HIPAA & HITECH compliance

Introduction

HIPAA and HITECH provide national minimum standards to protect an individual’s protected health information (PHI). The U.S. Department of Health and Human Services (HHS) manages and enforces these standards.

HIPAA was originally created to streamline healthcare processes and reduce costs by standardizing certain common health care transactions, while protecting the security and privacy of individuals’ PHI. HITECH expanded on the privacy and security requirements of HIPAA.

HIPAA and HITECH focus on PHI, which generally includes any personally identifiable information regarding an individual’s physical or mental health, the provision of health care to him or her, or payment for related services. PHI also includes any personally identifiable demographic information, including, for example, name, address, phone numbers, and Social Security numbers

These standards affect the use and disclosure of PHI by covered entities (such as health care providers engaged in certain electronic transactions, health plans, and health care clearinghouses) and their business associates.

Vtiger enables covered entities and their business associates subject to the U.S. Health Insurance Portability and Accountability Act (HIPAA) to leverage the secure Vtiger environment to process, maintain, and store protected health information.

The 4 HIPAA Rules

HIPAA Privacy Rule

HIPAA’s Privacy Rule restricts intentional and unintentional use or disclosure of PHI that is in violation of the requirements of HIPAA.

1. Do not allow impermissible use or disclosure of PHI
2. Provide breach notification to covered entity
3. Provide individual or the covered entity access to the PHI
4. Disclose PHI to the secretary of the HHS if compelled to do so
5. Provide an accounting of disclosures
6. Comply with the requirements of HIPAA security rule

HIPAA Security Rule

HIPAA’s Security Rule requires covered entities to put in place detailed administrative, physical, and technical safeguards to protect electronic PHI

HIPAA Enforcement Rule

It spells out penalties, and procedures for hearings

HIPAA Breach Notification Rule

It requires healthcare providers to notify patients in the case of breach of unsecured PHI

Vtiger supports covered entities be HIPAA compliant

Vtiger CRM Service is delivered via servers hosted in data centers belonging to Amazon EC2. Vtiger provides mechanisms to help Healthcare providers (i.e., covered entities) that use Vtiger service, to be HIPAA compliant.

Our Security policy mandates all of the following

1. Physical Safeguards - Only authorized Amazon employees can access the servers
2. Administrative Safeguards - Access to the data within the application is controlled by the covered entity, while Access to the server is controlled by Vtiger team. Vtiger CRM provides role based access control to restrict access to certain users.
3. Technical Safeguards - Vtiger maintains an active monitoring system to find and fix any vulnerabilities in Operating System, Web Server, Database, or in the Vtiger CRM application promptly.

For more details, please click on vtiger.com/security

Enable encryption at rest with new encrypted fields.

When you store a person's sensitive data, like their health information or national ID number, certain laws may require you to encrypt that data at rest. Vtiger’s field encryption accomplishes that, while providing other protections that significantly reduce the risk of misuse by employees or malicious actors

To learn more, read our documentation on Encrypted data fields in Vtiger CRM

In transmission, data is always encrypted using SSL.

Breach notification

If a breach has occurred at the service level, Vtiger will alert the Healthcare provider (Vtiger’s customer)