Is Noterro HIPAA Compliant?

Yes, Noterro is HIPAA-compliant

In this article, we'll provide more details about the privacy and security measures Noterro has in place to protect Patient data and some useful tips for your practice.

Understanding and following the rules of HIPAA can be tough for businesses like allied health clinics. Health and Human Services states private healthcare clinics rank second in violating privacy laws.

Noterro aims to simplify HIPAA compliance for you.

This information is not a legal interpretation of the law and is not binding. This information is not intended to, nor should it ever replace, formal legal counsel.

Privacy Laws in the United States

In the U.S., privacy rules vary because they're a mix of federal and state laws, often tailored to specific types of information. Also, there are guidelines from regulating bodies; though they're not laws, they're considered best practices.

HIPAA compliance is necessary for U.S. organizations storing Personal Health Information (PHI), especially electronically. This includes allied health clinics, particularly those using electronic record-keeping. Understanding HIPAA is key to managing privacy in these clinics. If HIPAA doesn't cover all local requirements, state laws or guidelines kick in.

The Role of HIPAA

Since its introduction, HIPAA has transformed how health data is managed, especially with the shift from paper to electronic records, which can increase the risk of data exposure. HIPAA is important legislation that guides how allied health clinics handle Personal Health Information (PHI), fostering confidence and trust in the confidentiality of patient records.

Personal Health Information

Protected Health Information (PHI) encompasses past, present, and future physical and mental health data, along with an individual's condition. It's handled by HIPAA-covered entities and their associates regarding healthcare provision, operations, and payment. PHI, a type of personally identifiable information (PII), is safeguarded under HIPAA.

It includes identifiable health details like demographics, medical history, test results, and insurance information. Regardless of storage or transmission method, whether electronic or not, it remains classified as PHI.

HIPAA's Security Rule

The Security Rule under HIPAA mandates that covered entities establish reasonable and appropriate administrative, physical and technical safeguards to protect electronic Protected Health Information (e-PHI). These safeguards must ensure the confidentiality, integrity, and availability of e-PHI, guarding against threats and unauthorized uses or disclosures.

Confidentiality means preventing unauthorized access to e-PHI, supporting the Privacy Rule's restrictions on PHI use and disclosure. The Rule also emphasizes maintaining integrity, ensuring data isn't altered or destroyed improperly, and availability, ensuring e-PHI is accessible when needed by authorized individuals.

Recognizing the diversity of covered entities, from small providers to large health plans, the Security Rule is flexible and scalable. It allows entities to assess their needs and implement suitable solutions based on their business nature, size, and resources.

When choosing security measures, covered entities must consider their size, capabilities, infrastructure, and the potential risks to e-PHI. They must regularly review and adjust security measures to adapt to environmental changes and safeguard e-PHI effectively.

Administrative Safeguards

Administrative Safeguards encompass policies and procedures outlining how electronic systems and their management comply with HIPAA regulations. This involves daily protection measures such as device and password security. A crucial Administrative Safeguard is the mandate for healthcare professionals to sign Business Associate Agreements with third parties handling electronic PHI on their behalf. These agreements establish a written contract between the healthcare provider or clinic (the Covered Entity) and the third party, ensuring compliance with HIPAA requirements.

Administrative Safeguards at Noterro: Our support team can access high-level account data, but we only do so when you ask for help. Our employees undergo background checks, sign strict confidentiality agreements and understand the sensitive nature of your data. Access to medical records is limited to senior managers, ensuring your privacy. All staff go thorough training to uphold our privacy policies diligently. Noterro, as a whole, practices the principle of least privilege (PoLP), an information security concept that maintains that a user or entity should only have access to the specific data, resources and applications needed to complete a required task.

Physical Safeguards

Physical access to areas where data is stored must be controlled.

Physical Safeguards at Noterro: Noterro utilizes data centers with modern security, surveillance and access control measures. PHI is only stored with our infrastructure partner, Amazon Web Services (AWS), with which we have an active Business Associate Agreement. All AWS facilities which store our clinic's PHI are SOC2 audited and compliant. If you're interested, you can read more about AWS's security and compliance.

Technical Safeguards

The storage and transmission of PHI must be protected.

Technical Safeguards at Noterro: Noterro prioritizes your data security with modern and advanced measures. Some of these measures are:

• Data encryption in transit
• Data encryption at rest
• Regular backups to multiple physical locations
• Web application firewalls
• Network isolation and restrictions
• Ephemeral and elastic, self-healing infrastructure
• Staff access controls based on the principle of least privilege
• Intrusion detection and automatic account locks
• Access and activity logging
• 24/7 monitoring and alerting
• Third-party audit and penetration testing

In addition to the above safeguards of your PHI, Noterro also takes the software development process's security very seriously. We follow the DevSecOps approach. This means that security is integrated into every step of our development lifecycle. Our development team follows the “security by design” principle, ensuring that security considerations are incorporated from the early stages of product design. Part of this principle includes:

• Software Composition Analysis (SCA)
• Static Application Security Testing (SAST)
• Dynamic Application Security Testing (DAST)
• Manual review by multiple team members of every code change

Technical Safeguards available to you in Noterro: Each of your staff members has their own accounts, and you control their permissions. These accounts are protected by passwords, and two-factor authentication is also available. You're able to limit staff access to specific IP addresses. Access and activity logs are available to you.

