Vet Lobby Check In & Queuing System

Policies & Procedures

This document describes the policies and procedures at Check In Systems facilities and the policies of Check In Systems employees.

Data, Network & Computers

Data Ownership

Data created and maintained within the Check In Systems software is deemed the work product and property of the subscriber. No data will be used, shared or conveyed to any other party other than to meet legal obligations. Check In Systems will not access the data other than to provide support for the subscriber. Subscriber shall have access to download and/or destroy any and all data at their discretion and the subscriber relieves Check In Systems from the liability of monitoring the functions of export and deletion.

Encrypted backup

All databases are encrypted using rotating keys and when backed up, those encryption functions remain. Rotating keys are not stored in the same location. Backups are stored in individual files in a separate location designed for fast recovery.

Encrypted Workstations & Devices

At Check In Systems, all computers and devices used to access customer data are encrypted, use strong passwords and are physically secured with limited access. All subscriber computers that have access to personal data should also be encrypted. We suggest that, at a minimum, subscribers implement Microsoft Windows encrypted drives, strong passwords and locking screen savers.

Malware protection

All computers at Check In Systems are protected by real time malware detection software. Furthermore, computers are periodically scanned manually for malware and unusual internet activity.

Restricted Use Computers

All computers at Check In Systems that are used for accessing customer data are restricted from open internet access. This minimizes the exposure to outside viruses and malware.

Portable Storage Devices

Portable devices such as CDs, USB drives, and USB chips are restricted in all Check In Systems facilities. Only specific admin users are allowed to use these devices and only for IT related duties. If a portable device is used for storage of PHI, it is required to be encrypted and stored within the locked safe at the corporate offices or a designated off-site safe of the privacy officer. This does not restrict the use by the customer.

Password Maintenance

Passwords at Check In Systems are changed periodically (3-6 months). If an employee is terminated, all users must immediately change their password and all admin passwords are changed.


All servers at Check In Systems are protected using firewall technology to restrict ports, patterns and IP access. Additionally, servers are restricted from many countries outside of the U.S. Server logs are monitored regularly to ensure the firewall policies are up to date.

Device Destruction

Computers and devices at Check In Systems are never repurposed. Any device at end of useful life is physically destroyed beyond recovery within 10 days of being removed from service.

Data Destruction

In accordance with the policies of Check In Systems, the termination of a subscriber will begin the process of data destruction. Within 30 days, Check In Systems will destroy all databases, configurations and backups of that particular subscription. These items will no longer be recoverable. It is the responsibility of the subscriber to download any and all data prior to termination.

Operating System updates

Our server operating systems and supporting software are monitored daily with monthly reviews for applicable patches and updates. Updates are committed on an 'as needed' basis.

PCI Compliance

Check In Systems software and accounting systems do not store credit card information. Therefore, there are no policies of PCI compliance required. Credit card payment is accepted via Stripe merchant services. Stripe is a generally accepted merchant that provides services via programmed interfaces that integrate with accounting systems, yet no data is stored by the accounting software.

Browser Security

All browsers are to be set to delete temporary files when closed. This will remove all temporary files and remove passwords that could be used if accessed by an unauthorized user.

Clean Desk Policy

When an employee is finished for the day or leaves for an extended period, the desktop of that employee shall be clear of all materials that could contain notes, documents and information that may be useful to an unauthorized user. Notebooks used by employees for daily support should be secured at the end of shift. When notebooks are full and no longer usable, they should be shredded within the office. Notebooks should never leave the office.

Printed Materials

Employees are not to print any documents that may contain PHI or customer data except in the rare exception to support a subscriber. Any and all printed materials that may contain PHI or customer data shall be shredded by the end of shift or day.

Physical Site Audit

Check In Systems shall execute a physical site audit no less than once a year to ensure compliance of employees, equipment and facilities. The site audit should be recorded within Compliancy Group documentation.

People & Employees


Check In Systems employees are under constant supervision and training. Although this software does not fall under HIPAA guidelines, HIPAA training is a part of the employment guidelines to keep consistent with HIPAA regulations and employee awareness. Check In Systems uses much of the online training provided by Compliancy Group, a third-party company dedicated to HIPAA compliance of companies like us.

Background Checks

Each employee of Check In Systems undergoes a background check before employment and/or access to any computer systems.

Compliancy / Privacy Officer

Check In Systems has a designated compliancy officer. This person is responsible for developing, implementing and regularly auditing the policies used to maintain HIPAA compliance.

