Is PicSafe HIPAA & HITECH compliant?

PicSafe allows you to comply with HIPAA & HITECH

Many people ask us, "Is PicSafe HIPAA compliant?" That is the wrong question. There is no official accreditation that allows one to say a tool or service is "officially HIPAA compliant." The right question is, "Does PicSafe allow me to remain HIPAA compliant?" To that, the answer is: yes.

Under HIPAA, PicSafe is considered a "conduit" that transmits "Protected Health Information," somewhat like a digital U.S. Postal Service, or UPS or FedEx. PicSafe is not considered a "Business Associate," meaning a "Covered Entity" can use PicSafe to remain HIPAA compliant and avoid vicarious liability for PicSafe's actions much like a Covered Entity is not liable for the actions of a courier.

Below we discuss how we came to the determination that PicSafe allows you to comply with HIPAA.

What is HIPAA?

HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. It is a US act designed to modernize the flow of healthcare information and to stipulate how the healthcare and health insurance industries should protect health information.

What is HITECH?

HITECH stands for "Health Information Technology for Economic and Clinical Health" Act (2009). It is a US act that expanded the scope of privacy and security protections available under HIPAA. Below we will only refer to HIPAA rather than HIPAA and HITECH.

What is Protected Health Information (PHI)?

From a HIPAA perspective, PHI is any health information contained in a medical record that relates to an individual and is created, received, used, or is maintained by a HIPAA "Covered Entity" to provide healthcare services or payment for healthcare services.

Clearly, from a PicSafe perspective, we are dealing with PHI.

What is a Covered Entity?

A "Covered Entity" is a healthcare provider, a health plan, or a health care clearinghouse. For more information, see the HHS website. Individuals, organizations, and agencies that meet the definition of a "Covered Entity" must comply with HIPAA Rules.

If a covered entity engages a "Business Associate" to help it carry out its health care activities and functions, the covered entity must have a written business associate contract, and the business associate, in turn, has to meet HIPAA requirements.

Certainly, PicSafe is not a "Covered Entity." To determine whether one should deem PicSafe a "Business Associate," we need to explore the definition of a Business Associate.

What is a Business Associate?

Here it gets quite technical, and we have to dive into the semantics (semantics matter concerning the law). We will look at the definition of Business Associate in HIPAA.

HIPAA definition (45 CFR § 160.103), with our comments with respect to PicSafe:

Business associate includes the following. If any of these definitions apply, then PicSafe is deemed a Business Associate.
  1. A Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to protected health information to a covered entity and that requires access on a routine basis to such protected health information.
     • PicSafe is not a Health Information Organization. See the section below called, What is an HIO?
     • PicSafe is clearly not an E-prescribing Gateway.
     • PicSafe does provide "data transmission services with respect to protected health information to a covered entity" but does NOT require "access on a routine basis". See the section below called, What does "access on a routine basis" mean?
  2. A person that offers a personal health record to one or more individuals on behalf of a covered entity.
     • PicSafe clearly does not offer Personal Health Records. See the section below called, What is a PHR?
  3. A subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the business associate.
     • PicSafe offers its service to "Covered Entities". PicSafe is clearly not a subcontractor acting on behalf of a Business Associate.

Based on the above assessment, PicSafe is not a Business Associate.

What is a Health Information Organization (HIO)?

The Office of Civil Rights published an article entitled "The HIPAA Privacy Rule and Electronic Health Information Exchange in a Networked Environment." In it, they provide this:

There is no universal definition of an HIO; however, for purposes of this guidance, an HIO is "an organization that oversees and governs the exchange of health-related information among organizations according to nationally recognized standards."

PicSafe is, therefore, not an HIO.

What is a Personal Health Record (PHR)?

The Office of Civil Rights published an article entitled "Personal Health Records and the HIPAA Privacy Rule." In it, they provide this definition:

A PHR is an electronic record of an individual's health information by which the individual controls access to the information and may have the ability to manage, track, and participate in his or her own health care. A PHR should not be confused with an electronic health record (EHR). An EHR is held and maintained by a health care provider and may contain all the information that once existed in a patient's paper medical record, but in electronic form.

PicSafe is, therefore, not a provider of PHRs.

What does "access on a routine basis" mean?

