breaches of unsecured protected health information as required by § 164.410.

Catalyst will comply with this requirement.

Business associate contracts with subcontractors

The requirements of paragraphs (a)(2)(i) and (a)(2)(ii) of this section apply to the contract or other arrangement between a business associate and a subcontractor required by § 164.308(b)(4) in the same manner as such requirements apply to contracts or other arrangements between a covered entity and business associate.

Catalyst will comply with this requirement.

164.316 Policies and procedures and documentation requirements

Policies and procedures

Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in § 164.306(b)(2)(i), (ii), (iii), and (iv). This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirements of this subpart. A covered entity or business associate may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart.

Catalyst believes that it has implemented reasonable and appropriate policies and procedures to comply with the standards, implementation specifications and other requirements designated here.

Standard: Documentation.

Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form; and

Done

(ii) If an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment.

Catalyst maintains records through SOC policies and through this HIPAA compliance statement.

Time limit

Retain the documentation required by paragraph (b)(1) of this section for 6 years from the date of its creation or the date when it last was in effect, whichever is later.

Catalyst will maintain records in accordance with this requirement.

(ii) Availability

Make documentation available to those persons responsible for implementing the procedures to which the documentation pertains.

Catalyst will make records available as may be directed by its client and these regulations.

(iii) Updates

Review documentation periodically, and update as needed, in response to environmental or operational changes affecting the security of the electronic protected health information.

HIPAA documentation will be reviewed in conjunction with annual SOC reviews.

164.410 Notification by a business associate

General Rule

A business associate shall, following the discovery of a breach of unsecured protected health information, notify the covered entity of such breach.

Catalyst will provide notification to its clients consistent with these regulations and Catalyst's BA responsibilities.

164.500 Definitions

Where provided, the standards, requirements, and implementation specifications adopted under this subpart apply to a business associate with respect to the protected health information of a covered entity.

Catalyst follows this requirement.

164.502 Uses and disclosures of protected health information: General rules

Standard

A covered entity or business associate may not use or disclose protected health information, except as permitted or required by this subpart or by subpart C of part 160 of this subchapter.

Catalyst does not use or disclose customer information unless directed by the customer or required by law.

Business associates: Permitted uses and disclosures

A business associate may use or disclose protected health information only as permitted or required by its business associate contract or other arrangement pursuant to § 164.504(e) or as required by law. The business associate may not use or disclose protected health information in a manner that would violate the requirements of this subpart, if done by the covered entity, except for the purposes specified under § 164.504(e)(2)(i)(A) or (B) if such uses or disclosures are permitted by its contract or other arrangement.

Catalyst does not use or disclose customer information unless directed by the customer or required by law.

HITECH Act and Omnibus Rule – IT Security Provisions

Notification in the Case of Breach - 13402(a) and 13402(b)

Covered Entity Notice

A covered entity that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured protected health information (as defined in subsection (h)(1)) shall, in the case of a breach of such information that is discovered by the covered entity, notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, or disclosed as a result of such breach.

Catalyst has specific requirements in place in their BA Agreements with clients to notify clients including Covered Entities of a breach which may or may not include ePHI.

Timeliness of Notification - 13402(d)(1)

Subject to subsection (g)

All notifications required under this section shall be made without unreasonable delay and in no case later than 60 calendar days after the discovery of a breach by the covered entity involved (or business associate involved in the case of a notification required under subsection (b)).

Catalyst has specific requirements in place in their BA Agreements with clients to notify clients including Covered Entities of a breach of data which may or may not include ePHI.

Content of Notification - 13402(f)(1)

Description of breach

Regardless of the method by which notice is provided to individuals under this section, notice of a breach shall include, to the extent possible, the following:

(1) A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known.

Catalyst has specific requirements in place in their BA Agreements with clients to notify clients including Covered Entities of a breach of data which may or may not include ePHI.

Description of ePHI involved

(2) A description of the types of unsecured protected health information that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, or disability code).

Catalyst has specific requirements in place in their BA Agreements with clients to notify clients including Covered Entities of a breach of data which may or may not include ePHI.

Actions by individuals

(3) The steps individuals should take to protect themselves from potential harm resulting from the breach.

Catalyst has specific requirements in place in their BA Agreements with clients to notify clients including Covered Entities of a breach of data which may or may not include ePHI.

Actions by covered entity

(4) A brief description of what the covered entity involved is doing to investigate the breach, to mitigate losses, and to protect against any further breaches.

Catalyst has specific requirements in place in their BA Agreements with clients to notify clients including Covered Entities of a breach of data which may or may not include ePHI.

Contact procedures

(5) Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail

Catalyst has specific requirements in place in their BA Agreements with clients to notify clients including Covered Entities of a breach of data which may or may not include ePHI.

Colophon

Owner: Legal Department

$Date: 2018-07-18 11:59:53 -0600 (Wed, 18 Jul 2018) $

$Revision: 468901 $