HIPAA

Last Updated: 27 December 2019

Couchdrop and HIPAA

What is HIPAA?

HIPAA (Health Insurance Portability and Accountability Act of 1996) is United States legislation that provides data privacy and security provisions for safeguarding medical information and Protected Health Information.

The HITECH Act

The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, was signed into law on February 17, 2009, to promote the adoption and meaningful use of health information technology.

Subtitle D of the HITECH Act addresses the privacy and security concerns associated with the electronic transmission of health information, in part, through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules.

Reference [LINK - https://www.hhs.gov/hipaa/for-professionals/special-topics/hitech-act-enforcement-interim-final-rule/index.html]

What is Protected Health Information (PHI)?

Protected health information “Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual” that is:

  • Transmitted by electronic media;
  • Maintained in electronic media; or
  • Transmitted or maintained in any other form or medium.

There are 18 identifiers that can be used to identify, contact, or locate a person. If health information is used together with any of these identifiers, it is considered identifiable. If all of these identifiers are removed, the information is no longer considered protected health information.

1. Names (Full or last name and initial)
2. All geographical identifiers smaller than a state, except for the initial three digits of a zip code if, according to the current publicly available data from the U.S. Bureau of the Census: the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000
3. Dates (other than year) directly related to an individual
4. Phone Numbers
5. Fax numbers
6. Email addresses
7. Social Security numbers
8. Medical record numbers
9. Health insurance beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers (including serial numbers and license plate numbers)
13. Device identifiers and serial numbers
14. Web Uniform Resource Locators (URLs)
15. Internet Protocol (IP) address numbers
16. Biometric identifiers, including finger, retinal and voice prints
17. Full face photographic images and any comparable images
18. Any other unique identifying number, characteristic, or code except the unique code assigned by the investigator to code the data
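As an added illustration (not Couchdrop's own code or documentation), the Python below applies identifiers 2 and 3 from the list above to a constructed patient record: ZIP codes are reduced to their three-digit prefix, or to 000 when the prefix area has 20,000 or fewer people, and dates tied to the individual are reduced to the year. The population table, the record schema and the list of fields dropped outright are assumptions for the example.

```python
"""Safe Harbor style generalisation of two identifier classes (added example)."""
import re
from datetime import date

# Constructed sample populations per 3-digit ZIP prefix; a real
# implementation would load current Census figures instead.
ZIP3_POPULATION = {"021": 640_000, "100": 1_500_000, "036": 15_000, "059": 9_000}

def generalize_zip(zip_code: str, population: dict = ZIP3_POPULATION) -> str:
    """Return the 3-digit ZIP prefix, or '000' if that area is too small."""
    digits = re.sub(r"\D", "", zip_code)
    if len(digits) < 5:
        raise ValueError(f"not a 5-digit ZIP code: {zip_code!r}")
    prefix = digits[:3]
    # A prefix missing from the table is treated as small (fail closed).
    return prefix if population.get(prefix, 0) > 20_000 else "000"

def generalize_date(d: date) -> str:
    """Keep only the year of a date directly related to an individual."""
    return str(d.year)

# Assumed field names for identifiers that are removed entirely.
DIRECT_IDENTIFIERS = {"name", "phone", "email", "ssn", "mrn", "ip_address"}

def deidentify(record: dict) -> dict:
    """Drop direct identifiers, generalise ZIP and dates, keep the rest."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif isinstance(value, date):
            out[key + "_year"] = generalize_date(value)
        else:
            out[key] = value
    return out

SAMPLE = {  # constructed record, not real patient data
    "name": "Jane Example", "ssn": "000-00-0000", "zip": "02139",
    "dob": date(1980, 5, 14), "admit_date": date(2019, 12, 3),
    "diagnosis": "J45.9",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE))
```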

Who is covered?

HIPAA applies to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form in connection with transactions for which the Secretary of HHS has adopted standards under HIPAA (the “covered entities”).

HIPAA and SFTP

According to HIPAA Journal [LINK - https://www.hipaajournal.com/hipaa-compliant-sftp-server/]: “If FTP is required to transfer protected health information, healthcare providers, health plans, healthcare clearinghouses and business associates of HIPAA-covered entities must ensure their service provider uses a HIPAA compliant sFTP server. A HIPAA compliant sFTP server could use AES-256 symmetric cryptography for stored data and protect transmitted data using an RSA 2048 bit key, both of which meet NIST and HIPAA standards.”

Is Couchdrop HIPAA certified?

Unlike PCI and SOC compliance, there is no official HIPAA certification for a cloud service such as Couchdrop. However, Couchdrop provides modern security compliance and redundancy.
For more on HIPAA and cloud service providers, see [LINK - https://healthitsecurity.com/features/what-is-a-hipaa-business-associate-agreement-baa]

Business Associate Definition

In general, a business associate is a person or organization, other than a member of a covered entity's workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information.
Business associate services to a covered entity are limited to legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services. However, persons or organizations are not considered business associates if their functions or services do not involve the use or disclosure of protected health information, and where any access to protected health information by such persons would be incidental, if at all.

Business Associate Agreement

A business associate agreement is a written arrangement that specifies each party’s responsibilities when it comes to PHI.
The contract must describe permitted and required PHI uses for the business associate, and also state that the business associate “will not use or further disclose the protected health information other than as permitted or required by the contract or as required by law.”
Appropriate safeguards need to be established, ensuring that the business associate will prevent PHI disclosure outside of what is permitted in the contract.
Couchdrop has a BAA ready and available for Enterprise customers. Please contact Couchdrop’s support or sales team to be provided a BAA for review. Couchdrop understands that all organizations are different and is open to considering amendments or changes to the BAA; however, acceptance depends on whether a change increases risk to Couchdrop or has other legal implications.