Compliance and Security


HIPAA overview


The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the regulations issued under HIPAA are a set of US healthcare laws that, among other provisions, establish requirements for the use, disclosure, and safeguarding of protected health information (PHI). The scope of HIPAA was extended in 2009 with the enactment of the Health Information Technology for Economic and Clinical Health (HITECH) Act that was created to stimulate the adoption of electronic health records and supporting information technology.


HIPAA applies to covered entities – doctors’ offices, hospitals, health insurers, and other healthcare companies – that create, receive, maintain, transmit, or access PHI. HIPAA further applies to business associates of covered entities that perform certain functions or activities involving PHI as part of providing services to the covered entity or on behalf of the covered entity. When a covered entity engages the services of a cloud service provider (CSP), the CSP becomes a business associate under HIPAA. Moreover, when a business associate subcontracts with a CSP to create, receive, maintain, or transmit PHI, the CSP also becomes a business associate.


Together, HIPAA and HITECH Act rules include:





HIPAA regulations require that covered entities and their business associates enter into a contract called a Business Associate Agreement (BAA) to ensure the business associates protect PHI adequately. Among other things, a BAA establishes the permitted and required uses and disclosures of PHI by the business associate, based on the relationship between the parties and the activities and services being performed by the business associate.


Visiting Aid and HIPAA



There is currently no certification program approved by the US Department of Health and Human Services (HHS) through which a CSP acting as a business associate could demonstrate compliance with HIPAA and the HITECH Act. However, HIPAA and HITECH Act requirements have been mapped to other established security frameworks and standards that CSPs typically attest to:




To support our customers who are subject to HIPAA compliance, Visiting Aid will enter into BAAs with its covered entity and business associate customers. Visiting Aid has enabled the physical, technical, and administrative safeguards required by HIPAA and the HITECH Act inside the in-scope Visiting Aid services, and offers a HIPAA BAA as part of the Visiting Aid Product Terms to all customers who are covered entities or business associates under HIPAA for use of such in-scope Visiting Aid services. In the BAA, Visiting Aid, LLC makes contractual assurances about data safeguarding, reporting (including breach notifications), data access in accordance with HIPAA and the HITECH Act, and many other important provisions.


The Visiting Aid Policy regulatory compliance built-in initiative for HIPAA/HITRUST maps to the HIPAA/HITRUST compliance domains and controls. Regulatory compliance in Visiting Aid Policy provides built-in initiative definitions that list the controls and compliance domains by responsibility: customer, Visiting Aid, or shared. For Visiting Aid-responsible controls, we provide extra audit result details based on third-party attestations and our control implementation details to achieve that compliance. Each HIPAA/HITRUST control is associated with one or more Visiting Aid Policy definitions. These policies may help you assess compliance with the control; however, compliance in Visiting Aid Policy is only a partial view of your overall compliance status. Visiting Aid Policy helps to enforce organizational standards and assess compliance at scale.


Visiting Aid Services and Infrastructure