HIPAA Compliance News

OCR Publishes New Resources for MHealth App Developers and Cloud Services Providers

Posted by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights has announced it has published additional resources for mobile health app developers and has updated and renamed its Health App Developer Portal.

The portal – Resources for Mobile Health Apps Developers – provides guidance for mobile health app developers on the HIPAA Privacy, Security, and Breach Notification Rules and how they apply to mobile health apps and application programming interfaces (APIs).

The portal includes a guidance document on Health App Use Scenarios and HIPAA, which explains when mHealth applications must comply with the HIPAA Rules and if an app developer will be classed as a business associate.

“Building privacy and security protections into technology products enhances their value by providing some assurance to users that the information is secure and will be used and disclosed only as approved or expected,” explained OCR. “Such protections are sometimes required by federal and state laws, including the HIPAA Privacy, Security, and Breach Notification Rules.”

The portal provides access to the Mobile Health Apps Interactive Tool developed by the Federal Trade Commission (FTC) in conjunction with the HHS’ Office of the National Coordinator for Health IT (ONC) and the Food and Drug Administration (FDA). The Tool can be used by the developers of health-related apps to determine what federal rules are likely to apply to their apps. By answering questions about the nature of the apps, developers will discover which federal rules apply and will be directed to resources providing more detailed information about each federal regulation.

The portal also includes information on patient access rights under HIPAA, how they apply to the data collected, stored, processed, or transmitted through mobile health apps, and how the HIPAA Rules apply to application programming interfaces (APIs).

The update to the portal comes a few months after the ONC’s final rule that called for health IT developers to establish a secure, standards-based API that providers could use to support patient access to the data stored in their electronic health records. While it is important for patients to be able to have easy access to their health data to allow them to check for errors, make corrections, and share their health data for research purposes, there is concern that sending data to third-party applications, which may not be covered by HIPAA, is a privacy risk.

OCR has previously confirmed that once healthcare providers have shared a patients’ health data with a third-party app, as directed by the patient, the data will no longer be covered by HIPAA if the app developer is not a business associate of the healthcare provider. Healthcare providers will not be liable for any subsequent use or disclosure of any electronic protected health information shared with the app developer.

A FAQ is also available on the portal that explains how HIPAA applies to Health IT and a guidance document explaining how HIPAA applies to cloud computing to help cloud services providers (CSPs) understand their responsibilities under HIPAA.

The post OCR Publishes New Resources for MHealth App Developers and Cloud Services Providers appeared first on HIPAA Journal.

Radiology Groups Issue Warning About PHI Exposure in Online Medical Presentations

Posted by HIPAA Journal

The American College of Radiology, the Society for Imaging Informatics in Medicine, and the Radiological Society of North America have issued a warning about the risk of accidental exposure of protected health information (PHI) in online medical presentations.

Healthcare professionals often create presentations that include medical images for educational purposes; however, care must be taken to ensure that protected health information is not accidently exposed or disclosed. Medical images contain embedded patient identifiers to ensure the images can be easily matched with the right patient but advances in web crawling technology is now allowing that information to be extracted, which places patient privacy at risk.

The web crawling technology used by search engines such as Google and Bing have enabled the large-scale extraction of information from previously stored files. Advances in the technology now allow information in slide presentations that was previously considered to be de-identified to be indexed, which can include patient identifiers. Source images can be extracted from PowerPoint presentations and PDF files, for example, and the technology can recognize alphanumeric characters that are imbedded in the image pixels.

As part of the indexing process, that information becomes associated with the images and search engine searches using a search term containing the information in those images will result in the files being displayed in the search engine results.

If a patient performs a search using their name, for example, an image from a diagnostic study conducted several years previously could be displayed in the search engine results. A click on the image would direct the patient to a website of a professional imaging association that had stored a PowerPoint presentation or Adobe PDF file that was used internally in the past for education purposes.

The professional imaging association would likely be unaware that the image contained any protected health information, the author of the file would be unlikely to be aware that the PHI had not been sufficiently de-identified when the presentation was created, and that saving the presentation as an Adobe PDF file had not ensured patient privacy.

The radiology organizations have offer guidance to healthcare organizations to help them avoid accidental PHI disclosures when creating online presentations containing medical images for educational purposes.

When creating presentations, only medical images that do not include any patient identifiers should be used. If medical images have embedded patient identifiers, screen capture software should be used to capture the part of the medical image that displays the area of interest, omitting the part of the image that contains patient identifiers. Alternatively, an anonymization algorithm embedded in the PACS should be used prior to saving a screen or active window representation or patient information overlays should be disabled before exporting the image.

