HIPAA Compliance
Sociocs complies with the Health Insurance Portability and Accountability Act (HIPAA) of 1996. Sociocs maintains appropriate administrative, physical, and technical safeguards to provide for continuing security & privacy of your PHI or ePHI.
Our commitment to HIPAA compliance
We believe privacy and data protection are core aspects of trust in today’s technology-driven world. We take our security and privacy commitment to you and your customers very seriously. We are acutely aware that we need to earn and maintain your trust on a daily basis.
Our commitment to ensuring that our customers' data is safe, secure, and always available to them is one of our top priorities.
Sociocs & HIPAA
HIPAA regulations require that covered entities and their business associates (in this case, Sociocs) enter into a contract to ensure that those business associates adequately protect PHI. This contract, the Business Associate Agreement (BAA), clarifies and limits how the business associate can handle PHI, and sets forth each party’s adherence to the security and privacy provisions outlined in the HIPAA Act. By agreeing to use our service, you are also agreeing to our Terms of Service, which include a Business Associate Agreement.
Currently, there is no official certification for HIPAA compliance.
Under HIPAA, information about a person’s health or healthcare services is classified as Protected Health Information (PHI). Customers are responsible for ensuring that they achieve compliance with HIPAA requirements.
We adhere to our HIPAA obligations by applying appropriate security measures.
What is Protected Health Information (PHI)?
It is any information relating to an identified or identifiable natural person. The identifiers are classified into two types: direct (e.g., name, email, phone number, etc.) and indirect (e.g., date of birth, gender, etc.).
PHI stands for Protected Health Information and is any information in a medical record that can be used to identify an individual, which was created, used, or disclosed in the course of providing a healthcare service, such as a diagnosis or treatment.
ePHI is Electronic Protected Health Information and is all individually identifiable health information that is created, maintained, or transmitted electronically by mHealth and eHealth products. This includes PHI on desktop, web, mobile, wearable, and other technology such as email, text messages, etc.
To whom does HIPAA apply?
HIPAA applies to healthcare providers, health plans, and healthcare clearinghouse services. These providers are required to handle patient personal health information in a way that meets defined security standards. When providers use third-party vendors or services (Business Associates) where personal health information might be stored, those Business Associates need to adhere to the standards as well. For additional information, refer to the US Department of Health and Human Services HIPAA covered entities website.
Key stakeholders
Covered Entity
The HIPAA “Covered Entity” has the same meaning as the term “covered entity” at 45 CFR 160.103. The Privacy Rule defines a Covered HIPAA Entity as any health plan, any healthcare clearinghouse, or any healthcare provider who transmits Protected Health Information (or PHI as per the standards developed by the Department of Health & Human Services) in electronic form.
Business Associate
“Business Associate” has the same meaning as the term “business associate” at 45 CFR 160.103.
A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. A member of the covered entity’s workforce is not a business associate. A covered healthcare provider, health plan, or healthcare clearinghouse can be a business associate of another covered entity. The Privacy Rule lists some of the functions or activities, as well as the particular services, that make a person or entity a business associate if the activity or service involves the use or disclosure of protected health information. The types of functions or activities that may make a person or entity a business associate include payment or health care operations activities, as well as other functions or activities regulated by the Administrative Simplification Rules.
Business Associate Agreement
A HIPAA business associate agreement is a contract between a HIPAA-covered entity and a vendor used by that covered entity. A vendor of the HIPAA-covered entity that needs to be provided with PHI to perform duties on behalf of the covered entity is called a business associate (BA) under HIPAA. A vendor is also classed as a BA if, as part of the services provided, electronic PHI (ePHI) passes through its systems.
Which Sociocs Customers does HIPAA apply to?
Customers that collect, transmit, and store PHI or ePHI are considered “Covered Entities” under HIPAA. Covered entities bear the primary responsibility of ensuring that their processing of PHI is compliant with the HIPAA Act.
We act as a “Business Associate” and transmit and store Protected Health Information (PHI) on behalf of our customers solely for the purpose of performing our obligations, and for no commercial purpose other than the performance of such obligations and the improvement of the services we provide.
Additional resources on HIPAA
Here are some links you can refer to for additional reading on HIPAA:
- HIPAA Omnibus Rule (the final regulations modifying the HIPAA rules)
- Summary of the HIPAA Security Rule
- Summary of the HIPAA Privacy Rule
- Summary of the HIPAA Breach Notification Rule