OCHIN supports and advises members about security, compliance, and best practices for health data.
Compliance and Security
OCHIN recognizes that HIPAA compliance begins with organizational policies, procedures, and practices that are reinforced through appropriately secured technology. OCHIN is fully compliant with HIPAA and HITECH. As the health care landscape continues to evolve, OCHIN undergoes regular compliance reviews designed to reinforce existing compliance tools and identify potential updates required in the future.
OCHIN’s disaster recovery policies and procedures are fully compliant with HIPAA and industry standards. To further minimize the potential for data loss in the event of a natural disaster, OCHIN utilizes a secondary data center located in a different geographic region and on a separate tectonic plate from the primary data center site. Member clinics are connected to both primary and secondary datacenters through OCHIN’s privately managed medical grade network. The disaster recovery facility is activated annually, and member clinics are required to test their access to the facility.
OCHIN maintains regularly scheduled backups for each information system. Clinical information is replicated to separate systems both within the primary facility (highly available) and to the secondary facility (disaster recovery) within seconds of being committed to the production systems. Additional storage area network “snapshots” and copies to separate network storage occurs nightly for long-term offline protection. All backups are stored on AES-256 encrypted devices.
Data Security Personnel
OCHIN employs a team of highly experienced and appropriately credentialed data security personnel. We consider it every employee’s responsibility to ensure that patient information is protected and treated with the utmost respect and that all HIPAA Privacy and Security Policies and Procedures are maintained and followed by staff. OCHIN staff receive appropriate education and training that begins with an annual baseline training and expands to additional training that is defined based on job and access to protected health information and personally identifiable information.
OCHIN implements auditing functionality to meet all requirements. Audit information is available to both OCHIN compliance and security teams and to member clinics at all time. The audit information is available within the EHR applications and stored separately from the applications to meet compliance requirements.
Encryption and Transmission
All data are encrypted in transit and at rest. Data at rest uses AES-256, while data in transit uses only strong security protocols, such as Transport Layer Security (TLS), with the predominant protocol being TLS v1.2.
Incident Protection and Detection
OCHIN utilizes centralized security information and event management (SIEM) software to correlate and notify on system events, along with commercial vulnerability assessment tools that provide continuous assessment of security vulnerabilities. Critical Incident Response protocols are implemented across the organization and reported up through the Chief Information Security Officer to operational and executive leadership.
Third-Party Security Audit
Annually OCHIN is audited for compliance by a third-party auditor that is qualified to conduct compliance audits for HIPAA and HITECH. Additionally, OCHIN contracts a 3rd Party organization to conduct complete penetration testing from the public internet and from inside the datacenters.