Initially, HIPAA rules did not apply to Business Associates. The 2013 Final Rule (Federal Register, Vol. 78, No. 17, Friday, January 25, 2013, Rules and Regulations) expands the definition of a Business Associate as discussed above. In the 2013 Final Rule, some of the comments help further define whether PicSafe is covered.

Excerpts from the 2013 Final Rule, each followed by our comment with respect to PicSafe:

Excerpt: "... we have stated that entities that act as mere conduits for the transport of protected health information but do not access the information other than on a random or infrequent basis are not business associates."

Comment: PicSafe does not have access to PicSafe reports sent via email.

Reports sent via text message or other messaging tools, or sent to My PicSafe (to later place into an Electronic Medical Record), are stored temporarily on PicSafe servers in encrypted form. PicSafe does not access these reports and does not need to access these reports to perform its service.

Reports sent to third-party storage services are sent directly from the app, and no PHI passes through PicSafe's servers. PicSafe, therefore, does not have access.

Excerpt: "Regarding what it means to have 'access on a routine basis' to protected health information with respect to determining which types of data transmission services are business associates versus mere conduits, such a determination will be fact specific based on the nature of the services provided and the extent to which the entity needs access to protected health information to perform the service for the covered entity."

Comment: As stated above, PicSafe does not need access to PHI to perform the service for the covered entity.

Excerpt: "The conduit exception is a narrow one and is intended to exclude only those entities providing mere courier services, such as the U.S. Postal Service or United Parcel Service and their electronic equivalents."

Comment: PicSafe can be considered the electronic equivalent of a courier service. A courier is defined as: a person or company that takes messages, letters, or parcels from one person or place to another.

Excerpt: "… a conduit transports information but does not access it other than on a random or infrequent basis as necessary to perform the transportation service or as required by other law."

Excerpt: "Such occasional, random access to protected health information would not qualify the company as a business associate."

Excerpt: "In contrast, an entity that requires access to protected health information in order to perform a service for a covered entity … is not considered a conduit and, thus, is not excluded from the definition of business associate."

Comment: As stated above, PicSafe does not access, and does not need to access, the PHI that it transmits. Given this description, PicSafe is considered a conduit and thus excluded from the definition of a business associate.

Excerpt: "We note that the conduit exception is limited to transmission services (whether digital or hard copy), including any temporary storage of transmitted data incident to such transmission. In contrast, an entity that maintains protected health information on behalf of a covered entity is a business associate and not a conduit, even if the entity does not actually view the protected health information."

Comment: This clarifies that an entity that temporarily stores data incident to transmission still falls under the classification of a conduit.

Where PicSafe stores PHI (encrypted) on its servers (reports that are sent via text message or other messaging tools, or are sent to My PicSafe), it only stores it temporarily. The transient nature of PicSafe's storage is consistent with the definition of "temporary storage". The rule contrasts this with persistent storage such as that provided by a document storage company.

In summary, PicSafe does not access PHI on a routine basis, and does not need to access PHI on a routine basis.

Shouldn't we execute a Business Associate Agreement (BAA) to be safe?

No. Given that PicSafe is not deemed a Business Associate, entering into a BAA is technically not required. Entering into a BAA out of an abundance of caution would mean both parties become subject to contractual liabilities they would not have but for the agreement.

From a covered entity's perspective, there is a commonly held mistaken assumption that a covered entity is vicariously liable for a contractor's HIPAA violations. HIPAA clearly states that covered entities are only liable for a business associate's actions if the business associate is acting as an agent of the covered entity; that is, the covered entity had the right to control the business associate's actions (45 CFR 160.402(c); 78 FR 5581). Executing a BAA may serve to suggest an agency relationship or give the covered entity greater control over the actions of the contractor. This relationship may, in turn, trigger vicarious liability. Given that it is in the covered entity's interest to limit its liability, it is in its interest to avoid signing a BAA.

From a PicSafe perspective, frankly, PicSafe does not want to bear the costs of complying with regulations that do not otherwise apply. Similarly, PicSafe does not wish to expose itself to HIPAA penalties for noncompliance. That said, PicSafe takes every precaution to ensure that PHI is safe and secure.

If PicSafe is not a Business Associate, what is it?

As discussed above, PicSafe can be considered a transmission service that acts as a conduit. One may regard it as a service provider but not a business associate of a covered entity.