HIPAA and HITECH Act
Last updated: Aug 2020
Emitrr complies with the Health Insurance Portability and Accountability Act (HIPAA) of 1996 and the Health Information Technology for Economic and Clinical Health (HITECH) Act. Emitrr maintains appropriate administrative, physical, and technical safeguards to provide for continuing security & privacy of your PHI or ePHI.
1. Emitrr’s commitment to HIPAA compliance
Emitrr believes privacy and data protection are core aspects of trust in today’s technology-driven world. We take our security and privacy commitment to you and your customers very seriously. We are acutely aware that we need to earn and maintain your trust on a daily basis.
Our commitment to ensuring that our customer data is safe, secure, and always available to them is one of our top priorities. To demonstrate our compliance with security and privacy standards in the industry, Emitrr has sought and obtained a PCI DSS 3.2.1 Level 2 Self-Assessment.
2. Emitrr, HIPAA and the HITECH ACT
HIPAA regulations require that covered entities and their business associates (in this case, Emitrr) enter into a contract to ensure that those business associates adequately protect PHI. This contract, or Business Associate Agreement (BAA), clarifies and limits how the business associate can handle PHI, and sets forth each party’s adherence to the security and privacy provisions outlined in HIPAA and the HITECH Act. Once a BAA is in place, Emitrr customers (covered entities) can use its services to process and store PHI.
Currently, there is no official certification for HIPAA or HITECH Act compliance. However, Emitrr has undergone audits conducted by accredited independent auditors.
Under HIPAA, information about a person’s health or healthcare services is classified as Protected Health Information (PHI). Emitrr customers who are subject to HIPAA and wish to use the Emitrr products with PHI must sign a BAA with Emitrr. Customers are responsible for ensuring that they achieve compliance with HIPAA and HITECH Act requirements.
We adhere to the HIPAA obligations by leveraging appropriate security configuration options for all Emitrr products. Additionally, we make our Business Associate Agreement (BAA) available for execution by subscribers.
3. Which Emitrr Customers Does HIPAA Apply To?
Emitrr customers that collect, transmit, and store PHI or ePHI are considered “Covered Entities” under HIPAA. Covered entities bear the primary responsibility of ensuring that their processing of PHI is compliant with HIPAA and the HITECH Act.
Emitrr acts as a “Business Associate,” and shall transmit and store the Protected Health Information (PHI) of our customers solely for the purpose of performing our obligations under our existing contract(s) with our subscribers, and for no commercial purpose other than the performance of such obligations and improvement of the services we provide.
4. How Does Emitrr Comply with HIPAA?
At Emitrr, we ensure that our customer data is secure and easily accessible. The Emitrr product is built on a foundation of trust, security, and compliance to ensure that our internal data practices are HIPAA-ready. Equally important to us is assisting our customers and partners in their journey toward compliance. Customers can also view the table below for more detailed information on how to use Emitrr Services to comply with HIPAA and the HITECH Act.
With that in mind, we have the following details about the Emitrr 24/7 Answering Software:
| Emitrr Features | How It Works |
|---|---|
5. Frequently asked questions
I. What are HIPAA and HITECH?
“HIPAA” refers to the Health Insurance Portability and Accountability Act of 1996 and the rules and regulations passed by the U.S. Congress designed to protect the privacy and ensure the security of Protected Health Information (PHI) and electronic Protected Health Information (ePHI).
“HITECH” refers to the Health Information Technology for Economic and Clinical Health Act enacted by the United States Congress, which is Title XIII of the American Recovery & Reinvestment Act, and the regulations thereunder, as amended.
II. What is considered PHI under HIPAA Rules?
Under HIPAA, PHI is any identifiable health information that is used, maintained, stored, or transmitted by a HIPAA-covered entity (a healthcare provider, health plan or health insurer, or a healthcare clearinghouse) or by a business associate of a HIPAA-covered entity, in relation to the provision of healthcare or payment for healthcare services.
It is not only past and current health information that is considered PHI under HIPAA Rules, but also future information about medical conditions or physical and mental health related to the provision of care or payment for care. PHI is health information in any form, including physical records, electronic records, or spoken information.
Therefore, PHI includes health records, health histories, lab test results, and medical bills. Essentially, all health information is considered PHI when it includes individual identifiers. Demographic information is also considered PHI under HIPAA rules, as are many common identifiers such as patient names, Social Security numbers, driver’s license numbers, insurance details, and birth dates when they are linked with health information. The 18 identifiers that make health information PHI are:
The 18 identifiers that make health information PHI:
- Names
- Dates except year
- Telephone numbers
- Geographic data
- Fax numbers
- Social Security numbers
- Email addresses
- Medical record numbers
- Account numbers
- Any unique identifying number or code
- Certification/license numbers
- Vehicle identifiers and serial numbers, including license plates
- Web URLs
- Device identifiers and serial numbers
- Full face photos and comparable images
- Internet protocol addresses
- Biometric identifiers (e.g., retinal scans, fingerprints)
- Health plan beneficiary numbers
One or more of these identifiers turn health information into PHI, and the HIPAA Privacy Rule restrictions will then apply, which limit usage and disclosures of the information. HIPAA covered entities and their business associates also need to ensure appropriate technical, physical, and administrative safeguards are implemented to ensure the confidentiality, integrity, and availability of PHI, as stipulated in the HIPAA Security Rule.
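As an added illustration (not Emitrr's code and not part of the original page), the check below screens a constructed outbound message for the subset of the 18 identifiers that have a recognisable syntax and redacts them before the message is stored or forwarded. Names, geographic data, photos and biometrics have no fixed pattern, so a clean result here is a partial control, not proof that a message is free of PHI; the `health_terms` list is an assumed stand-in for detecting health context.

```python
import re
from typing import Dict, List

# Pattern-detectable identifier categories, named as in the list above.
IDENTIFIER_PATTERNS: Dict[str, re.Pattern] = {
    "Social Security numbers": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "Telephone numbers": re.compile(r"\b(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"),
    "Email addresses": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "Internet protocol addresses": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "Web URLs": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
    # A month/day (with or without year) is an identifier; a bare year is not.
    "Dates except year": re.compile(r"\b\d{1,2}/\d{1,2}(?:/\d{2,4})?\b"),
    # Assumed local MRN format: the letters MRN followed by 5+ digits.
    "Medical record numbers": re.compile(r"\bMRN[:#\s]*\d{5,}\b", re.IGNORECASE),
}

# Constructed sample message. Note that the name "John" is NOT caught below:
# names are one of the categories that need context, not a regex.
SAMPLE_MESSAGE = ("Reminder: appointment on 03/14 for John's lab result. "
                  "Call 555-123-4567 or john.doe@example.com; MRN 0012345.")

def find_identifiers(text: str) -> Dict[str, List[str]]:
    """Return each identifier category found in text, with its matches."""
    hits: Dict[str, List[str]] = {}
    for category, pattern in IDENTIFIER_PATTERNS.items():
        found = pattern.findall(text)
        if found:
            hits[category] = found
    return hits

def is_phi(text: str,
           health_terms=("diagnosis", "prescription", "lab result", "appointment")) -> bool:
    """Health information becomes PHI once it is linked to an identifier.
    Health context is approximated by an assumed keyword list."""
    has_health_context = any(term in text.lower() for term in health_terms)
    return has_health_context and bool(find_identifiers(text))

def redact(text: str) -> str:
    """Replace every matched identifier with its category tag."""
    for category, pattern in IDENTIFIER_PATTERNS.items():
        text = pattern.sub(f"[{category.upper()}]", text)
    return text

if __name__ == "__main__":
    print(find_identifiers(SAMPLE_MESSAGE))
    print("PHI:", is_phi(SAMPLE_MESSAGE))
    print(redact(SAMPLE_MESSAGE))
```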
What is Protected Health Information (PHI)?
It is any information relating to an identified or identifiable natural person. The identifiers are classified into two types: direct (e.g., name, email, phone number) and indirect (e.g., date of birth, gender).
III. To whom does HIPAA apply?
HIPAA applies to healthcare providers, health plans, and healthcare clearinghouse services. These providers are required to handle patient personal health information in a way that meets defined security standards. When providers use third-party vendors or services (Business Associates) where personal health information might be stored, those Business Associates need to adhere to the standards as well. This agreement is contractually defined in a Business Associate Agreement (BAA). For additional information, refer to the US Department of Health and Human Services HIPAA covered entities website.
PHI stands for Protected Health Information and is any information in a medical record that can be used to identify an individual, which was created, used, or disclosed in the course of providing a healthcare service, such as a diagnosis or treatment.
ePHI is Electronic Protected Health Information and is all individually identifiable health information that is created, maintained, or transmitted electronically by mHealth and eHealth products. This includes PHI on desktop, web, mobile, wearable, and other technology such as email, text messages, etc.
IV. How does HIPAA work with a platform like Emitrr?
The term “Business Associate” refers to those entities that perform a service related to claims processing or administration; data analysis processing or administration; utilization review; quality assurance; billing; benefit management; practice management; and repricing. For example, a third-party administrator that assists a health plan with claims processing would be considered a HIPAA “Business Associate,” and its customers would expect the administrator to be HIPAA compliant on their behalf.
Emitrr can enter into a Business Associate Agreement (BAA) with HIPAA covered customers. While customers have the ability to use Emitrr’s 24/7 Answering Software in various ways to meet their business needs, HIPAA covered customers must select the correct configuration level and appropriately configure their Emitrr access controls and usage to help safeguard Protected Health Information (PHI) from misuse and wrongful disclosure.
Although Emitrr, as a Business Associate, is HIPAA compliant, ultimately, customers are responsible for evaluating their own HIPAA compliance. In addition, Emitrr should not be considered the ‘Designated Record Set’ holder under HIPAA.
V. Is Emitrr HIPAA compliant?
Yes, Emitrr is HIPAA compliant when covered entities or business associates configure the platform correctly and have a business associate agreement with Emitrr.
Note that there is no certification recognized by the US Department of Health and Human Services (HHS) for HIPAA compliance. HIPAA compliance, specifically the relationship between a covered entity and a Business Associate, is a shared responsibility.
To provide assurance and external verification, Emitrr plans to undergo several audits regularly. These audits will test Emitrr’s documentation and approach to security and privacy for datastores, infrastructure, and operations. Additionally, you might also want to review Emitrr’s documentation related to privacy and terms.
VI. Where is my information located?
VII. Does having a BAA with Emitrr ensure my organization’s compliance with HIPAA and HITECH Act?
No, having a BAA with Emitrr does not ensure your organization’s compliance with the HIPAA and HITECH Act. Your organization is responsible for ensuring that you have an adequate compliance program and internal processes in place and that your particular use of Emitrr aligns with HIPAA and the HITECH Act.
VIII. Who are the key stakeholders?
Covered Entity – The HIPAA Covered Entity has the same meaning as the term “covered entity” at 45 CFR 160.103. The Privacy Rule defines a Covered HIPAA Entity as any health plan, any healthcare clearinghouse, or any healthcare provider who transmits Protected Health Information (or PHI as per the standards developed by the Department of Health & Human Services) in electronic form.
Business Associate – “Business Associate” has the same meaning as the term “business associate” at 45 CFR 160.103.
A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. A member of the covered entity’s workforce is not a business associate. A covered healthcare provider, health plan, or healthcare clearinghouse can be a business associate of another covered entity. The Privacy Rule lists some of the functions or activities, as well as the particular services, that make a person or entity a business associate if the activity or service involves the use or disclosure of protected health information. The types of functions or activities that may make a person or entity a business associate include payment or health care operations activities, as well as other functions or activities regulated by the Administrative Simplification Rules.
Business Associate Agreement – A HIPAA business associate agreement is a contract between a HIPAA-covered entity and a vendor used by that covered entity. A vendor of the HIPAA-covered entity that needs to be provided with PHI to perform duties on behalf of the covered entity is called a business associate (BA) under HIPAA. A vendor is also classed as a BA if, as part of the services provided, electronic PHI (ePHI) passes through its systems. A signed HIPAA business associate agreement must be obtained by the covered entity before allowing a business associate to come into contact with PHI or ePHI.
HIPAA Rules – “HIPAA Rules” means the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164.
IX. What are the penalties for non-compliance?
Penalties for HIPAA violation can be issued by the Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general. In addition to financial penalties, covered entities are required to adopt a corrective action plan to bring policies and procedures up to the standards demanded by HIPAA. The four categories used for the penalty structure are as follows:
- Tier 1: A violation that the covered entity was unaware of and could not have realistically avoided, had a reasonable amount of care been taken to abide by HIPAA Rules.
- Tier 2: A violation that the covered entity should have been aware of, but could not have avoided even with a reasonable amount of care, falling short of willful neglect of HIPAA Rules.
- Tier 3: A violation suffered as a direct result of “willful neglect” of HIPAA Rules, in cases where an attempt has been made to correct the violation.
- Tier 4: A violation of HIPAA Rules constituting willful neglect, where no attempt has been made to correct the violation.
X. Where can I find additional resources on HIPAA?
Here are some links you can refer to for additional reading on HIPAA:
- HIPAA Omnibus Rule (The final regulations-modifying HIPAA rules)
- Summary of the HIPAA Security Rule
- Summary of the HIPAA Privacy Rule
- Summary of the HIPAA Breach Notification Rule
Please feel free to ask questions and share concerns with us at emitrr.com.
HIPAA and the HITECH Act Overview
The Health Insurance Portability and Accountability Act (HIPAA) is a US healthcare law that establishes requirements for the use, disclosure, and safeguarding of individually identifiable health information. It applies to covered entities — doctors’ offices, hospitals, health insurers, and other healthcare companies — with access to patients’ protected health information (PHI), as well as to business associates, such as cloud service and IT providers, that process PHI on their behalf. (Most covered entities do not carry out functions such as claims or data processing on their own; they rely on business associates to do so.)
The law regulates the use and dissemination of PHI in four general areas:
- Privacy, which covers patient confidentiality.
- Security, which deals with the protection of information, including physical, technological, and administrative safeguards.
- Identifiers, which are the types of information that cannot be released if collected for research purposes.
- Codes for electronic transmission of data in a healthcare-related transaction, including eligibility and insurance claims and payments.
The scope of HIPAA was extended with the enactment of the Health Information Technology for Economic and Clinical Health (HITECH) Act. Together, the HIPAA and HITECH Act rules include:
- The HIPAA Privacy Rule, which focuses on the right of an individual to control the use of their personal information, and covers the confidentiality of PHI, limiting its use and disclosure.
- The HIPAA Security Rule, which sets the standards for administrative, technical, and physical safeguards to protect electronic PHI from unauthorized access, use, and disclosure. It also includes organizational requirements such as Business Associate Agreements (BAAs).
- The HITECH Breach Notification Final Rule, which requires giving notice to individuals and the government when a breach of unsecured PHI occurs.