Incidents, Breaches & Reporting


Incidents and breaches are two different things. Each has its own definition, as defined by the Department of Health and Human Services Office for Civil Rights (OCR). In accordance with HIPAA regulations, Check In Systems maintains a policy to report, document and correct the incident or breach. These policies utilize a third party to maintain the perception and transparency of a professional organization.


The HIPAA Security Rule (45 CFR 164.304) describes a security incident as “an attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.” In accordance with this rule, Check In Systems has established a policy and tracking mechanism to deal with incidents. This policy uses a third party, Compliancy Group, to document and notify proper parties when an incident is detected.


HIPAA section 164.402 defines a breach as “the acquisition, access, use, or disclosure of protected health information in a manner not permitted under Subpart E of this part which compromises the security or privacy of the protected health information.” In accordance with this rule, Check In Systems has established a policy and tracking mechanism to deal with breaches. This policy uses a third party, Compliancy Group, to document and notify proper parties when a breach is detected.


Check In Systems employees are trained to immediately report any suspicion of an incident or breach to the Check In Systems compliancy officer. The compliancy officer is responsible for determining if the suspicion constitutes an actual incident or breach. Upon determining an incident or breach has occurred, the compliancy officer will complete the standard reporting form to document the issue. The report will include details of the incident, specific entities that have been affected, and actions that will be taken to correct and notify. This report should be printed and included in the third party documentation platform and the local confidential policy manuals. Follow-up reports should include remediation actions taken to prevent similar future issues.


In the event of an incident or breach, Check In Systems will first act to protect the data from further exposure or damage. Following remediation, an investigation should identify the cause of the incident or breach and the entities and/or persons the data may have been exposed to, and provide information for the required notifications to the covered entity. Notification will be made in accordance with the Reporting policy within this document.

Subscriber Responsibilities

Privacy Contact Information

Check In Systems software provides a field for the subscriber to maintain privacy contact information. It is the responsibility of the subscriber to keep this information up to date. This field will be the primary notification contact. If this contact information is not available, Check In Systems will do their best to obtain a designated contact of the subscriber in the event of an incident or breach but notification may be delayed as a result.


All notifications to Check In Systems shall be in written form (mail or email) to the following contact:

Check In Systems Inc
Privacy Compliance Officer
8401 9th St N
Suite B
St Petersburg, FL 33702

In the event of a reportable incident or breach, primary notification to the subscriber will be to the contact information, as entered by the subscriber, into the Check In Systems software. The contact information is to be maintained by the subscriber and is updatable from the main menu. Notification should include the extent of the incident or breach that affects the subscriber, any known names or data entries that may have been affected and the actions that have been taken to contain the damage.

Notification to Subscriber's Customers

Check In Systems software is focused on the business process of queuing customers. The data collected does not present a method of notifying the people that may have signed into the Check In Systems software. This prevents Check In Systems from directly notifying anyone that may need notification in the event of a breach. The subscriber may have additional information about their customer and therefore will be responsible for notification if needed.

Software Features

Password Expiration

Password expiration is an optional feature in Medical Check In software. Password expiration allows the system to periodically require new passwords on a user level. The subscriber can implement this feature in the configuration.

Multi-factor Authentication

Access to Check In Systems software is only done via multi-factor authentication. User, password and system id are required to access subscriber data. Certain displays with restricted data access may use only two-factor authentication.

Attempted login lockout

Subscribers have the option to implement a lockout system that will lock a user's access if the user ID has 3 or 5 failed attempts. This is a feature that must be activated by the subscriber admin within the configuration of each subscription.

Encryption in motion

As an industry standard for HIPAA, all transmission to and from Check In Systems software is restricted to TLS 1.1/1.2 communication. TLS is a newer and better version of SSL. This ensures that all data is encrypted in motion.

Encryption at Rest

As an industry standard for HIPAA, databases are encrypted at rest. Each location has a dedicated database and those databases are encrypted using rotating keys.

Encrypted backup

All databases are encrypted using rotating keys and when backed up, those encryption functions remain. Rotating keys are not stored in the same location. Backups are stored in individual files in a separate location designed for fast recovery.

Role based Security Levels

Check In Systems software includes a role-based security model with 3 levels. Standard user, reports and admin are levels 1, 3 and 5 respectively. Level 3 users have access to reports and export features. Level 5 admin users have complete control to add/edit/delete users, change configuration and mass delete data.

Custom Menu Configuration

There are many features such as canned reports, exports and displays that may or may not be used by the end user. To streamline the user experience, admin users can turn these menu items on or off. This means the menu is restricted to the features the admin makes available.