initial commit

Author: awatson1978

README.md

@@ -0,0 +1,56 @@
+## clinical:hipaa  
+
+HIPAA Compliance for Meteor Apps.  Meta package containing audit log, user accounts, and ssl security.
+
+#### Installation  
+
+``meteor add clinical:hipaa``
+
+#### Packages
+
+This is a meta package, and includes the following sub-packages:  
+
+````bash
+# for private PHI
+[accounts-base](https://atmospherejs.com/meteor/accounts-base)
+[accounts-password](https://atmospherejs.com/meteor/accounts-password)  
+
+# for auditing PHI access
+clinical:hipaa-audit-log  
+
+# for secure transmission of PHI
+[force-ssl](https://atmospherejs.com/meteor/force-ssl)
+````
+
+We're currently in the process of adding at-rest disk encryption for secure PHI at rest.
+
+#### API
+
+````html
+{{> thirdPartyPolicy}}
+{{> approvedToolsPolicy}}
+{{> auditingPolicy}}
+{{> breachPolicy}}
+{{> configurationManagementPolicy}}
+{{> dataIntegrityPolicy}}
+{{> dataManagementPolicy}}
+{{> dataRetentionPolicy}}
+{{> disasterRecoveryPolicy}}
+{{> disposableMediaPolicy}}
+{{> employeesPolicy}}
+{{> facilityAccessPolicy}}
+{{> hipaaBusinessAssociateAgreement}}
+{{> hipaaInheritanceForPaasCustomers}}
+{{> hipaaInheritanceForPlatformAddOnCustomers}}
+{{> hipaaMappingToCatalyzeControls}}
+{{> idsPolicy}}
+{{> incidentResponsePolicy}}
+{{> keyDefinitions}}
+{{> policyManagementPolicy}}
+{{> riskManagementPolicy}}
+{{> rolesPolicy}}
+{{> systemAccessPolicy}}
+{{> vulnerabilityScanningPolicy}}
+````
+
+Of course, any of these templates can be included in a route using Iron Router or Flux Router.  

hipaa-tests.js

@@ -0,0 +1,5 @@
+// Write your tests here!
+// Here is an example.
+Tinytest.add('example', function (test) {
+  test.equal(true, true);
+});

hipaa.js

@@ -0,0 +1 @@
+// Write your package code here!

lib/client-helpers.js

@@ -0,0 +1,6 @@
+Session.setDefault("companyName", "ACME, Inc.");
+
+
+Template.registerHelper("companyName", function(argument){
+  return Session.get("companyName");
+});

lib/hipaa.js

@@ -0,0 +1,9 @@
+Hipaa = {
+  configure: function(options){
+    if(Meteor.isClient){
+      if(options.company){
+        Session.set("companyName", options.company);
+      }
+    }
+  }
+}

