If your company stores any data about US citizens that is classified as Electronic Protected Health Information (e-PHI), this article provides an overview of your compliance responsibilities, and how you can work with a SaaS provider like Origami.
The Health Insurance Portability and Accountability Act (HIPAA) was enacted in the US in 1996, and led to national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.
The US Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule standards to implement HIPAA requirements on how covered entities can use and disclose individuals’ protected health information (PHI), as well as individuals’ rights to understand and control how their health information is used.
The HIPAA Security Rule protects the electronic form of individually identifiable health information (e-PHI) created, received, maintained or transmitted by a covered entity.
The Food and Drug Administration (FDA) issued Guidance for Medical Device Manufacturers in 2017 on sharing Patient-Specific Information from Medical Devices with Patients Upon Request.
In 2009 and 2013, the HITECH Act updated HIPAA.
How to determine if you need to comply
If your organization is a Health Plan, Health Care Provider, or Health Care Clearinghouse, you’re considered a Covered Entity and you need to comply.
If your organization provides services to a Health Care Provider, such as assisting in treatment or diagnosis, you are also considered a Covered Entity and you need to comply.
There are limited exceptions to the definitions, so consult with the HHS or an expert if you have any questions about applicability.
Your compliance activities
- Policies for security and sanctions
- Procedures for risk analysis, security, onboarding, termination, malicious software, login monitoring, password management, security incidents, emergency response plans, business continuity plans, data criticality analysis, facility access controls, device and media controls, access controls, authentication, logoff, encryption and decryption, e-PHI access monitoring and controls, data integrity controls, document management and retention, breach notification, use and disclosure, research use and disclosure as approved by a privacy Institutional Review Board (IRB), de-identification, training, safeguards, complaints management, non-intimidation or retaliation, waiver of rights
- Designate security responsibility
- Regularly verify implementation of all policies and procedures both internally and by vendors
- Review information systems regularly
- Data Sharing Agreement with applicable vendors
- Business Associate Agreement with applicable vendors
- Regulatory change management
Origami’s activities as your SaaS provider
- Scoping our features and processes to your needs
- Aligning our physical, process and software procedures to your organization’s own
- Signing your BAA and data sharing agreements
- Regularly auditing and providing your organization with evidence of how our processes meet the commitments set out in your BAA and data sharing agreements
- Submitting to audits by your organization
- Collaborating on changes initiated by regulations, your organization or ours
Contact Origami at [email protected] to find out about our free HIPAA readiness and implementation checklists and compliance solution.