Under the HIPAA privacy rules Medprex LLC is considered a Business Associate.
It is our policy to comply with the rules and regulations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Through our Service Agreement and a Business Associate Agreement (BAA) with the Covered Entity, we give contractual guarantees that we will use Protected Health Information (PHI) that we are granted access to only for the purposes for which we have been contracted. We will safeguard the information from misuse, and will help the Covered Entity comply with their obligations under the HIPAA rules. If the Covered Entity does not have a BAA of its own we will provide one as an addendum to our Service Agreement. If required by the Covered Entity we will make the necessary changes to our Service Agreement and/or our BAA to ensure our HIPAA compliance meets their needs.
We have taken the necessary steps to ensure Medprex is compliant, as follows:
Accounting of disclosures and audit trail issues:
We are appointed by and contracted to the Covered Entity to assist with physician peer reviews, both incident-based cases and routine performance audits. A Covered Entity is not required by HIPAA regulation to keep an accounting of anyone within its own organization who has received (or had access to) medical information. The accounting provision only covers “disclosures,” which are defined as the sharing of health information with someone outside of an organization that is not a part of the treatment, payment, or health care operations (TPO). See Section 164.528(a) (right to accounting of disclosures) and Section 164.501 (definition of “disclosure”). The regulation specifically states that a Covered Entity does not have to keep an accounting of information disclosed to someone outside of the organization for the purposes of treatment, payment, or health care operations. See Section 164.528(a)(1)(i). The result of these exclusions is that a Covered Entity is required to account for only a narrow category of disclosures that primarily are not related to health care, such as those made to law enforcement personnel or pursuant to a request for documents in a lawsuit.
Data is protected from unauthorized viewing/usage:
Medprex access is restricted via username and password to only those employees that have a need to know. Servers and data storage units are in a secured computer room with limited access. Data is received and forwarded via automated, electronic processes where no direct human intervention is required. Access to or viewing of PHI is only allowed when required to provide further support to the Covered Entity.
Proper disposal of data:
At the end of a Covered Entity’s contract with Medprex their data is deleted from the Medprex computer systems. No printed reports or paper copies are ever retained in our facility.
Privacy and Security Rule(s):
To protect the privacy and security of the PHI we have implemented the following processes:
- Covered Entities must execute a Service Agreement and BAA to subscribe to our service
- All employees, contractors, sub-contractors, agents and representatives are required to sign an agreement to abide by the HIPAA Privacy Act and a Confidentiality & Non-Disclosure agreement
- Support for 128 bit encryption for all reports
- E-mail address verification
- Restricted access to PHI on a need to know basis (via passwords and company policy)
- Restricted access to the Computer Room
- Restricted outside access to all servers and production workstations
- Automated data backups
- Data backups stored in secured safe
- HIPAA and Security awareness training for all employees, contractors, sub-contractors, agents and representatives is mandatory
- Employee termination security procedures in place
HIPAA Transaction and Code Set Rule:
- HIPAA compliant EDI transactions are used when applicable
- HIPAA compliant Code Sets are used when applicable
Medprex is committed to full and complete compliance with all HIPAA rules and regulations. As necessary, we will adjust our policies to adhere to our clients’ needs and to adjust to any changes in the HIPAA rules. If you have any questions concerning our HIPAA compliance policies, please contact our attorney, Tobias Teeter, at 3126 Wisconsin Avenue, Joplin, Missouri 64804.