package.js

@@ -0,0 +1,85 @@
+Package.describe({
+  name: 'clinical:hipaa',
+  version: '0.0.2',
+  // Brief, one-line summary of the package.
+  summary: 'HIPAA Compliance for Meteor Apps. Audit log, user accounts, and SSL security.',
+  // URL to the Git repository containing the source code for this package.
+  git: 'https://github.com/awatson1978/clinical-hipaa',
+  // By default, Meteor will default to using README.md for documentation.
+  // To avoid submitting documentation, set this field to null.
+  documentation: 'README.md'
+});
+
+Package.onUse(function(api) {
+  api.versionsFrom('1.1.0.2');
+
+  api.use('meteor-platform');
+
+  api.use('accounts-base');
+  api.use('accounts-password');
+  api.use('force-ssl');
+  api.use('clinical:[email protected]');
+  api.use('perak:[email protected]')
+  //api.use('session');
+
+  api.addFiles('lib/hipaa.js');
+  api.addFiles('lib/client-helpers.js', 'client');
+
+
+  api.addFiles('policyTemplates/3rd_party_policy.html');
+  api.addFiles('policyTemplates/approved_tools_policy.html');
+  api.addFiles('policyTemplates/auditing_policy.html');
+  api.addFiles('policyTemplates/breach_policy.html');
+  api.addFiles('policyTemplates/configuration_management_policy.html');
+  api.addFiles('policyTemplates/data_integrity_policy.html');
+  api.addFiles('policyTemplates/data_management_policy.html');
+  api.addFiles('policyTemplates/data_retention_policy.html');
+  api.addFiles('policyTemplates/disaster_recovery_policy.html');
+  api.addFiles('policyTemplates/disposable_media_policy.html');
+  api.addFiles('policyTemplates/employees_policy.html');
+  api.addFiles('policyTemplates/facility_access_policy.html');
+  api.addFiles('policyTemplates/hipaa_business_associate_agreement.html');
+  api.addFiles('policyTemplates/hipaa_inheritance_for_paas_customers.html');
+  api.addFiles('policyTemplates/hipaa_inheritance_for_platform_addon_customers.html');
+  api.addFiles('policyTemplates/hipaa_mapping_to_catalyze_controls.html');
+  api.addFiles('policyTemplates/ids_policy.html');
+  api.addFiles('policyTemplates/incident_response_policy.html');
+  api.addFiles('policyTemplates/key_definitions.html');
+  api.addFiles('policyTemplates/policy_management_policy.html');
+  api.addFiles('policyTemplates/risk_management_policy.html');
+  api.addFiles('policyTemplates/roles_policy.html');
+  api.addFiles('policyTemplates/systems_access_policy.html');
+  api.addFiles('policyTemplates/vulnerability_scanning_policy.html');
+
+  api.export('thirdPartyPolicy');
+  api.export('approvedToolsPolicy');
+  api.export('auditingPolicy');
+  api.export('breachPolicy');
+  api.export('configurationManagementPolicy');
+  api.export('dataIntegrityPolicy');
+  api.export('dataManagementPolicy');
+  api.export('dataRetentionPolicy');
+  api.export('disasterRecoveryPolicy');
+  api.export('disposableMediaPolicy');
+  api.export('employeesPolicy');
+  api.export('facilityAccessPolicy');
+  api.export('hipaaBusinessAssociateAgreement');
+  api.export('hipaaInheritanceForPaasCustomers');
+  api.export('hipaaInheritanceForPlatformAddOnCustomers');
+  api.export('hipaaMappingToCatalyzeControls');
+  api.export('idsPolicy');
+  api.export('incidentResponsePolicy');
+  api.export('keyDefinitions');
+  api.export('policyManagementPolicy');
+  api.export('riskManagementPolicy');
+  api.export('rolesPolicy');
+  api.export('systemAccessPolicy');
+  api.export('vulnerabilityScanningPolicy');
+
+});
+
+Package.onTest(function(api) {
+  api.use('tinytest');
+  api.use('clinical:hipaa');
+  api.addFiles('hipaa-tests.js');
+});

policies/.gitignore

@@ -0,0 +1,60 @@
+### OSX ###
+.DS_Store
+.AppleDouble
+.LSOverride
+
+# Icon must end with two \r
+Icon
+
+
+# Thumbnails
+._*
+
+# Files that might appear on external disk
+.Spotlight-V100
+.Trashes
+
+# Directories potentially created on remote AFP share
+.AppleDB
+.AppleDesktop
+Network Trash Folder
+Temporary Items
+.apdisk
+
+
+### Ruby ###
+*.gem
+*.rbc
+/.config
+/coverage/
+/InstalledFiles
+/pkg/
+/spec/reports/
+/test/tmp/
+/test/version_tmp/
+/tmp/
+
+## Specific to RubyMotion:
+.dat*
+.repl_history
+build/
+
+## Documentation cache and generated files:
+/.yardoc/
+/_yardoc/
+/doc/
+/rdoc/
+
+## Environment normalisation:
+/.bundle/
+/vendor/bundle
+/lib/bundler/man/
+
+# for a library or gem, you might want to ignore these files since the code is
+# intended to run in multiple environments; otherwise, check them in:
+# Gemfile.lock
+# .ruby-version
+# .ruby-gemset
+
+# unless supporting rvm < 1.11.0 or doing something fancy, ignore this:
+.rvmrc

