Please note that this FAQ is for information purposes only and shall not constitute legal advice by no means. HIPAA covered entities or other Business Associates shall implement appropriate measures to ensure compliance with the HIPAA rules.
HIPAA stands for the Health Insurance Portability and Accountability Act, which was passed by Congress in 1996. The law, among other things, provides rules and guidelines for healthcare providers to protect and handle patients’ protected health information. HITECH stands for the Health Information Technology for Economic and Clinical Health Act, enacted as part of the American Recovery and Reinvestment Act of 2009. HITECH updated HIPAA to include and promote the adoption and meaningful use of health information technology. When we talk about HIPAA we also include HITECH as well.
Covered Entities are institutions, organizations, or individuals who electronically transmit any health information in connection with transactions for which HIPAA has adopted standards. According to the U.S. Department of Health and Human Services, Covered Entities fall into three categories: (1) health plans, (2) health care clearinghouses, and (3) health care providers.
A Business Associate is a person or entity that performs certain functions on behalf of a Covered Entity that involve the use or disclosure of protected health information. Technically, HIPAA only applies to Covered Entities; however, Covered Entities may not be fully capable of handling all of their business activities without some help from outside their business. Therefore, HIPAA allows Covered Entities to disclose protected health information to a Business Associate if the Covered Entity obtains assurances that the Business Associate will use the information only for the purposes for which it was engaged and how it will safeguard the information from misuse.
Protected health information, or PHI, is any information about health status, health care treatment, or health care payment that is created or collected by a Covered Entity or Business Associate and can be linked to a specific individual. There are 18 data points categorized by HIPAA that fall under PHI, ranging from names to IP address numbers and URLs to any other unique identifying number, characteristic, or code that can trace back to the individual patient.
The HIPAA Privacy Rule permits the use and disclosure of PHI needed for patient care and other important purposes as long as the Covered Entity and Business Associate implement appropriate safeguards to protect the privacy of PHI, including imposing certain limits and conditions on the use and disclosure of PHI without patient authorization.
The HIPAA Security Rule requires Covered Entities to maintain reasonable and appropriate administrative, technical, and physical safeguards to protect PHI. The Security Rule allows Covered Entities to analyze their own needs and implement solutions appropriate for their business or practice. In other words, what works for a particular Covered Entity will depend on their respective business, size, and resources.
The HIPAA Breach Notification Rule requires Covered Entities to notify affected patients, the U.S. Department of Health and Human Services, and (in some cases) the media of a PHI breach. Most notifications must be made without unreasonable delay and no later than 60 days following the discovery of a breach. The Breach Notification Rule also requires Business Associates to notify the Covered Entity of a breach of PHI held by the Business Associate.
HIPAA requires Covered Entities to enter into contracts called Business Associate Agreements, or BAAs, with their Business Associates to ensure that the Business Associate will safeguard their PHI. The BAA spells out the permissible uses and disclosures of PHI based on the relationship between the parties and the services being performed by the Business Associates. The BAA includes many of the requirements under the Privacy Rule, the Security Rule, and the Breach Notification Rule. Progress provides you with a Business Associate Agreement to protect your data and help conform to your business’s HIPAA compliance program.
To comply with HIPAA, Progress operates secure computing environments in its corporate offices, development environments, and production cloud products. Each of these areas are equipped with security technologies, processes, and people needed to protect sensitive information. The Progress Internal Audit team audits use of security solutions and processes, evaluated by annual SOC2 assessments and validated by annual HIPAA audits. Copies of the SOC2 assessments and audit reports are available to our customers upon request. Progress corporate administration and human resources functions are also audited for HIPAA compliance on an annual basis.
Not by itself. Entering into a BAA with Progress means Progress will comply with its obligations with HIPAA in its relationship with your organization, but the BAA by itself does not create an adequate compliance program for your organization or provide corporate policies enough to meet all your organization’s required obligations under HIPAA.
Progress’ BAA meets statutory requirements and ensures that certain products made available to Covered Entities are compliant with HIPAA privacy and security, so as a result there should be no need to modify the BAA.
The BAA covers Progress products aimed at specifically assisting customers in the healthcare industry. These products presently include our Kinvey / Progress Health Cloud offerings. More information about HIPAA reports for specific products can be found on https://www.progress.com/security.
Security is part of everyone's responsibility at Progress. From development to production, employees across all areas of the company are charged with incorporating security into their duties. Whether it is physical security of their work areas, secure coding during the development process, network security, cloud security, or participating in audits, keeping our environment and our products safe is part of everyone's job.
If you have comments or questions about this Policy, you may contact us by mail e-mail (Privacy@progress.com) or by regular mail at:
PSC Data Protection Office
15 Wayside Rd, Suite 400
Burlington, MA 01803
Questions about Progress’ privacy practices and how we handle your personal email@example.com
Use of Progress Software copyrighted materials or notice of copyright firstname.lastname@example.org
Questions about or requests to use Progress Software trademarks, logos or email@example.com
Questions about Security, Privacy, Compliance and Due Diligencesecurity@progress.com