Security Management Process:

Risk Analysis

meets requirements for 45 CFR 164.308(a)(1)(ii)(A)

Current potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) held by Pruett & Co., LLC, DBA AlpineForm are as follows:

  1. Confidentiality: All ePHI is stored on cloud servers. While multiple safeguards are in place and administrative access is limited to only a few individuals we’d be remiss to declare it impossible to compromise access to ePHI. Risk level: very low.
  2. Integrity: All ePHI is encrypted and we maintain multiple copies in separate physical locations. Files could become corrupted beyond repair, or we could lose the encryption keys, making data unreadable. Risk level: very low.
  3. Availability: We utilize reputable subcontractors for our technical infrastructure and have signed business associate agreements (BAAs) with each. While each maintains high levels of security, disaster could affect the availability of ePHI until our contingency plan is fully executed. Risk level: very low.
  4. Availability: Our team is small, which creates some risk if our infrastructure has a problem while key individuals are physically unwell or are away from a workstation. We cannot physically provide 24/7 monitoring. Risk level: low.

Risk Management

meets requirements for 45 CFR 164.308(a)(1)(ii)(B)

AlpineForm has implemented the following security measures to reduce the aforementioned risks and vulnerabilities in addition to several others to a reasonable and appropriate level to comply with 45 CFR 164.306(a):

  1. Confidentiality: All ePHI is created and stored in encrypted environments.
  2. Confidentiality: All ePHI is only accessible by our administrative-level team members. Our team is required to use strong passwords in conjunction with time-based one-time passwords for two-factor authentication. Each password is required to be unique and not reused between accounts on our various systems.
  3. Confidentiality: Our infrastructure subcontractors cannot access encrypted ePHI data, despite having signed BAAs.
  4. Confidentiality: We intentionally keep our team small and thus maintain tight control of the number of individuals who have access to our systems that create, receive, maintain, and transmit ePHI.
  5. Confidentiality: We do not permit our systems that create, receive, maintain, and transmit ePHI to come into contact with any infrastructure managed by a subcontractor who is unwilling to sign a BAA.
  6. Confidentiality: All ePHI is transmitted using encrypted connections. This applies to inbound data sent to our systems as well as outbound data sent to our users via email and data sent between our applications and backup systems.
  7. Confidentiality: Our systems are scanned daily to ensure that all software is up-to-date and current with all known security vulnerabilities.
  8. Confidentiality: Our ePHI archive system has strict inbound firewall rules at the server level and automatically drops external SSH, MySQL, or DNS connections.
  9. Confidentiality: We utilize an endpoint firewall at the application level that updates its rules in real-time to protect against malware and other vulnerabilities.
  10. Confidentiality: We monitor and block unauthorized login attempts at the application level. This includes brute force protection, XML-RPC protection, reCAPTCHA to block automated attacks, and IP access control.
  11. Confidentiality: Our systems run in data centers that restrict access to data center employees and authorized visitors, require biometrics and state-issued IDs for identification, and are staffed 24/7/365 with security guards and technicians.
  12. Integrity: All ePHI is created, received, maintained, and transmitted using infrastructure that has been proven to be reliable for a minimum of 10 years. We avoid “shiny object syndrome” and do not use unproven technology.
  13. Integrity: All ePHI stored on our systems remains unmodified by the AlpineForm team unless we receive clearly written directions from our covered entity customers to whom the ePHI belongs.
  14. Integrity: All ePHI is backed up daily in multiple redundant locations. Each location is physically separate from the others.
  15. Availability: Our systems are built using infrastructure that has been proven to be reliable for a minimum of 10 years with greater than 99.9% uptime. We avoid “shiny object syndrome” and do not use unproven technology.
  16. Availability: Our routine maintenance that has the potential for downtime is done late at night, avoiding impact on our customers during the workday.
  17. Availability: Our systems run in data centers with redundant network routers, switches, and service providers. Multiple networking systems can fail without affecting downtime or performance.
  18. Availability: Our systems run in data centers with redundant HVAC and power systems, so if one goes out, the others keep all systems powered and within operating temperature.

Sanction Policy

meets requirements for 45 CFR 164.308(a)(1)(ii)(C)

  1. We have a zero-tolerance policy for team members who intentionally fail to comply with our security policies and procedures. We will immediately remove access to all systems that create, receive, maintain, and transmit ePHI.
  2. We have a zero-tolerance policy for subcontractors who do not uphold the terms of the BAA. We will delete ePHI from the subcontractor’s infrastructure and transition to a replacement subcontractor. Immediacy will depend on the impact on our customers and the severity of any breach of contract. If a significant security or privacy breach occurs, we will execute our contingency plan.

