1. What is HIPAA?
HIPAA is an acronym for the Health Insurance Portability and Accountability Act signed by former U.S. President Bill Clinton in 1996. This is the most far-reaching law after the Employee Retirement Income Security Act (“ERISA”) of 1974, and it has a regulatory effect on a variety of health care industries, including transaction rules, identification of medical service providers, identification of practitioners, medical information security, medical privacy, health plan identification, first injury and illness reporting, patient identification, etc. HIPAA sets national standards for the protection of personally identifiable health information, healthcare industry organizations need to raise awareness on HIPAA compliance.
2. Who does HIPAA apply to?
HIPAA applies to two types of entities: covered entity and business associate.
Covered entities include: health plans (including health insurers, employer-sponsored group health plans, etc.); most health care providers (including physicians, clinics, hospitals, nursing homes, and pharmacies); and health care clearinghouse (including billing services, community health management information systems, etc.).
Business associates include organizations or individuals (including attorneys, software service providers, etc.) that perform a function on behalf of, or provide a service to, a covered entity that involves the use or disclosure of PHI.
3. Is there a difference between HIPAA and HITECH Act?
The Health Information Technology for Economic and Clinical Health (HITECH) Act was passed in 2009 to promote the efficient use of health information technology. HITECH strengthens HIPAA in a number of ways, including civil penalties for willful disregard of HIPAA rules, increased enforcement and, most importantly, extending the application of the HIPAA security rules to business associates of covered entities, which must comply with certain privacy and breach notification rules. Business associates are required to comply with certain privacy rules and breach notification rules. PingCAP has undertaken HIPAA compliance preparations and can meet both HIPAA and HITECH requirements regarding business associates.
4. What is protected health information (PHI)?
Protected health information (PHI, ePHI is PHI in electronic form) is individually identifiable health information that is held or transmitted by a covered entity (or its business associate) in any form or media, whether electronic, paper, or oral. Individually identifiable health information includes common identifiers such as name, address, social security number, date of birth, or any other information that can be used to identify the individual.
5. What is a HIPAA Business Associate?
In accordance with the definition provided, a HIPAA business associate refers to an individual or entity tasked with performing functions on behalf of a HIPAA-covered entity that involve the use or disclosure of protected health information. As per HIPAA Rules, any business associate of a HIPAA-covered entity is obliged to execute a HIPAA-compliant business associate agreement. This contract outlines the specific elements of HIPAA Rules that the business associate must adhere to. Business associates comprise a broad range of individuals and entities, including but not limited to companies involved in data analysis, claims processing, administrative services, quality assurance, billing, payment, and collections services. In addition, business associates also encompass accountants, consultants, attorneys, data storage firms, and data management companies. Given PingCAP’s provision of database services, it is typically regarded as a business associate.
6. Is a software vendor a business associate of a covered entity?
Providing or selling software to a covered entity alone does not establish a business associate relationship, unless the vendor is granted access to the covered entity’s protected health information. If such access is required to render its service, the vendor is deemed a business associate of the covered entity. For instance, a software company that hosts ePHI on its own server or accesses it while troubleshooting software issues, qualifies as a business associate. As to PingCAP’s service, there are certain scenarios that our experts can access to ePHI stored in PingCAP’s database for troubleshooting purposes, all the accessing are strictly authorized by the covered entity.
7. May a HIPAA covered entity use a cloud service to store or process ePHI?
Yes, in the event that a CSP is tasked with creating, receiving, maintaining, or transmitting electronic protected health information (ePHI) on behalf of a covered entity or business associate, such activity is permitted provided that a HIPAA-compliant business associate contract or agreement (BAA) is entered into between the parties. PingCAP has prepared a model BAA and is ready to enter into BAA with customers based on the cooperation nature.
The BAA serves several functions, including establishing the permissible and required uses and disclosures of ePHI by the business associate. The specific activities or services being performed by the business associate and the nature of the relationship between the parties determine the terms of the BAA. Additionally, the BAA imposes contractual obligations on the business associate to appropriately safeguard the ePHI, which includes implementing the Security Rule requirements.
8. Do the HIPAA Rules allow a covered entity to use a CSP that stores ePHI on servers outside of the United States?
Yes, provided the covered entity (or business associate) enters into a business associate agreement (BAA) with the CSP and otherwise complies with the applicable requirements of the HIPAA Rules. However, while the HIPAA Rules do not include requirements specific to protection of electronic protected health information (ePHI) processed or stored by a CSP or any other business associate outside of the United States, OCR notes that the risks to such ePHI may vary greatly depending on its geographic location.
9. When can we say we are HIPAA compliant?
The question of whether an organization is HIPAA-compliant lacks a definitive answer. Nevertheless, it appears from the Office for Civil Rights’ (OCR) perspective that an organization is deemed to have made a “good faith” effort if it has taken certain steps. Generally, these steps include:
- Conducting a Security Risk Analysis recently, implementing an active Risk Management Process；
- Establishing Policies and Procedures that outline how Protected Health Information (PHI) is safeguarded；
- Executing signed Business Associate agreements;
- Training employees;
- Maintaining documentation that demonstrates compliance with HIPAA requirements.
10. Is PingCAP HIPAA compliant?
PingCAP meets the relevant requirements under HIPAA, and has conducted a series of HIPAA compliant assessment and adjustment, the scope covers three primary rules of HIPAA, the Privacy Rule, the Security Rule and the Breach Notification Rule. Regarding the PingCAP service responsibility model, compliance can be ensured within PingCAP’s responsibility.
11. What guarantees can PingCAP provide to ensure compliance requirements?
Assurance can be demonstrated from following three aspects(If more information needed, please download the PingCAP HIPAA Compliance White paper):
- Privacy: PingCAP has established a sound privacy protection compliance system and set up a privacy protection team, with the ability to sign business associate agreements and assist customers in handling personal requests.
- Security: PingCAP has established a sound security compliance system and established a security team，and adopted a series of security measures to strengthen security capabilities of the products, including physical security, data encryption, access control, personnel training, etc.
- Breach Notification: HIPAA requires covered entities to report breach to individual, media, HHS in a timely manner. PingCAP has developed breach notification policy, when a breach happens, PingCAP is capable of reporting the incident to the covered entity with the least delay, if needed, to individual and media and HHS.
12. Can my organization enter into a BAA with PingCAP?
Yes, as a HIPAA defined business associate, PingCAP is ready to sign the BAA with customers, and also has prepared a model BAA in accordance with HIPAA requirements.