Why do HIPAA regulations apply to par8o?
Title II of HIPAA, which contains the Administrative Simplification (AS) provisions, establishes a set of national standards to protect electronically transmitted personal identifiable health information (PHI). par8o is required to meet these standards because our referral platform transmits PHI between healthcare providers to facilitate the referral of a patient.
How is par8o classified from a regulatory perspective?
par8o is classified as a Business Associate (BA) of our users, who are defined as health care providers (HCPs). Per the HIPAA Privacy Rule, health care providers are considered covered entities and therefore obligated to comply with the full security and privacy/Administrative Simplification (AS) provisions. BAs are required to comply with a portion of these provisions.
What are par8o's obligations regarding the HIPAA and the HITECH acts?
In accordance with the HITECH interim final rule, all HIPAA security and privacy/AS provisions are extended to business associates such as par8o. We've taken appropriate measures to ensure compliance with the full HIPAA AS provisions.
Does par8o have additional contractual obligations as a BA?
Per privacy rule provisions, par8o is required to enter into a BA agreement with all users of the referrals platform. This agreement must contain the elements specified at 45 CFR 164.504(e) – namely, the BA agrees to use protected information only for the purposes specified in the agreement, to safeguard the information from misuse, and to help the covered entity comply with its duties under the Privacy Rule.
Does par8o extend these obligations to its users?
par8o has incorporated all necessary BA provisions into our Terms of Service (ToS) agreement. All new users must review the ToS and sign electronically during the new user registration process.
When, specifically, is par8o permitted to use and/or disclose PHI?
The HIPAA Title II Privacy Rule permits the use and disclosure of PHI for the purpose of treatment, payment, and health care operations, in this case, facilitating referrals from one physician to another one.
Section 45 CFR 164.501 describes treatment as the provision, coordination, or management of health care and related services for an individual by one or more HCPs, including consultation between providers regarding a patient and referral of a patient by one provider to another.
Which par8o employees are permitted to use and/or disclose PHI?
par8o employees are not permitted to use or disclose PHI in any way.
How does par8o ensure that PHI is only disclosed to the appropriate HCPs?
We share our users' concerns over the necessity to deliver details critical to the receiving physician and their staff, to deliver patient referrals only to the intended recipients both responsibly and effectively, without exposing PHI to any unintended recipients.
To address this need, par8o incorporated the following procedural and technical safeguards:
- No PHI is shared with un-registered HCPs. The method by which the par8o platform first contacts un-registered HCPs regarding a potential new referral is the same method by which much of our healthcare system delivers referrals today – by fax and/or phone call to the receiving physician office. Although information transmitted over a phone line is not subject to HIPAA provisions, as an additional security measure par8o does not share any personally identifiable patient data with un-registered users.
- par8o’s pre-launch ethnographic research among physicians and their office staff confirms that, often, the only information required to accept a referral includes the patient’s age, insurance, the reason for the referral, and the sending physician’s name. For that reason, no additional patient information is disclosed prior to authentication and validation of the receiving party. The intended recipient’s identity is authenticated and verified during the user registration process, using a number of mechanisms, including, but not limited to:
- Fax numbers attained from credible data sources (including both public and private databases). A sequence of steps ensures that the individual is in fact who they claim to be and that they are an authorized representative of the HCP.
- Required acceptance of the par8o referral platform’s Terms of Service prior to the disclosure of sensitive identifiable patient information/PHI.
- Stringent data security measures were employed to prevent both unintentional and malicious breaches of the system, including secure, HIPAA-compliant hosting services; including multi-factor authentication; active monitoring; data-level and transmission level 128-bit encryption.
- PHI is only accessible to HCPs and their staff with no access to PHI for software developers or non-BA vendors. All PHI data is encrypted using state of the art 128 bit encryption.
- Transmission of data within the par8o application and to users leverages SSL (Secure Socket Layer) encryption to ensure against “man in the middle” attacks or data interception.
How does par8o ensure that its employees maintain confidentiality of PHI?
The par8o technology has been designed so that the majority of workflow and customer service functionalities can be performed without access to PHI. This lowers the risk of inappropriate access to PHI. Furthermore, functional and technical firewalls exist between the software development and live application environments. This maintains strict separation, so our employees can perform system development, maintenance, and quality assurance without any access to PHI.