Security Model
APP Design recognizes the security expectations that come with transmitting healthcare records. Our software is kept up to date with current security features and technologies. The RHIOnet security model delivers a robust and reliable environment for moving healthcare information from source data systems to the caregiver’s desktop. RHIOnet’s security model can be partitioned into six distinct areas:
Authentication/Two-Factor Authentication
RHIOnet’s interchangeable authentication modules deliver the specific level of authentication desired. Simple passwords, complex passwords, token/smart cards or biometrics can be employed to meet security needs. RHIOnet always transmits private authentication data over encrypted connections to prevent password snooping.
Authorization
Authenticated users have an Access Control List built from RHIOnet’s internal security database. This list determines the menu of permitted actions. Only allowed actions are shown to the user, precluding any possibility of executing an unauthorized action. User permissions can be specified on an organizational and transaction level, allowing, for example, a user to have member eligibility permission at all institutions on the network while having only referral permissions at selected institutions.
Provider Privileges
Another important authorization component is the ability to give users substitution rights for approved providers. RHIOnet recognizes that today’s busy providers rarely have time to access systems directly and must rely on office managers and other personnel to retrieve health plan information. The solution allows authorized users to submit requests on behalf of these providers. RHIOnet considers these requests as those of the underlying provider and submits the request on their behalf without giving the submitter any additional privileges. This allows authorized personnel to submit requests for several providers, further reducing costs. In addition, RHIOnet’s Provider Demographics Updates eliminate the need for calls and forms between providers and payers with online updates such as change in location, phone number, e-mail or tax ID number.
Sensitive Requests
RHIOnet provides additional levels of security for sensitive requests such as claims status and referral inquiry, which may contain sensitive patient information. These requests can only be viewed if they involve the submitting provider. For example, providers can only see their own claims and referrals where they are the primary care or referral provider, preventing personnel from “surfing” and viewing unauthorized sensitive information.
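The Authorization, Provider Privileges and Sensitive Requests sections above describe one layered check: an institution/transaction ACL, substitution rights that let staff act for a provider without gaining privileges, and an ownership rule that hides claims the provider is not party to. The following added example (illustrative code, not RHIOnet's implementation; the data model, field names and audit statuses are constructed assumptions) shows the three checks applied in order, with every attempt written to an audit trail carrying the fields the Audit Trail section lists.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample model (assumption): ACL entries keyed by (institution, transaction),
# substitution rights per user, and claims that carry their two providers.
@dataclass(frozen=True)
class Claim:
    claim_id: str
    institution: str
    patient: str
    primary_care: str   # primary care provider on the claim
    referral: str       # referral provider on the claim

@dataclass
class User:
    name: str
    acl: set                                            # {(institution, transaction)} from the security DB
    substitutes_for: set = field(default_factory=set)   # providers this user may submit requests for

@dataclass
class AuditRecord:
    user: str
    on_behalf_of: str
    transaction: str
    source: str
    status: str
    time: str
    patient: str

def permitted_actions(user, institution):
    """Menu offered to the user: only transactions the ACL allows at this institution."""
    return sorted(tx for inst, tx in user.acl if inst == institution)

def view_claim(user, provider, claim, audit):
    """Claim-status inquiry submitted by `user` on behalf of `provider`.
    Every attempt, allowed or denied, is appended to the audit trail."""
    if provider != user.name and provider not in user.substitutes_for:
        status = "DENIED_SUBSTITUTION"   # no right to act for this provider
    elif (claim.institution, "claim_status") not in user.acl:
        status = "DENIED_ACL"            # acting for a provider grants the submitter nothing extra
    elif provider not in (claim.primary_care, claim.referral):
        status = "DENIED_NOT_INVOLVED"   # blocks "surfing" claims the provider is not party to
    else:
        status = "OK"
    audit.append(AuditRecord(user.name, provider, "claim_status", claim.institution,
                             status, datetime.now(timezone.utc).isoformat(), claim.patient))
    return status == "OK"
```

Denied attempts are audited with the reason, so an "excessive requests" report can be built by counting DENIED_NOT_INVOLVED records per user.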
Encryption
RHIOnet provides several levels of encryption to prevent unauthorized persons and outsiders from viewing sensitive information. It provides Secure Sockets Layer v3 encryption between the central server and the user’s Web browser, ensuring that confidential information cannot be “snooped” in transit. The server certificate presented during that handshake also lets the browser verify that it is talking to RHIOnet and not to an intruder “spoofing” the site to steal authentication credentials. If confidential information is received from a clinic or laboratory outside the central server data center, that traffic can be SSL encrypted as well. In fact, RHIOnet can encrypt any of the data streams between its services, allowing them to be dispersed securely over a wide area network if desired.
Audit/Reporting
Every transaction submitted or received by RHIOnet is recorded in an audit trail database. The audit trail records all significant information about each request, transaction and login performed. This audit trail is an essential tool for detecting unauthorized access, credential theft or excessive requests (surfing). RHIOnet provides numerous reports to assist in this detection.
Audit Trail Reports/Disclosure Tracking
RHIOnet’s audit trail records the user name, transaction, information source, status and time of each transaction as well as transaction-dependent information such as patient name for relevant queries. RHIOnet’s Report Service supplies numerous standard reports such as:
- Response Time by Entity
- Transaction Details By Time
- Transaction Grand Totals
- Transaction Hour Averages
- Transaction Hour Peaks
- Transaction Report by User
- Transaction Summary by Month/Year
- Transaction Totals by Hour/Date/Week/Month
- Transaction Totals by Entity/Type
- Transaction Totals by User/Group
- Invalid Logins
- Current Users
- Inactive Users
- Consent Queries
- Consent Updates by Date
- Authorized Contact List
- Administrator Privilege Audit
- Community Portal Details
- Community Portal Summary
HIPAA Compliance
In brief, HIPAA imposes the following standards on healthcare organizations:
- Security – Protection of the patient’s electronically stored or transmitted healthcare information.
- Privacy – Confidentiality of the patient’s healthcare information and specific rules for disclosure.
- Transactions – ANSI X12 transaction format standards for the electronic request and response of healthcare information.
- Codes – Mandated use of specific code sets for uniformity of transmitted data (ICD-9, CPT-4, etc.).
- Identifiers – Unique identifiers for providers, employers, health plans, etc.
RHIOnet can help healthcare organizations meet the HIPAA compliance standards in the following ways:
Security
As described above, RHIOnet’s robust security model enables healthcare organizations to deliver on the stringent security requirements of HIPAA. Features such as the replaceable authentication module allow organizations to enhance security where state or local laws supersede HIPAA requirements and require more robust authentication.
Privacy
RHIOnet’s simple administration makes it easy for organizations to secure information from unauthorized parties while allowing access to all who require it.
Transactions
RHIOnet’s X12 transaction set helps organizations comply with HIPAA mandated standards. In addition, APP Design can create custom interfaces to existing legacy systems, then use RHIOnet’s X12 transaction service to handle incoming X12 transactions, thereby creating “instant” X12 compliance for the organization.
Identifiers
APP Design understands that each organization can have its own set of provider identifiers during the conversion to the National Provider Identifier (NPI). RHIOnet can substitute the appropriate provider identifier for the destination organization “on the fly” as the transaction is transmitted. This saves organizations from maintaining and synchronizing multiple identifier lists. Using APP and RHIOnet, healthcare organizations can demonstrate due diligence in implementing HIPAA standards to avoid fines and penalties.