What is HIPAA?
HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. It is a federal mandate that requires specific security and privacy protections for Protected Health Information (PHI). More information about HIPAA can be found here: www.hhs.gov/ocr/privacy/
What is the HITECH Act and the Final HIPAA Omnibus rule?
The Health Information Technology for Economic and Clinical Health (HITECH) Act was signed into law in 2009, to promote the adoption and meaningful use of health information technology in the U.S.
In 2013, the final HIPAA Omnibus rule set further statutory requirements, which greatly enhanced a patient's privacy rights and protections, including holding all custodians of Protected Health Information (PHI) - including HIPAA Business Associates (BA) - subject to the same security and privacy rules as Covered Entities under HIPAA.
How does Troy SecureRx facilitate HIPAA compliance for its customers?
The SecureRx product/platform meets the obligations required by HIPAA, HITECH, and the final HIPAA Omnibus ruling.
SecureRx signs BAA addendums with its customers who have an Enterprise agreement and want to be HIPAA compliant. A signed BAA should be in place between Box and the customer prior to storing any Protected Health Information (PHI) on Box.
Customers are responsible for configuring Box in a HIPAA compliant manner and for enforcing policies in their organizations to meet HIPAA compliance.
Is there any kind of industry certification that TROY SecureRx has undergone to prove it supports HIPAA compliance?
There are no official government or industry certifications for HIPAA compliance. In order to support HIPAA compliance, TROY SecureRx has reviewed the HIPAA regulations and updated its product, policies and procedures to support customers around their need to be HIPAA compliant.
How does TROY SecureRx support HIPAA compliance within its product and platform?
In addition to being able to sign HIPAA Business Associate Agreements (BAAs), Box has the following features in its product as well as organizational policies:
- Data encryption in transit and at rest
- Restricted physical access to production servers
- Strict logical system access controls
- Configurable administrative controls available to the customer to:
  - Grant explicit authorization to customer files to read, download, edit, lock and password protect files
  - Monitor access
- Reporting and audit trail of account activities on both users and content
- Formally defined and tested breach notification policy
- Training of employees on security policies and controls
- Employee access to customer data files is highly restricted
- Mirrored, active-active data center facilities to mitigate disaster situations
- 99.9% uptime SLA
- SSAE 16 SOC1 and AT-101 SOC2 Type II Reports
What types of customer and administrator controls does TROY SecureRx have that are relevant to HIPAA requirements?
- Controls to provide reasonable assurance that instructions and information provided to TROY SecureRx by the customer are in accordance with the provisions of the TROY SecureRx Service Agreement with the customer, or other applicable governing agreements or documents between TROY SecureRx and its customers.
- Controls to provide reasonable assurance that only authorized individuals from the user entity are granted the ability to access, modify, and delete information from Box's application.
- Controls to provide reasonable assurance that the user entity's method for accessing TROY SecureRx's application is configured with proper logical security protocols.
- Controls to provide reasonable assurance that the confidentiality of the user entity's sensitive information is not compromised by its users.
- Controls to provide reasonable assurance for defining and granting access to users permitted by the user entity.
- Controls to provide reasonable assurance that user accounts and access permissions are correctly specified on an ongoing basis, including revoking accounts.
Has TROY signed HIPAA Business Associate Agreements (BAAs) with customers to date?
Yes, TROY has signed BAAs with several healthcare and life sciences customers to date.
What types of TROY SecureRx accounts can be HIPAA compliant?
TROY SecureRx applies the same security and privacy controls for all of its customers, whether Health System, Community Hospital or Ambulatory Facility.
However, customers who are required by law to comply with HIPAA, such as HIPAA Covered Entities and HIPAA Business Associates, must have an Enterprise agreement with TROY and sign a HIPAA Business Associate Agreement (BAA). To comply with HIPAA they must configure Box and enforce policies within their organizations to meet HIPAA requirements.
Basic HIPAA Terms and Glossary
What is Protected Health Information (PHI)?
Protected Health Information (PHI), also referred to as protected health information, generally refers to demographic information, medical history, test and laboratory results, insurance information and other data that is collected by a health care professional to identify an individual and determine appropriate care.
What is Personally Identifiable Information (PII)?
Personally Identifiable Information (PII) is a subset of Protected Health Information (PHI), and refers to information that is uniquely identifying to a specific individual. Protected Health Information (PHI) is specific to medical and health-related use.
What is a HIPAA Covered Entity?
A HIPAA Covered Entity (CE) stewards Protected Health Information (PHI) and/or Personally Identifiable Information (PII) on patients in the process of providing healthcare or paying for care. Examples of HIPAA Covered Entities (CE) include the following:
- Healthcare provider: Including doctors, clinics, psychologists, dentists, chiropractors, nursing homes, and pharmacies that transmit any information in an electronic form in connection with a transaction for which the U.S. Department of Health and Human Services (HHS) has adopted a standard.
- Health plan: Including health insurance companies, HMOs, company health plans, and government programs that pay for healthcare (like Medicare and Medicaid).
- Healthcare clearinghouses: Including entities that process non-standard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa.
What is a HIPAA Business Associate (BA)?
A HIPAA Business Associate (BA) refers to a person or organization that conducts business with the HIPAA Covered Entity (CE) and touches the Protected Health Information (PHI) or Personally Identifiable Information (PII) that the covered entity is stewarding on behalf of the patient.
Business Associates (BAs) include those vendors or services that do business with the HIPAA covered entity (CE). Examples are service organizations or vendors that contract with the HIPAA Covered Entity (CE) that may provide: software such as Electronic Health Records (EHRs), claims processing, data analysis, utilization review, billing, legal services, actuarial services, accounting services, consulting services, data aggregation, accreditation services, or financial services. To be a HIPAA Business Associate (BA), the work of an organization must deal directly with the use or disclosure of Protected Health Information (PHI) and/or Personally Identifiable Information (PII).
What is a HIPAA Business Associate Agreement (BAA)?
A HIPAA Business Associate Agreement (BAA) is a legal document that a HIPAA Business Associate (BA) enters into with a HIPAA Covered Entity (CE).
What is the HITECH Act?
The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, was signed into law on February 17, 2009, to promote the adoption and meaningful use of health information technology in the U.S.
What does the HITECH Act have to do with HIPAA or patient privacy?
Subtitle D of the HITECH Act addresses the privacy and security concerns associated with the electronic transmission of health information, in part, through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules.