How we help you comply: HIPAA
What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) sets out mandatory requirements that organisations covered by it need to comply with in order to collect, process and secure protected health information (PHI).
HIPAA applies to ‘covered entities’. These can be institutions, organizations or individuals who are: (1) health plan providers; (2) health care clearinghouses; and, (3) health care providers who electronically transmit health information in connection with transactions for which the US Department of Health and Human Services (HHS) has adopted standards. This means that hospitals, medical centers, physicians and other providers who transmit claims information to health plans are covered.
What is HITECH?
The Health Information Technology for Economic and Clinical Health Act (HITECH) made changes to the HIPAA privacy regulations, such an amending parts of the Security and Privacy Rules.
Why is it important to us?
Whilst we ourselves do not offer regulated software and services, we are mindful of our obligations to the companies and people using our services where their own products, services and activities may be caught by the requirements of HIPAA and HITECH.
We can provide further information to you about how the compliance measures that we take in respect of our own software and services can help you to meet your own obligations under HIPAA and HITECH. We can provide this information either under a non-disclosure agreement or through any secure portal functionality that we may provide on our website from time to time.
Why is it important to you?
If you use our software services to process personal PHI then this activity will be subject to certain requirements set out in HIPAA and HITECH. You will need to make sure that you comply with your obligations and we can help you meet these.
Software and services focussed on compliance
Our software and services are firmly focussed on ensuring regulatory compliance – not just with HIPAA and HITECH, but with other privacy regulations around the globe. You can find out more information on each of these using the links above or the Products and Solutions tabs at the top of the page.
Protect your Content
Our communication and file sharing services provide security and encryption to protect your Content and help to ensure that it remains confidential and secure.
User controls and access permissions
Our software and services can provide you with tools to ensure that only those who you want to access your Content (and any PHI in it) can do so. These editable and auditable permission controls provide key regulatory compliance when sharing PHI with colleagues and third parties, and ensure that you remain in control of your Content (and any PHI in it).
Taking steps to prevent breaches before they happen
Through our Prevent tool we also provide tools that guide user behaviour to help prevent incidents before they arise.
Where you subscribe to a service that we host on your behalf, we use market leading providers to ensure that your Content (and any PHI in it) remains safe and secure. You can find our more information here and here.
Transparency and information
We provide a wide range of information and resources on our Legal and Compliance hubs to enable you to conduct your own risk assessments on us to ensure that you are able to meet your own obligations under HIPAA and HITECH.
Some of these may be subject to controls to ensure the confidentiality of any information that we provide to you, so please bear with us if we ask you to sign up to user terms or non-disclosure obligations prior to giving you access.
What is a BAA?
BAA is an easy way to refer to a Business Associate Agreement (or Business Associate Contract). These provide contractual clauses that are specific to meeting certain regulatory requirements that are placed on covered entities under HIPAA and HITECH.
Our BAA expands on the obligations placed on us under our standard Master Subscription Agreement to ensure that you, as a covered entity, have the right contractual relationship with us to ensure that both of us comply with these legislative requirements.
What is a business associate?
A business associate is anyone who handles PHI for any reason on behalf of a covered entity (or on behalf of another business associate of a covered entity). This could be an organization or individual who creates, transmits, receives, stores or maintains PHI.
Where can you find our BAA?
You can find it via the link on our Legal Hub at here. Please note that this link starts a Docusign process, but do not worry – simply entering your name and email address provides secure access to our document but you will not sign it unless you complete the process.
What if you do not sign our BAA?
Our standard Master Subscription Agreement applies across all the jurisdictions that we operate in. The requirements of HIPAA and HITECH may not always be relevant to a customer and so we chose to detail these clauses in a separate document – our BAA. As a result, if you do not execute it we recommend that you obtain separate legal advice to assess the impact or risks on you and your own compliance efforts.
Key HIPAA and HITECH requirements
Protected Health Information
This is the category of information that is regulated by HIPAA and HITECH. It covers individually identifiable information relating to the past, present and future health status of an individual. It might include information such as diagnoses, test results, prescriptions and treatment information, and other identifiers like birth dates, ethnicity, gender, account numbers, name, biometric information and so on.
The Security Rule requires that safeguards are implemented to ensure the confidentiality, integrity and availability of this information, whilst the Privacy Rule places limits on what this information can be used for and how it can be disclosed.
With data protection at the core of our software and services, and compliance programmes, we are perfectly placed to help you to ensure the security and confidentiality of the PHI you control. Encryption is a key aspect of our service delivery and our software and services can provide you with tools to ensure that only those who you want to access your Content (and any PHI in it) can do so. These editable and auditable permission controls provide key regulatory compliance when sharing PHI with colleagues and third parties, and ensure that you remain in control of your Content (and any PHI in it).
Through our Prevent tool we can also provide tools that guide user behaviour to help prevent incidents before they arise.
The Security Rule
This rule requires covered entities to consider the threats that could be posed to the security of the PHI that they maintain, store and process. They are then required to take steps to protect against these. This means that covered entities need to consider physical, technical and administrative safeguards– including measures such as encryption software.
To help you capture how our software and services work and form part of your security measures, we provide information about how they work here, and information about the steps that we take to protect information can be found here.
We are able to provide more detailed on request. Please note that these are subject to controls to ensure the confidentiality of any information that we provide to you, so please bear with us if we ask you to sign up to user terms or non-disclosure obligations prior to giving you access.
The Privacy Rule
The Privacy Rule has a slightly different emphasis to the Security Rule in that, whilst it still places obligations on covered entities to protect PHI, it focuses more on: (1) controls around the uses and disclosures of PHI (e.g. requirements for patient authorization) in whatever form the PHI is held; and, (2) the rights that patients have in their own PHI (e.g. a right to examine PHI held by a covered entity, to obtain a copy of it, and to correct errors in it).
The Omnibus Rule
The Omnibus Rule covers a number of key changes that were introduced by HITECH. These included key changes that covered entities were required to make to their privacy notices and to their relationships with their business associates. It also introduces what are sometimes referred to as the Breach Notification Rule, and the Enforcement Rule.
Disclosures to the Secretary
In our BAA we agree to make our internal practices, books, and records relating to the PHI that we receive from you available to the Secretary of the US Department of Health and Human Services for purposes of determining your compliance with the HIPAA Privacy Rule (subject to attorney-client and other applicable legal privileges).
How we respond to a disclosure request from law enforcement
From time to time, we may receive requests or orders from a governmental body (e.g. a court order, law enforcement demand or other local equivalent) relating to Content that we process on behalf of you.
If we receive one of these we will attempt to re-direct the requestor to seek disclosure directly from you (and may provide your basic contact information to enable them to do this this). If, despite our best efforts, we are compelled to disclose the Content then, provided we are allowed to do so, we will provide notice to you so that you may seek a protective order or other remedy.
You can find more information on our approach here.
You can find out more details on our compliance with HIPAA and HITECH at these links:
- Master subscription agreement (view previous versions)
- Online subscription terms
- Free user subscription terms
Additional service terms
- Acceptable use policy
- Data retention policy
- End of support policy
- Third-party disclosure requests
- Customer complaint policy