If your company stores, processes or transmits individually identifiable health information in electronic form (electronic protected health information, or e-PHI) about individuals in the US, this article gives an overview of your compliance responsibilities and of how you can work with a SaaS provider like Origami.
The Health Insurance Portability and Accountability Act (HIPAA) was enacted in the US in 1996. Its Privacy, Security and Breach Notification Rules set national standards that protect sensitive patient health information from being used or disclosed without the patient's consent or knowledge, except where the Rules expressly permit it.
How to determine if you need to comply
If your organization is a Health Plan, Health Care Provider, or Health Care Clearinghouse, you’re considered a Covered Entity and you need to comply.
If your organization performs functions or services for a Covered Entity that involve creating, receiving, maintaining or transmitting PHI (for example claims processing, billing, data analysis, or hosting systems that store e-PHI), you are a Business Associate. Business Associates are directly liable under the Security and Breach Notification Rules and must sign a Business Associate Agreement (BAA) with each Covered Entity they serve.
There are limited exceptions to these definitions, so consult the HHS Office for Civil Rights (OCR) or a HIPAA expert if you have any questions about applicability.
Your compliance activities
- Security policies, and a sanctions policy for workforce members who violate them
- Procedures covering the Security Rule's administrative safeguards: risk analysis, workforce onboarding and termination, protection against malicious software, login monitoring, password management, security incident response, emergency response and business continuity plans, data criticality analysis
- Procedures covering its physical safeguards: facility access controls, device and media controls
- Procedures covering its technical safeguards: access controls, authentication, automatic logoff, encryption and decryption, e-PHI access monitoring and controls, data integrity controls
- Procedures covering the Privacy Rule: use and disclosure, research use and disclosure as approved by an Institutional Review Board (IRB) or privacy board, de-identification, workforce training, safeguards, complaints management, non-intimidation and non-retaliation, and no conditioning of treatment on a waiver of rights
- Document management and retention (HIPAA requires required documentation to be kept for six years), and breach notification procedures
- Designate a security official responsible for the security program
- Regularly verify implementation of all policies and procedures both internally and by vendors
- Review information systems regularly
- Data Sharing Agreement with applicable vendors
- Business Associate Agreement with applicable vendors
- Regulatory change management
Origami’s activities as your SaaS provider
- Scoping our features and processes to your needs
- Aligning our physical, process and software safeguards with your organization's policies and procedures
- Signing your BAA and data sharing agreements
- Regularly auditing and providing your organization evidence of how our processes meet commitments set out in your BAA and data sharing agreements
- Submitting to audits by your organization
- Collaborating on changes initiated by regulations, your organization or ours
Contact Origami at [email protected] to find out about our free HIPAA readiness and implementation checklists and compliance solution.