Privacy & Security
Statement on Privacy, Security & HIPAA Compliance
October 31, 2012
As everyone in the healthcare industry is aware, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires “covered entities” to protect the privacy and security of protected health information (PHI). In 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, was signed into law to promote the adoption and meaningful use of health information technology. Among other things, the HITECH Act made “business associates” of a covered entity directly liable for complying with certain privacy and security protections in HIPAA.
While MedVirginia is not a covered entity, it has always been a business associate of those covered entity clients to whom MedVirginia provides health information technology services. As a business associate, MedVirginia has been, and continues to be, committed to complying with the privacy and security protections in HIPAA. In furtherance of this commitment, MedVirginia has implemented the following proactive, preventive privacy and security features in its service offerings:
- MedVirginia enters into a Business Associate Agreement with each of its covered entity clients, which outlines MedVirginia’s responsibilities concerning the protected health information (PHI) that MedVirginia may have access to in its performance of services for the client and memorializes MedVirginia’s commitment to HIPAA compliance.
- MedVirginia only discloses protected health information, on behalf of its clients, in limited, clearly defined situations where disclosure is permitted under HIPAA and any other applicable state or federal privacy laws. For instance, in MedVirginia’s health information exchange (HIE), PHI can only be shared for the limited purposes of treatment, payment or healthcare operations or based on an authorization from the individual. These disclosures are permissible under HIPAA.
- MedVirginia recognizes that not all PHI is created equal. There are some types of PHI that are so sensitive that the information cannot be exchanged through MedVirginia’s services or, if exchanged, an additional layer of security is needed or required. MedVirginia works with its clients to ensure that this sensitive information is appropriately protected and only disclosed as allowed by applicable state and federal privacy laws.
- MedVirginia uses traditional security mechanisms like identity proofing, authentication and role-based access controls to help ensure that those sending and receiving PHI through MedVirginia’s services are who they say they are and have the proper permissions to exchange information.
- MedVirginia carefully monitors and audits the use of its services to identify any potential problems. If any potential problem is identified, MedVirginia quickly investigates and responds appropriately.
- MedVirginia’s systems are hosted in a secure data center that uses state-of-the-art technology to protect the PHI that is maintained by or exchanged through MedVirginia’s services. The technologies used may include, but are not limited to, the use of VPN tunnels, secured communications, firewalls, network segmentation and access restrictions.