Information System Activity Review

meets requirements for 45 CFR 164.308(a)(1)(ii)(D)

  1. Our systems keep records of changes and identify suspicious behavior early to help us mitigate and thwart any security issues.
  2. Our activity logs record all activity, including when changes occur and IP addresses from where changes originate. We log user activity, software updates, file uploads, file deletion, file changes, settings changes, and database changes.
  3. Our email logs record all outbound messages sent by our systems and allow us to monitor deliverability to ensure that they’re going to the correct user addresses.
  4. We review reports on a monthly basis but have instant alerts configured for important and critical changes.

Assigned Security Responsibility:

Security Official

meets requirements for 45 CFR 164.308(a)(2)

  1. Scott Pruett, co-founder of AlpineForm, is responsible for developing and implementing the policies and procedures as required in 45 CFR 164 Subpart C.
  2. Email: scott@alpineform.com
  3. Phone: (540) 358-0137

Workforce Security:

Authorization and Supervision

meets requirements for 45 CFR 164.308(a)(3)(ii)(A)

  1. Authorization to our systems that create, receive, maintain, and transmit ePHI is only granted on an administrative level to our team members who have successfully completed training, both for technical savviness and understanding of relevant HIPAA & HITECH requirements.
  2. All team activity on our systems containing ePHI is recorded. We log user activity, software updates, file uploads, file deletion, file changes, settings changes, and database changes.

Clearance Procedure

meets requirements for 45 CFR 164.308(a)(3)(ii)(B)

  1. Team members will not be authorized to access our systems that create, receive, maintain, and transmit ePHI without a background check.
  2. We verify identity (names, DOB, addresses) using social security numbers.
  3. We search for criminal records from several national databases. Criminal records are not automatic disqualifications but require further review.
  4. We search for records on national and state sex offender databases. Registered offenders are automatically disqualified.
  5. We search for records on global, US, and state watchlists. Risky or sanctioned individuals are automatically disqualified.

Termination Procedure

meets requirements for 45 CFR 164.308(a)(3)(ii)(C)

  1. Upon termination of employment, any team members with access to systems that create, receive, maintain, and transmit ePHI will have all credentials revoked.
  2. Activity records, emails, and other data unique to terminated team members will be archived for a minimum of six years.

Information Access Management:

Access Authorization

meets requirements for 45 CFR 164.308(a)(4)(ii)(B)

  1. Each infrastructure provider we use for creating, receiving, maintaining, or transmitting ePHI is configured to require unique user accounts, strong passwords, and time-based one-time passwords for two-factor authentication.
  2. User accounts may be created without administrative-level access for tasks not related to interacting with ePHI but are only authorized to access ePHI after completing competency training, security training, and background checks.

Access Establishment and Modification

meets requirements for 45 CFR 164.308(a)(4)(ii)(C)

  1. User accounts with access to any of our systems that create, receive, maintain, or transmit ePHI have activity logged for documentation and review.
  2. Right of access to any of our systems that create, receive, maintain, or transmit ePHI can be removed at will by AlpineForm.
  3. We verify logged-in users with a nonce before actions can be performed in the back-end to make sure any actions are intentional.

Security Awareness and Training:

Security Reminders

meets requirements for 45 CFR 164.308(a)(5)(ii)(A)

  1. We have automated notifications to ensure that all security measures are up-to-date. These notifications are triggered by several factors at the server level and the application level that could result in moderate to severe security risks.

Protection from Malicious Software

meets requirements for 45 CFR 164.308(a)(5)(ii)(B)

  1. Our systems are scanned on a daily basis to ensure that all software is up-to-date and current with all known security vulnerabilities.
  2. Our ePHI archive system has strict inbound firewall rules at the server level and automatically drops external SSH, MySQL, or DNS connections.
  3. We utilize an endpoint firewall at the application level that updates its rules in real-time to protect against malware and other vulnerabilities.

Log-in Monitoring

meets requirements for 45 CFR 164.308(a)(5)(ii)(C)

  1. Our activity logs record log-in activity, the date and time of log-in, and the IP addresses from where a log-in occurred.
  2. We monitor and block unauthorized login attempts at the application level. This includes brute force protection, XML-RPC protection, reCAPTCHA to block automated attacks, and IP access control.

Password Management

meets requirements for 45 CFR 164.308(a)(5)(ii)(D)

  1. Our team members are required to use strong passwords in conjunction with time-based one-time passwords for two-factor authentication. Each password is required to be unique and not reused between accounts on our various systems.
  2. We use a secure password manager (software) for our team with administrative control over permissions and multi-factor authentication. This allows us to monitor and mitigate any security risks like potential breaches and inadequate password strength.