policies/3rd_party_policy.md

@@ -0,0 +1,37 @@
+
+
+# 3rd Party Policy
+
+Catalyze makes every effort to assure all 3rd party organizations are compliant and do not compromise the integrity, security, and privacy of Catalyze or Catalyze Customer data. 3rd Parties include Customers, Partners, Subcontractors, and Contracted Developers.
+
+## Applicable Standards from the HITRUST Common Security Framework
+
+*  05.i - Identification of Risks Related to External Parties
+*  05.k - Addressing Security in Third Party Agreements
+*  09.e - Service Delivery
+*  09.f - Monitoring and Review of Third Party Services
+*  09.g - Managing Changes to Third Party Services
+*  10.1 - Outsourced Software Development
+
+## Applicable Standards from the HIPAA Security Rule
+
+* 164.314(a)(1)(i) - Business Associate Contracts or Other Arrangements
+
+## Policies to Assure 3rd Parties Support Catalyze Compliance
+
+1. The following steps are required before 3rd parties are granted access to any Catalyze systems:
+	* Due diligence with the 3rd party;
+	* Controls implemented to maintain compliance;
+	* Written agreements, with appropriate security requirements, are executed.
+2. All connections and data in transit between the Catalyze Platform and 3rd parties are encrypted end to end.
+3. Access granted to external parties is limited to the minimum necessary and granted only for the duration required.
+4. A standard business associate agreement with Customers and Partners is defined and includes the required security controls in accordance with the organization’s security policies. Additionally, responsibility is assigned in these agreements.
+5. Catalyze has Service Level Agreements (SLAs) with Subcontractors with an agreed service arrangement addressing liability, service definitions, security controls, and aspects of services management.
+	* Catalyze utilizes monitoring tools to regularly evaluate Subcontractors against relevant SLAs.
+7. Third parties are unable to make changes to any Catalyze infrastructure without explicit permission from Catalyze. Additionally, no Catalyze Customers or Partners have access outside of their own environment, meaning they cannot access, modify, or delete anything related to other 3rd parties. 
+8. Whenever outsourced development is utilized by Catalyze, all changes to production systems will be approved and implemented by Catalyze workforce members only. All outsourced development requires a formal contract with Catalyze.
+9. Catalyze maintains and annually reviews a list all current Partners and Subcontractors.
+10. Catalyze assesses security requirements and compliance considerations with all Partners and Subcontracts.
+11. Regular review is conducted as required by SLAs to assure security and compliance. These reviews include reports, audit trails, security events, operational issues, failures and disruptions, and identified issues are investigated and resolved in a reasonable and timely manner.
+13. Any changes to Partner and Subcontractor services and systems are reviewed before implementation.
+14. For all partners, Catalyze reviews activity annually to assure partners are in line with SLAs in contracts with Catalyze. 

policies/CONTRIBUTING.md

@@ -0,0 +1,11 @@
+#Contributing
+
+We encourage contributions to our open source policies. Here's a quick guide on how to contribute:
+
+- Fork this repository so you have a copy on your personal Github account
+- Clone the forked repository (`git clone [email protected]:USERNAME/policies.git`)
+- Make your changes on a new branch
+- Commit and push your changes up to your fork
+- Create a PR with the green PR button basing from Catalyze's policies repository
+
+Once you've created the PR we'll receive a notification for review. If the changes make sense we'll approve and merge them in.

