Yes! ChiroUp is HIPAA compliant. Under the HITECH Act, the term "personal health record (PHR)" means an electronic record of PHR identifiable health information (as defined in section 13407(f)(2) of the HITECH Act) that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual who is the subject of the record.
The information that is being collected and stored by ChiroUp creates a personal health record (PHR) for each of your patients and is subject to HIPAA requirements. To meet HIPAA requirements, ChiroUp follows the same required privacy and security safeguards for its PHR that subscribers would use for patient records created in their chiropractic practice. The following points describe how ChiroUp and subscribers meet HIPAA requirements:
Business Associate Agreement
The Privacy Rule allows a covered entity (you) to use a business associate (ChiroUp) to perform functions or activities on behalf of, or provide services to, the covered entity that involve the use or disclosure of protected health information (PHI), provided the covered entity obtains satisfactory assurances, through a contract or agreement, that the business associate will appropriately safeguard the information. (See 45 C.F.R. §§ 164.502(e), 164.504(e).)
Upon initial registration, ChiroUp automatically provides subscribers with a valid Business Associate Agreement stating that ChiroUp is "a business associate with whom covered entities are permitted to share PHI" and that ChiroUp will provide "all assurances and appropriate safeguards" for the records created. If you need a copy of the agreement, please contact support@ChiroUp.com.
Data Security and Encryption
Because the PHR is provided on behalf of a covered entity (you), ChiroUp must abide by the security provisions of HIPAA and the HITECH Act. To meet these requirements ChiroUp employs:
– Administrative safeguards including background checks and training for ChiroUp employees.
– Physical safeguards for ChiroUp facilities and devices.
– Technical safeguards within the program including authentication, automatic log-off, and encryption.
HIPAA's final rule on security standards (68 Fed. Reg. 8334, Feb. 20, 2003) covers transmission security, which includes channels such as email and file sharing: "With respect to transmissions from covered entities, covered entities must protect electronic protected health information when they transmit that information" (p. 8338).
The transmission security standard has two implementation specifications, integrity controls and encryption (45 C.F.R. § 164.312(e)(2)). Both are "addressable", which does not mean optional: a covered entity must implement each one where reasonable and appropriate, or document why it is not and put an equivalent alternative in place.
Integrity controls: "Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of."
Encryption: "Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate." (p. 8338)
HIPAA allows discretion when choosing a method of encryption and does not name a specific algorithm or product: "Covered entities are encouraged to consider use of encryption technology for transmitting electronic protected health information, particularly over the internet…We remain committed to the principle of technology neutrality and agree with the comment that rapidly changing technology makes it impractical and inappropriate to name a specific (encryption) technology." (p. 8357)
In practice, PHI that was encrypted in a manner consistent with HHS guidance, and whose encryption key was not also compromised, is no longer "unsecured PHI", so its loss or theft does not trigger the breach notification requirements. To meet this standard for email, ChiroUp encrypts messages in transit using transport layer security (TLS). Keep in mind that TLS protects a message only while it travels between the sending and receiving mail servers, and only when the receiving server negotiates TLS; it does not encrypt the message once it is stored in a mailbox, so PHI that must be protected at rest needs its own safeguards. Download ChiroUp's HIPAA Business Associate Agreement located in My Account.