The Health Insurance Portability and Accountability Act of 1996 (HIPAA) turns 20 years old this year. Technology has evolved significantly in that time, meaning the requirements for managing Privileged Health Information have evolved with it. While we are not a healthcare software company, CompanyMileage is considered a “Business Associate,” a special class of company that comes with its own rules and regulations. Business Associate agreements must be made with healthcare providers in order to receive Privileged Health Information for data management purposes. In CompanyMileage’s case, that data is used to track mileage for Travel & Expense reimbursement. Because so many of our clients are home healthcare services, we have a significant amount of data to protect!
As we outline on our HIPAA compliance statement page, we have a three-tiered system for keeping Privileged Health Information private and secure. By encrypting all data, housing that data in a secure facility with secure equipment and maintaining strict privacy policies for our data architecture, we work tirelessly to keep Privileged Health Information safe.
Business Associate Agreements are similar to non-disclosure agreements. As a company, we work with healthcare services that share Privileged Health Information with us. The Business Associate Agreement is between us and those services, and in it both parties agree not to disclose the data that is shared. In our case, the data we hold is client addresses, but other Business Associates may hold other data. As a Business Associate, we provide a written agreement that:
- Restricts the use and disclosure of Privileged Health Information;
- Applies “appropriate safeguards” to enforce the restrictions;
- Binds agents and subcontractors to the same restrictions and safeguards;
- Requires the reporting of unauthorized use or disclosures, and the return or destruction of all Privileged Health Information upon the termination of the agreement (or, if not possible, to extend the Privileged Health Information protections as long as the Privileged Health Information is retained);
- Accords Health & Human Services audit rights over the use and disclosure of the Privileged Health Information, and obligates the Business Associate to assist Health & Human Services with the same;
- Requires the amendment or correction of Privileged Health Information held by the Business Associate as may be directed by the Covered Entity. (source: http://www.aigclaw.org/tic103.html)
In 2009, the HITECH Act was passed, with final implementation completing in 2013. One of the key elements of this new law is that the burden of security is placed on the Business Associates, and not the Covered Entities with whom they are partnered. As a Business Associate, CompanyMileage takes this responsibility very seriously.
One of the biggest hurdles to guaranteeing HIPAA compliance is Privileged Health Information being accessed by employees on their own devices (BYOD). Sometimes even issuing company devices isn’t enough, as a case from 2012 shows. A compliance case was filed in Minnesota against Accretive Health after a laptop holding thousands of patient records was stolen from a rental car. Because the laptop was not password-protected, all of the data was immediately accessible to anyone who used it. This is an extreme example of a significant and preventable data breach.
This sort of data breach is a concern for users of mileage tracking software, because homecare patients’ addresses are Privileged Health Information. Since most users of CompanyMileage, and specifically of our SureMobile application, use their own mobile devices, it is our responsibility to ensure client data is protected at all times. Mobile phone loss and theft are common concerns for all of us, so Privileged Health Information must not be exposed when a device goes missing. SureMobile requires a login at every use, so should a user lose their device, Privileged Health Information would not be accessible.
Not all potential weak points are in mobile or laptop usage, however. We also take steps to provide CompanyMileage users with effective HIPAA compliance software on the administrator side. All data entered into SureMobile or SureMileage is housed in SSAE 16/ISAE 320 Certified Data Centers, behind firewalls that prevent unauthorized access, and protected by 256-bit SSL encryption. For extra care, client address books can be segregated by individual user, department or division, and client names can be suppressed on physical reports generated by users. With this, administrators can report on and analyze all sorts of data without breaking confidentiality, and then use those results to improve any number of facets of your service.
Most importantly of all: CompanyMileage will not share client data with any third parties without express written authorization from that client.
Data is a powerful tool. It is important that it is always used responsibly and by the people authorized to access it. CompanyMileage is committed to making sure your company has the tools it needs to be successful, while keeping your customers and their privacy safe.
Contact us today for a demo of both SureMileage and SureMobile.