The radiology organizations warn against the use of formatting tools in the presentation software – PowerPoint, Keynote, Google Slides etc – for cropping the images so as not to display any patient identifiers, as this practice will not permanently remote PHI from the images. They also warn that the use of image editing software such as Adobe Photoshop to blackout patient identifiers is also not a safe and compliant practice for de-identification.

After patient identifiers have been removed, a final quality control check is recommended to ensure that the images have been properly sanitized before they are made public.

You can view the guidance on the removal of PHI from medical images prior to creating medical image presentations on this link.

The post Radiology Groups Issue Warning About PHI Exposure in Online Medical Presentations appeared first on HIPAA Journal.

HHS Announces Limited HIPAA Privacy Rule Waivers Due to Hurricane Laura and the Californian Wildfires

Posted by HIPAA Journal

The Secretary of the HHS, Alex Azar, has declared a public health emergency exists in the states of Louisiana and Texas as a result of the consequences of Hurricane Laura, and in California due to ongoing wildfires.

During public health emergencies the HIPAA Rules are not suspended; however, the HHS Secretary may choose to waive certain provisions of the HIPAA Privacy Rule under the Project Bioshield Act of 2004 (PL 108-276) and section 1135(b)(7) of the Social Security Act.

In addition to the declaration of public health emergencies, the HHS Secretary has declared that sanctions and penalties against hospitals will be waived for the following provisions of the HIPAA Privacy Rule.

  • The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
  • The requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a).
  • The requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
  • The patient’s right to request privacy restrictions. See 45 CFR 164.522(a).
  • The patient’s right to request confidential communications. See 45 CFR 164.522(b).

Sanctions and penalties for noncompliance with the above provisions of the HIPAA Privacy Rule have only been waived for hospitals in the emergency areas and only for the time period stated in the public health emergency declarations.

The waivers only apply to hospitals that have instituted their disaster protocol, and only for up to 72 hours from the time the disaster protocol is instituted.  Once either the Presidential or Secretarial declaration terminates, the HIPAA waivers will no longer be in effect and hospitals must then ensure they comply with all provisions of the HIPAA Privacy Rule. That applies even if the 72 hour period has not elapsed.

During public health emergencies, the HIPAA Privacy Rule allows patient information to be shared for treatment, payment, and healthcare operations.

Patient information can also be shared for public health activities to allow public health authorities to carry out their public health mission. Patient information can be shared with a public health authority such as the Centers for Disease Control and Prevention for the purpose of preventing or controlling disease, injury or disability.

The HIPAA Privacy Rule also permits the sharing of patient information at the direction of a public health authority to a foreign government agency and to persons at risk of contracting or spreading a disease or condition if permitted by other laws, which authorize a covered entity to notify such persons to prevent or control the spread of the disease or otherwise to carry out public health interventions or investigations.

Disclosures can also be made to family members, friends, and others involved in an individual’s care and for notification, and healthcare providers may disclose patient information with anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public – consistent with applicable law, and the provider’s standards of ethical conduct.

Limited disclosures to the media and others not involved in the care of a patient are permitted, if a request is received and the name of the patient is provided, but should be restricted to limited facility directory information to acknowledge an individual is a patient at the facility and basic information about the status of the patient (e.g., critical or stable, deceased, or treated and released).

In all cases, the minimum necessary rule applies. Disclosures should be restricted to the minimum amount of information necessary to achieve the purpose for which the information is being disclosed.

Public Health Emergency Declarations

Louisiana and Texas PHE

California PHE

HIPAA Waivers

HIPAA Bulletin Louisiana and Texas

HIPAA Bulletin California

The post HHS Announces Limited HIPAA Privacy Rule Waivers Due to Hurricane Laura and the Californian Wildfires appeared first on HIPAA Journal.

OCR Highlights the Importance of Creating and Maintaining a Comprehensive IT Asset Inventory

Posted by HIPAA Journal

The risk analysis is one of the most important requirements of the HIPAA Security Rule, yet it is one of the most common areas of noncompliance discovered during Office for Civil Rights data breach investigations, compliance reviews, and audits. While there have been examples of HIPAA-covered entities ignoring this requirement entirely, in many cases noncompliance is due to the failure to perform a comprehensive risk analysis across the entire organization.

