Client Administrator Agreement

Passport Client Administrator Agreement – Existing Client

Please Read the Following Terms and Conditions:

CLIENT ADMINISTRATION TOOL - Responsibilities and Procedures Customer shall designate a person or persons to have full responsibility for all client administration tools and procedures necessary to ensure that access to OneSource and protected health information is limited to users that have been verified as current employees of Customer and have a reason to access such information. Such person or persons shall be referred to as the Passport Client Administration Tool Administrator. Each such person must comply with the implementation and administration of the foregoing. In fulfilling your obligations under this agreement, Customer and the Client Administration Tool Administrator agree without limitation, to the following: (a) Customer will verify user as member of organization and need to access protected health information prior to granting access. (b) Customer will not utilize generic login names, e.g., “admitting department” or “emergency room”. (c) Customer will provide each authorized individual user with a specific and unique login name and password. (d) Customer will transfer new login names and passwords to its employees in a secure manner that ensure the login name and password remains restricted to the use of the intended specific and unique end user. (e) Customer will advise and require all employees to take precautionary measures to prevent their login names and passwords being revealed to others. (f) Customer will review its login name and password list on a monthly basis and immediately delete all employees listed who no longer require access to OneSource. (g) Customer will not add users from other Customer locations which are not referenced in this Agreement. In order to add users at locations not covered under this Agreement, Customer will need to execute an Addendum to Add a New Location.
I have read and agree to the terms and conditions of this agreement.

By checking this box, I certify that I have read these terms and conditions and that all information is complete and accurate. I further certify that I am authorized to sign and contractually bind the facility listed above for the products and services referenced herein and any associated fees. I hereby authorize Passport to process the following addendum. This electronic addendum is available only to current Passport customers.

Designation as a client administrator does not automatically give this person the authority to add credit card, address verification, or financial products. The authority to request changes can only be delegated from the person that signed the addendum.

This Agreement is Accepted and Agreed to by:
Facility:
Passport Login or User ID:
Accepted By:
Title:
Telephone:
Email:
Date:
Client ID: (optional)
Current Client Administrator who authorized this electronic request.
Authorized By:
Title:
Telephone:
Email:

Passport OneSource - Security Guide

OneSource Security Model
The OneSource security model consists of four elements:
1) network firewall, 2) encryption, 3) authentication, and 4) access control lists.

Firewall
Passport uses industry standard firewall protection and monitoring which provide a broad range of security services that govern access to network resources and protects these same resources from both internal and external threats.

Encryption
OneSource uses the Secure Socket Layer (SSL) protocol. SSL is a program layer created by Netscape for managing the security of message transmissions in a network. The primary goal of the SSL Protocol is to provide privacy and reliability between two communicating applications. The SSL protocol provides connection security that is private, can be authenticated using asymmetric or public key cryptography, and is reliable.
SSL encryption is used for any data being transferred between the Passport system and the users. This encryption means that, should any person intercept this data it will be unreadable and cannot be decoded without the proper “keys”. Passport is able to restrict access to clients with only 128-bit browsers on a payer-by-payer basis.

Authentication
Two authentication methods exist for OneSource. The preferred and most prevalent method is Username and passwords. Clients already connected to a corporate network or intranet can also have that network pass authentication information to Passport, so the user only has to be authenticated once.

Username / Password
OneSource can use usernames and passwords to authenticate users. OneSource users are required to change their passwords every 90 days. OneSource employs a “three strikes you’re out” methodology to failed username / password attempts. If a user fails to provide the correct password in three attempts, that username will be locked out of OneSource until the customer support staff has been notified and assigns the user a new password. When username / password authentication is used users are logged out after two hours of inactivity and required to login again after twelve hours regardless of activity.

Corporate Network or Intranet Authentication
We recommend this authentication method for clients that have a large number of users who are already connected on a corporate network or intranet since it may be possible to utilize pass-through authentication to transmit authentication information to Passport transparently, network to network. This way the user only logs in to the local network once and then can access Passport from the local network or intranet. Passport has experience utilizing secure industry standard tools to accomplish the pass-through authentication. Minimal programming is required, but our technical staff is available to assist implementation. For more information on this option, contact the Passport sales representative.

Access Control Lists
OneSource establishes security and access control using its Membership Manager component. When a user makes an inquiry request, OneSource accesses the Membership Manager to determine whether the requestor has been granted permission to that particular data or functionality. The user is only allowed to see and access the data and functions set up through the Membership Manager by Passport administration.

HCFA Internet Security Compliance Statement
The Passport OneSource security model meets the Centers for Medicaid and Medicare Services (formerly Healthcare Finance and Administration (HCFA)) policy governing communications of Privacy Act-protected and other sensitive HCFA information over the Internet as defined in the document titled HCFA INTERNET SECURITY POLICY dated November 24, 1998.

The policy states in Section 7, Paragraph 8, “In summary, a complete Internet communications implementation must include adequate encryption, employment of authentication or identification of communications partners, and a management scheme to incorporate effective password/key management systems”. OneSource addresses each of these areas as outlined below.

Encryption is the organized scrambling of data to avoid inappropriate disclosure or modification. For this requirement, OneSource uses software-based encryption, specifically Secure Sockets Layer (SSL), version 3.0 (Section 7, Option 2 under ACCEPTABLE ENCRYPTION APPROACHES). Passport is able to restrict access to clients with only 128-bit browsers on a payer-by-payer basis.

Authentication or identification technologies allow users to prove they are who they say they are. For most clients, OneSource uses locally-managed digital certificates (Section 7, Option 2 under ACCEPTABLE AUTHENTICATION APPROACHES) for authentication. For the remaining clients, the identification of the user is verified telephonically before a password is issued (Section 7, Option 1 under ACCEPTABLE IDENTIFICATION APPROACHES). Passwords transmitted over the Internet are encrypted (Section 7, Option 4 under ACCEPTABLE AUTHENTICATION APPROACHES).

Physical Security
The data center at Passport which houses the hardware that runs OneSource is secured by a locked door accessible through a combination keypad. Only authorized data center employees are allowed to access the data center.

Explanation of IP Restrictions
To improve our ability to protect sensitive healthcare information, Passport is beginning to require verification of a user’s Internet Protocol (IP) address before adding Client Administrator permission. Restricting access by IP address limits the access to employees logged into your internal network and blocks users from having access to this data from their home computers or PC's not associated with a specific facility network.
Since our customers typically work in a network environment and access the internet with a *NAT'd or static IP addresses, we can use that range of IP addresses from the hospital's network as validation at our firewall. For example, your Hospital may use a range of IP addresses to access the internet from 192.111.111.1 to 192.111.111.228. This information can be obtained from your network administrators. They can contact us with any questions related to this change.

*Network Address Translation (NAT) is a way to map an entire network, (or networks), to a single IP address. NAT is necessary when the number of IP addresses assigned to you, by your Internet Service Provider, is less than the total number of computers that you wish to provide Internet access for. Typically, your internal network will be setup to use one or more of these network blocks. They are:
10.0.0.0/8 (10.0.0.0 - 10.255.255.255)
172.16.0.0/12 (172.16.0.0 - 172.31.255.255)
192.168.0.0/16 (192.168.0.0 - 192.168.255.255)