Title II of HIPAA, which contains the Administrative Simplification (AS) provisions, establishes a set of national standards to protect electronically transmitted personally identifiable health information (PHI). par8o is required to meet these standards because our referral platform transmits PHI between healthcare providers to facilitate the referral of a patient.
par8o is classified as a Business Associate (BA) of our users, who are defined as health care providers (HCPs). Per the HIPAA Privacy Rule, health care providers are considered covered entities and therefore obligated to comply with the full security and privacy/Administrative Simplification (AS) provisions. BAs are required to comply with a portion of these provisions.
In accordance with the HITECH interim final rule, all HIPAA security and privacy/AS provisions are extended to business associates such as par8o. We've taken appropriate measures to ensure compliance with the full HIPAA AS provisions.
Per Privacy Rule provisions, par8o is required to enter into a BA agreement with all users of the referrals platform. This agreement must contain the elements specified at 45 CFR 164.504(e) – namely, the BA agrees to use protected information only for the purposes specified in the agreement, to safeguard the information from misuse, and to help the covered entity comply with its duties under the Privacy Rule.
par8o has incorporated all necessary BA provisions into our Terms of Service (ToS) agreement. All new users must review the ToS and sign electronically during the new user registration process.
The HIPAA Title II Privacy Rule permits the use and disclosure of PHI for the purpose of treatment, payment, and health care operations, which in this case means facilitating referrals from one physician to another. Section 45 CFR 164.501 describes treatment as the provision, coordination, or management of health care and related services for an individual by one or more HCPs, including consultation between providers regarding a patient and referral of a patient by one provider to another.
par8o employees are not permitted to access or use PHI in any way.
We share our users' concerns about delivering the details critical to the receiving physician and their staff, and about delivering patient referrals responsibly and effectively to the intended recipients only, without exposing PHI to any unintended recipients. To address this need, par8o incorporated the following procedural and technical safeguards:
The par8o technology has been designed so that the majority of workflow and customer service functionalities can be performed without access to PHI. This lowers the risk of inappropriate access to PHI. Furthermore, functional and technical firewalls exist between the software development and live application environments. This maintains strict separation, so our employees can perform system development, maintenance, and quality assurance without any access to PHI.