What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) was signed into law in August 1996 and is designed to improve the effectiveness and efficiency of the U.S. healthcare system and mandates national standards in several areas.
Two of HIPAA's titles are the most relevant here:
Title I (Health Care Access, Portability and Renewability) – designed to protect workers and their families from the loss of health insurance coverage as the result of a job change or termination.
Title II (Administrative Simplification) – designed to simplify the administration of healthcare and to protect the privacy and security of individually identifiable health information. The Privacy Rule, the Security Rule and the Breach Notification Rule are all issued under Title II; the Security Rule is the part that sets the administrative, physical and technical safeguards for electronic PHI.
Who must comply with HIPAA?
HIPAA regulations apply to two groups - Covered Entities and their Business Associates.
There are three (3) types of Covered Entities:
Health Plans (health insurers, HMOs, employer group health plans, and government programs such as Medicare and Medicaid)
Healthcare Providers (who transmit health information in electronic form in connection with a HIPAA standard transaction, such as claims or eligibility checks)
Healthcare Clearinghouses (that facilitate electronic transactions between health plans and providers)
Covered Entities remain responsible for ensuring that their Business Associates protect patient privacy, so each covered entity is required to enter into a formal "business associate agreement" (BAA) before sharing Protected Health Information (PHI) with a business associate. The BAA extends accountability for the protection of PHI to the business associate.
What is "PHI?"
Protected Health Information is individually identifiable health information that is created, received, maintained or transmitted by a covered entity or its business associate: information about an individual's past, present or future health condition, the healthcare provided to them, or payment for that care, combined with anything that identifies the individual or could reasonably be used to do so (name, dates, account or record numbers, etc.). PHI is not limited to written medical files; the term covers verbal communication, billing records, information written on notice boards or conference room whiteboards, and electronic records (ePHI). HIPAA requires that this information be kept confidential and accurate, and be available only to authorized persons and for authorized uses.
Are there any restrictions on use or disclosure of de-identified Health Information?
There are no HIPAA restrictions on the use or disclosure of de-identified health information, because such information neither identifies nor provides a reasonable basis to identify the individual. Information only counts as de-identified when one of the two methods the Privacy Rule recognizes has been applied: removal of the 18 specified identifiers (the "Safe Harbor" method, which also requires that the entity has no actual knowledge the remaining data could identify the individual) or a documented determination by a qualified expert that the risk of re-identification is very small.
What is a Business Associate?
A Business Associate performs services for, or acts on behalf of, a covered entity in a way that involves the use or disclosure of PHI. Bonterra is a Business Associate of its covered-entity customers. Because Bonterra's services may involve the use or disclosure of their PHI, Bonterra is accountable for protecting that PHI, both under its Business Associate Agreements and directly under the HIPAA Security Rule.
What is a Business Associate Agreement?
Because Bonterra is a Business Associate of its covered-entity customers, it must execute a BAA with each of them. Bonterra provided agreements for execution to those Customers who identified themselves as Covered Entities. Copies of signed agreements are uploaded to NetSuite, and those Customers can be identified in the Contract Details tab of the Customer record.
Does Bonterra have a Security Plan which is HIPAA compliant?
Yes. Bonterra's Security Plan is available by contacting the Human Resources Department or the Contracts Department. The plan covers the definition of roles related to Information Security, management of internal risks, employee and User responsibilities for protecting information, the access to and use of information, and penalties for violation of the Policy.
How does Bonterra track disclosures of PHI?
The Human Resources Department maintains a disclosure log report, and any disclosure of PHI by Bonterra is logged on it. This record matters because individuals have a right under the Privacy Rule to an accounting of disclosures of their PHI; the covered entity provides that accounting using the disclosure information its business associates supply.
Is Bonterra HIPAA compliant?
As a Business Associate of Covered Entities, Bonterra is compliant with the HIPAA requirements that apply to Business Associates. It is important to note that HIPAA's rules have been amended since the original 1996 Act (notably by the HITECH Act of 2009 and the 2013 Omnibus Rule, which apply the Security Rule and parts of the Privacy Rule directly to Business Associates), and further changes may be issued at a later date. Bonterra reviews such changes and considers them in its long-term plans for system enhancements. Bonterra is committed to maintaining the highest levels of information security.