Protected Health Information (PHI) and HIPAA Compliance
Every business that is part of the U.S. healthcare industry must comply with Federal standards regulating sensitive and private patient information. In addition to protecting worker health insurance coverage, the Health Insurance Portability and Accountability Act (HIPAA) sets forth standards for protecting the integrity, confidentiality, and availability of electronic health information.
While no single product or solution can make an organization HIPAA-compliant, the Mikroscan telemicroscopy solution can help organizations meet HIPAA guidelines for the privacy and security of remote access to healthcare information, and it can be used within a larger system to support HIPAA compliance.
Although HIPAA compliance per se is applicable only to entities covered by HIPAA regulations (e.g., healthcare organizations), the technical security controls employed in our solutions meet various HIPAA technical standards. Furthermore, the administrative configuration and control features provided by these products support healthcare organization compliance with the Administrative and Physical Safeguards sections of the final HIPAA Security Rules.
Definitions: (Ref: 45 CFR 160.103)
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that prevents a health care provider from releasing individually identifiable protected health information (PHI) without the consent of the individual. The purpose of HIPAA is to protect the confidentiality, integrity, and availability of electronic protected health information (EPHI) when it is stored, maintained, or transmitted.
Covered Entity means:
(1) A health plan.
(2) A health care clearinghouse.
(3) A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter.
Health Care Clearinghouse
Health care clearinghouse means a public or private entity, including a billing service, repricing company, community health management information system or community health information system, and "value-added" networks and switches, that processes or facilitates the processing of health information received from another entity.
Business associate means, with respect to a covered entity, a person who performs, or assists in the performance of a function or activity involving the use or disclosure of individually identifiable health information.
Protected Health Information (PHI)
PHI means any information, whether oral or recorded in any form or medium, that is (a) individually identifiable information, and (b) related to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual. Individually identifiable information includes the individual’s:
• Telephone and Fax Numbers
• Electronic Email Addresses
• Date of Birth
• Social Security Number
• Medical record numbers
• Health plan beneficiary numbers
• Account numbers
• Certificate/license numbers
• Vehicle identifiers and serial numbers, including license plate numbers
• Device identifiers and serial numbers
• Web Universal Resource Locators (URLs)
• Internet Protocol (IP) address numbers
• Biometric identifiers
• Finger and voice prints
• Full face photographic images and any comparable images
• Any other information that can be used to identify the individual
Policy and Recommendations:
Mikroscan is not a covered entity or a business associate of a covered entity. However, Mikroscan-manufactured devices, systems, and software are used by covered entities to transmit health information in electronic form.
Depending on the policies and procedures of the Health Care Provider, slide images that are scanned by the Mikroscan system may contain Protected Health Information. It is the responsibility of the Health Care Provider to ensure adequate security of this electronic information in accordance with HIPAA regulations and any other applicable requirements.
In the normal course of business, Mikroscan does not typically receive PHI. However, if Mikroscan receives suspected PHI from a covered entity, Mikroscan will:
(a) contact the sender to request direction on the actions to be taken to address all possible PHI, and take action accordingly.
(b) not copy or make a record of any of the materials received, either physical or electronic copies, until the PHI is redacted (removed or eliminated).
Remote connectivity to the Mikroscan system uses Splashtop software. For details on how Splashtop software addresses HIPAA compliance, please visit: www.splashtop.com/compliance