Security Incident Procedures:

Response and Reporting

meets requirements for 45 CFR 164.308(a)(6)(ii)

  1. In the event of any security incident of which we become aware, we will immediately respond to secure and protect all ePHI as possible. Details of any security incident will be documented and reported to parties to whom we are legally required to report.
  2. We will report any use or disclosure of ePHI not provided for by our BAA of which we become aware, including breaches of unsecured ePHI as required at 45 CFR 164.410, and any security incident of which we become aware.
  3. As a business associate, we will not send breach notifications on your behalf to individuals, the HHS Office for Civil Rights (OCR), or the media.

Contingency Plan:

Data Backup Plan

meets requirements for 45 CFR 164.308(a)(7)(ii)(A)

  1. We create and maintain multiple retrievable exact copies of AlpineForm.com daily using automated software.
  2. We back up all files containing ePHI in two separate secure locations.
  3. Backups are encrypted, both in transit between data centers and at rest.
  4. Backups are redundant. One copy is stored on-site (in the same data center as our servers), and two additional copies are stored in two separate off-site data centers.
  5. Each backup location is managed by a separate infrastructure subcontractor, and none has access to the others. We require BAAs with each subcontractor.

Disaster Recovery Plan

meets requirements for 45 CFR 164.308(a)(7)(ii)(B)

  1. In the event that a disaster takes AlpineForm.com offline, we will decrypt and restore a backup set using the same software we use to create backups.
  2. In the event that a disaster has compromised the hosting infrastructure of a website that creates, receives, maintains, and/or transmits ePHI, we will restore a backup to one of our hosting environments covered under a BAA.

Emergency Mode Operation Plan

meets requirements for 45 CFR 164.308(a)(7)(ii)(C)

  1. We strive to eliminate the need to enter emergency mode operations, but in the rare event that a catastrophic failure of multiple systems occurs, we will rebuild our infrastructure on alternate service providers and bring systems online after ensuring that security and privacy requirements are met.
  2. Emergency mode operations may include turning off services that transmit outbound data packets that contain ePHI, such as automated email notifications and backup systems. This will not impact the security, privacy, or integrity of ePHI that is created, received, or maintained by our systems. In the event that our customers depend on email notifications to receive ePHI, such as provided through AlpineForm, it will be necessary to contact our team directly via phone, text, or email to request copies of ePHI.
  3. Emergency mode operations may include turning off services that permit the creation or receiving of ePHI by our systems. This will not impact the security, privacy, or integrity of ePHI that is maintained or transmitted by our systems.
  4. Emergency mode operations will cease after all of our primary systems are back online. We will keep affected customers updated via phone, text, or email.

Testing and Revision Procedures

meets requirements for 45 CFR 164.308(a)(7)(ii)(D)

  1. Contingency plans will be tested for reliability on an annual basis.
  2. Contingency plans will be revised as necessary to ensure successful outcomes. In the event that contingency plans are revised, our team will undergo training to ensure technical savviness in implementing the revised plans.
  3. In the event that contingency plans are revised in a manner that affects methods of interaction with our customers, we will send notices via email.

Applications and Data Criticality Analysis

meets requirements for 45 CFR 164.308(a)(7)(ii)(E)

  1. Our position is that all applications and data are critical to business operations. Our AlpineForm service has been designed to minimize dependency on any one infrastructure provider and can be moved between systems easily.
  2. Our contingency plan has been designed to be executed rapidly (same day) to minimize downtime in the event of a disaster.

Evaluation:

Written Contract

meets requirements for 45 CFR 164.308(b)(3)

  1. The satisfactory assurances that are required by 45 CFR 164.308(b)(1) through a written contract to meet the applicable requirements of 45 CFR 164.314(a) can be found in our Business Associate Agreement.
  2. We will not engage in business with any covered entity under HIPAA rules without a signed BAA. This applies to both our compliance services and our AlpineForm service.

Facility Access Controls:

Contingency Operations

meets requirements for 45 CFR 164.310(a)(2)(i)

  1. Due to our use of redundant backup sets, neither our disaster recovery plan nor our emergency mode operations plan requires physical access to the data centers that house our backup files.
  2. If access to each of our redundant backup sets is compromised for some extremely rare reason, we will work with our infrastructure subcontractors to recover any lost data from the facilities that house the servers.

