The Health Insurance Portability and Accountability Act (HIPAA) sets stringent requirements for protecting health information that can identify individuals. At Desk365, we are committed to providing features that help our customers use our service in a HIPAA-compliant manner. This article explains how you can implement HIPAA compliance in Desk365.
Understanding HIPAA Requirements
HIPAA is a U.S. law that provides data privacy and security provisions to protect medical information. The law has become more significant due to numerous health data breaches caused by cyber-attacks.
The Health Insurance Portability and Accountability Act (HIPAA) has several key purposes, all aimed at protecting patient information and improving the healthcare system. Here are the main objectives:
- Privacy of Health Information: HIPAA sets national standards to protect medical records and personal health information. It ensures that healthcare providers, health plans, and other entities handle patient information with care, maintaining its confidentiality and security.
- Security of Electronic Records: HIPAA includes provisions for safeguarding the security of electronic health records (EHRs). These rules require appropriate administrative, physical, and technical safeguards to ensure the integrity, confidentiality, and availability of electronic protected health information (ePHI).
- Portability of Insurance Coverage: One of the original purposes of HIPAA was to improve the portability and continuity of health insurance coverage. It helps individuals maintain insurance coverage when they change or lose their jobs, reducing the risk of being uninsured due to pre-existing conditions or gaps in employment.
- Healthcare Administration Simplification: HIPAA aims to reduce the administrative costs and burdens in the healthcare system by standardizing the electronic transmission of financial and administrative transactions, including billing, claims processing, and eligibility verification.
- Enforcement of Standards: HIPAA also sets forth a series of enforceable standards and practices. It includes provisions for addressing violations and imposes penalties on entities that fail to comply with HIPAA requirements, thereby reinforcing the importance of adherence to privacy and security standards.
- Improving Healthcare Efficiency: By standardizing transactions and encouraging the use of electronic systems, HIPAA seeks to improve the efficiency and effectiveness of the healthcare system, facilitating quicker and more reliable access to health information by healthcare providers.
HIPAA plays a critical role in modern healthcare by providing a framework for managing the use and disclosure of sensitive patient information, thus enhancing patient trust and contributing to the overall quality of the healthcare system.
HIPAA-Covered Entities
HIPAA applies to “covered entities” and their Business Associates (BAs). Covered entities are organizations that handle Protected Health Information (PHI) or personal health records (PHRs). Business associates refer to those who do not engage directly with patients, but they are still involved in creating, receiving, or transmitting patients’ Electronic Protected Health Information (ePHI).
HIPAA mandates that Covered Entities and Business Associates take measures to protect health information and one crucial requirement is that Covered Entities must sign a Business Associate Agreement (BAA) with their Business Associates.
Requesting a Business Associate Agreement (BAA)
As part of HIPAA compliance, you may need to sign a Business Associate Agreement with Desk365. Email us at help@desk365.io to sign a BAA with Desk365.
Actions you can take for HIPAA Compliance in Desk365
To help ensure the security of your customers’ information, you can take the following actions in Desk365:
- Creating ePHI Fields
- Using ePHI Fields in Forms
- Administering Roles and Permissions
Let’s go through each action in detail.
1. Creating ePHI Fields
If a field contains the health information of your customers or patients, you can mark it as ePHI (electronic Protected Health Information). This process helps in identifying and protecting sensitive data.
Steps to Add ePHI Fields in Desk365:
- Navigate to Settings > Admin > Ticket Fields.
- Select the Encrypted Text Input under Encrypted Field Types.
- Edit the field type and label it appropriately for agents and contacts.
- Check the Mark as ePHI box.
- Click Save and add it to the desired ticket form.
2. Using ePHI Fields in Forms
Encrypting fields that contain personal health information adds an extra layer of security. While encryption is not mandatory, it is highly recommended to prevent unauthorized access to confidential data. When adding an ePHI Field to a form in Desk365, encryption is automatically enabled. This is on top of the encryption of all data in Desk365 (all data is encrypted at rest and in transit). Learn more about adding ePHI Fields to Forms in Desk365.
3. Administering Roles and Permissions
Desk365 allows you to define roles and permissions to control who in your organization can access specific electronic Protected Health Information (ePHI). By setting up roles and field-level permissions, you can further secure sensitive data. Here are the detailed steps to administer roles and permissions:
Steps to Administer Roles and Permissions:
- Navigate to Settings > Admin > Roles.
- Create or edit roles to define who can access what information.
- Customize field-level permissions to restrict or grant access to ePHI fields by checking the “Can Modify Displayed Fields in Ticket Properties” option.
- Checking the option gives access to modify the displayed fields in ticket properties in the ticket details page. You can now find the ticket form along with the ticket fields displayed automatically below the ticket properties on the ticket details page.
- By clicking on the edit option in the ticket properties section, you can opt to make the ePHI field visible and control the access.
Learn more about setting up custom roles
By utilizing these features in Desk365, you can enhance the security of your customers’ health information and ensure compliance with HIPAA regulations. For more detailed guidance, feel free to reach out to our support team.
