What can I do to keep my IVRHQ application process HIPAA compliant?
The HIPAA Privacy Rule provides federal protections for individually identifiable health information held by "covered entities" and their "business associates" and gives patients an array of rights with respect to that information. At the same time, the Privacy Rule is balanced so that it permits the disclosure of health information needed for patient care and other important purposes. The Security Rule specifies a series of administrative, physical, and technical safeguards for covered entities and their business associates to use so they can assure the confidentiality, integrity, and availability of electronically protected health information.
More information is available on the official HIPAA website.
By law, the HIPAA Privacy Rule applies only to covered entities – health plans, healthcare clearinghouses, and certain health care providers. IVRHQ is not a covered entity and not a business associate.
A business associate is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.
One way to be compliant is not to process, store, or transmit individual protected health information (PHI) data on IVRHQ.
Ensure that the customer application never transmits PHI over unencrypted channels including voice, SMS or DTMF.
IVRHQ recommends that customers familiarize themselves with the HIPAA requirements and security assessment procedures.
Also, IVRHQ recommends that customers seek guidance from their legal counsel if they have any compliance questions concerning their applications.
According to the HIPAA website, PHI generally includes individually identifiable health information” is information, including demographic data, that relates to the following items.
The individual’s past, present or future physical or mental health or condition,
The provision of health care to the individual, or
The past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual.13 Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).
IVRHQ's position is that it is not a business associate. However, IVRHQ is open to working with our customers in order to help our customers with their business needs.