Facility Security Plan

meets requirements for 45 CFR 164.310(a)(2)(ii)

  1. Our systems run on servers in secure data centers that are staffed 24/7/365 with security guards.
  2. Our systems are segregated from other data center tenants by locking cabinets. Only data center staff assigned to supporting our systems have keys.
  3. Each of the subcontractors that house our systems has SOC 1 Type 2, SOC 2 Type 2, and PCI DSS certifications. Our subcontractors that maintain ePHI also have SOC 3, ISO 27001, ISO 27017, ISO 27018, and ISO 27701 certifications.

Access Control and Validation Procedures

meets requirements for 45 CFR 164.310(a)(2)(iii)

  1. Our systems run on servers in data centers that restrict access to data center employees and authorized visitors.
  2. Each data center verifies the identification of all individuals with biometrics and state-issued IDs before they can enter the facilities.

Maintenance Records

meets requirements for 45 CFR 164.310(a)(2)(iv)

  1. Our systems run on servers in data centers managed by infrastructure subcontractors. We do not have direct access to their maintenance records but have contracts with each to ensure that compliance requirements are met.

Workstations:

Workstation Use

meets requirements for 45 CFR 164.310(b)

As a remote-first company, almost all of our work is performed online. This creates flexibility for how and where our team works, but we do have specific requirements for computer (workstation) usage:

  1. Accessing our systems that create, receive, maintain, or transmit ePHI should be done on MacOS or Windows-based computers with up-to-date software.
  2. We do not restrict work to be done in specific locations, though whenever working around other people in publicly-accessible locations, such as in a coworking space or a coffee shop, screens must be positioned away from the view of anyone when interacting with any of our systems that create, receive, maintain, or transmit ePHI.
  3. System settings must be set to automatically enable a screen saver, screen lock, or sleep after 10 minutes of inactivity. If stepping away from the computer, this must be activated manually.
  4. System settings must be set to require a password immediately after a screen saver begins, a screen lock, or sleep.
  5. Whenever working in a publicly-accessible location with other people, such as in a coworking space or a coffee shop, the computer must be within eyesight at all times, even if the screen is locked. This is not required for private locations, such as at home or in a private office.

Workstation Security

meets requirements for 45 CFR 164.310(c)

  1. All internet traffic is encrypted using our company-provided VPN.
  2. Our team computers must be configured with a strong password for login. Biometric login should be enabled as well, if available.
  3. Our company-managed password manager is required to be installed and used for accessing any of our systems that create, receive, maintain, or transmit ePHI. Passwords are encrypted and stored in the password manager, not on-device.
  4. Time-based one-time password two-factor authentication is required to access any of our systems that create, receive, maintain, or transmit ePHI. This requires a second device, such as a smartphone.
  5. Our team computers are protected from keyloggers, cryptocurrency miners, and more threats using a malware scanner with regularly-updated virus databases. This must be set to open at login.
  6. Our team computers are regularly scanned for sensitive browser data, including autofill data that is periodically removed.
  7. When traveling in areas with security checkpoints, all company accounts must be removed from devices that access any of our systems that create, receive, maintain, or transmit ePHI. Accounts can be re-added after passing through security.

Device and Media Controls:

Disposal

meets requirements for 45 CFR 164.310(d)(2)(i)

  1. Our systems are configured to maintain ePHI for active customers. Upon termination of a contract, all ePHI will be moved into an archive.
  2. All archives are permanently deleted from our systems after 30 days.

Media Re-Use

meets requirements for 45 CFR 164.310(d)(2)(ii)

  1. We lease our server infrastructure from subcontractors who may reuse media (storage disks) for future customers. All ePHI will be permanently deleted from storage in accordance with our contracts with each subcontractor.

Accountability

meets requirements for 45 CFR 164.310(d)(2)(iii)

  1. Our systems run on servers in data centers managed by infrastructure subcontractors. We do not have direct access to their records that keep track of any movements of hardware and electronic media but have contracts with each to ensure that compliance requirements are met.

Data Backup and Storage

meets requirements for 45 CFR 164.310(d)(2)(iv)

  1. We create and maintain multiple retrievable exact copies of websites containing ePHI using automated software. Any time equipment is moved, we’ll have at least two off-site copies of all data.
  2. Backups are redundant. One copy is stored on-site (in the same data center as our servers), and two additional copies are stored in two separate off-site data centers.
  3. Each backup location is managed by a separate infrastructure subcontractor, and none has access to the others.

Access Control:

Unique User Identification

meets requirements for 45 CFR 164.312(a)(2)(i)

  1. No shared logins are permitted on any of our systems that create, receive, maintain, or transmit ePHI. This applies to our team as well as our users.
  2. Each user ID must be unique.

