Is Oracle Configuration Manager HIPAA compliant?

oracle, vendor-support

Does Oracle's Configuration Manager, which according to Oracle provides "40% faster issue resolution", violate HIPAA or require specific configuration in order to comply?

This question concerns databases that contain Protected Health Information (PHI). The question's scope only covers OCM and not the broader scope of Oracle support accessing the database.

The following from Oracle describes what OCM collects:

Oracle Configuration Manager can automatically gather the
configuration information of Oracle product installs, and upload this
information onto Oracle’s support systems. The configuration
information being collected by Oracle Configuration Manager includes:
• Installed patches
• Deployment platforms, dates, versions, and type
• Deployed components and applications
• Content of configuration files
• Information about network configurations

Note that the information collected by Oracle Configuration Manager is
limited to configuration information. The utility does not collect
sensitive data such as actual customer data (that is any data other
than configuration information, including actual applications or
database transactions), password hash values, log on events, etc. My
Oracle Support note 728985.1 provides a list of all the data collected
by Oracle Configuration Manager.

According to hhs.gov, the following information is protected by HIPAA:

The Privacy Rule protects all "individually identifiable health
information" held or transmitted by a covered entity or its business
associate, in any form or media, whether electronic, paper, or oral.
The Privacy Rule calls this information "protected health information
(PHI)."

“Individually identifiable health information” is information,
including demographic data, that relates to:

• the individual’s past, present or future physical or mental health or condition,
• the provision of health care to the individual, or
• the past, present, or future payment for the provision of health care to the individual,

and that identifies the individual or for which there is a reasonable
basis to believe it can be used to identify the individual.
Individually identifiable health information includes many common
identifiers (e.g., name, address, birth date, Social Security Number).

Best Answer

Yes, as long as the data being transmitted is monitored in a "reasonable" way.

If the database hosts PHI and Oracle is assisting in the management of the database, you must have a written contract with the vendor.

Standard: Business associate contracts and other arrangements. A covered entity, in accordance with §164.306, may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity's behalf only if the covered entity obtains satisfactory assurances, in accordance with §164.314(a) that the business associate will appropriately safeguard the information.

Document the satisfactory assurances required by paragraph (b)(1) of this section through a written contract or other arrangement with the business associate that meets the applicable requirements of §164.314(a).

You have to log the vendor's access into the database and ensure they cannot access PHI.

(A) Authorization and/or supervision (Addressable). Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.

(C) Log-in monitoring (Addressable). Procedures for monitoring log-in attempts and reporting discrepancies.

(B) Access authorization (Addressable). Implement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process, or other mechanism.

(a)(1) Standard: Access control. Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in §164.308(a)(4).

(b) Standard: Audit controls. Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.

If they access PHI you will have to log the incident and report it.

Please see http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/adminsimpregtext.pdf page 38 for more information on HIPAA IT policies.

The thing about HIPAA is that most of the requirements are vague, and it asks you to take "reasonable" steps to prevent a PHI breach (it marks these items as addressable). I've been through a couple of HIPAA audits myself.
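One way to implement the logging the answer calls for, as an added example that is not part of the original answer: an Oracle Unified Auditing policy that records every action taken by a dedicated vendor support account, a second policy that records any access to the tables holding PHI regardless of who performs it, and a review query over the audit trail. The account name ORACLE_SUPPORT, the schema CLINICAL and its table names are assumptions for illustration; the database must be running with Unified Auditing enabled (Oracle 12c or later).

```sql
-- Added example, not from the original post. Assumed names: support account
-- ORACLE_SUPPORT, PHI schema CLINICAL with tables PATIENTS and ENCOUNTERS.
-- Requires Oracle 12c+ with Unified Auditing; run as a user with AUDIT_ADMIN.

-- 1. Record everything the vendor support account does, successful or not.
--    This is the "log-in monitoring" and "audit controls" evidence an auditor
--    will ask for when a business associate has a login on the system.
CREATE AUDIT POLICY vendor_support_all_actions
  ACTIONS ALL;
AUDIT POLICY vendor_support_all_actions BY ORACLE_SUPPORT;

-- 2. Independently record any read or write of the PHI tables by anyone,
--    so access through some other path (a shared DBA account, a copied
--    credential) is still visible.
CREATE AUDIT POLICY phi_table_access
  ACTIONS SELECT ON CLINICAL.PATIENTS,
          INSERT ON CLINICAL.PATIENTS,
          UPDATE ON CLINICAL.PATIENTS,
          DELETE ON CLINICAL.PATIENTS,
          SELECT ON CLINICAL.ENCOUNTERS,
          INSERT ON CLINICAL.ENCOUNTERS,
          UPDATE ON CLINICAL.ENCOUNTERS,
          DELETE ON CLINICAL.ENCOUNTERS;
AUDIT POLICY phi_table_access;

-- 3. Review query: did the support account touch the PHI schema?
--    Any row returned is the incident the answer says must be logged and
--    reported. Run it on a schedule, not only when an audit is announced.
SELECT event_timestamp,
       dbusername,
       action_name,
       object_schema,
       object_name,
       return_code,          -- non-zero means the attempt failed
       sql_text
  FROM unified_audit_trail
 WHERE dbusername    = 'ORACLE_SUPPORT'
   AND object_schema = 'CLINICAL'
 ORDER BY event_timestamp;
```

The audit policies only make access visible; the "ensure they cannot access PHI" half of the answer still depends on the support account holding no grants on the CLINICAL schema and no SELECT ANY TABLE style privilege, so check DBA_TAB_PRIVS and DBA_SYS_PRIVS for that account alongside the audit trail.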