In order to perform a comprehensive risk analysis to identity all threats to the confidentiality, integrity, and availability of electronic protected health information (ePHI), you must first know how ePHI arrives in your organization, where it flows, where all ePHI is stored, and the systems that can be used to access that information. One of the common reasons for a risk analysis compliance failure, is not knowing where all ePHI is located in the organization.

In its Summer 2020 Cybersecurity Newsletter, OCR highlighted the importance of maintaining a comprehensive IT asset inventory and explains how it can assist with the risk analysis process. An IT asset inventory is a detailed list of all IT assets in an organization, which should include a description of each asset, serial numbers, names, and other information that can be used to identify the asset, version (operating system/application), its location, and the person to whom the asset has been assigned and who is responsible for maintaining it.

“Although the Security Rule does not require it, creating and maintaining an up-to-date, information technology (IT) asset inventory could be a useful tool in assisting in the development of a comprehensive, enterprise-wide risk analysis, to help organizations understand all of the places that ePHI may be stored within their environment, and improve their HIPAA Security Rule compliance,” explained OCR in the newsletter.

An IT asset inventory should not only include physical hardware such as mobile devices, servers, peripherals, workstations, removable media, firewalls, and routers. It is also important to list software assets and applications that run on an organization’s hardware, such as anti-malware tools, operating systems, databases, email, administrative and financial records systems, and electronic medical/health record systems.

IT solutions such as backup software, virtual machine managers/hypervisors, and other administrative tools should also be included, as should data assets that include ePHI that an organization creates, receives, maintains, or transmits on its network, electronic devices, and media.

“Understanding one’s environment – particularly how ePHI is created and enters an organization, how ePHI flows through an organization, and how ePHI leaves an organization – is crucial to understanding the risks ePHI is exposed to throughout one’s organization.”

For smaller healthcare organizations, an IT asset inventory can be created and maintained manually, but for larger, more complex organizations, dedicated IT Asset Management (ITAM) solutions are more appropriate. These solutions include automated discovery and update processes for asset and inventory management and will help to ensure that no assets are missed.

When creating an IT asset inventory to aid the risk analysis, it is useful to include assets that are not used to create, receive, process, or transmit ePHI, but may be used to gain access to ePHI or to networks or devices that store ePHI.  IoT devices may not store or be used to access ePHI, but they could be used to gain access to a network or device that would allow ePHI to be viewed.

“Unpatched IoT devices with known vulnerabilities, such as weak or unchanged default passwords installed in a network without firewalls, network segmentation, or other techniques to deny or impede an intruder’s lateral movement, can provide an intruder with a foothold into an organization’s IT network,” suggests OCR. “The intruder may then leverage this foothold to conduct reconnaissance and further penetrate an organization’s network and potentially compromise ePHI.” There have been multiple incidents where hackers have exploited a vulnerability in one of these devices to penetrate an organization’s network and access sensitive data.

Organizations that do not have a comprehensive IT asset inventory could have gaps in recognition and mitigation of risks to ePHI. Only with a comprehensive understanding of the entire organization’s environment will it be possible to minimize those gaps and ensure that an accurate and thorough risk analysis is performed to ensure Security Rule compliance.

Maintaining an IT asset inventory may not be a Security Rule requirement but covered entities must create policies and procedures that govern the receipt and removal of hardware and electronic media that contain ePHI into and out of a facility. An IT asset inventory can also be used for this purpose. The IT asset inventory can also be compared with the results of network scanning and mapping processes to help identify unauthorized devices that have been connected to the network and used as part of vulnerability management to ensure that no devices, software, or other assets are missed when performing software updates and applying security patches.

The NIST Cybersecurity Framework can be leveraged to assist with the creation of an IT asset inventory. NIST has also produced guidance on IT asset management in its Cybersecurity Practice Guide, Special Publication 1800-5. The HHS Security Risk Assessment Tool can also help with IT asset management. It includes inventory capabilities that allow for manual entry or bulk loading of asset information with respect to ePHI.

The post OCR Highlights the Importance of Creating and Maintaining a Comprehensive IT Asset Inventory appeared first on HIPAA Journal.

House of Representatives Votes to Remove Ban on HHS Funding a National Patient Identifier System

Posted by HIPAA Journal

The House of Representatives has voted to lift the ban on the Department of Health and Human Services using federal funds to develop a national patient identifier system.

