Compliance and Security
HIPAA overview
Effective Date: July 7, 2023
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the regulations issued under HIPAA are a set of US healthcare laws that, among other provisions, establish requirements for the use, disclosure, and safeguarding of protected health information (PHI). The scope of HIPAA was extended in 2009 with the enactment of the Health Information Technology for Economic and Clinical Health (HITECH) Act that was created to stimulate the adoption of electronic health records and supporting information technology.
HIPAA applies to covered entities – doctors’ offices, hospitals, health insurers, and other healthcare companies – that create, receive, maintain, transmit, or access PHI. HIPAA further applies to business associates of covered entities that perform certain functions or activities involving PHI as part of providing services to the covered entity or on behalf of the covered entity. When a covered entity engages the services of a cloud service provider (CSP), the CSP becomes a business associate under HIPAA. Moreover, when a business associate subcontracts with a CSP to create, receive, maintain, or transmit PHI, the CSP also becomes a business associate.
Together, HIPAA and HITECH Act rules include:
The Privacy Rule, which requires appropriate safeguards to protect the privacy of PHI and imposes restrictions on the use and disclosure of PHI without patient authorization. It also gives patients rights over their health information, including the rights to examine their health records and request corrections.
The Security Rule, which sets the standards for administrative, technical, and physical safeguards to ensure the confidentiality, integrity, and security of electronic PHI.
The Breach Notification Rule, which requires covered entities and their business associates to provide notification when a breach of unsecured PHI occurs.
HIPAA regulations require that covered entities and their business associates enter into a contract called a Business Associate Agreement (BAA) to ensure the business associates protect PHI adequately. Among other things, a BAA establishes the permitted and required uses and disclosures of PHI by the business associate, based on the relationship between the parties and the activities and services being performed by the business associate.
Visiting Aid and HIPAA
There is currently no certification program approved by the US Department of Health and Human Services (HHS) through which a CSP acting as a business associate could demonstrate compliance with HIPAA and the HITECH Act. However, HIPAA and HITECH Act requirements have been mapped to other established security frameworks and standards that CSPs typically attest to:
The National Institute of Standards and Technology (NIST) SP 800-66, An Introductory Resource Guide for Implementing the HIPAA Security Rule, which addresses security concepts in the HIPAA Security Rule and explains how they relate to other NIST publications on information security. Specifically, Appendix D – Security Rule Standards and Implementation Specifications Crosswalk provides a catalog of the HIPAA Security Rule standards and implementation specifications, and maps each to relevant security controls detailed in NIST SP 800-53, Security and Privacy Controls for Information Systems and Organizations. NIST SP 800-53 serves as the baseline control set for the US Federal Risk and Authorization Management Program (FedRAMP). Therefore, a FedRAMP assessment and authorization provides strong assurance that the HIPAA Security Rule safeguard standards and specifications are addressed adequately.
The Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM), which maps HIPAA and HITECH Act requirements to CCM control objectives covering fundamental security principles across CCM domains.
The HHS HIPAA Security Rule Crosswalk to NIST Cyber Security Framework, which maps each administrative, physical, and technical safeguard standard and implementation specification in the HIPAA Security Rule to a relevant NIST Cybersecurity Framework (CSF) subcategory, and provides relevant control mappings to other standards.
To support our customers who are subject to HIPAA compliance, Visiting Aid will enter into BAAs with its covered entity and business associate customers. Visiting Aid has enabled the physical, technical, and administrative safeguards required by HIPAA and the HITECH Act inside the in-scope Visiting Aid services, and offers a HIPAA BAA as part of the Visiting Aid Product Terms to all customers who are covered entities or business associates under HIPAA for use of such in-scope Visiting Aid services. In the BAA, Visiting Aid, LLC makes contractual assurances about data safeguarding, reporting (including breach notifications), data access in accordance with HIPAA and the HITECH Act, and many other important provisions.
Visiting Aid Services and Infrastructure
Azure services
Redundant uplinks to Tier 1 and Tier 2 ISPs – Cogent, L3 (CenturyLink), KDDI, Crown Castle (LightTower), HE.
Two vCloud VMware clusters – NY and Dallas.
Self-encrypted Fujitsu SSDs
Fortinet FortiGates with active Unified Threat Management.
SIEM implementation.
Sophos XDR for servers
Veeam replication between sites.
Active ISO 27001 certification.
ISO 27701 2013 certified data infrastructure environment.
HITRUST safeguards implemented for HIPAA clients.
24/7 NOC
24/7 SOC
Privacy Practices
The Health Insurance Portability and Accountability Act (“HIPAA”) prescribes the rules that we must follow when protecting and securing Protected Health Information (PHI) that has been lawfully provided to us for use on the Visiting Aid platform.
Visiting Aid works towards ensuring our privacy practices remain compliant with the HIPAA Privacy, Breach Notification, and Security Rules. We strive to ensure your privacy in the following manner:
Only authorized users are allowed access to the Plan Forward platform.
The process for allocation of user accounts is controlled internally and according to our written policies.
We maintain an Incident Response Policy to respond to security breaches.
All application data is backed up and there is a disaster contingency plan in place to ensure our continuity and recovery.
Visiting Aid does not disclose PHI unless allowed under HIPAA compliant Business Associate agreements or required by law.
When applicable, all PHI must be destroyed in compliance with HIPAA rules.
Requests for PHI access, amendment, or accountings may be submitted to our Privacy Officer via U.S. mail or e-mail:
Mail: 2744 Hylan Blvd., Suite 153, Staten Island, NY 10306
E-mail: Jill.Behrens@visitingaid.com