HIPAA & HITECH Compliance
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) sets guidelines for securing patient information. HIPAA guards against unauthorized disclosures of health information. It mandates a national set of security and privacy standards that shield Protected Health Information (PHI), including PHI in electronic form (ePHI). PHI consists of any information used to identify a patient, including names, birthdates, photos, emails, medical record numbers, and more.
HIPAA is comprised of a Privacy Rule, Security Rule, and Breach Notification Rule. The office for Civil Rights (OCR), under the US Department of Health and Human Services, enforces these rules. The OCR began enforcing HIPAA in 2003. In 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act expanded the HIPAA regulations.
Who Needs to Comply With HIPAA?
Anyone that creates, transmits, receives, or stores Protected Health Information (PHI) needs to comply with HIPAA. Individuals, organizations, or agencies may be classified as a Covered Entity or Business Associate under HIPAA.
Common examples of Covered Entities include healthcare providers like physicians, dentists, psychologists, and chiropractors. Hospitals and clinics are classified as covered entities as well. Other examples of Covered Entities include health insurance companies, HMOs, and universities.
Business Associates include any person or organization that uses or discloses PHI on behalf of a Covered Entity. Examples of Business Associates include IT vendors, laboratories, call centers, cloud providers, and legal services. Business Associates are required to protect PHI just as a Covered Entity would, and Business Associates must notify Covered Entities in the event of a data breach. Athreon is considered a Business Associate under HIPAA.
How Athreon Uses PHI
We only use the Protected Health Information entrusted to us to deliver our contracted solutions. Athreon never sells PHI or uses it for non-contracted purposes. We have implemented robust administrative, technical, and physical controls to protect PHI. Our methods safeguard PHI from misuse.
To further comply with HIPAA, we use audit trails to identify what happens with all the PHI in our care. Our technology tracks who accesses PHI, when they access it, what they do with it, and from where they access it. For technical information about our security and privacy practices, visit this link.
HIPAA Business Associate Agreements (BAAs)
HIPAA mandates that Covered Entities and Business Associates must enter into Business Associate Agreements to define expectations and responsibilities for keeping PHI safe. Athreon can review BAAs from Covered Entities or provide a BAA. In addition to signing BAAs with Covered Entities, we enter into BAAs with our technology partners, subcontractors, and anyone else who may support us in providing solutions that involve PHI.
HIPAA Risk Assessments
Under HIPAA, Business Associates must perform a Risk Assessment. A Risk Assessment helps a business to evaluate the effectiveness of the security measures it has in place. Additionally, Risk Assessments help to identify threats to PHI that an organization should address. Athreon performs a HIPAA Risk Assessment annually and, in some cases, more regularly when introducing new technology or processes or making a significant change to our existing technology or processes.
HIPAA Training and HIPAA Policies
Because we take securing patient data seriously, we provide HIPAA training to all our staff members. New hires participate in a comprehensive HIPAA training course, which they renew annually. In between annual training courses, employees participate in weekly HIPAA and cybersecurity training lessons so that security awareness stays top of mind. Likewise, we have developed written HIPAA policies to set clear expectations among our employees for the appropriate handling of PHI. Our HIPAA policies serve to further protect our clients and our company.
HIPAA Compliance – A Shared Responsibility
Although we have implemented strong controls to ensure HIPAA compliance at Athreon and among our Business Associates, data privacy is a responsibility we share with our clients. Clients are responsible for granting appropriate access to Athreon and their end-users. Clients are also responsible for configuring our solutions to adhere to the HIPAA regulations and any other security policies their organization may require.
HIPAA Security Incidents
If we were to have a data breach, we would timely alert impacted Covered Entities about the security incident. We would relay specific details about the security violation and provide a breach risk assessment document and a security incident report. If we agreed to additional breach response measures as part of a BAA, we would enact those measures.
We encourage clients, vendors, employees, or anyone else with concerns about Athreon’s HIPAA compliance to contact firstname.lastname@example.org. Anyone may report a concern without fear of reprisal. A compliance officer will address reported concerns and take the action necessary to remediate the matter.