HIPAA Compliance is about Privacy, Security, and Accountable Health Information Technology. In HIPAA terms, that means:
- the HIPAA Privacy Rule
- the HIPAA Security Rule
- the HITECH Act or Health Information Technology for Economic and Clinical Health Act.
How does Oasis ensure the protection of your data and abide by the HIPAA laws that govern Protected Health Information:
- Encrypted communications via SSL
- Authorized users access data via a confidential login
- Daily backups of health data with 2 week retention
- Hosted on Microsoft's Azure platform with geo redundancy and business associate agreement with Microsoft
- Audit trail on all data - every record is timestamped and logged by user
- All logins are captured for security and review
- Users are logged out of the Oasis application after 15 minutes of inactivity
Another important aspect of complying with the HIPAA act is maintaining strong business associate contract with our customers, the Covered Entity, through our service agreement. Our business associate contract covers the following areas:
(1) establishes the permitted and required uses and disclosures of protected health information by the business associate;
(2) provides that the business associate will not use or further disclose the information other than as permitted or required by the contract or as required by law;
(3) requires the business associate to implement appropriate safeguards to prevent unauthorized use or disclosure of the information, including implementing requirements of the HIPAA Security Rule with regard to electronic protected health information;
(4) requires the business associate to report to the covered entity any use or disclosure of the information not provided for by its contract, including incidents that constitute breaches of unsecured protected health information;
(5) requires the business associate to disclose protected health information as specified in its contract to satisfy a covered entity’s obligation with respect to individuals' requests for copies of their protected health information, as well as make available protected health information for amendments (and incorporate any amendments, if required) and accountings;
(6) to the extent the business associate is to carry out a covered entity’s obligation under the Privacy Rule, requires the business associate to comply with the requirements applicable to the obligation;
(7) requires the business associate to make available to HHS its internal practices, books, and records relating to the use and disclosure of protected health information received from, or created or received by the business associate on behalf of, the covered entity for purposes of HHS determining the covered entity’s compliance with the HIPAA Privacy Rule;
(8) at termination of the contract, if feasible, requires the business associate to return or destroy all protected health information received from, or created or received by the business associate on behalf of, the covered entity;
(9) requires the business associate to ensure that any subcontractors it may engage on its behalf that will have access to protected health information agree to the same restrictions and conditions that apply to the business associate with respect to such information; and
(10) authorizes termination of the contract by the covered entity if the business associate violates a material term of the contract. Contracts between business associates and business associates that are subcontractors are subject to these same requirements.
Implementation Specifics
The purpose of using the Oasis Bridge software system is to allow the Covered Entity to manage their own PHI data. OTG maintains backup records and item level log records for all PHI records, commonly referred to as a Designated Record Set. The Covered Entity has access to all of their own data at all times by designated adminstrators defined in the system.
The Covered Entity determines who is an authorized user of the Oasis Bridge software system, granting access privileges to PHI data. The covered entity can modify or revoke this access at any time.
Oasis values privacy and serves as the only moderator of your data. If Oasis employs the services of another IT professional, the outside vender will be required to sign a business associate agreement with Oasis.
What is the HITECH Act?
The Health Information Technology for Economic and Clinical Health (HITECH Act) of 2009 expanded the scope of the privacy and security provisions of the HIPAA and its enabling regulations. Some of the significant changes for health care providers include:
- Applying privacy and security provisions and penalties to business associates
- Imposing new notification requirements in the event of a breach of PHI.
- Creating stricter disclosure requirements, such as: Restricting the disclosure of PHI by a health care provider at the request of a patient if it is for purposes other than treatment and the health care service or item has been paid out-of-pocket and in full (except as otherwise required by law); Limiting the disclosure of PHI to a limited data set or to the minimum necessary to accomplish the intended purpose; and Requiring health care providers to make available an accounting of certain disclosures of PHI that occurred over the past three years at the patient's request
- Strengthening enforcement procedures and penalties
The HITECH Act also expands notification requirements to the vendors of personal health records (PHRs) and other non-HIPAA covered entities for the breach of identifiable information in personal health records.
Resources to aid compliance:
You may want to review some of the resources offered by the Health and Human Services Dept to help firms like Oasis and its customers comply with all the neessary HIPAA laws:
HIPAA Privacy Summary
HIPAA Security Rule Summary
HIPAA Security Rule - Federal Register
HITECH Act
Covered Entities and Business Associates