Datafied takes security and compliance seriously and has built a secure, HIPAA compliant
network. This network is the backbone for our suite of data management and retrieval
products. This proprietary HIPAA compliant network and software allows us to offer
document retrieval, document management and online archiving services with a high
level of efficiency and security.
Datafied has been providing customers with a high level of privacy and security for
patients' confidential health information since 1993. In order to continue to serve
the needs of our clients, Datafied complies with the standards and procedures outlined
in the HIPAA rules and regulations. In the interest of privacy, we have created a secure
environment within which we operate under strict guidelines and security measures, so
that our clients' information is protected and Datafied meets the standards and guidelines
set forth by the HIPAA rules and regulations. We have protections and security measures
in place to guard the information you provide to us against loss, misuse and alteration.
What is HIPAA Compliant?
The Health Insurance Portability and Accountability Act (HIPAA) is legislation that
was passed in 1996. The U.S. Department of Health and Human Services (HHS) has been
given authority to define regulations related to transactions and code sets, identifiers,
privacy and security. This legislation accomplishes many things, although one of the
more notable is improved accountability for the privacy of an individual's medical
records and other personal health information.
The privacy standards of HIPAA provide a framework for health privacy protection
which serves to enhance and ensure the protection of patient medical and health
information. These standards have changed the manner in which information is handled
and delivered. The Privacy Rule applies only to health plans, health care clearinghouses
and certain health care providers – known as "covered entities" under the legislation.
Since most health care providers rely on contractors and other "business associates"
to assist them in providing quality care to their patients, the issue of privacy has
become more complicated. Datafied is considered a business associate.
A business associate is typically defined as, “a person or entity that provides
certain functions, activities or services for or to a covered entity, involving
the use and/or disclosure of protected health information.”
The business associate provisions within HIPAA were included because of a concern that
covered entities disclose protected health information to a wide range of third
parties. The business associate rule places restrictions on third parties who perform
certain functions on behalf of a covered entity and receive protected health
information. Without restrictions on these disclosures, the protections intended
by HIPAA would not cover the significant portion of protected health information that
is disclosed to business associates.
The privacy law requires covered entities to have written agreements and satisfactory
assurances that the information they disclose to their business associates will
remain confidential, be used only for the stated purpose and be safeguarded from misuse,
and that the business associate will assist the covered entity in complying with its
responsibilities under the law. Information is provided to a business associate only
to help the covered entity carry out its health care function – never for independent
use by the business associate.
A Business Associate Agreement with our office requires that we will:
- Use the information disclosed only for the permitted purpose
- Restrict the disclosure of all protected health information only to those authorized
to receive it
- Use any and all available and appropriate protections to prevent the use or disclosure
of information other than as provided by the agreement
- Ensure that subcontractors or agents to whom protected health information is provided
agree to the same restrictions and conditions
- Make available our internal practices, books, and records relating to the use and
disclosure of protected health information to the Department of Health and Human
Services Secretary, if requested
- Return or destroy all protected health information received from the covered entity
at termination of the agreement
- Authorize termination of the agreement by the covered entity upon determination
that the business associate violated a material term of the agreement.
How Does Datafied’s System Comply with HIPAA?
Datafied’s operations executives and its legal counsel have reviewed the Department
of Health and Human Services Transaction Standards, Security Standards, and the
Privacy Standards including the Final Privacy Rule published in August 2002.
The Transaction Standards are intended to improve the efficiency and effectiveness
of the U.S. health care system by establishing national standards for electronic
health care transactions. The standards apply only to data transmitted electronically
between healthcare providers and health plans. The Security Standards specify the
steps that must be taken to ensure the security of protected health information
that is transmitted electronically. As a business associate, Datafied has been in
compliance with all of these rules, even prior to the HIPAA deadline.
The Privacy Standards and the Final Rule apply to all uses of individually identifiable
health information, whether or not it is in electronic form. Since Datafied's business
depends on ensuring the confidentiality and security of the data it handles, the
policies required under the Privacy Rule were incorporated into our policies, procedures,
and training prior to the April 2003 compliance deadline.
We have also taken various measures to protect our systems and the information contained
therein. We have implemented the safeguards of the HIPAA Security Rule, which applies
to health information maintained or transmitted by a covered entity in electronic form.
The rule requires administrative, physical and technical protections for this information:
Administrative protections:
- Security management – policies to prevent, detect,
contain and correct security violations; risk analysis, risk management, and sanction/security
policies
- Assigned responsibility – single individual must
have responsibility, assigned in writing, for the overall security of a covered
entity’s information
- Workforce security – only authorized staff may
have access to information
- Information access – policies for authorizing,
establishing and modifying access to information
- Security awareness/training – program for entire
staff developed and maintained
- Security incident procedures – policies are in
place to report, respond to and manage security incidents
- Contingency (business continuation) plan – for response to a disaster or emergency
that damages information systems containing information
- Evaluation – periodically determine the extent
that our security policies meet the ongoing requirements
- Business Associate Agreement – states that we
will adequately safeguard the information
Physical protections:
- Facility access – limit physical access to information
- Workstation use – policy specifies the use of
workstations and the characteristics of the physical environment of workstations
that can access information
- Workstation security – limited only to authorized
users
- Device and media controls – policies governing the receipt and removal of hardware
and electronic media containing information
Technical protections:
- Access control – only authorized personnel have
access
- Audit controls – to record and examine activity
within systems
- Integrity – to protect information from improper
modification or destruction
- Person/entity authentication – to verify that
persons seeking access to information are who they claim to be
- Transmission security – to prevent unauthorized
access to information that is transmitted over an electronic network (e.g., the
Internet or an intranet)