Citrix GoToAssist Corporate HIPAA Compliance Guide


Privacy, productivity and remote support

The healthcare industry has benefited greatly from the ability to receive remote support from technology providers and internal IT departments. However, since the computers being serviced often contain confidential patient data, many remote support products inadvertently put patient privacy at risk, especially if the data is sent or made accessible over unsecured networks such as the Internet.

For this reason, the Health Insurance Portability and Accountability Act (HIPAA) calls for privacy and security standards that protect the confidentiality and integrity of patient health information. Specifically, if you transmit patient data across the Internet, your remote support products and security architecture must provide end-to-end encryption so the data cannot be intercepted by anyone other than the intended recipient. In addition, the remote support products and network must provide access control to allow viewing only by authorized people.

GoToAssist Corporate HIPAA Security Guide

Citrix Online created the following matrix as a guide to assist healthcare providers in navigating the various HIPAA requirements and to demonstrate how Citrix GoToAssist Corporate can support HIPAA compliance. General HIPAA requirements can be found in the Frequently Asked Questions section at the end of this document.

The matrix is based upon the HIPAA Security Standards rule published in the Federal Register on February 20, 2003 (45 CFR Parts 160, 162 and 164, Health Insurance Reform: Security Standards; Final Rule). The Department of Health and Human Services provides the HIPAA Security Standards on its website: df.

www.gotoassist.com

Technical safeguards (45 CFR § 164.312)

Each entry below gives the standard that covered entities must implement, its implementation specification (R = Required, A = Addressable), the key factors from the rule text, and the support provided in GoToAssist Corporate.

(a)(1) Access Control
Implementation specification: R
Key factors: Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to authorized persons or software programs.
Support in GoToAssist Corporate:
- PC and Mac access is 100% permission based, and the customer retains overriding control at all times.
- Representatives and managers must log in using strong passwords to access the GoToAssist Corporate solution.
- Configurable failed log-in lockout threshold.
- The account administrator organizes representatives into groups, defining feature access policy on a per-user or per-group basis.
- The account administrator can terminate sessions in progress.
- Technicians running GoToAssist Corporate as a service must log in with the proper credentials of a local or domain administrator.

Unique User Identification
Implementation specification: R
Key factors: Assign a unique name and/or number for identifying and tracking user identity.
Support in GoToAssist Corporate:
- Representatives and administrators are identified by their unique email address, which serves as their log-in name.

Encryption and Decryption
Implementation specification: R
Key factors: Implement a mechanism to encrypt and decrypt electronic protected health information.
Support in GoToAssist Corporate:
- Provides rapid, secure access to a computer desktop from virtually anywhere, which may be used as a supplementary method for providing emergency access to healthcare information.

(b) Audit Controls
Implementation specification: R
Key factors: Implement hardware, software and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
Support in GoToAssist Corporate:
- All connection and session activity through Citrix Online's distributed network service infrastructure is logged (including file transfers, remote printing, WAN IP and more) for security and quality-of-service purposes.
- Account managers have up-to-the-minute web-based access to advanced management and reporting tools.

(c)(1) Integrity
Implementation specification: R
Key factors: Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.
Support in GoToAssist Corporate:
- Integrity protection mechanisms in GoToAssist Corporate are designed to ensure a high degree of data and service integrity, working independently of any integrity controls that may already exist on the customer's computers and internal data systems.
- The customer has complete overriding control of all keyboard and mouse activity.

(c)(1) Integrity: Mechanism to Authenticate Electronic Protected Health Information
Implementation specification: A
Key factors: Implement methods to corroborate that information has not been destroyed or altered.
Support in GoToAssist Corporate:
- All session data is compressed using proprietary lossless compression techniques and protected using HMAC-SHA1 message authentication codes.
- Numerous additional structural integrity checks are made on the decrypted session data after it is received to ensure data and service integrity.
- Session recording, if enabled, shows whether any data was inadvertently affected by the remote support session.

(d) Person or Entity Authentication
Key factors: Verify that the person or entity seeking access is the one claimed.
Support in GoToAssist Corporate:
- Access to GoToAssist Corporate is protected by a strong password and a unique user log-in ID.
- Representatives must be approved and set up by an administrator before they can access client computers.

(e)(1) Transmission Security: Integrity Controls
Implementation specification: R
Key factors: Ensure that protected health information is not improperly modified without detection.
Support in GoToAssist Corporate:
- All session data is compressed using proprietary lossless compression techniques and protected using HMAC-SHA1 message authentication codes.
- Numerous additional checks are made on the decrypted session data after it is received to ensure network transmission integrity.

(e)(1) Transmission Security: Encryption
Implementation specification: R
Key factors: Encrypt protected health information whenever deemed appropriate.
Support in GoToAssist Corporate:
- All sensitive chat, session, file transfer and service control data transmitted across the network is protected using AES (FIPS 197) in counter mode.
- A unique 128-bit AES encryption key is generated at the start of each session.

Healthcare applications

Authorized technology providers and IS/IT staff can use GoToAssist Corporate's patented web-based screen-sharing technology to instantly and securely view PC and Mac desktops and provide remote assistance to healthcare workers from any location connected to the web. Unlike a remote-access product that copies files or records across the network, a GoToAssist Corporate screen-sharing session carries screen images and the representative's mouse and keyboard commands; the underlying data stays on the healthcare worker's computer unless the file-transfer feature is used, and that feature is itself encrypted, logged and subject to the administrator's feature policy. GoToAssist Corporate further protects data confidentiality through a combination of encryption, strong access control and computer protection methods.
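The transmission-security entries above (AES in counter mode under a fresh 128-bit per-session key, HMAC-SHA1 over the compressed session data, and structural checks on the decrypted payload) and the Encryption section later in this guide together describe an encrypt-then-MAC session channel. The Go program below is an added illustration of that construction written for this edited page; it is not GoToAssist code and does not describe the GoToAssist wire format. The frame layout (8-byte nonce, ciphertext, 20-byte tag), the separate HMAC key, the 4-byte plaintext-length header used as the structural check, DEFLATE standing in for the proprietary compression, and the replay counter are all this example's assumptions.

```go
package main

import (
	"bytes"
	"compress/flate"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

const (
	nonceLen = 8         // per-frame counter; with AES-CTR's 64-bit block counter it fills the 16-byte IV
	tagLen   = sha1.Size // 20-byte HMAC-SHA1 tag
	hdrLen   = 4         // plaintext length stored ahead of the compressed data (structural check)
)

var (
	ErrTruncated = errors.New("frame too short")
	ErrBadMAC    = errors.New("HMAC-SHA1 verification failed; frame rejected before decryption")
	ErrReplay    = errors.New("frame nonce already seen; replay rejected")
	ErrStructure = errors.New("decrypted payload failed structural check")
)

// Session holds one session's keys and counters. The guide states only that a fresh
// 128-bit AES key is generated per session and that HMAC-SHA1 protects session data;
// the separate MAC key, the frame layout and the replay counter are assumptions.
type Session struct {
	encKey   []byte // 16 bytes: AES-128
	macKey   []byte // HMAC-SHA1 key, assumed independent of encKey
	sendNext uint64 // next nonce to use; a CTR nonce must never repeat under one key
	recvNext uint64 // lowest nonce the receiver will still accept
}

// NewSession draws fresh random keys, as the guide describes happening at session start.
func NewSession() (*Session, error) {
	enc, mac := make([]byte, 16), make([]byte, 32)
	if _, err := rand.Read(enc); err != nil {
		return nil, err
	}
	if _, err := rand.Read(mac); err != nil {
		return nil, err
	}
	return NewSessionWithKeys(enc, mac)
}

// NewSessionWithKeys lets a key-exchange layer (or a test) supply the keys.
func NewSessionWithKeys(encKey, macKey []byte) (*Session, error) {
	if len(encKey) != 16 {
		return nil, errors.New("AES-128 needs a 16-byte key")
	}
	if len(macKey) == 0 {
		return nil, errors.New("empty MAC key")
	}
	return &Session{encKey: encKey, macKey: macKey}, nil
}

// ctr builds the AES-128-CTR keystream for one frame: IV = nonce || zero block counter.
func (s *Session) ctr(nonce []byte) (cipher.Stream, error) {
	block, err := aes.NewCipher(s.encKey)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	copy(iv, nonce)
	return cipher.NewCTR(block, iv), nil
}

// Seal prepends the plaintext length, compresses, encrypts with AES-128-CTR under a
// fresh nonce, and appends HMAC-SHA1 over nonce||ciphertext (encrypt-then-MAC).
func (s *Session) Seal(plain []byte) ([]byte, error) {
	var body bytes.Buffer
	hdr := make([]byte, hdrLen)
	binary.BigEndian.PutUint32(hdr, uint32(len(plain)))
	body.Write(hdr)
	zw, err := flate.NewWriter(&body, flate.DefaultCompression)
	if err != nil {
		return nil, err
	}
	zw.Write(plain)
	zw.Close()

	nonce := make([]byte, nonceLen)
	binary.BigEndian.PutUint64(nonce, s.sendNext)
	s.sendNext++
	stream, err := s.ctr(nonce)
	if err != nil {
		return nil, err
	}
	ct := make([]byte, body.Len())
	stream.XORKeyStream(ct, body.Bytes())

	mac := hmac.New(sha1.New, s.macKey)
	mac.Write(nonce)
	mac.Write(ct)
	frame := append(nonce, ct...)
	return mac.Sum(frame), nil // frame = nonce || ciphertext || tag
}

// Open verifies the tag, rejects replays, decrypts, and then runs the structural check.
func (s *Session) Open(frame []byte) ([]byte, error) {
	if len(frame) < nonceLen+tagLen {
		return nil, ErrTruncated
	}
	nonce := frame[:nonceLen]
	ct := frame[nonceLen : len(frame)-tagLen]
	tag := frame[len(frame)-tagLen:]

	// Authenticate first: CTR mode alone lets an attacker flip plaintext bits
	// undetected, so nothing is decrypted until the tag checks out.
	mac := hmac.New(sha1.New, s.macKey)
	mac.Write(nonce)
	mac.Write(ct)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, ErrBadMAC
	}
	n := binary.BigEndian.Uint64(nonce)
	if n < s.recvNext {
		return nil, ErrReplay
	}
	s.recvNext = n + 1

	stream, err := s.ctr(nonce)
	if err != nil {
		return nil, err
	}
	body := make([]byte, len(ct))
	stream.XORKeyStream(body, ct)

	// Structural checks on the decrypted data, in the spirit of the guide's
	// "additional checks ... after it is received": header present, inflate
	// succeeds, and the inflated length matches the declared length.
	if len(body) < hdrLen {
		return nil, ErrStructure
	}
	want := binary.BigEndian.Uint32(body[:hdrLen])
	plain, err := io.ReadAll(flate.NewReader(bytes.NewReader(body[hdrLen:])))
	if err != nil || uint32(len(plain)) != want {
		return nil, ErrStructure
	}
	return plain, nil
}

func main() {
	s, err := NewSession()
	if err != nil {
		panic(err)
	}
	// Constructed sample chat line; not real session data.
	frame, _ := s.Seal([]byte("chat: please lock the workstation before I disconnect"))
	if got, err := s.Open(frame); err == nil {
		fmt.Printf("ok: %q\n", got)
	}
	tampered := append([]byte(nil), frame...)
	tampered[nonceLen] ^= 0x01 // flip one ciphertext bit
	_, err = s.Open(tampered)
	fmt.Println("tampered:", err)
	_, err = s.Open(frame) // same authentic frame a second time
	fmt.Println("replayed:", err)
}
```

Run as written, main seals one constructed message, opens it, then shows a one-bit ciphertext change being rejected by the MAC before any decryption, and the same authentic frame being rejected when presented again. Two points carry the security weight: CTR mode gives confidentiality only, so without the tag a flipped ciphertext bit silently flips the corresponding plaintext bit; and a CTR nonce must never repeat under one key, which is why a per-session key is paired with a strictly increasing counter. HMAC-SHA1 remains a sound MAC because HMAC does not depend on SHA-1's collision resistance, but a design started today would use HMAC-SHA-256 or an AEAD mode such as AES-GCM.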

Security, control and customization

Support administrators have the option of assigning representatives to groups defined by the features to which they are granted access. Some features may be disabled by an administrator to customize the level of security that is appropriate for your organization. Because the security features are built in, administrators can rest easy: security cannot be weakened by inexperienced users.

Encryption

GoToAssist Corporate employs industry-standard end-to-end Advanced Encryption Standard (AES) encryption using 128-bit keys to protect the data stream, file transfers, chat, and keyboard and mouse input. Additional built-in security features such as strong passwords, end-to-end user authentication and unique session connection codes support data confidentiality. GoToAssist Corporate encryption is designed to satisfy the transmission security provisions of the HIPAA Security Standards for the security and privacy of patient data.

Frequently asked questions

Q: What are the general requirements of the HIPAA Security Standards?
(Ref: § 164.306 Security Standards: General Rules)

Covered entities must do the following:
- Ensure the confidentiality, integrity and availability of all electronic protected health information that the covered entity creates, receives, maintains or transmits.
- Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
- Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under the privacy regulations.
- Ensure compliance with this subpart by its workforce.

Q: How are covered entities expected to address these requirements?

Covered entities may use any security measures that reasonably and appropriately implement the standards; however, covered entities must first take into account the risks to electronic protected health information; the organization's size, complexity and existing infrastructure; and costs. The final rule includes three "safeguards" sections outlining standards (what must be done) and "implementation specifications" (how it must be done) that are either "required" or "addressable." If "required," the specification must be implemented to meet the standard. If "addressable," a covered entity must assess whether the specification is reasonable and appropriate in its environment and then implement it, implement an equivalent alternative measure, or document why neither is reasonable and appropriate; "addressable" does not mean optional.
- Administrative Safeguards: policies and procedures, workforce security and training, evaluations and business associate contracts.

- Physical Safeguards: facility access, workstation security, and device and media controls.
- Technical Safeguards: access control, audit controls, data integrity, authentication and transmission security.

Q: What is Citrix Online doing to help customers address HIPAA regulations?

To facilitate our customers' compliance with HIPAA security regulations, Citrix Online is providing detailed information about the security safeguards we have implemented in the GoToAssist Corporate service. This information is provided in several forms, including security white papers, service-specific HIPAA-compliance matrices and other technical collateral. Additionally, Citrix Online's Client Services group is available to provide guidance and assistance in all deployments.

Q: Is GoToAssist Corporate HIPAA compliant?

HIPAA compliance as such applies only to entities covered by HIPAA regulations (e.g., healthcare organizations), not to products. That said, the technical security controls employed in the GoToAssist Corporate service and its associated host and client software meet or exceed the HIPAA technical standards described in the matrix above, and the administrative configuration and control features provided with GoToAssist Corporate support a healthcare organization's compliance with the Administrative and Physical Safeguards sections of the final HIPAA Security Rule. The net result is that GoToAssist Corporate may be deployed as a remote support component of a larger information-management system without undermining the covered entity's HIPAA compliance, provided it is configured and administered as described in this guide.

Q: What is the best way to deploy GoToAssist Corporate in an environment subject to HIPAA regulations?

Just as HIPAA allows considerable latitude in the choice of how to implement security safeguards, no single set of guidelines applies to all deployments. Organizations should carefully review all configurable security features of GoToAssist Corporate in the context of their specific environments, user population and policy requirements to determine which features should be enabled and how best to configure them.

Citrix Online Division
7414 Hollister Avenue
Goleta, CA 93117
U.S.A.
T 1 805 690 6400
info@citrixonline.com
Media inquiries: pr@citrixonline.com, T 1 805 690 2969

Citrix Online Europe, Middle East & Africa
Citrix Online UK Ltd
Chalfont Park House
Chalfont Park, Gerrards Cross
Bucks SL9 0DZ
United Kingdom
T 44 (0) 800 011 2120
europe@citrixonline.com

Citrix Online Asia Pacific
Level 3, 1 Julius Avenue
Riverside Corporate Park
North Ryde NSW 2113
Australia
T 61 2 8870 0870
asiapac@citrixonline.com

About Citrix Online
Citrix Online solutions enable people to work from anywhere. Our products include GoToAssist for remote support, GoToManage for IT management, GoToMeeting for online meetings, GoToMyPC for remote access, GoToTraining for interactive online training and GoToWebinar for larger web events.

© 2010 Citrix Online, LLC. All rights reserved. Citrix is a registered trademark of Citrix Systems, Inc., in the United States and other countries. GoToAssist, GoToManage, GoToMeeting, GoToMyPC, GoToTraining and GoToWebinar are trademarks or registered trademarks of Citrix Online, LLC, in the United States and other countries. All other trademarks and registered trademarks are the property of their respective owners.

11.28.10/B-30578/PDF
