HIPAA compliance

PlusGuidance is HIPAA- and HITECH-compliant

At PlusGuidance, we consider the security and privacy of both your data and your clients' data to be extremely important. To ensure the highest standards in privacy and security, we have adapted our product and company to be HIPAA- and HITECH-compliant.

HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. In the United States of America, all handlers of medical and health information are legally required to comply with this act. This is not a requirement in the United Kingdom and most other countries, but we have found HIPAA policies to provide by far the best standards for security and privacy, and have voluntarily decided to comply with this act. Our rules and methodology with regard to your data are therefore as thorough and strict as possible, so that we can offer you the safest product possible. Additionally, any local regulations on this topic (where present) should also be covered by default, because our standards are higher.

The main purposes of HIPAA are to ensure the confidentiality of personal health information and offer protection against identity theft and medical theft.

What constitutes High-Risk Data?

  1. Personally Identifiable Information
  2. Name and Contact Information
  3. Personal Characteristics

At PlusGuidance, all such types of High-Risk Data are kept securely encrypted and private on our servers. We offer top-level security via our 256-bit SSL encryption.

HIPAA regulates Covered Entities and Business Associates. The former is one of the following: a health care provider, a health plan or a health care clearinghouse. Business Associates, on the other hand, create, receive, transmit or maintain Personal Health Information (PHI) on behalf of the covered entity. Follow the links for more detailed overviews on what constitutes a Covered Entity and a Business Associate.

What constitutes Personal Health Information?

Personal Health Information (PHI), also referred to as Protected Health Information, is defined as any type of individually identifiable health information which is transmitted or maintained in any form or medium (electronic, written or oral).

Individually identifiable information constitutes any type of data that:

  1. Is collected from an individual
  2. Is created or received by a covered entity
  3. Relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present or future payment for the provision of health care
  4. Identifies the individual or can be used to identify the individual

Examples include, but are not limited to: medications, diagnostics, clinical notes and insurance information.

The Omnibus Rule revised HIPAA rules and enacted new provisions regarding privacy and security particularly related to business associates and enforcement. Its compliance date is September 23, 2013.

By abiding by this rule, PlusGuidance ensures that any third parties and/or business associates, vendors and subcontractors that interact with us sign an agreement which imposes additional obligations and restrictions on them in order to ensure full protection of PHI.

In the unlikely event of a breach of unsecured PHI, individuals will be notified immediately. A breach is defined as the acquisition, access, use or disclosure of PHI in a manner not permitted by HIPAA, which compromises the security or privacy of the PHI.

Privacy and security

In short, HIPAA compliance ensures that the organisation will act in accordance with two main rules: the HIPAA Security Rule and the HIPAA Privacy Rule.

1. The HIPAA Security Rule

This sets the standards for ensuring that only those who should have access to electronic PHI will actually have access. This rule is mostly concerned with:

Read more about security guidance.

2. The HIPAA Privacy Rule

This sets the standards for who has access to PHI.

The main idea expressed here is that telehealth services that are HIPAA-compliant will enforce this rule, whereas services which are not have no obligation to do so. Whereas the Security Rule is concerned with electronic PHI only, the Privacy Rule extends to PHI in general, covering every format in which the information may be stored.

Here's a comprehensive summary of the Privacy Rule provided by the US Department of Health and Human Services.

HITECH Act

The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, was signed into US law on February 17, 2009 to promote the adoption and meaningful use of health information technology. Subtitle D of the HITECH Act addresses the privacy and security concerns associated with the electronic transmission of health information, in part through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules.

At PlusGuidance, in order to keep our gold standard in privacy and security, we decided to follow these new guidelines and also be HITECH-compliant.

Some of the measures PlusGuidance takes to be HIPAA- and HITECH-compliant include:

  1. Access to data is assigned to staff on a least-needed basis for carrying out their role, with activity overseen by an appointed Privacy Officer
  2. Staff are educated on HIPAA and on organisational policies and procedures
  3. Access is monitored to prevent breaches in security
  4. Risks are regularly and systematically reviewed, monitored and amended as appropriate
  5. Data is securely encoded and encrypted
  6. All of our associates have agreements in place to meet our standards of security
  7. Data held on our system is secured physically, technically and administratively
  8. Protocols are in place for handling privacy-related complaints and for taking action against people who do not follow the directives