HIPAA (Health Insurance Portability and Accountability Act of 1996) is United States legislation that provides data privacy and security provisions for safeguarding medical information and Protected Health Information.
The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, was signed into law on February 17, 2009, to promote the adoption and meaningful use of health information technology.
Subtitle D of the HITECH Act addresses the privacy and security concerns associated with the electronic transmission of health information, in part, through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules.
Protected health information “Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual” that is:
There are 18 identifiers that can be used to identify, contact, or locate a person. If health information is used with any of these identifiers, it is considered identifiable. If PHI has all of these identifiers removed, it is no longer considered to be protected health information.
HIPAA applies to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form in connection with transactions for which the Secretary of HHS has adopted standards under HIPAA (the “covered entities”).
According to HIPAA Journal, “If FTP is required to transfer protected health information, healthcare providers, health plans, healthcare clearinghouses and business associates of HIPAA-covered entities must ensure their service provider uses a HIPAA compliant sFTP server.
A HIPAA compliant sFTP server could use AES-256 symmetric cryptography for stored data and protect transmitted data using an RSA 2048-bit key, both of which meet NIST and HIPAA standards.”
Unlike PCI and SOC compliance, there is no official HIPAA certification for a cloud service like Movebot. However, Movebot provides modern security compliance and redundancy.
For more on HIPAA and Cloud Service Providers please see here.
In general, a business associate is a person or organisation, other than a member of a covered entity's workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information.
Business associate services to a covered entity are limited to legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services. However, persons or organisations are not considered business associates if their functions or services do not involve the use or disclosure of protected health information, and where any access to protected health information by such persons would be incidental, if at all.
A business associate agreement is a written arrangement that specifies each party’s responsibilities when it comes to PHI.
The contract must describe permitted and required PHI uses for the business associate, and also state that the business associate “will not use or further disclose the protected health information other than as permitted or required by the contract or as required by law.”
Appropriate safeguards need to be established, ensuring that the business associate will prevent PHI disclosure outside of what is permitted in the contract.
Movebot has a BAA ready and available for Enterprise customers. Please contact the Movebot support or sales team to be provided a BAA for review. Movebot understands that all organisations are different and is open to considering amendments or changes to the BAA; however, the grounds for acceptance would be based on whether there is an increased risk to Movebot, and on any legal or other implications.