What is HIPAA and HITECH?
HIPAA stands for the Health Insurance Portability and Accountability Act, which was passed by Congress in 1996. The law, among other things, provides rules and guidelines for healthcare providers to protect and handle patients’ protected health information. HITECH stands for the Health Information Technology for Economic and Clinical Health Act, enacted as part of the American Recovery and Reinvestment Act of 2009. HITECH updated HIPAA to include and promote the adoption and meaningful use of health information technology. When we refer to HIPAA, we include HITECH as well.
What is a Covered Entity?
Covered Entities are institutions, organizations, or individuals who electronically transmit any health information in connection with transactions for which HIPAA has adopted standards. According to the U.S. Department of Health and Human Services, Covered Entities fall into three categories: (1) health plans, (2) health care clearinghouses, and (3) health care providers.
What is a Business Associate?
A Business Associate is a person or entity that performs certain functions on behalf of a Covered Entity that involve the use or disclosure of protected health information. Technically, HIPAA only applies to Covered Entities; however, Covered Entities may not be fully capable of handling all of their business activities without some help from outside their business. Therefore, HIPAA allows Covered Entities to disclose protected health information to a Business Associate if the Covered Entity obtains assurances that the Business Associate will use the information only for the purposes for which it was engaged and that it will safeguard the information from misuse.
What is Protected Health Information (PHI)?
Protected health information, or PHI, is any information about health status, health care treatment, or health care payment that is created or collected by a Covered Entity or Business Associate and can be linked to a specific individual. HIPAA categorizes 18 data points as PHI, ranging from names to IP addresses and URLs to any other unique identifying number, characteristic, or code that can be traced back to the individual patient.
What is the HIPAA Privacy Rule?
The HIPAA Privacy Rule permits the use and disclosure of PHI needed for patient care and other important purposes as long as the Covered Entity and Business Associate implement appropriate safeguards to protect the privacy of PHI, including imposing certain limits and conditions on the use and disclosure of PHI without patient authorization.
What is the HIPAA Security Rule?
The HIPAA Security Rule requires Covered Entities to maintain reasonable and appropriate administrative, technical, and physical safeguards to protect PHI. The Security Rule allows Covered Entities to analyze their own needs and implement solutions appropriate for their business or practice. In other words, what works for a particular Covered Entity will depend on their respective business, size, and resources.
What is the HIPAA Breach Notification Rule?
The HIPAA Breach Notification Rule requires Covered Entities to notify affected patients, the U.S. Department of Health and Human Services, and (in some cases) the media of a PHI breach. Most notifications must be made without unreasonable delay and no later than 60 days following the discovery of a breach. The Breach Notification Rule also requires Business Associates to notify the Covered Entity of a breach of PHI held by the Business Associate.
What is a Business Associate Agreement?
HIPAA requires Covered Entities to enter into contracts called Business Associate Agreements, or BAAs, with their Business Associates to ensure that the Business Associate will safeguard their PHI. The BAA spells out the permissible uses and disclosures of PHI based on the relationship between the parties and the services being performed by the Business Associates. The BAA includes many of the requirements under the Privacy Rule, the Security Rule, and the Breach Notification Rule. Progress provides you with a Business Associate Agreement to protect your data and help conform to your business’s HIPAA compliance program.
What does Progress do to comply with HIPAA and all these rules?
To comply with HIPAA, Progress operates highly secure computing environments in its corporate offices, development environments, and production cloud products. Each of these areas is equipped with the security technologies, processes, and people needed to protect sensitive information. The Progress Internal Audit team audits the use of security solutions and processes, which are evaluated by annual SOC2 assessments and validated by annual HIPAA audits. Copies of the SOC2 assessments and audit reports are available to our customers upon request. Progress corporate administration and human resources functions are also audited for HIPAA compliance on an annual basis.
Does having a BAA with Progress ensure my organization’s compliance with HIPAA?
Not by itself. Entering into a BAA with Progress means Progress will comply with its obligations under HIPAA in its relationship with your organization, but the BAA by itself does not create an adequate compliance program for your organization or provide sufficient corporate policies to meet all of your organization’s obligations under HIPAA.
Can my organization modify the BAA with Progress?
Progress’ BAA meets statutory requirements and ensures that certain products made available to Covered Entities comply with HIPAA privacy and security requirements, so there should be no need to modify the BAA.
What Progress products are covered by the BAA?
The BAA covers Progress products aimed specifically at assisting customers in the healthcare industry. These products presently include our Kinvey / Progress Health Cloud and NativeScript offerings. Each is HIPAA-compliant. We anticipate achieving HIPAA compliance with our NativeChat solution in 2019.
What is unique about Progress’ security practices?
Security is part of everyone's responsibility at Progress. From development to production, employees across all areas of the company are charged with incorporating security into their duties. Whether it is physical security of their work areas, secure coding during the development process, network security, cloud security, or participating in audits, keeping our environment and our products safe is part of everyone's job.
If you have comments or questions about this Policy, you may contact us by e-mail (Privacy@progress.com) or by regular mail at:
PSC Data Protection Officer
14 Oak Park Drive
Bedford MA 01370