Top 10 To-Do List

This list of Top 10 recommendations is not comprehensive and serves as a brief overview of suggestions from the U.S. Department of Health and Human Services. It's important to note that neither this list nor the entire article is intended as legal advice.

1. Establish clinic-wide privacy procedures

• Designate a Privacy Officer and a point of contact for privacy concerns. This individual should oversee complaint handling and staff training on privacy, emphasizing limitations and practices regarding Protected Health Information (PHI) disclosure.
• Document all privacy practices and procedures. Provide patients with a Notice of Privacy Practices detailing how their PHI will be used, including consent forms for collecting, using, and disclosing PHI.
• Keep records of PHI disclosures and ensure minimum necessary disclosure. Avoid selling PHI or identifying information to third parties. Regularly train staff on privacy procedures, especially regarding disclosure.

2. Obtain Consent for Collecting, Using, and Disclosing PHI

• Develop and document policies and procedures for obtaining consent.
• Adhere to criteria for using and disclosing PHI and obtaining consent unless exceptions apply, such as when sharing medical records with specialists for treatment.
• Refer to HIPAA's Use and Disclosure Criteria for comprehensive guidelines on consent requirements.

3. Develop an Emergency Plan

• Establish a comprehensive plan to be activated during emergencies threatening PHI security and privacy.
• Ensure designated personnel have access to PHI during emergencies. For instance, maintain backup copies to access clinic PHI during data center outages or transfer data between locations if necessary.
• Determine breach response procedures. Reporting may not be required if safeguards are in place and data is encrypted. However, significant breaches must adhere to the Breach Notification Rule, involving patient and Health and Human Services notification and breach severity assessment.

4. Facilitate Patient Access to Records

• Comply with HIPAA's Privacy Rule, which mandates clinics to provide copies of health records within 30 days of receiving a written request.
• Allow individuals to correct health records promptly as needed.
• Ensure access to health records extends to various formats, including paper and electronic records, appointment schedules, medical bills, dictated notes, conversations, and patient portals.
• Fulfill PHI disclosure obligations in suspected child abuse cases to aid child welfare agencies in suspect or witness identification or location.

5. Ensure Device, Website, and Network Security

• Develop and maintain a website compliant with HIPAA privacy standards for identifying information, operating on a secure network with necessary safeguards. Seek professional support if required.
• Implement Access Controls:
  
  • Enforce secure, password-protected logins.
  • Ensure each user accessing PHI has unique identifiers covering clinical notes, patient schedules, and financial statements related to healthcare.
  • Set timeouts on devices for automatic logout during inactivity periods.
  • Train staff to handle electronic PHI with integrity, refraining from record destruction or alteration.
  • Mandate authentication for all individuals or entities accessing PHI.
  • Verify encryption for data transfers containing PHI.
• Assess clinic security using resources available on the U.S. HealthIT website, including the Security Risk Assessment Tool.

6. Evaluate PHI Storage Options

• Consider the advantages and drawbacks of different storage methods for your clinic's PHI, whether it's hard copy in your physical facility, on-site servers, or a cloud-based practice management solution.
• Aim for a solution aligning with your workflow needs while simplifying HIPAA compliance. Some clinics choose a combination of storage options, while others choose a single method.
• When selecting a cloud-based practice management solution, prioritize features facilitating HIPAA compliance and operational efficiency:
  • Ensure all system activities are logged and can be accessed through reports for auditing purposes.
  • Implement role-based access control to restrict PHI access to necessary personnel only.
  • Verify that the vendor's servers meet the highest security standards to minimize breach risks.
  • Confirm the vendor and its employees adhere to HIPAA regulations regarding PHI handling, viewing, and disclosure, ensuring comprehensive compliance and data security.

7. Execute a Business Associate Agreement (BAA) with Software Vendors

• HIPAA mandates a written contract between clinics and any entity handling PHI. Two key entities defined by HIPAA are:
  • Covered Entity: Organizations recording data, typically health clinics and practitioners.
  • Business Associate: Entities assisting in data storage and processing for Covered Entities.
• The BAA delineates Business Associates' roles, responsibilities, and compliance limitations under HIPAA. Ensure your Privacy Officer regularly reviews and updates any signed BAA as needed.
  Consider state laws.

8. Assess State Laws for Additional Privacy Requirements Beyond HIPAA

• Where state laws are less stringent, HIPAA applies.
• Where state laws are stricter, state law takes precedence.
• Stricter state laws often pertain to reporting public health information, such as communicable diseases or child abuse, and birth and death records.
• Clinics should make good faith efforts to comply with all applicable laws, regulations, and bylaws in their healthcare business location. Establishing and adhering to policies and procedures demonstrates a commitment to compliance. While these actions may not entirely absolve legal liability, they are recognized to significantly mitigate risks.

9. Consult your Regulating Body

• Reach out to your regulating body specific to your discipline for additional guidance.
• Regulating bodies often establish "best practices" guidelines concerning privacy matters and can assist in understanding and implementing relevant laws in your region.

10. Stay Updated

• Recognize that laws frequently evolve.
• Ensure your Privacy Officer implements a strategy to stay informed about any changes in privacy requirements.
• Keep your clinic or practice current with the latest regulations by periodically refreshing policies.

If you have any inquiries about this guide or any other privacy-related concerns, don't hesitate to reach out to privacy@noterro.com. We're here to assist and clarify anything you're uncertain about!