
Question

Regulatory compliance and privacy

asked on August 23, 2016

Do some of these forms meet regulatory compliance regarding privacy? For example, does the Leave of Absence business process meet the guidelines for HIPAA (Health Insurance Portability and Accountability Act) compliance? This is especially critical with confidentiality and involving transmission of individuals' medical information.


1 0

Answer

APPROVED ANSWER
replied on August 23, 2016

Hi Debbie,

Yes, HIPAA compliance is often a point of concern for HR process implementations. There are 3 areas where confidential information is/can be stored in this process: the Forms database, Forms process instances, and the repository. If Workflow was involved, sensitive data could also be exposed in Workflow instances, but this process was designed to run without Workflow to avoid that problem. I am assuming you are using SSL for secure data in transit, so this response only considers data at rest. 

To mitigate security issues in the Forms database, a common practice is to: 1) secure the Forms database such that only one service user has access to the database, 2) have that service account password changed frequently so that if anyone needs to access the database for troubleshooting/maintenance reasons, they need to request the password, 3) audit the database to ensure that the database is only being accessed when needed by the service account. You can also encrypt the database if desired. 

To secure the Forms process instances in Laserfiche (which contains sensitive form field information) you can set the Forms Process Administrator to someone in HR who is allowed to see that information. That will ensure that no one else using Forms (and who is not part of the process) can access those process instances and their confidential information. 

To secure the repository and repository database, there are a number of ways to restrict access. Many customers prefer to set up an HR-only repository to be safe, but you can also set strict folder access rights and template and volume security to restrict access.

In the end, IT system administrators will always have a way to dig up sensitive information if they really want to, as this is the unavoidable result of a technical system--though it is understood they should not be snooping around. Other than that, these security measures should meet HIPAA compliance regulations, and be safe enough to use in a work environment.

Hope this helps!
Vicky 

7 0
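Item 3 of the answer above (audit the Forms database so it is only ever touched by the one service account) is the part that can be checked mechanically. The script below is an added example written for this thread, not Laserfiche code; it assumes a constructed CSV export of login audit events with columns timestamp, login, database and application, and flags any access to the Forms database by a login other than the service account.

```python
"""Audit check for a Forms database restricted to a single service account.

Added example for this thread (not Laserfiche code). Assumes a CSV export of
login audit events shaped as: timestamp,login,database,application. Real
audit exports differ; map their columns to this shape before running.
"""
import csv
import io
from collections import Counter

# Constructed sample audit export: the service account plus one interactive
# login (CORP\jdoe via Management Studio) that should be reviewed.
SAMPLE_AUDIT_CSV = """timestamp,login,database,application
2016-08-23T08:00:01,svc_lfforms,LFForms,LaserficheForms
2016-08-23T08:00:05,svc_lfforms,LFForms,LaserficheForms
2016-08-23T13:42:10,CORP\\jdoe,LFForms,Microsoft SQL Server Management Studio
2016-08-23T13:45:00,svc_lfforms,OtherDb,LaserficheForms
"""


def _rows_for_database(audit_csv, database):
    """Yield audit rows that touch the given database (case-insensitive)."""
    reader = csv.DictReader(io.StringIO(audit_csv))
    for row in reader:
        if row["database"].lower() == database.lower():
            yield row


def find_unexpected_access(audit_csv, database, service_login):
    """Return rows where `database` was accessed by any login other than
    `service_login`. Each such row is a candidate HIPAA access-review item."""
    return [row for row in _rows_for_database(audit_csv, database)
            if row["login"].lower() != service_login.lower()]


def summarize_logins(audit_csv, database):
    """Count accesses to `database` per login, for a periodic review report."""
    return Counter(row["login"] for row in _rows_for_database(audit_csv, database))


if __name__ == "__main__":
    for hit in find_unexpected_access(SAMPLE_AUDIT_CSV, "LFForms", "svc_lfforms"):
        print("REVIEW:", hit["timestamp"], hit["login"], hit["application"])
    print(summarize_logins(SAMPLE_AUDIT_CSV, "LFForms"))
```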

Replies

replied on August 24, 2016

Assuming we are talking about an on-premise system, Vicky is quite correct regarding the IT side of meeting HIPAA. In addition, from a process perspective you will want to ensure that you are saving all of the task data as part of your audit process. I suggest adding a Save to Repository step that includes the action history (and potentially the XML). This provides you with a record of who touched and viewed HIPAA-related information as part of the process. You will also want to make sure that any processes where medical information is sent to the repository have a full audit trail and records management.

If you have an off-site database, you will want to make sure that the transmission is not only SSL but meets the FIPS 140-2 encryption standards. Also, if the data center is run by a separate entity for your organization, you will want to ensure that you have a full Business Associate Agreement ("BAA") that confirms they understand that, as an associate, they are required to meet HIPAA standards of data security.

4 0
replied on August 24, 2016

Thank you both for the information.

0 0