HIPAA (Health Insurance Portability and Accountability Act of 1996) is United States legislation that provides data privacy and security provisions for safeguarding medical information and Protected Health Information (PHI).
The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, was signed into law on February 17, 2009, to promote the adoption and meaningful use of health information technology.
Subtitle D of the HITECH Act addresses the privacy and security concerns associated with the electronic transmission of health information, in part, through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules.
Protected health information “Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual” that is:
There are 18 identifiers that can be used to identify, contact, or locate a person. If health information is used with any of these identifiers, it is considered identifiable. If PHI has all of these identifiers removed, it is no longer considered to be protected health information.
HIPAA applies to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form in connection with transactions for which the Secretary of HHS has adopted standards under HIPAA (the “covered entities”).
According to HIPAA Journal, “If FTP is required to transfer protected health information, healthcare providers, health plans, healthcare clearinghouses and business associates of HIPAA-covered entities must ensure their service provider uses a HIPAA-compliant SFTP server. A HIPAA-compliant SFTP server could use AES-256 symmetric cryptography for stored data and protect transmitted data using an RSA 2048-bit key, both of which meet NIST and HIPAA standards.”
Unlike PCI and SOC compliance, there is no official HIPAA certification for a cloud service such as Couchdrop. However, Couchdrop provides modern security compliance and redundancy. For more on HIPAA and Cloud Service Providers, please see here.
In general, a business associate is a person or organization, other than a member of a covered entity's workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information.
Business associate services to a covered entity are limited to legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services. However, persons or organizations are not considered business associates if their functions or services do not involve the use or disclosure of protected health information, and where any access to protected health information by such persons would be incidental, if at all.
A business associate agreement is a written arrangement that specifies each party’s responsibilities when it comes to PHI. The contract must describe permitted and required PHI uses for the business associate, and also state that the business associate “will not use or further disclose the protected health information other than as permitted or required by the contract or as required by law.”
Appropriate safeguards need to be established, ensuring that the business associate will prevent PHI disclosure outside of what is permitted in the contract.
Couchdrop has a BAA ready and available for Premium and Enterprise customers. Please contact Couchdrop’s support or sales team to request a BAA for review.
Please note that, as a matter of policy, we do not accept redlines or consider changes to any of our terms of service or other legal documents unless a customer is on an Enterprise plan. For Enterprise customers, we are happy to discuss changes; however, changes that substantially increase our risk will only be considered with a significant offsetting change.