Emergency Access Procedure

meets requirements for 45 CFR 164.312(a)(2)(ii)

  1. In the event of an emergency, covered entity customers on an active compliance services plan may contact us via phone, text, or email for copies of their ePHI.
  2. In the event of an internal emergency, we will execute our contingency plan to obtain the necessary ePHI to resume our services with minimal downtime.

Automatic Logoff

meets requirements for 45 CFR 164.312(a)(2)(iii)

  1. When appropriate, user accounts that have access to any of our systems that create, receive, maintain, or transmit ePHI will automatically log out after inactivity.

Encryption and Decryption

meets requirements for 45 CFR 164.312(a)(2)(iv)

  1. Our systems that create, receive, maintain, or transmit ePHI run on infrastructure configured to encrypt data in transit and at rest.
  2. The software packages we use to receive, maintain, and transmit ePHI are configured to encrypt and decrypt data as appropriate.
  3. AlpineForm.com (the website itself) does not save or maintain any ePHI in its database because it’s built on WordPress, which does not use encrypted databases. All files that AlpineForm generates that contain ePHI are securely transmitted to systems that maintain the data in encrypted environments.

Audit Controls & Integrity:

Mechanism to Record and Examine Activity

meets requirements for 45 CFR 164.312(b)

  1. Our activity logs record all activity, including when changes occur, what user made changes, and IP addresses from where changes originate.
  2. We log user activity, software updates, file uploads, file deletions, file changes, settings changes, and database changes.

Mechanism to Authenticate Electronic Protected Health Information

meets requirements for 45 CFR 164.312(c)(2)

  1. Our activity logs and user logs can be used to corroborate that ePHI has not been altered or destroyed in an unauthorized manner.
  2. Because we do not store ePHI in the AlpineForm.com database, we can also compare any activity against our email logs, which record when ePHI was transmitted to its intended recipient(s) after creation.

Person or Entity Authentication:

Verification Procedures

meets requirements for 45 CFR 164.312(d)

  1. Each of our team members’ accounts must be connected to an email address managed by Pruett & Co., LLC, only accessible within our company.
  2. Time-based one-time password two-factor authentication is required to access any of our systems that create, receive, maintain, or transmit ePHI. This is set up at the same time a team member’s account is set up, meaning that each team member is authenticated using a secondary device.

Transmission Security:

Integrity Controls

meets requirements for 45 CFR 164.312(e)(2)(i)

  1. Our systems that create, receive, maintain, and transmit ePHI run on infrastructure designed and managed to be HIPAA compliant.
  2. Each of our infrastructure subcontractors has entered into a BAA with us to ensure compliance, including implemented security measures to ensure that electronically transmitted ePHI is not improperly modified without detection until disposed of.

Encryption

meets requirements for 45 CFR 164.312(e)(2)(ii)

  1. Our systems that create, receive, maintain, and transmit ePHI run on infrastructure configured to encrypt data in transit.
  2. All data submitted to create ePHI is done over a secure socket layer (SSL) connection between an end-user and our systems.
  3. We have configured our systems to force all insecure HTTP connections to switch to secure HTTPS connections automatically.

Business Associate Contracts:

Business Associate Agreement

meets requirements for 45 CFR 164.314(a)(2)

  1. Our Business Associate Agreement (BAA) contract provides that we will comply with the applicable requirements of 45 CFR Part 164 Subpart C with respect to the ePHI of a covered entity.
  2. We have ensured that any of the subcontractors that create, receive, maintain, or transmit ePHI on behalf of us will comply with the applicable requirements of 45 CFR Part 164 Subpart C by entering into a similar BAA contract, in accordance with 45 CFR 164.308(b)(2).
  3. We will report any security incident of which we become aware, including breaches of unsecured ePHI, in accordance with 45 CFR 164.410.

Documentation:

Time Limit

meets requirements for 45 CFR 164.316(b)(2)(i)

  1. Our policies and procedures implemented to comply with 45 CFR Part 164 Subpart C with respect to ePHI of a covered entity will be retained for a minimum of 6 years from the date of their creation (August 2022), or the date when they were last in effect, whichever is later.

Availability

meets requirements for 45 CFR 164.316(b)(2)(ii)

  1. Our policies and procedures implemented to comply with 45 CFR Part 164 Subpart C with respect to ePHI of a covered entity will be available to our team at all times.

Updates

meets requirements for 45 CFR 164.316(b)(2)(iii)

  1. Our policies and procedures implemented to comply with 45 CFR Part 164 Subpart C with respect to ePHI of a covered entity will be reviewed periodically and updated as needed in response to environmental or operational changes affecting security.