The Health Insurance Portability and Accountability Act (HIPAA) is a federal law requiring health care organizations to develop, implement, and maintain administrative, physical, and technical safeguards to protect the security, integrity, and confidentiality of patient information. The HIPAA Privacy Rule provides federal protections for the use and disclosure of personal health information (PHI) held by covered entities.
Covered entities and business associates (BA) whose activities include: claims processing or administration, processing or administration, data analysis, utilization review, quality assurance, billing, benefit management, practice management, and repricing. BA services are: legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, and financial. Persons or organizations are not considered to be a BA whose functions or services do not involve the use or disclosure of PHI, and where access to PHI by such persons would be incidental, if at all.
In a continuing effort to ensure data confidentiality, integrity, and availability, Eyonic strives to maintain industry compliance for data protection, handling, and accessibility. As such, we provide for the following aspects of HIPAA Compliance:
Eyonic's Online Backup Provides:
|Business Associate Agreements (BAA)||We have a standardized Business Associate Agreement (BAA) presiding over our storage and protecting health care organizations' client records.|
|Written Information Security Program||We have a comprehensive written Information Security Plan that clearly documents our policies and procedures for all aspects of our services. This Plan includes security controls that safeguard customer information by preventing and detecting the unauthorized creation of, addition to, modification of, or deletion of records. We ensure that our staff understand the importance of our Plan and operate by all policies and procedures. The Plan is reviewed annually to ensure it continues to meet the needs for which it was created in the evolving environments of business and technology.|
|Administrative Safeguards||As part of our security controls, each employee is given a clearly defined set of roles and responsibilities in protecting our customer's data. Employees are trained about the importance of information security, sign customer confidentiality agreements, and employee access is based on the lowest permissions necessary to accomplish the responsibilities assigned to them.|
|A set of clearly defined policies and procedures for all of our services ensure our staff understand and cooperate with these procedures.|
|Physical access to our data centers is limited and strictly controlled. Only those employees with a demonstrated need are permitted access. Access is controlled by a series of technical controls such as physically keyed and/or combination locks on cabinets and safes. Physical access is documented and logged.|
|Third-party data centers are not used in conjunction with our services.|
|To ensure the secure transmission and maintain the integrity of customer information, we utilize industry standard 256-bit encryption for all documents in transit.|
|Customer information is disposed of in a secure way including, but not limited to, micro-cut shredding of paper documents, and NSA, HIPAA and HITECH compliant drive destruction for broken or replaced storage media.|
|Activity logs include the complete audit history of who accessed, modified, or deleted files stored within our services.|
|Access to files is available only to customers using valid credentials through an authenticated login; no anonymous sharing of files.|
|Internal support personnel may access customer accounts for support purposes only, but cannot open, modify, or alter files in any way. Support personnel with this access are limited to the lowest access level necessary while still providing sufficient customer support.|
|Part of our security controls are to continually gather and analyze new information regarding security threats and vulnerabilities to keep all systems as secure and up to date as possible.|
|We promptly revise our controls and procedures to adapt to new threats as they arise and ensure the effectiveness of our policies.|
Private information, medical or otherwise, stored with Eyonic Systems does not get shared, viewed, distributed, monitored, or copied by any third party which helps support HIPAA compliance for those health care organizations, covered entities, and business associates required to do so. HIPAA is a health care organization obligation and Eyonic Systems takes every reasonable safety precaution to protect the integrity of all private information stored within, which provides our customers with the tools needed to work in a HIPAA-compliant manner.
To learn more about HIPAA Compliance, statutes and rules, or consumer protections, please visit the HHS website.