hipaa-policies

View the Project on GitHub uwcirg/hipaa-policies

1. Introduction

The University of Washington Clinical Informatics Research Group (“CIRG”) is committed to ensuring the confidentiality, privacy, integrity, and availability of all electronic protected health information (ePHI) it receives, maintains, processes and/or transmits on behalf of its collaborators. As providers of health information systems used by other health care organizations in both research settings, and in the provision of routine clinical care, CIRG strives to maintain compliance, proactively address information security, mitigate risk for its collaborators, and assure that any known breaches of privacy are completely and effectively communicated in a timely manner. The following documents address core policies used by CIRG to maintain compliance and assure the proper protections of infrastructure used to store, process, and transmit ePHI for collaborators.

CIRG provides secure and compliant cloud-based software systems, hosted either on CIRG’s private cloud located on hardware we manage within server facilities at the University of Washington, or on commercial cloud facilities such as AWS (Amazon), or Azure (Microsoft). We operate these systems under a Software as a Service (SaaS) model.

1.1 Software as a Service (SaaS)

SaaS collaborators utilize hosted software and infrastructure from CIRG to deploy, host, and scale custom developed applications and configured databases. These customers are deployed into compliant virtual machines run on systems secured and managed by CIRG.

1.2 Compliance Inheritance

CIRG provides compliant hosted software systems for its collaborators. CIRG does not act as a covered entity, or as a business associate. CIRG operates information systems according to best practices regarding security, availability, and data integrity. CIRG does not mediate the access of authorized system users to ePHI. Such access occurs when our collaborators grant that access to their employees and partners, and so full compliance cannot be assured by CIRG.

Certain aspects of compliance cannot be managed through software alone. Because of this, CIRG collaborators, in order to maintain full compliance, must implement certain organizational policies to be compliant with HIPAA, such as those ensuring that employees understand and respect the privacy of ePHI to which they have access. These policies and aspects of compliance fall outside of the services of CIRG.

Mappings of HIPAA Rules to CIRG controls are described in §2.

1.3 CIRG Private Cloud Concepts

The physical infrastructure environment supporting CIRG’s private cloud is hosted at server facilities of the University of Washington. The network components and supporting network infrastructure are contained within the UW Data Centers. CIRG does not have physical access to the network components. The CIRG environment consists of web servers; application servers; MySQL and PostgreSQL database servers; KVM virtual machine hosts; SAN storage systems; Docker containers; and developer tool and deployment tool servers running on Linux.

Within the CIRG Platform, all data transmission is encrypted and all hard drives are encrypted (note: to be completed in Fall 2017) so data at rest is also encrypted; this applies to all servers - those hosting Docker containers, databases, APIs, log servers, etc. CIRG assumes all data may contain ePHI, even though our Risk Assessment does not indicate this is the case, and provides appropriate protections based on that assumption.

It is the responsibility of CIRG collaborators to restrict, secure, and assure the privacy of all ePHI data at the level where users interact with that data, as this is not under the control or purview of CIRG.

Certain servers are externally facing and accessible via the Internet. Access to databases is restricted to a limited number of personnel and strictly controlled to only those personnel with a business-justified reason.