The Health Insurance Portability and Accountability Act (HIPAA) called for the development of a national patient identifier system. As the name suggests, a national patient identifier system would see each person in the united States issued with a permanent, unique identification number, similar to a Social Security number, that would allow each patient to be identified across the entire healthcare system in the United States. If a patient from California visited an emergency room in New York, the patient identifier could be used to instantly identify the patient, allowing the healthcare provider to access their medical history. Currently, the lack of such an identifier makes matching patients with their medical records complicated, which increases the potential for misidentification of a patient.

The extent to which records are mismatched has been shown in multiple studies. For instance, in 2012, a study conducted by the College of Healthcare Information Management Executives (CHIME) found that 20% of its members could trace an adverse medical event to the mismatching of patient records. In 2014, the Office of the National Coordinator for Health Information Technology (ONC) found that 7 out of every 100 patient records were mismatched. Between 50% and 60% of records are mismatched when shared between different healthcare providers. A study conducted by the Ponemon Institute suggested 35% of all denied claims are due to inaccurately matched records or incomplete patient information, which costs the healthcare industry around $1.2 million each year.

It has been 24 years since HIPAA was signed into law, yet there is still no national patient identifier system. A ban was implemented in 1999 preventing the Department of Health and Human Services from funding the development of such as system out of privacy concerns. The ban has remained in place ever since.

Attempts have been made to lift the ban, notably by Reps. Bill Foster (D-IL) and Mike Kelly (R-PA). Last year, their efforts were partially successful, as the House of Representatives voted to remove the ban, only for the Senate to reject the house provision by not including the language removing the ban in the fiscal year 2020 funding bill for the HHS.

On July 30, 2020, the House approved the Foster-Kelly amendment for the House fiscal 2021 appropriations bill covering the departments of labor, health and human services and education. If the Foster-Kelly amendment is included in the Senate fiscal year 2021 funding bill, the HHS will be free to evaluate a range of solutions and find one which is cost-effective, scalable and secure.

Proponents of lifting the ban claim a national patient identifier would increase patient safety and would help with the secure exchange of healthcare information. While support for a national patient identifier is growing, not everyone believes such a system is wise. Opponents to the lifting of the ban believe a national patient identifier would create major privacy risks. The Citizens’ Council for Health Freedom said a national patient identifier “would combine all of your private information, creating a master key that would open the door to every American’s medical, financial and other private data.”

While there are concerns about privacy, the benefits of introducing such a system have been highlighted during the COVID-19 pandemic. Temporary healthcare facilities and testing sites have been set up and laboratories are now processing huge numbers of COVID-19 tests. There have been many reports of healthcare facilities struggling to correctly identify patients and laboratories have found it difficult to match test results with the right patients due to the lack of complete demographic data.

“The coronavirus pandemic continues to demonstrate the importance of accurately identifying patients and matching them to their medical records. Today marks another milestone in keeping patients safe with the passage of the Foster-Kelly Amendment in the House, bringing us closer to a national patient identification solution,” Russ Branzell, CHIME CEO.

“Removing this archaic ban is more important than ever as we face the COVID-19 pandemic,” said Rep. Bill Foster. “Our ability to accurately identify patients across the care continuum is critical to addressing this public health emergency, and removing this ban will alleviate difficult and avoidable operational issues, which will save money and, most importantly, save lives.”

The post House of Representatives Votes to Remove Ban on HHS Funding a National Patient Identifier System appeared first on HIPAA Journal.

OCR Imposes $1 Million HIPAA Penalty on Lifespan for Lack of Encryption and Other HIPAA Failures

Posted by HIPAA Journal

The HHS’ Office for Civil Rights has imposed a $1,040,000 HIPAA penalty on Lifespan Health System Affiliated Covered Entity (Lifespan ACE) following the discovery of systemic noncompliance with the HIPAA Rules.

Lifespan is a not-for-profit health system based in Rhode Island that has many healthcare provider affiliates in the state. On April 21, 2017, a breach report was filed with OCR by Lifespan Corporation, the parent company and business associate of Lifespan ACE, about the theft of an unencrypted laptop computer on February 25, 2017.

The laptop had been left in the vehicle of an employee in a public parking lot and was broken into. A laptop was stolen that contained information such as patient names, medical record numbers, medication information, and demographic data of 20,431 patients of its healthcare provider affiliates.

OCR investigated the breach and discovered systemic noncompliance with the HIPAA Rules. Lifespan ACE uses a variety of mobile devices and had conducted a risk analysis to identify potential risks to the confidentiality, integrity, and availability of ePHI. Through the risk analysis, Lifespan ACE determined that the use of encryption on mobile devices such as laptops was reasonable and appropriate given the level of risk but failed to implement encryption. The lack of encryption was a violation of 45 C.F .R. § I 64.312(a)(2)(iv).

