HIPAA Compliance
Individuals, organizations, and agencies that meet the definition of a covered entity under HIPAA must comply with the Rules' requirements to protect the privacy and security of health information and must provide individuals with certain rights with respect to their health information. If a covered entity engages a business associate to help it carry out its health care activities and functions, the covered entity must have a written business associate contract or other arrangement with the business associate that establishes specifically what the business associate has been engaged to do and requires the business associate to comply with the Rules' requirements to protect the privacy and security of protected health information. In addition to these contractual obligations, business associates are directly liable for compliance with certain provisions of the HIPAA Rules.
A Covered Entity is one of the following:

| A Health Care Provider | A Health Plan | A Health Care Clearinghouse |
| --- | --- | --- |
| This includes providers such as: ... but only if they transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard. | This includes: | This includes entities that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa. |
To help ensure compliance with HIPAA, YourTech will:
- Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
- Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.
- Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, and to prevent those workforce members who do not have access from obtaining access to electronic protected health information.
- Implement procedures for creating, changing, and safeguarding passwords.
- Establish business associate contracts for those associates who have access to protected health information.
- Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.
- Establish policies to protect workstations and other devices containing protected health information from unauthorized access.
- Ensure that equipment being removed from the facility or disposed of is handled so as to protect against unauthorized access to protected health information.
- Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.
- Ensure that employees are using a unique name and/or number for identifying and tracking user identity.
- Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
- Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
- Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.