The Health Insurance Portability and Accountability Act 1996 (HIPAA) is designed to make it easier for people to keep health insurance, protect the confidentiality and security of healthcare information and help the healthcare industry control administrative costs.
MRI OnLocation does not 'process' Patient Health Information (PHI) as defined by HIPAA and therefore we are not subject to comply.
If required, we can enter into a HIPAA Business Associate Agreement (BAA) with you, our customer. Please email OnLocation support (and cc email@example.com) to request a separate Business Associate Agreement.
HIPAA and data accessibility
There are elements of data protection within the HIPAA framework that we do comply with; specifically how users have access to data and how their user access is controlled.
With OnLocation users can only access their account if they are authorized to do so through the Administrative function. Once granted permission, the user must comply with the customer's password strength and password change policies which are defined within their OnLocation account.
Forced Password Change: Best Practice and security auditors recommend that to meet the minimum for compliance, with standards like OWASP, HIPAA, and Sarbanes-Oxley passwords should be changed every 45 to 90 days and should be different every time. OnLocation supports these standards by allowing the customer to set a password change policy to comply with any standard.
Password Strength Standard: Best Practice and security auditors recommend that to meet the minimum for compliance, with standards like OWASP, HIPAA, and Sarbanes-Oxley passwords should:
- Be a minimum of six, preferably eight, characters in length
- Be a combination of uppercase and lowercase letters
- Mixed with numbers and symbols (!, @, #, $, for example)
- Not contain personal information, such as the names of spouses or family members (including pets!), or any information that an attacker could easily derive from a user.
OnLocation provides three password strength options:
- Simple: minimum of 6 characters
- Standard: (the default) minimum of 6 characters; combination of uppercase and lower case letters;
- Complex: (recommended) minimum of 8 characters, combination of uppercase and lower case letters; mixed with at least one number and one symbol (!, @, #, $, for example).