OCR also discovered Lifespan ACE had not implemented policies and procedures that required the tracking of portable devices with access to a network containing ePHI, nor was there a comprehensive inventory of those devices, in violation of 45 C.F.R. § 164.310(d)(1).

Lifespan Corporation was a business associate of Lifespan ACE, but both entities had failed to enter into a business associate agreement with each other. Lifespan ACE had also not obtained a signed business associate agreement from its healthcare provider affiliates, in violation of 45 C.F.R. § 164.502(e).

As a result of the compliance failures, Lifespan ACE was responsible for the impermissible disclosure of the ePHI of 20,431 individuals when the laptop was stolen – See 45 C.F.R. § 164.502(a).

Lifespan ACE agreed to settle the case, pay the financial penalty, and adopt a comprehensive corrective action plan (CAP). The CAP requires Lifespan ACE to enter into business associate agreements with its affiliates and parent company, create an inventory of all electronic devices, implement encryption and configure access controls, and review and revise its policies and procedures with respect to device and media controls. Those policies and procedures must be distributed to the workforce and training must be provided on the new policies. Lifespan ACE’s compliance efforts will be scrutinized by OCR for the duration of the two-year CAP.

“Laptops, cellphones, and other mobile devices are stolen every day, that’s the hard reality.  Covered entities can best protect their patients’ data by encrypting mobile devices to thwart identity thieves,” said Roger Severino, OCR Director.

This is the second HIPAA penalty to be announced by OCR in the past week. On July 23, 2020, OCR announced Metropolitan Community Health Services dba Agape Health Services had been fined $25,000 for longstanding, systemic noncompliance with the HIPAA Security Rule.

The post OCR Imposes $1 Million HIPAA Penalty on Lifespan for Lack of Encryption and Other HIPAA Failures appeared first on HIPAA Journal.

Small North Carolina Healthcare Provider Fined $25,000 for HIPAA Security Rule Noncompliance

Posted by HIPAA Journal

The HHS’ Office for Civil Rights (OCR) has announced a $25,000 settlement has been reached with Metropolitan Community Health Services to resolve violations of the HIPAA Security Rule.

Washington, NC-based Metropolitan Community Health Services is a Federally Qualified Health Center that provides integrated medical, dental, behavioral health & pharmacy services for adults and children. Operating as Agape Health Services, Metro provides discounted medical services to the underserved population in rural North Carolina. Metropolitan Community Health Services has around 43 employees and serves 3,100 patients each year.

On June 9, 2011, Metropolitan Community Health Services filed a report with OCR over a breach of the protected health information of 1,263 patients. OCR conducted a compliance review to establish whether the breach was the direct result of noncompliance with the HIPAA Rules. The OCR investigation uncovered longstanding, systemic noncompliance with the HIPAA Security Rule.

Prior to the breach, Metropolitan Community Health Service had failed to implement HIPAA Security Rule policies and procedures, in violation of 45 C.F.R. §164.316, and an accurate and thorough assessment of the potential risks to the confidentiality, integrity, and availability of ePHI had not been conducted, in violation of 45 C.F.R. § 164.308(a)(l )(ii)(A). Despite being in business since 1999, no HIPAA security awareness and training had been provided to the workforce prior to June 30, 2016, in violation of 45 C.F.R. §164.308(a)(5).

When deciding on an appropriate settlement, OCR took the size of the organization and several other factors into account.  In addition to paying a financial penalty of $25,000 to resolve the HIPAA violations, Metropolitan Community Health Services has agreed to adopt a robust corrective action plan and will ensure policies and procedures are implemented to the standards required by HIPAA.  Metropolitan Community Health Services will be monitored for compliance with the corrective action plan for a period of two years.

This is the second HIPAA violation penalty to be imposed on a HIPAA covered entity in 2020 to resolve violations of HIPAA Rules, the first being a $100,000 financial penalty in March 2020 for Steven A. Porter, M.D for risk analysis and risk management failures.

The fine confirms that healthcare providers, large and small, are required to comply with HIPAA Rules. “Health care providers owe it to their patients to comply with the HIPAA Rules.  When informed of potential HIPAA violations, providers owe it to their patients to quickly address problem areas to safeguard individuals’ health information,” said Roger Severino, OCR Director.

The post Small North Carolina Healthcare Provider Fined $25,000 for HIPAA Security Rule Noncompliance appeared first on HIPAA Journal.

