HIPAA Compliance

PlusGuidance is HIPAA and HITECH compliant

Introduction

At PlusGuidance we consider the security and privacy of both your data and your clients’ data to be extremely important. To ensure the highest standards in privacy and security we have adapted our product and company to be HIPAA and HITECH compliant.
HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. In the United States of America all handlers of medical/health information are legally required to comply with this act. This is not a requirement in the United Kingdom and most other countries, but we have found HIPAA’s policies to provide by far the best standards for security and privacy and have voluntarily decided to comply with this act. Thus, our rules and methodology with regard to your data are as thorough and strict as possible so we can offer you the safest product possible. Additionally, all local regulations on this topic (if present) should also be covered by default due to our higher standards.
The main purposes of HIPAA are to ensure the confidentiality of personal health information and to offer protection against identity theft and medical theft.

What constitutes High-Risk Data?

  1. Personally Identifiable Information
  2. Name & Contact Information
  3. Personal Characteristics

At PlusGuidance all such types of High-Risk Data are kept securely encrypted and private on our servers. We offer top level security via our 256-bit SSL encryption.

HIPAA regulates Covered Entities and Business Associates. The former is one of the following: a health care provider, a health plan or a health care clearing-house. Business Associates, on the other hand, create, receive, transmit or maintain PHI on behalf of the covered entity. Follow the links for more detailed overviews on what constitutes a Covered Entity and a Business Associate respectively.

What constitutes Personal Health Information?

Personal Health Information, also referred to as Protected Health Information is defined as any type of individually identifiable health information which is transmitted or maintained in any form or medium (electronic, written or oral).
Individually identifiable information constitutes any type of data that is:

  1. Collected from an individual
  2. Created or received by a covered entity
  3. Relates to the past, present or future physical or mental health or condition of an individual; provision of health care to an individual; or the past, present or future payment for the provision of health care
  4. Identifies the individual or can be used to identify the individual

Examples include but are not limited to: medications, diagnostics, clinical notes and insurance information.

The Omnibus Rule revised HIPAA rules and enacted new provisions regarding privacy and security particularly related to business associates and enforcement. Its compliance date is September 23, 2013.

By abiding by this rule, PlusGuidance ensures that any third parties and/or business associates, vendors and subcontractors that interact with us sign an agreement which imposes additional obligations and restrictions on their part in order to ensure full protection of PHI.

In the unlikely event of a breach of unsecured PHI individuals will be notified immediately. A breach is defined as the acquisition, access, use or disclosure of PHI in a manner not permitted by HIPAA which compromises the security or privacy of the PHI.

Privacy and security

In short, HIPAA compliance ensures that the organisation will act in accordance with two main rules: the HIPAA Security Rule and the HIPAA Privacy Rule.

1. The HIPAA Security Rule

This sets the standards for ensuring that only those who should have access to electronic PHI will actually have access. This rule is mostly concerned with:

For further reading and security guidance materials please click here or here.

2. The HIPAA Privacy Rule

This sets the standards for who may have access to PHI.
The main idea expressed here is that telehealth services that are HIPAA compliant will enforce this rule, whereas services which are not have no obligation to do so. Whereas the Security Rule is concerned with electronic PHI only, the Privacy Rule extends to PHI in general, including all formats in which the information may be stored.

For a comprehensive summary of the Privacy Rule provided by the US Department of Health & Human Services please click here.

HITECH act

The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, was signed into US law on February 17, 2009, to promote the adoption and meaningful use of health information technology. Subtitle D of the HITECH Act addresses the privacy and security concerns associated with the electronic transmission of health information, in part through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules.

At PlusGuidance, in order to ensure we keep our gold standard in privacy and security, we decided to follow these new guidelines and also be HITECH compliant.

Some of the measures PlusGuidance takes to be HIPAA & HITECH compliant include:

  1. Access to data is assigned to staff on a need-to-know basis for their role, with activity overseen by an appointed Privacy Officer
  2. Education is provided on HIPAA and on organisational policies and procedures
  3. Access is monitored to prevent breaches in security
  4. Risks are regularly and systematically reviewed, monitored and amended as appropriate
  5. Data is securely encoded & encrypted
  6. All of our associates have agreements in place to meet our standards of security
  7. Data held on our system is secured physically, technically and administratively
  8. Protocols are in place for handling privacy-related complaints, and actions are taken against people who do not follow the directives
