What does "HIPPA" mean?

"HIPPA" is an acronym that stands for "Health Insurance Portability and Accountability Act," which was enacted as a US Federal Statute, and was signed into law on August 21 of 1996 by President Bill Clinton. The HIPPA Act was intended to update the handling of sensitive health insurance information by healthcare organizations as well as health insurance organizations with the intent of protecting patients against information theft, fraud and identity forging.

The 5 titles of HIPPA Compliance

Title One: Health Care Access, Portability and Renewability
Title Two: Preventing Health Care Fraud and Abuse; Administrative Simplification; Medical Liability Reform
Title Three: Tax-related health provisions governing medical savings accounts
Title Four: Application and enforcement of group health insurance requirements
Title Five: Revenue offset governing tax deductions for employers

Each title has specific verbiage that you can read at Wikipedia below.

Do you need to be HIPPA Compliant?

If you are a healthcare provider or health insurance organization, your staff is responsible for being HIPPA Compliant and learning the details of HIPPA Compliance. You are subject to HIPPA Compliance if you provide any form of medical or health related services, including Dentists, Orthodontists, Chiropractors, Physicians, Hospitals, Medical Clinics, Home Health Care Providers, Hospice Providers, Outpatient Care Centers, Ambulatory Services, and any other organization or service that touches health related information. These include Primary/Secondary/Tertiary/Quartenary Care Providers.

The three rules of HIPPA Compliance

The Privacy Rule: The HIPAA Privacy Rule establishes national standards to protect individuals' medical records and other personal health information and applies to health plans, health care clearing houses, and those health care providers that conduct certain health care transactions electronically. The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections. Read more

The Security Rule: The Security Standards for the Protection of Electronic Protected Health Information (the Security Rule) establish a national set of security standards for protecting certain health information that is held or transferred in electronic form. The Security Rule operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that organizations called "covered entities" must put in place to secure individuals' "electronic protected health information" (e-PHI). Within HHS, the Office for Civil Rights (OCR) has responsibility for enforcing the Privacy and Security Rules with voluntary compliance activities and civil money penalties. Read more

The Breach Notification Rule: The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information. Similar breach notification provisions implemented and enforced by the Federal Trade Commission (FTC), apply to vendors of personal health records and their third party service providers, pursuant to section 13407 of the HITECH Act. Read more

What are HIPPA Business Associates?

HIPAA defines Business Associates as a person, persons or entity that provides services to a covered entity that involves the disclosure of PHI (Personal Health Information). Businesses that would be considered business associates when working with covered entities include: software companies with access to PHI, companies in claims processing or collections, or any individual(s) who come into the posession of, or have access to, PHI. Read more

How do you become a Business Associate?

To become a Business Associate, you or your organization must follow some requirements and guidelines. You must create Privacy and Security Policies for the organization. You must name a HIPAA Privacy Officer and Security Officer. You must implement Security Safeguards. You must regularly conduct Risk Assessments and Self-Audits. You must maintain Business Associate Agreements with any person or entity sharing PHI with you or your entity. You must establish a Breach Notification Protocol. Learn more about HIPPA Compliance Training at hhs.giv

What are HIPPA Compliant forms?

Forms can be either physical or electronic, such as a Printed Paper form that a patient completes by hand at their medical office, or an Online Form that can be completed electronically on the web. This presents two different methodoligies and responsibilities for HIPPA Compliant Forms. EZ Fast Forms are Online forms that are secured through various methods of encryption to protect PHI both in-transit and in-storage. The responsibility of HIPPA Compliancy for EZ Fast Forms ends when the member downloads or exports PHI to their office computer. Once PHI has been printed in the office or stored on an office server, the responsibility for HIPPA Compliance falls to the member or member's organization.

Printed PHI must be physically secured so only appropriate personnel and staff can access the information. The physical copies need to be moved to a secure storage location, such as a safe, vault or secured storage room. Access to the storage area must be limited to approved persons, and shuold not be accessible to extraneous persons such as cleaning staff, contractors, or any other persons. Physical copies of PHI should be secured when they are no longer in use and never left sitting idle anywhere outside of the secured area. Printer and copier buffers should be purged to prevent access to PHI by technical support service persons. It is the responsibility of all Business Associates to apply due diligence to securing and protecting all PHI.

Downloaded electronic PHI must be electronically AND physically secured so only appropriate Business Associates can access the information. The computer on which the PHI was downloaded must be password-protected at startup. It must also have a password requirement when awakening from an idle timeout or sleep mode. Stored data on the hard drive must be encrypted, such that direct hard drive access will not reveal the PHI. Browser caches should be automatically purged, else manually purged to prevent PHI access.

EZ Fast Forms provides multiple electronic methods of accessing PHI to members. PHI can be viewed in a tabular form for copy/paste access, downloaded as a PDF (either secured or not-secured), downloaded as an FDF file for direct import to a custom PDF via the API Editor (mapping system), and as CSV, TSV, XLSX, and TXT formats. All PHI is secured by EZ Fast Forms at all points of contact, but we have no control over the PHI after it has been downloaded to your office.

EZ Fast Forms defaults to HIPPA Compliant settings for all new members, but provides the ability to circumvent HIPPA Compliance in some situations. Please note that PDF Password Protection is NOT HIPPA Compliant and PDFs of response sets may optionally be generated and attached to alert emails automatically. As well, it is possible to define certain questions to include the answers in plain-text in the body of alert emails for easier identification and office processing. These are NOT intended to be used with PHI of any form. These features are intended for non-PHI and non-PII questions that can be used to aid in data management.

What are the HIPPA Compliance conditions for storing PHI Online?

In general, there are no conditions for the "duration of storing PHI" in Online systems, such as databases or on servers. As long as the PHI is secured and cannot be accessed by a non-Business Associate, the data may remain Online indefinitely. EZ Fast Forms routinely purges data after a prescribed period defined by the membership profile, to provide automated maintenance purging. It is not our intent to provide indefinite storeage, rather provide a secure means to acquire, manage and access PHI for normal operations.

Concerned about HIPPA Compliance and/or PHI?

Email us at email@ezfastforms.com or call 801-253-2564 and we will be happy to answer your questions, research any new concerns, and implement custom solutions to meet your special HIPPA Compliance needs.

Read the EZ Fast Forms Business Agreement

Read more about HIPPA Compliance at Wikipedia