policies/README.md

@@ -0,0 +1,72 @@
+# Catalyze HIPAA Compliance Policies
+
+HIPAA compliance is complicated, but it doesn't have to be. Catalyze helps relieve the technical burden with our HIPAA-compliant cloud computing platform and solutions for healthcare.
+
+In an effort to make compliance as easy as possible for companies working with protected health information (PHI), we decided to open source our company policies. 
+	
+Our policies have been written with modern, cloud-based technology vendors in mind. We looked far and wide for policy examples that fit our company, and couldn't find any. So we wrote our own. Importantly, these policies have been through three external audits—two HIPAA audits and one HITRUST audit.
+
+Do you handle PHI and not yet have your own company policies in place? Then you'll find our content useful.
+
+## Why did we open source these policies?
+
+HIPAA compliance really has two halves. The first half includes all technical guidelines, both physical and digital. Compliant companies take measures to secure their hardware and manage their software in a certain way. Encryption, logging, monitoring—these are just a few examples of HIPAA technical requirements. Catalyze builds its platform with these guidelines in mind.
+
+The second half of HIPAA is focused on administrative and organizational activities. This includes signing Business Associate Agreements (BAAs), and managing company policies like training, among other things. Crafting company policies that align with HIPAA administrative guidelines are straightforward, but an immense burden.
+
+When we were creating our policies, we found lots of policy templates for healthcare providers, but nothing for modern health technology companies. We spent a lot of time and effort writing our policies, then adapting them to meet the demands of external audits. We don't want people to reinvent the wheel; trust us, it's not fun. We also feel a broader community can improve these polices over time, making them better for everybody.
+
+By open sourcing our own company policies, we hope other companies who handle PHI will benefit. It aligns with our company mission: to help you focus on building innovative healthcare applications.
+
+## What do I do with these policies?
+
+As a company who handles PHI, it's critical you maintain and publish your own policies. To make use of our policies, we recommend the following steps.
+
+1. Read through all the enclosed policies to get an understanding to the structure.
+2. When ready, download the policies and comb through for mentions of Catalyze or our business and change to appropriate references to your company.
+3. Publish your policies in a publicly available location. The files are markdown, so you may need to convert to HTML if you don't have a publishing platform capable of markdown format. You can either create an index page linking to each individual policy, or create a single page listing all the policies in line, [much like we did](https://catalyze.io/policy/).
+
+## Who is behind this?
+
+[Catalyze.io](htts://catalyze.io), healthcare's trusted HIPAA-compliant platform.
+
+We help companies who handle PHI, both business associates and covered entities, maintain compliance with our Platform as a Service, Mobile Backend as a Service, and managed data integration services. Think Heroku and Parse for healthcare. In addition, we also provide HL7 Integration for those who need to communicate with EHR vendors like Epic or Cerner.
+
+To get in touch, shoot us an email at [[email protected]](mailto:[email protected]). We'd love to hear from you!
+
+### License
+
+All policies are licensed under [CC BY-SA 4.0](http://creativecommons.org/licenses/by-sa/4.0/).
+
+### Policy Index
+
+Each policy is included as it's own markdown file in case you want to cherry pick specific policies. If you currently have no policies in place, we encourage you to consider utilizing all policies.
+
+* [Introduction](introduction.md)
+* [HIPAA Inheritance for PaaS Customers](hipaa_inheritance_for_paas_customers.md)
+* [HIPAA Inheritance for Platform Add-on Customers](hipaa_inheritance_for_platform_addon_customers.md)
+* [Policy Management Policy](policy_management_policy.md)
+* [Risk Management Policy](risk_management_policy.md)
+* [Roles Policy](roles_policy.md)
+* [Data Management Policy](data_management_policy.md)
+* [System Access Policy](systems_access_policy.md)
+* [Auditing Policy](auditing_policy.md)
+* [Configuration Management Policy](configuration_management_policy.md)
+* [Facility Access Policy](facility_access_policy.md)
+* [Incident Response Policy](incident_response_policy.md)
+* [Breach Policy](breach_policy.md)
+* [Disaster Recover Policy](disaster_recovery_policy.md)
+* [Disposable Media Policy](disposable_media_policy.md)
+* [IDS Policy](ids_policy.md)
+* [Vulnerability Scanning Policy](vulnerability_scanning_policy.md)
+* [Data Integrity Policy](data_integrity_policy.md)
+* [Data Retention Policy](data_retention_policy.md)
+* [Employees Policy](employees_policy.md)
+* [Approved Tools Policy](approved_tools_policy.md)
+* [3rd Party Policy](3rd_party_policy.md)
+* [Key Definitions](key_definitions.md)
+* [Catalyze HIPAA Business Associate Agreement (“BAA”)](catalyze_hipaa_business_associate_agreement.md)
+* [HIPAA Mappings to Catalyze Controls](hipaa_mapping_to_catalyze_controls.md)
+
+
+

policies/approved_tools_policy.md

@@ -0,0 +1,11 @@
+# Approved Tools Policy
+
+Catalyze utilizes a suite of approved software tools for internal use by workforce members. These software tools are either self-hosted, with security managed by Catalyze, or they are hosted by a Subcontractor with appropriate business associate agreements in place to preserve data integrity. Use of other tools requires approval from Catalyze leadership.
+
+## List of Approved Tools
+
+* **Gitlab**. Gitlab is an open source tool built on top of Git, the version control platform. Gitlab is hosted and secured by Catalyze. It is utilized for storage of configuration scripts and other infrastructure automation tools, as well as for source and version control of application code used by Catalyze.
+
+* **Box**. Box is used for storage of files and sharing of files with Partners and Customers.
+
+* **Google Apps**. Google Apps is used for email and document collaboration.