HIPAA Compliance

HIPAA Compliance

Mediflash takes security and compliance very seriously and has built a 100% secure and HIPAA compliant network and technology solution. This solution is the backbone for our data management and retrieval product offerings. Our Microsoft-Azure-based, HIPAA compliant network and software allows us to offer document retrieval, document management and APS Summary services at the highest level of efficiency and security.

Mediflash has been providing customers with the highest levels of privacy and security for patients’ confidential health information since we opened our doors in 2008. In an effort to continue to serve the needs of our clients, Mediflash is fully compliant with the standards and procedure outlined in the HIPAA rules and regulations. In the interest of privacy and compliance, we have crafted a secure environment wherein we operate under strict guidelines and security measures in order to ensure that our clients’ information is protected and that Mediflash is meeting the standards and guidelines set forth by the HIPAA rules and regulations. We have protections and security measures in place to protect from loss, misuse, and alteration of the information provided to us.

What is HIPAA Compliant?

The Health Insurance Portability and Accountability Act (HIPAA) is a piece of legislation that was passed in 1996. The United States Health & Human Service Department has been given authority to define regulations related to transactions and code sets, identifiers, privacy, and security. This legislation will accomplish many things, although one of the more notable accomplishments will be improved accountability related to the privacy of an individual’s medical records and other personal health information.

The privacy standards of HIPAA provide a framework for health privacy protection which serves to enhance and insure the protection of patient medical and health information. These standards have changed the manner in which information is handled and delivered. The Privacy Rule applies only to health plans, health care clearinghouses, and covered certain health care providers – known as “covered entities” under the legislation. Since most health care providers rely on contractors and other “business associates” to assist them in providing quality care to their patients, the issue of privacy has become more complicated. Mediflash is considered a business associate. A business associate is typically defined as, “a person or entity that provides certain functions, activities or services for or to a covered entity, involving the use and/or disclosure of protected health information.”

The business associate provisions within HIPAA were included due to a concern that covered entities disclose protected health information to a wide range of third parties. The business associate rule places restriction on third parties who perform covered certain functions on behalf of a covered entity and receive protected health information. Without restrictions on these disclosures, the protections intended by HIPAA would not cover a significant portion of protected health information that is disclosed to business associates.

The privacy law requires covered entities to have written agreements and satisfactory assurances that the information they disclose to their business associates will: remain confidential, only be used for the stated purpose, be safeguarded from misuses, and assist the covered entity in complying with their responsibilities under the law. Information is only provided to a business associate to help the covered entity carry out their health care function – never for independent use by the business associate. A Business Associate Agreement with our office requires that we will:

  • Use the information disclosed only for the permitted purpose
  • Restrict the disclosure of all protected health information only to those authorized to receive it
  • Use any and all available and appropriate protections to prevent the use or disclosure of information other than as provided by the agreement
  • Ensure that subcontractors or agents to whom protected health information is provided agree to the same restrictions and conditions
  • Make available our internal practices, books, and records relating to the use and disclosure of protected health information to the Department of Health and Human Services Secretary, if requested
  • Return or destroy all protected health information received from the covered entity at termination of the agreement
  • Authorize termination of the agreement by the covered entity upon determination that the business associate violated a material term of the agreement.

How Does Mediflash’s System Comply with HIPAA?

Mediflash’s operations executives and its legal counsel have reviewed the Department of Health and Human Services Transaction Standards, Security Standards, and the Privacy Standards including the Final Privacy Rule. The Transaction Standards are intended to improve the efficiency and effectiveness of the U.S. health care system by establishing national standards for electronic health care transactions. The standards apply only to data transmitted electronically between healthcare providers and health plans. The Security Standards specify the steps that must be taken to ensure the security of protected health information that is transmitted electronically. As a business associate, Mediflash has been in compliance of all rules, even prior to the HIPAA deadline. The Privacy Standards and the Final Rule apply to all uses of individually identifiable health information, whether or not it is in electronic form. Since Mediflash’s business depends on ensuring the confidentiality and security of the data it handles, any policies required under the Privacy Rule have been incorporated into our policies, procedures, and training.

We have also taken various measures to protect our systems and the information contained therein. We have established a HIPAA Security Rule, which applies to health information maintained or transmitted by a Covered Entity in electronic form. This information requires administrative, physical and technical protection.

Administrative protections:

    Security management – policies to prevent, detect, contain and correct security violations; risk analysis, risk management, and sanction/security policies
  • Assigned responsibility – single individual must have responsibility, assigned in writing, for the overall security of a covered entity’s information
  • Workforce security – only authorized staff may have access to information
  • Information access – policies for authorizing, establishing and modifying access to information
  • Security awareness/training – program for entire staff developed and maintained
  • Security incident procedures – policies are in place to report, respond to and manage security incidents
  • Business Continuation plan – for response to disaster/emergency that damages information systems containing information
  • Evaluation – periodically determine the extent that our security policies meet the ongoing requirements
  • Business Associate Agreement – states that we will adequately safeguard the information

Physical protections:

  • Facility access – limit physical access to information
  • Workstation use – policy specifies the use of workstations and the characteristics of the physical environment of workstations that can access information
  • Workstation security – limited only to authorized users
  • Equipment Controls – for recovered information and removal of hardware and electronic media containing information

Technical protections:

  • Access control – only authorized personnel have access
  • Audit controls – to record and examine activity within systems
  • Integrity – to protect information from improper modification or destruction
  • Person/entity authentication – to verify that persons seeking access to information are who they claim to be
  • Transmission security – to prevent unauthorized access to information that is transmitted over an electronic network (i.e., the Internet or an Intranet, including SFTP over TLS 1.2 or greater)