Couchdrop and HIPAA
What is HIPAA?
HIPAA (Health Insurance Portability and Accountability Act of 1996) is United States legislation that provides data privacy and security provisions for safeguarding medical information and Protected Health Information.
The HITECH Act
The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, was signed into law on February 17, 2009, to promote the adoption and meaningful use of health information technology.
Subtitle D of the HITECH Act addresses the privacy and security concerns associated with the electronic transmission of health information, in part, through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules.
What is Protected Health Information (PHI)?
Protected health information “Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual” that is:
- Transmitted by electronic media;
- Maintained in electronic media; or
- Transmitted or maintained in any other form or medium.
There are 18 identifiers that can be used to identify, contact, or locate a person. If health information is used with any of these identifiers it is considered identifiable. If PHI has all of these identifiers removed, it is no longer considered to be protected health information.
1. Names (Full or last name and initial)
2. All geographical identifiers smaller than a state, except for the initial three digits of a zip code if, according to the current publicly available data from the U.S. Bureau of the Census: the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
3. Dates (other than year) directly related to an individual
4. Phone Numbers
5. Fax numbers
6. Email addresses
7. Social Security numbers
8. Medical record numbers
9. Health insurance beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers (including serial numbers and license plate numbers)
13. Device identifiers and serial numbers
14. Web Uniform Resource Locators (URLs)
15. Internet Protocol (IP) address numbers
16. Biometric identifiers, including finger, retinal and voice prints
17. Full face photographic images and any comparable images
18. Any other unique identifying number, characteristic, or code except the unique code assigned by the investigator to code the data
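The list above is the Safe Harbor checklist: a record stops being PHI only once every one of these identifiers is removed or generalized. The following is an added example (not Couchdrop code, and not part of the original page) of how a file-transfer pipeline might apply that checklist before a record leaves a covered environment: direct identifiers are dropped by field name, dates are reduced to the year, zip codes are reduced to their three-digit prefix or to 000 under the 20,000-person rule, and the remaining free text is scanned for identifiers that leaked into notes. The field names, the sample record and the `ZIP3_POPULATION` table are all constructed for the example; a real deployment would load the current Census figures the rule refers to.

```python
import re
from datetime import date

# Field names that hold direct identifiers (items 1, 4-18 of the list above).
# The names themselves are an assumption for this example; map them to your schema.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "beneficiary_id",
    "account_number", "license_number", "vehicle_id", "device_serial",
    "url", "ip_address", "biometric", "photo",
}

# Constructed population table: 3-digit zip prefix -> population of the combined
# geographic unit. Real use needs the current U.S. Census data named in item 2.
ZIP3_POPULATION = {
    "100": 1_500_000,   # constructed: more than 20,000 people, prefix may be kept
    "036": 12_000,      # constructed: 20,000 or fewer, must become "000"
}

# Patterns for identifiers that commonly hide inside free-text fields.
RESIDUAL_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"https?://\S+"),
}


def generalize_zip(zip_code):
    """Item 2: keep the 3-digit prefix only if its unit has more than 20,000 people."""
    prefix = re.sub(r"\D", "", zip_code)[:3]
    if len(prefix) < 3:
        return "000"
    # Unknown prefixes are treated as small units, which is the conservative choice.
    return prefix if ZIP3_POPULATION.get(prefix, 0) > 20_000 else "000"


def generalize_date(d):
    """Item 3: dates directly related to an individual are reduced to the year."""
    return str(d.year)


def deidentify(record):
    """Return a copy of the record with the Safe Harbor identifiers removed or generalized."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue                      # drop direct identifiers outright
        if field == "zip":
            out["zip3"] = generalize_zip(value)
        elif isinstance(value, date):     # datetime is a subclass of date
            out[field] = generalize_date(value)
        else:
            out[field] = value
    return out


def find_residual_identifiers(record):
    """Scan string fields of an already de-identified record for leaked identifiers.

    Returns a list of (field, kind) pairs; an empty list means nothing was found.
    """
    findings = []
    for field, value in record.items():
        if not isinstance(value, str):
            continue
        for kind, pattern in RESIDUAL_PATTERNS.items():
            if pattern.search(value):
                findings.append((field, kind))
    return findings


# Constructed sample record for demonstration only.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "ssn": "123-45-6789",
    "email": "jane@example.com",
    "zip": "10001-1234",
    "admitted": date(2023, 4, 12),
    "diagnosis_code": "J18.9",
    "note": "Follow-up to be scheduled by phone at 555-123-4567",
}

if __name__ == "__main__":
    cleaned = deidentify(SAMPLE_RECORD)
    print(cleaned)
    # The note still carries a phone number, so this record must not be released yet.
    print("residual identifiers:", find_residual_identifiers(cleaned))
```

The second pass matters more than the first: dropping fields by name handles the structured identifiers, but free-text fields are where phone numbers, emails and URLs survive. Treat any non-empty result from `find_residual_identifiers` as a release blocker rather than a warning.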
Who is covered?
HIPAA applies to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form in connection with transactions for which the Secretary of HHS has adopted standards under HIPAA (the “covered entities”).
HIPAA and SFTP
According to HIPAA Journal:
“If FTP is required to transfer protected health information, healthcare providers, health plans, healthcare clearinghouses and business associates of HIPAA-covered entities must ensure their service provider uses a HIPAA compliant SFTP server. A HIPAA compliant SFTP server could use AES-256 symmetric cryptography for stored data and protect transmitted data using an RSA 2048-bit key, both of which meet NIST and HIPAA standards.”
Is Couchdrop HIPAA certified?
Unlike PCI and SOC compliance, there is no official HIPAA certification for a cloud service like Couchdrop. However, Couchdrop follows modern security and compliance practices and provides redundancy.
For more on HIPAA and cloud service providers, please see here.
Business Associate Definition
In general, a business associate is a person or organization, other than a member of a covered entity's workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information.
Business associate services to a covered entity are limited to legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services. However, persons or organizations are not considered business associates if their functions or services do not involve the use or disclosure of protected health information, and where any access to protected health information by such persons would be incidental, if at all.
Business Associate Agreement
A business associate agreement is a written arrangement that specifies each party’s responsibilities when it comes to PHI. The contract must describe permitted and required PHI uses for the business associate, and also state that the business associate “will not use or further disclose the protected health information other than as permitted or required by the contract or as required by law.”
Appropriate safeguards need to be established, ensuring that the business associate will prevent PHI disclosure outside of what is permitted in the contract.
Couchdrop has a BAA ready and available for Premium and Enterprise customers. Please contact Couchdrop’s support or sales team to be provided a BAA for review.
Please note that as a matter of policy, we do not accept redlines or consider changes to any of our terms of service or other legal documents unless a customer is on an Enterprise plan. For Enterprise customers, we are happy to discuss changes, however, changes that substantially increase our risk will only be considered with a significant offsetting change.