HIPAA Compliance & Certification
Life9 achieves HIPAA Compliance in the following manner: [reference: accountablehq.com/post/saas-hipaa-compliance]
1) Signed Business Associate Agreements (BAAs)
As a SaaS Business Associate — a service provider that performs a function that requires access to protected health information (PHI) — Life9 adheres to all US Department of Health and Human Services (HHS) HIPAA requirements applicable to Business Associates.
To comply with this requirement, Life9 has signed BAAs with all clinics and clients that use our services (Covered Entities). BAAs are legal contracts signed between covered entities and their business associates, like Life9, in which both parties agree that they are responsible for their own compliance with HIPAA.
2) Adherence to HIPAA Security Rule Safeguards
Administrative Safeguards are policies and procedures that are implemented to protect ePHI and ensure compliance with the Security Rule. These requirements cover training and procedures for employees regardless of whether or not the employee has access to protected health information.
The bulk of the Security Rule is focused on administrative safeguards. These standards include:
– Security Management Process: A covered entity must implement security measures that will help to reduce vulnerabilities in PHI security. A key part of this standard is conducting a thorough HIPAA risk assessment.
– Security Personnel: The rule requires that a Privacy Officer be designated who is responsible for developing and implementing security policies and procedures.
– Information Access Management: This standard focuses on restricting unnecessary access to ePHI, so that only appropriate personnel have access to that data, and only when it is appropriate.
– Workforce Training and Security Awareness: This standard requires that employees complete an annual HIPAA training and also be educated on the organization’s specific security procedures. The organization must also have and apply sanctions against any employee who violates these security procedures.
Physical Safeguards are the policies and procedures for protecting PHI within electronic information systems, equipment, and the buildings they are housed in from unauthorized intrusion. Common examples of Physical Safeguards include:
– Access Control: These are procedures that limit access to the facilities that contain information systems like computers and servers.
– Workstation Use and Security: These pertain to the usage of workstations, which can be any computer, and to the information contained within them.
– Device and Media controls: These are the policies for how devices containing ePHI can be removed from a facility.
Technical Safeguards are the policies and procedures that determine how technology protects ePHI and controls access to that data. This can often be the most challenging part of the regulation to understand and implement.
– Access Control: A covered entity must put in place policies and procedures that allow only authorized individuals to access ePHI.
– Audit Control: Covered Entities must implement procedures through hardware or software that record and monitor access to systems that contain ePHI.
– Integrity Controls: Organizations must have procedures in place to maintain that ePHI is not altered, destroyed, or tampered with.
– Transmission Security: A covered entity must implement security measures that protect against unauthorized access to ePHI that is being transmitted over an electronic network.
3) Annual Risk Assessment
The Administrative Safeguards provision in the Security Rule requires covered entities to perform recurring risk assessments as part of their security management processes. The HIPAA Risk Assessment, also called a Security Risk Assessment, helps to determine which security measures are reasonable and appropriate for a particular covered entity.
Risk Assessments will help to:
– Evaluate the likelihood and impact of potential risks to ePHI.
– Guide the implementation of appropriate security procedures to address the risks identified in the risk analysis.
– Document the chosen security measures and, where required, the rationale for adopting those measures.
– Maintain continuous, reasonable, and appropriate security protections.
Life9 performs ongoing risk assessments to regularly track access to ePHI and identify security breaches, periodically review how effective our security measures have been, and regularly reevaluate potential risks to ePHI.