HIPAA Compliant Websites and PHI Forms for Doctors and Clinics. Price $149/Mon.
OnRevenue provides BAA’s for its customers. In order to understand what is covered, let’s review the four major areas of HIPAA compliance.
As a medical practice owner or an administrator, you have determined that you are handling Protected Health Information (PHI) and that you need to be HIPAA compliant. HIPAA compliance is not a “switch” that can be simply turned on. It requires processes and technology in place to address the key requirements for your medical business.
If you have a medical website, and potential or existing patients communicate with you by using the website to call you, send emails, or send forms, you are very likely receiving patient information that may include PHI.
If you have been audited for a HIPAA violation, you may be asked to provide a Business Associate Agreements (BAA) from all your vendors, including your website provider, who may have transported, viewed, stored or handled PHI. As a medical business owner it is your responsibility to address BAA requirements from all providers of services to your medical practice.
OnRevenue providers BAA’s for its customers. In order to understand what is covered, let’s review four major areas of HIPAA regulations and some definitions.
What is a Covered Entity: In HIPAA legal language, a Covered Entity is the medical practice providing services to patients. This would mean your clinic or medical facility.
What is a Business Associate: A business associate is a service provider or a vendor that provides services, technology, websites, software, etc. to the Covered Entity.
What is a Business Associate Agreement (BAA): A BAA is a legal document provided to the Covered Entity, that states in detail that the Business Associate has taken necessary steps, in accordance with HIPAA regulations, to provide security and other measures to protect PHI.
It is important to note that Covered Entities and their Business Associates need to protect the privacy and security of Protected Health Information (PHI). But, it gets more complicated when you start to put together a to-do list. Covered entities are required to apply the appropriate administrative, technical, and physical safeguards to protect the privacy of Protected Health Information. This applies to all forms of PHI. As such, covered entities are not permitted to abandon Protected Health Information or dispose such information so that it will be accessible to the public or unauthorized individuals. Covered entities are required to train their workforce on the proper disposal of PHI. It is important to note that under federal standards, the “workforce” includes volunteers. Covered entities should also determine what steps are reasonable to dispose of PHI while complying with the HIPAA Privacy and Security Rules.
There are four key HIPAA rules:
1. HIPAA Privacy Rule
2. HIPAA Security Rule
3. HIPAA Enforcement Rule
4. HIPAA Breach Notification Rule
As far as action items are concerned, you need to follow the HIPAA Privacy Rule and the HIPAA Security Rule. And, you need to provide notification following a breach of unsecured protected health information (the Breach Notification Rule). This article is not a definitive list of what is required for HIPAA compliance; you should assign a Privacy Officer to review each rule in its entirety. This article is intended to point you in the right direction. OnRevenue will provide BAA for your clinic, if requested.
OnRevenue apps for healthcare clinics save PHI information in secure servers that meets these guidelines. Contact us for more information.