Guidance on Contacting COVID-19 Patients to Request Blood and Plasma Donations

Posted by HIPAA Journal

When patients contract an infectious respiratory disease such as COVID-19, the immune system develops antibodies that provide protection if the pathogen is encountered again. The antibodies in the blood of patients who recover from such an illness are valuable, as not only will they provide protection for the patient, that protection could potentially be transferred to other patients.

Through the donation of blood and plasma two preparations can be made: Convalescent plasma and hyperimmune immunoglobulin. Convalescent plasma and hyperimmune immunoglobulin have both been used to successfully treat patients who have contracted other viral respiratory diseases. Given the severity of COVID-19 and the high mortality rate, these treatments could be vital for patients who are struggling to fight the infection. Research studies are now underway to test whether antibody treatments are effective against COVID-19.

To participate in these programs, patients who have previously been diagnosed with COVID-19 will need to be contacted and asked if they are willing to donate blood and plasma, but is this contact permitted by the HIPAA Privacy Rule?

On June 12, 2020, the Department of Health and Human Services’ Office for Civil Rights issued guidance to healthcare providers on the HIPAA Privacy Rule and contacting COVID-19 patients to request blood and plasma donations.

OCR explained that the HIPAA Privacy Rule does not prohibit healthcare providers from contacting COVID-19 patients to request blood and plasma donations and prior authorization from the patient is not required.

Healthcare providers can contact patients to advise them about the opportunities for donating blood and plasma to support the response to COVID-19 to improve other patents’ chances of beating the disease.

HIPAA covered entities and business associates acting on their behalf can use or disclose PHI for the purpose of treatment, payment, and healthcare operations, without first receiving authorization to do so from a patient. Requesting a donation of blood or plasma does not fall into the category of treatment, as the blood/plasma will not be used to treat the patient, instead it is being used for population-based health care operations to improve health, case management, and care-coordination, which are included in the definition of healthcare operations.

There is some confusion over whether contacting patients to solicit blood donations would constitute marketing communications, which are generally not permitted by the HIPAA Privacy Rule without prior authorization from a patient.

In this case, an exception to the Privacy Rule’s Marketing provision applies. “A covered health care provider is permitted to make such communication for the covered entity’s population-based case management and related health care operations activities, provided that the covered entity receives no direct or indirect payment from, or on behalf of, the third party whose service is being described in the communication (e.g., a blood and plasma donation center),” explained OCR in the guidance.

An authorization is required from a patient before PHI can be disclosed to a third party, such as a blood and plasma donation center, to allow a COVID-19 patient to be contacted to request blood and plasma donations for the donation center’s own purposes.

The post Guidance on Contacting COVID-19 Patients to Request Blood and Plasma Donations appeared first on HIPAA Journal.

Safe Partner Inc. Confirmed as HIPAA Compliant

Posted by HIPAA Journal

Compliancy Group has announced that Safe Partner Inc. has demonstrated it has implemented an effective HIPAA compliance program and has successfully completed its proprietary 6-stage HIPAA risk analysis and remediation process.

Safe Partner Inc. is a Belmont, CA-based boutique software development and consulting company that provides a full range of software services, from design to development, implementation, and ongoing customer support. The company was formed in 1995 and works with clients in a wide range of industry sectors, including healthcare. Some of the software solutions developed by the company interact with healthcare data, which means the company is classed as a business associate and must comply with HIPAA Rules.

To ensure that no aspect of HIPAA compliance was missed, Safe Partner Inc sought assistance from Compliancy Group. Assisted by the company’s compliance coaches and using the firm’s HIPAA compliance tracking software solution, The Guard, Safe Partner Inc was able to demonstrate its HIPAA compliance program covered all aspects of the HIPAA Privacy, Security, Omnibus, and Breach Notification Rules. The company also conducted a comprehensive risk analysis to identify all potential risks to the confidentiality, integrity, and availability of protected health information, and ensured risks were effectively mitigated in accordance with the requirements of the HIPAA Security Rule.

After demonstrating to Compliancy Group that its policies and procedures met the minimum standards required by HIPAA, the company’s good faith effort toward HIPAA compliance was recognized and the company was awarded the Compliancy Group HIPAA Seal of Compliance.

The HIPAA Seal of Compliance helps the company differentiate its services and demonstrates to current and future clients that Safe Partner Inc. is committed to ensuring the privacy and security of any healthcare data provided to the company or accessible through its software solutions.

The post Safe Partner Inc. Confirmed as HIPAA Compliant appeared first on HIPAA Journal.