ProVision uses many security features in order to help ensure that your data is accessed only by the users you designate. Computer security is obviously a field that is constantly changing due to a variety of factors. First, your security needs must be constantly re-evaluated as your operation changes. Second, newer and more sophisticated tools for infiltrating computer databases are constantly being developed. Also, governmental (e.g., HIPAA) and other regulations often mandate changes to security policies. Following is a brief summary of some of the measures that C&S uses, beginning with a special section regarding the upcoming HIPAA Compliance regulations for Security.

HIPAA Security Risk Assessment

The Federal HIPAA regulations concerning Network Security Standards are effective April 21, 2005. HIPAA Security Compliance ensures that only those who should have access to Electronic Protected Health Information (EPHI) actually have access. EPHI must be accessible only by authorized people and processes (confidentiality), it must not be altered or destroyed in an unauthorized manner (integrity), and it must be accessible as needed by authorized person (availability).

The Security Standards are divided into three Safeguard categories including Administrative, Physical, and Technical. Administrative Safeguards deal primarily with the personnel and planning functions necessary for a Covered HealthCare Provider (CHCP) to comply. The majority of the Physical and Technical Safeguards are a function of a system's network infrastructure and hardware capability and a CHCP's Software Application. The following list of risk factors represent the primary Security Implementation Specifications along with ProVision's status with each item. For more information please contact C&S or the Centers for Medicare and Medicaid Services (CMS).

1. Does the ProVision system permit data encryption/decryption?
   Yes, any wide area network which is internet based is fully encrypted with local connection optionally encrypted.
2. Does each user have a unique user identification code?
   Yes.
3. Does each user have a unique user password?
   Yes. The system requires the user to enter his/her password at login. Furthermore, the system can require users to change their passwords a set number of days.
4. Do users use unique tokens to access the application?
   Yes. The unique token is the ProVision password. In addition to the system password, each user is assigned a ProVision identity and password that is used to track operator activity and responsibility.
5. Does the system use biometrics (fingerprints, retina scan, etc) to confirm user?
   No.
6. Are there integrity controls for transmission?
   Yes.
7. Are users automatically logged off after a period of inactivity?
   Yes, In compliance with the client's security policy, this will be set up to log Users off after a pre-determined time of inactivity.
8. Is the data protected from unauthorized, unanticipated or unintentional alteration, including detection of such activities?
   Yes.
9. Are there mechanisms to record and examine user activity? (This includes a log of user access without updating data.)
   Yes, ProVision tracks user activity in critical areas of software use. ProVision can also track a record of screens accessed without data change. This added functionality is available as an add-on module.
10. Are there procedures for accessing the application during an emergency?
    Yes. C&S can help clients conduct a risk assessment analysis of their system vulnerabilities and offer practical solutions balanced by economic and realistic concerns. These include backup power supplies, RAID mirroring, redundant parallel processing, network fallback, and the full range of technical remedies. In the worst case (cataclysmic hurricane or tornado, flooding, or fire), we can restore a backup to a new server (usually within 48 hours) and engineer access, either in the client's new location, or through the internet to ours. To accommodate the client's needs in the interim hours, we can provide scheduling and other time-sensitive information from the backup so the client can notify patients of its circumstances. Having dealt with many emergencies through our 25 years, we recommend assessing all the costs associated with the "worst-case scenario," and budget resources appropriately to mitigate risk according to the probability of its occurrence.

Server, Network, and Application level Security

Perhaps the most basic type of security is physical security of the server and backup tapes. C&S recommends storing at least one full backup off-site. Other backup tapes should be kept in a locked, fire-proof safe. C&S recommends that each user of the system be assigned his or her own server login, and that this login have a password, which is changed on a periodic basis. Access times can be assigned to users, i.e., a user can only log on between from 7am to 5pm each day, etc.

In addition to securing the server itself, we further ensure that the server is accessed only from authorized locations, and that the data is protected while it is in transit. Router configurations, access lists, and other similar tools are used to ensure that only users in authorized locations are able to gain access to the server.

It may also be necessary to encrypt data as it is in transit between the user session and the server. In such cases, C&S uses either Secure Socket Layer (SSL) encryption, a standard Internet encryption, or Virtual Private Networking (VPN). Of these two, C&S prefers SSL because the ProVision client has SSL capabilities built in, and because it is more versatile. VPN, on the other hand, typically requires additional third party software and is more difficult and costly to administer.The ProVision application itself has a comprehensive security password scheme, in addition to the system level passwords. Managers will allow each user access only to the parts of application appropriate to the user. In addition, all financial, demographic, and scheduling transactions are logged, with a date and time stamp, for later review by the managers.

Electronic Data Interchange (EDI) and Regulatory Compliance

ProVision complies with all government regulations for data transmission and storage, including the HIPAA Electronic Transaction and Code Sets Rule standard formats effective October 16, 2003. As new regulations are released, C&S applies software updates to all supported clients. Electronic claims are submitted in formats approved by the carriers, either directly to the carrier or to a clearinghouse with which the carrier participates.

Privacy Rule

The ProVision application offers standard tools that assist in complying with the HIPAA Privacy Rule effective April 14, 2003. The Privacy Rule defines who may have access to Protected Health Information (PHI). It requires all covered entities to have in place appropriate administrative, physical, and technical safeguards to comply with protecting access to PHI. ProVision has the ability to electronically track, on a patient basis, the status of patient approval of the privacy forms along with any particular limitations set by the patient.