The Health Insurance Portability and Accountability Act (HIPAA) turned 20 years young on August 21st and in light of this important milestone, it’s crucial for employers to understand how a cloud-based leave management system can support their efforts to be HIPAA compliant.
HHS.gov explains that “a major goal of the Privacy Rule is to assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public's health and well being.”
Generally, the protections of the law revolve around the following:
- Determining who the law applies to - Covered Entities and Business Associates of Covered Entities.
- Determining what Protected Health Information (PHI) consists of.
- Identifying the responsibilities of Covered Entities and Business Associates in the collection, storage, distribution and access to PHI.
What You Need to Know:
Protected Health Information (PHI)
Under U.S. law, any information about health status, provision of health care, or payment for health care that is created or collected by a Covered Entity or a Business Associate of a Covered Entity, and can be linked to a specific individual, is considered PHI and must be protected from disclosure.
In general, U.S. law governing PHI applies to data collected in the course of providing and paying for health care. Privacy and security regulations govern how doctors, hospitals, health insurers and other covered entities use and protect the data they collect. It is important to understand that the source of the data is as relevant as the data itself when determining if something is PHI under U.S. law. An employer is not normally covered by HIPAA unless they provide or pay for the cost of medical care under a private health plan.
HIPAA requires that the capture, storage, and distribution of PHI is at all times carried out in such a way as to prevent access or disclosure to unauthorized individuals or entities. In other words, PHI should only be accessed by individuals with proper authorization and on a need-to-know basis.
Now, how does a cloud-based solution support employers’ efforts to be HIPAA compliant?
Data Security & Encryption
To comply with HIPAA requirements, technology must use secure methods to protect data both at rest and in transit. This communication must also be capable of identifying and authorizing other technology access, either machine to machine, or machine to human so that at all times the data is protected from unauthorized users.
It is of the utmost importance that the technology you choose supports the use of strong encryption methods, especially when it comes to how the data is stored and transmitted. Additionally, using secure channels for communication between various levels of technology ensures that attempts to breach the data must overcome both the technology level security and the data level security protecting it!
Next week we will look at two other important aspects that you need to take into account in order to remain HIPAA compliant: Authorizing Access and Data Storage & Location of Servers.
Founded in 1987, Presagia has a long history of helping organizations solve complex business problems with easy-to-use solutions. Today, this means providing cloud-based absence management solutions that enable organizations to be more efficient, control lost time and risk, and strengthen compliance with federal, state and municipal leave and accommodation laws.