Alloy Software HIPAA Compliance

What is HIPAA?

HIPAA, the Health Insurance Portability and Accountability Act of 1996 is a US law designed to provide privacy standards to protect patient’s medical records and other health information managed by health plans, doctors, hospitals, and other health care providers. These standards establish how such Protected Health Information (PHI) is stored, used, transmitted, and disclosed.

How Does Alloy Software Support HIPAA Compliance?

Since 2002, Alloy Software has been committed to developing products that adhere to the requirements of HIPAA. Alloy Navigator Enterprise, Alloy Navigator Express, Alloy Discovery Enterprise and Alloy Discovery Express were created with an emphasis on customer security to protect the sensitive information of its users and prevent regulatory breaches.

  • Alloy Software’s products are built with features that meet the obligations of the HIPAA ruling.
  • As an on-premises service provider with customers across various industries, Alloy Software’s products were created with focus on data security and privacy.
  • Alloy Software products are not directly involved in storing or managing medical records or medical information. However in order to avoid situations where sensitive information incidentally appears as part of incident tickets or service requests, customers who manage PHI should properly train their staff to handle protected health information in accordance with HIPAA security and privacy rules.
  • If necessary, customers should maintain only the minimal amount of PHI that is necessary to create a service request, in accordance with HIPAA’s minimum necessary requirements.
  • Network administrators using Alloy Software’s products are responsible for configuring the software in a HIPAA compliant manner using appropriate role-based access levels and permissions in order to satisfy the requirements and obligations of the ruling.

What industry certifications does Alloy Software have relating to HIPAA compliance?

There are no official government or industry certifications for HIPAA compliance. However, Alloy Software has developed its products, policies and procedures in full accordance with this HIPAA compliance guidelines.

How do Alloy Software products support the HIPAA Ruling?

Alloy Software products are built with strong ITIL-based best practices, especially within the processes of Knowledge Management, Configuration Management and Change Management, providing our customers with the capabilities required to better manage and optimize their critical IT processes:

Password Credentials

  • Alloy Software recommends that users create strong passwords that are at least eight characters in length and include a combination of upper- and lower-case letters, a special character and at least one number.
  • Network administrators can also set requirements for complex passwords, define minimum character length, set a maximum number of failed attempts and the maximum length of time in which a password can be used.

Encryption Protection

Alloy Software products contain built-in data encryption which gives users an added safeguard to prevent sensitive data from incidentally being seen, printed out, or copied over into other applications.

String Access Control

Alloy Software products support strict role-based access to product features and stored data, allowing explicit authorization for viewing, entering, and modifying data records.

Complete Audit Trail

Alloy Software products support detailed audit trail of activities that are related to modifications or deletions of data records.

HIPAA Terms and Glossary

The purpose of HIPAA

In 1996, the Health Insurance Portability and Accountability Act was enacted by the US Department of Health and Human Services (HHS) for the purpose of improving the efficiency and effectiveness of the US healthcare system. Through this act, provisions were included that required HHS to adopt national standards for electronic healthcare transactions, unique health identifiers and security measures.

Upon recognizing how technological advances could disrupt the privacy of personal health information, Congress incorporated provisions into HIPAA which mandated the adoption of Federal privacy protections for individually identifiable health information. Among these rules were:

  • The Privacy Rule, also known as the Standards for Privacy of Individually Identifiable Health Information, which established a national standard for the protection of individual healthcare information under three covered entities: health plans, healthcare clearinghouses and healthcare providers.
  • The Security Rule, also known as the Security Standards for the Protection of Electronic Protected Health Information, which established a national set of security standards for protecting the confidentiality, integrity and availability of health information that is held or transferred in electronic form.

Ensuring HIPAA Compliance

The Security Rule aims to protect the privacy of an individuals’ health information while allowing Covered Entities (CEs) to improve the quality and efficiency of patient care through the adoption of new and advanced technologies. The flexibility of this rule allows CEs to implement policies, procedures, and protocols that are appropriate for the entity’s specific size, organizational structure, and risks to consumers’ electronic protected health information (ePHI).

To achieve compliance with the HIPAA Security Rule, Covered Entities must adhere to six main administrative safeguards, each consisting of several standards and implementation specifications:

  • Security Standards – includes the general requirements that all covered entities must meet to ensure reasonable and appropriate protection of ePHI.
  • Administrative Safeguards – are defined as the “administrative actions and policies, and procedures to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.”
  • Physical Safeguards – are defined as the “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”
  • Technical Safeguards – are defined as the “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.”
  • Organizational Requirements – include standards to ensure appropriate safeguards are in place at business associates and others who share ePHI.
  • Policies, Procedures and Documentation Requirements – ensures that covered entities have formal plans (i.e., policies, procedures and documentation) in place for the reasonable and appropriate implementation of ePHI security.

HIPAA Requirements

Before the implementation of HIPAA, there existed no generally accepted set of security standards or general requirements that protected sensitive health information within the healthcare industry. With the emergence of new technologies, came the adoption of electronic information systems to manage health records, claims and several other administrative functions within the scope of healthcare.

HIPAA Today

Today, healthcare providers are facing major challenges in looking to upgrade their technological capabilities while also complying with HIPAA’s regulatory guidelines. This creates a difficult operational climate for IT leaders in healthcare, thus making advanced IT Service Management tools a critical component of any technology plan in this space

What is HHS?

HHS, the U.S. Department of Health and Human Services, is the governor develop regulations protecting the privacy and security of certain health information.

What is Protected Health Information (PHI)?

Protected Health Information (PHI) refers to demographic information, medical history, test and laboratory results, insurance information and other data that is collected by a healthcare professional to identify an individual and determine appropriate care.

What is Personally Identifiable Information (PII)?

Personally Identifiable Information (PII) is a subset of Protected Health Information (PHI), and refers to information that is uniquely identifying to a specific individual. Protected Health Information (PHI) is specific to medical and health-related use.

What is a HIPAA Covered Entity?

A HIPAA Covered Entity (CE) stewards Protected Health Information (PHI) and/or Personally Identifiable Information (PII) on patients in the process of providing healthcare care or paying for care. Examples of HIPAA Covered Entities (CE) are one of the following:

  • Healthcare Providers:
  • Including doctors, clinics, psychologists, dentists, chiropractors, nursing homes, pharmacies that transmits any information in an electronic form in connection with a transaction for which the U.S. Department of Health and Human Services (HHS) has adopted a standard.
  • Health Plan:
  • Including health insurance companies, HMOs, company health plans, government programs that pay for health care (like Medicare and Medicaid)
  • Healthcare Clearinghouses:
  • Including entities that process non-standard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa.

Resources

Summary of the HIPAA Security Rule

Health Information Privacy