HIPAA Compliant

StudyManager software is designed to meet industry security standards, including HIPAA and SAS70. This document provides an overview of how StudyManager applications and data centers meet these requirements.

Watch our informational webinar: Demystifying the HIPAA Privacy Rule for Clinical Researchers, which provides a concise introduction to the HIPAA Privacy Rule and the HITECH Act.

Application Design
The following privacy and security features are implemented within StudyManager products to meet HIPAA compliance standards:
  • Authenticated System Access: A login identifier and password are required. Passwords are always encrypted and login identifiers are unique.
  • Password Strength: All passwords are required to be at least 8 characters and must include a combination of upper-case alphabetic characters, lower-case alphabetic characters, numeric characters, and special characters (such as %, $, and #).
  • Password Aging: All users are required to change their passwords within a customer-specified period of days. 90-day password expiration is the default. Users are warned before the password expires.
  • Authenticated Database Server Access: Access to all StudyManager product databases on servers is limited to the registered database owner or system administrator, both of which require a password.
  • Inactive Session Termination: The system administrator designates how long a session can remain “inactive” before the application automatically terminates it. This prevents a situation where a user steps away from their desk and inadvertently leaves confidential information visible on the screen. The default is 20 minutes.
  • Login Re-access: After 3 failed login attempts, the user trying to log in is alerted that the maximum number of login attempts has been reached and the application must be restarted.
  • Data Partitioning: System administrators can designate which departments, sites, and/or studies a user has access to. This meets HIPAA’s guidelines for providing access to data strictly on a “need to know” basis. This additional layer of confidentiality helps to prevent unauthorized access to patient or study information.
  • User Activity Auditing: StudyManager applications keep a log of events associated with viewing or modifying patient-specific information, along with all successful and failed logins. Audit entries include username, date/time of modification, affected module, study, patient name, and a description of the action taken by the user. Old value/new value information for changed data, where appropriate, is also included. The system administrator can query the audit log within the application’s user interface to view logged activity.

StudyManager Data Center
StudyManager provides both On-Premises and Cloud-based solutions. Our Cloud-based solutions run at an enterprise-class data center on equipment owned solely by StudyManager. Some of the capabilities designed to protect confidential customer data at StudyManager Data Centers are:
  • Firewalls to prevent unauthorized access to StudyManager servers from outside the data center.
  • SSL data encryption to ensure that all data exchanged between StudyManager servers and client computers outside the data center cannot be tapped en route.
  • At-rest encryption of Protected Health Information (PHI) to ensure additional security and exemption from breach notification under the HITECH amendments to HIPAA.
  • Multiple independent network paths and backbone providers to provide system availability and continuity in the event of problems with specific network providers.
  • Highly secure data center building with extensive physical access controls such as staff escort required for access.
  • 24/7 on-site and remote security staff, with engineers available for emergency maintenance.
  • Fully redundant fire suppression, backup power, and environmental controls.
  • Seismic mitigation engineered directly into the building.
For additional information on HIPAA compliance, please email support@studymanager.com.