What is HIPAA and how does it concern the relationship between clients/partners and Altris Inc.?
What is HIPAA?
HIPAA stands for the Health Insurance Portability and Accountability Act, which was passed into law by Congress in 1996. HIPAA includes requirements for ensuring that health information is kept private, establishes patient rights with regard to that information, and creates standards for the protection of electronic health information.
HIPAA has several goals, one of which is to make health insurance more accessible and reduce health care costs by simplifying the administration of health insurance. The law also aims to improve the efficiency of healthcare administration by encouraging the electronic transmission of standardized health insurance information. However, the use of large electronic data sets could lead to misuse, such as identifying individuals with expensive medical conditions and hindering their ability to obtain insurance coverage or employment. Because of public concern over privacy, Congress included privacy and security requirements in HIPAA. These provisions were promulgated as the HIPAA Privacy Rule and the HIPAA Security Rule. To strengthen the patients’ protection, HIPAA was also supplemented by the Enforcement Rule, Breach Notification Rule, and Final Omnibus Rule.
The HIPAA Privacy Rule (45 CFR Part 160 and Subparts A and C of Part 164) requires appropriate safeguards to protect the privacy of protected health information (PHI) and sets limits and conditions on the uses and disclosures that may be made of such information without an individual’s authorization. The HIPAA Security Rule requires appropriate technical safeguards to ensure the confidentiality, integrity, and security of PHI. The Breach Notification Rule requires covered entities to provide notification following a breach of PHI unless the probability of re-identification is low.
What is PHI?
Protected health information (PHI) is individually identifiable health information transmitted or maintained in any form. Individually identifiable health information is a subset of health information, including demographic information collected from an individual, that (1) is created or received by a Healthcare Provider, Health Plan, employer, or Healthcare Clearinghouse; (2) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual; and (3) either (i) identifies the individual or (ii) provides a reasonable basis to believe the information can be used to identify the individual.
In other words, PHI refers to any information about health status, provision of health care, or payment for health care that can be linked to a specific individual. This is interpreted rather broadly and includes any part of a patient’s medical record or payment history. PHI encompasses a wide range of data points, e.g., medical records such as doctors’ notes, laboratory test results, billing and payment information, details of insurance coverage or any other payment data, demographic information, names, addresses, birthdates, Social Security numbers, doctors’ or nurses’ notes about patient interactions or treatment, etc. With the digitalization of healthcare, the term ePHI has become common, referring to health information that is processed electronically.
Who Falls Within HIPAA Regulation?
HIPAA covers a wide range of healthcare data issues and applies to all market players, but it’s important to note that the regulations implement different requirements for different entities. Each case requires a specific protective layer to be implemented depending on touchpoints. HIPAA’s regulations refer to two parties: Covered Entities and Business Associates. Covered Entities are directly involved in the creation, processing, or storage of health information. These include Healthcare Providers, Health Plans, and Healthcare Clearinghouses.
A Healthcare Provider is a provider of services, a provider of medical or health services, or any other person or organization who furnishes, bills, or is paid for health care in the normal course of business.
A Health Plan covers health insurance companies, HMOs, company health plans, and government programs that pay for healthcare, such as Medicare and Medicaid.
A Healthcare Clearinghouse means a public or private entity, including a billing service, repricing company, community health management information system or community health information system, and “value-added” networks and switches, that (i) processes or facilitates the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction, or (ii) receives a standard transaction from another entity and processes or facilitates the processing of health information into a nonstandard format or nonstandard data content for the receiving entity.
A Business Associate is an entity or individual that performs certain activities or functions on behalf of, or provides certain services to, a Covered Entity, where those activities involve the use, disclosure, or access to Protected Health Information (PHI).
If you have any doubts about your role under HIPAA, you can use the Covered Entity Decision Tool to check it.
What are Patients’ Rights under HIPAA?
HIPAA establishes clear rights to ensure individuals maintain control over their PHI. Covered entities must respect those rights, enabling autonomy and promoting trust in healthcare. In some scenarios, business associates may also have obligations under the Privacy Rule in addition to the covered entities.
It is possible to distinguish the following categories of rights:
- Right to request restrictions on the use of PHI;
- Right of access to PHI;
- Right to amend PHI;
- Right to an accounting of disclosures;
- Right to complain.
Sometimes, an individual cannot exercise their rights themselves, for example because they lack the necessary knowledge, lack legal capacity (a minor or a legally incapable person), or have passed away. An individual’s personal representative (generally, a person with authority under State law to make health care decisions for the individual, or a person authorized by the individual) may also exercise the individual’s rights on their behalf, upon request, within the scope of such representation.
Altris is not a covered entity but a business associate providing data-aggregation services to healthcare providers. Altris is therefore not the right addressee for HIPAA individual rights requests; its ability to process such requests is restricted by the business associate agreements with the respective covered entities and by applicable law. Please contact your healthcare services provider for this matter.
This article serves purely for informational purposes and should not be considered a replacement for legal counsel. Altris does not provide legal advice, so it is essential to consult with your legal counsel for guidance in all matters of law.
HIPAA-related recommendations for clients on how to be compliant:
- Build a HIPAA-Compliant Practice. Altris is dedicated to safeguarding protected health information and other data uploaded to our platform by our customers. While HIPAA imposes additional obligations on covered entities (healthcare providers, health plans, and clearinghouses), our primary duty lies in ensuring the secure and compliant operation of the Altris Platform for users. In turn, clients must take the lead in ensuring that their medical operations adhere to regulatory standards.
- Security Risk Assessment and Risk Management. Ensuring HIPAA compliance and safeguarding ePHI against unauthorized access, disclosure, alteration, or destruction requires proper risk analysis and risk management. Failing to conduct a thorough risk analysis or to implement the necessary management measures can lead to non-compliance, security breaches, or other incidents. Risk analysis is the process of identifying potential vulnerabilities and threats to ePHI and assessing the impact and likelihood of those threats occurring. Vulnerabilities are weaknesses in systems or processes that could be exploited by threats. Risk management involves analyzing the identified risks and implementing security measures to reduce them to a reasonable level. This includes both technical and non-technical measures, and prioritizing risks based on their potential impact and likelihood of occurrence. It is important to regularly assess the effectiveness of the implemented security measures by testing and monitoring security controls to ensure they are working as intended.
- Notices of Privacy Practices. The HIPAA Privacy Rule requires health plans and covered health care providers to develop and distribute a notice that provides a clear, user-friendly explanation of individuals’ rights with respect to their PHI and the privacy practices of health plans and health care providers.
- Business Associate Agreement. If a practice shares PHI with a third party, we recommend that it enter into business associate agreements with those providers. If a covered entity is a client of Altris, the business associate agreement with Altris may be accessed here. It is part of the Altris DPA and is already incorporated into the contract with our customers.
- Cybersecurity Measures. To address cybersecurity threats, HIPAA established the Security Rule. Implementing the following measures will help covered entities resist security hazards and comply with the rule:
- Access controls limit access to ePHI only to authorized personnel, based on the principle of least privilege;
- Strong authentication methods, such as a strict password policy and two-factor authentication can significantly reduce the risk of unauthorized access;
- Solutions allowing encryption of ePHI during transmission and at rest can protect against unauthorized access or disclosure;
- Regular back-ups of ePHI can protect the data from loss or corruption;
- Hardware and software firewalls will block unauthorized access and protect the network perimeter;
- Regular security audits and vulnerability scans help identify and address potential weaknesses in the IT infrastructure;
- Developed and regularly tested incident response and breach notification plans help ensure a coordinated and timely response in case of a security incident;
- Employees trained on cybersecurity best practices, HIPAA compliance, and corporate security policies and procedures are statistically less vulnerable to cyber threats.
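The risk analysis step above (identify threats and vulnerabilities, rate likelihood and impact, prioritize, apply controls, re-assess the residual risk) is easier to see as a small risk register. The following Python is an added example, not Altris' code or an Altris tool; every asset, threat, control and rating in it is constructed sample data, and the five-level scales and the "score = likelihood × impact" rule are assumptions chosen for illustration, not something HIPAA prescribes. The controls in the register are the ones listed in the cybersecurity measures above (MFA, encryption at rest, backups, training).

```python
"""Toy ePHI risk register: inherent risk, controls, residual risk, prioritization.

Added illustration for the risk-analysis recommendation above. All entries
are constructed sample data, not a real organisation's assessment.
"""
from dataclasses import dataclass, field

LEVELS = range(1, 6)  # 1 = lowest, 5 = highest, for both likelihood and impact


@dataclass(frozen=True)
class Control:
    """A safeguard and how many levels it removes from likelihood or impact (assumed model)."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    """One register entry: an asset holding ePHI, a threat, and the vulnerability it would exploit."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: int            # 1 (rare) .. 5 (almost certain)
    impact: int                # 1 (negligible) .. 5 (catastrophic)
    controls: list = field(default_factory=list)

    def __post_init__(self):
        if self.likelihood not in LEVELS or self.impact not in LEVELS:
            raise ValueError("likelihood and impact must be in 1..5")

    def inherent_score(self) -> int:
        """Risk before any control is applied."""
        return self.likelihood * self.impact

    def residual_levels(self) -> tuple:
        """Likelihood and impact after the controls, never below level 1."""
        lik = self.likelihood - sum(c.likelihood_reduction for c in self.controls)
        imp = self.impact - sum(c.impact_reduction for c in self.controls)
        return max(1, lik), max(1, imp)

    def residual_score(self) -> int:
        lik, imp = self.residual_levels()
        return lik * imp


def prioritize(risks):
    """Highest residual score first; ties broken by residual impact, because a
    rare but catastrophic ePHI exposure matters more than a frequent minor one."""
    return sorted(risks,
                  key=lambda r: (r.residual_score(), r.residual_levels()[1]),
                  reverse=True)


def needs_treatment(risks, tolerance):
    """Risks whose residual score still exceeds the organisation's risk tolerance
    and therefore need additional controls (or a documented acceptance)."""
    return [r for r in prioritize(risks) if r.residual_score() > tolerance]


def register_report(risks):
    """Rows of (asset, inherent, residual) in priority order, for review meetings."""
    return [(r.asset, r.inherent_score(), r.residual_score()) for r in prioritize(risks)]


# Constructed sample controls, mirroring the measures listed above.
MFA = Control("multi-factor authentication", likelihood_reduction=2)
ENCRYPT_AT_REST = Control("encryption of ePHI at rest", impact_reduction=3)
BACKUPS = Control("regular, tested backups", impact_reduction=2)
TRAINING = Control("staff security training", likelihood_reduction=1)

# Constructed sample register (not a real assessment).
SAMPLE_REGISTER = [
    Risk("OCT image store", "stolen laptop", "disk not encrypted", 3, 5, [ENCRYPT_AT_REST]),
    Risk("clinician accounts", "credential phishing", "password-only login", 4, 4, [MFA, TRAINING]),
    Risk("billing database", "ransomware", "no offline backup", 3, 5, [BACKUPS]),
    Risk("reception workstation", "shoulder surfing", "screen faces waiting room", 5, 1, []),
]

if __name__ == "__main__":
    for asset, inherent, residual in register_report(SAMPLE_REGISTER):
        print(f"{asset:22s} inherent={inherent:2d} residual={residual:2d}")
    print("needs treatment:", [r.asset for r in needs_treatment(SAMPLE_REGISTER, tolerance=5)])
```

Running it shows the point of the re-assessment step: the phishing risk has the highest inherent score but, once MFA and training are in place, the lowest residual score, while the billing database stays above a tolerance of 5 and still needs a further control. The same loop (rate, apply controls, re-rate, compare to tolerance) is what the periodic testing and monitoring of controls is meant to feed.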
Altris HIPAA Security Measures Policy. to be added.
Altris Business Associate Agreement
Regardless of any acceptance or execution of this Business Associate Agreement, it applies only to covered entities under the HIPAA regulation. An entity not covered by the HIPAA regulation may not be a party hereto.
This Altris Business Associate Agreement (the “BAA”) is an agreement between Altris and you or the entity you represent (the “Client”, “Covered Entity”, or “you/your”, as contextually appropriate). The BAA is an addendum to: (1) the Data Processing Agreement entered into by Altris and the Client (if any), (2) the Altris Terms and Conditions available at https://app.altris.ai/terms-and-conditions (as updated from time to time) between Altris and the Client, or (3) any other agreement between Altris and the Client governing your use of the Altris Platform (the “Agreement”). The Agreement is hereby incorporated herein by reference. In the event of any discrepancy between the BAA and the Agreement, the terms of the BAA shall prevail.
The Client agrees to be bound by the terms hereof by (a) accepting the BAA through the Account created by the Client on the Website or on the Website itself, (b) accepting a document that incorporates the BAA or the Agreement, or (c) using the OCT Software, OCT Equipment, or Solutions (the “Services”) and sharing PHI with Altris. The BAA Effective Date is the date on which the BAA is deemed to be entered into by the Parties or accepted by the Client.
If a representative, an employee, or an agency of the Client enters into the BAA on behalf of the Client, that person represents and warrants that (a) they are an authorized representative (a designated employee, an agency, or an assigned representative) of the Client to bind the Client to the BAA, and (b) they agree to this BAA on the Client’s behalf. Accordingly, the “Client” also comprises all the Client’s representatives, employees, and agencies engaged in exercising the BAA and using the Services on the Client’s end.
- All the terms and definitions used herein but not defined hereby should be interpreted according to the Agreement. Capitalized terms used but not otherwise defined in this BAA have the meanings given those terms in HIPAA and HITECH. The terms below have the following meanings:
- “Affiliates” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity;
- “Business Associate” means Altris to the extent Altris qualifies as a Business Associate of Covered Entity as defined in 45 CFR §160.103;
- “Control” for purposes of Section 1(a) means direct or indirect ownership or control of 50%;
- “Covered Entity” means the Client and its Affiliates;
- “HHS” means the United States Department of Health and Human Services;
- “HIPAA” means the Health Insurance Portability and Accountability Act of 1996, as amended, and its implementing rules and regulations, including the HIPAA Breach Notification Rule, the HIPAA Privacy Rule, and the HIPAA Security Rule;
- “HIPAA Breach Notification Rule” means the Breach Notification for Unsecured Protected Health Information issued by HHS, 45 CFR Parts 160 and 164 (Subparts A and D);
- “HIPAA Omnibus Rule” means the Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule issued by HHS, 45 CFR Parts 160 and 164;
- “HIPAA Privacy Rule” means the Standards for Privacy of Individually Identifiable Health Information regulations issued by HHS, 45 CFR Parts 160 and 164 (Subparts A and E);
- “HIPAA Security Rule” means the Security Standards for the Protection of Electronic Protected Health Information issued by HHS, 45 CFR Parts 160 and 164 (Subparts A and C);
- “HITECH” means the Health Information Technology for Economic and Clinical Health Act, Title XIII of Division A of the American Recovery and Reinvestment Act of 2009 and its implementing regulations;
- “Instructions” means the directions, either in writing, in textual form (e.g., by email), or by using the Services, issued by the Client to Altris and directing Altris to use, disclose, or otherwise process the PHI;
- “PHI” or “Protected Health Information” and “Electronic PHI” have the respective meanings given in 45 CFR §160.103, except that each is limited to the PHI (and Electronic PHI) that Business Associate creates, receives, maintains, transmits, or collects for or on behalf of Covered Entity;
- “Subcontractor” has the meaning given in 45 CFR §160.103.
- This BAA does not apply to all cases of cooperation between the Client and Altris. The Parties have entered into the Agreement pursuant to which Altris provides the Services to the Client, including on a Paid Subscription basis. Consequently, Altris may, but will not necessarily, provide the Client with some related support services (data conversion, troubleshooting, maintenance and repair, and customer support). The Subscription Services and related support may be performed in a manner that gives Altris access to the PHI. The terms of this BAA apply only if and to the extent the Client uses the Altris Services in the United States and Altris is a Business Associate of the Covered Entity pursuant to 45 CFR §160.103 as a consequence of its access to information covered by applicable provisions of HIPAA or HITECH.
Permitted and Required Uses and Disclosures
- Altris may Use or Disclose the PHI:
- To perform the Services for, or on behalf of, Covered Entity, provided that such use or disclosure would not violate the HIPAA Privacy Rule if done by Covered Entity;
- To provide Data Aggregation services to the Covered Entity as permitted by 45 CFR §164.504(e)(2)(i)(B);
- For or on behalf of the Covered Entity as specified in the Agreement or directed by the Instructions;
- To train and improve the performance of the Altris AI solution, save that the only PHI that may be used for this purpose is OCT scans and depersonalized data, which allows grouping OCT scans by demographic metrics;
- To report violations of law or certain other conduct to appropriate federal and state authorities or other designated officials in a manner consistent with 45 CFR §164.502(j)(1);
- To downstream subcontractors or agents that provide supporting services to the Business Associate; however, the Business Associate will require such subcontractors and agents to comply with the same terms and conditions that apply to the Business Associate under the BAA with respect to the PHI, including the implementation and maintenance of the required safeguards.
- Altris may use and disclose the PHI as necessary for the proper management and administration of Altris Services. Any Disclosures under this section will be made only if Altris obtains reasonable assurances from the recipient of the PHI that (a) the recipient will hold the PHI confidentially and will Use or Disclose the PHI only as required by law or for the purpose for which it was disclosed to the recipient, and (b) the recipient will notify Altris of any instances of which it is aware in which the confidentiality of the information has been breached.
Obligations of Business Associate
- Where applicable, and to the extent the Business Associate carries out one or more of the Covered Entity’s obligation(s) under the HIPAA Privacy Rule, Business Associate shall comply with the requirements of the HIPAA Privacy Rule that apply to the Covered Entity in the performance of such obligation(s).
- The Business Associate will use reasonable and appropriate safeguards to prevent the Use or Disclosure of the PHI other than as provided for by this BAA, consistent with the requirements of Subpart C of 45 C.F.R. Part 164 (with respect to Electronic PHI) as determined by Altris and as reflected in the Agreement.
- The Business Associate will ensure that any Subcontractors that create, receive, maintain, or transmit the PHI on behalf of the Business Associate agree to restrictions and conditions at least as stringent as those found in this BAA, and agree to implement reasonable and appropriate safeguards to protect the PHI.
- The Business Associate will make the PHI in a Designated Record Set available to the Client so that it can comply with 45 C.F.R. §164.524. The Business Associate will make the PHI in a Designated Record Set available to the client for amendment and incorporate any amendments to the PHI, as may reasonably be requested by the Client in accordance with 45 C.F.R. §164.526.
- The Business Associate will make available to the Client the information required to provide an accounting of Disclosures in accordance with 45 C.F.R. §164.528 of which the Business Associate is aware, if requested by the Client. Since the Business Associate cannot readily identify which Individuals are identified or what types of PHI are included in the Content you or any User (a) run on the Services, (b) cause to interface with the Services, or (c) upload to the Account or otherwise transfer, process, use, or store in connection with your Account, the Client will be solely responsible for identifying which Individuals, if any, may have been included in the Client’s Data that the Business Associate has disclosed and for providing a brief description of the PHI disclosed.
- The Business Associate will make its internal practices, books, and records relating to the Use and Disclosure of the PHI available to the Secretary of the HHS for purposes of determining the Covered Entity’s compliance with HIPAA. Nothing in this section will waive any applicable privilege or protection, including with respect to trade secrets and confidential commercial information.
- The Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to the Business Associate of a use or disclosure of the PHI by the Business Associate in violation of the requirements of this BAA.
- The Business Associate will not use or disclose the PHI for sale, marketing, or fundraising violating the HIPAA Omnibus Rule.
Obligations of Covered Entity
- To the extent that it may impact the Business Associate’s use or disclosure of the PHI, the Covered Entity agrees to inform the Business Associate in writing of any limitation in its Notice of Privacy Practices, any changes to or revocation of a patient’s authorization with respect to the PHI, any restriction to a use or disclosure agreed to by the Covered Entity with respect to a patient’s PHI, and any opt-out by a patient from marketing or fundraising activities by the Covered Entity.
- The Covered Entity will not ask the Business Associate to use or disclose the PHI in any manner that would not be permitted under HIPAA if done by the Covered Entity. The Covered Entity will disclose the PHI to the Business Associate in accordance with HIPAA and HITECH and will be responsible for using appropriate safeguards to maintain the confidentiality, privacy, and security of the PHI transmitted or disclosed to the Business Associate.
- Since the Business Associate does not know the nature of the PHI contained in the Client’s Account, does not have access thereto by default, and cannot link any portion of the information to a particular individual, it is not possible for the Business Associate to substantively respond to individuals’ requests regarding their rights under the HIPAA Privacy Rule or related laws. Thus, the Business Associate shall not review on the merits any individual’s requests related to such rights, including the rights of access, amendment, accounting, etc. (the “Rights Requests”).
- Once the Business Associate receives a Rights Request, it shall instruct the individual to address the request to the respective covered entity. If the Business Associate can identify the request as submitted by the Client’s patient, the Business Associate shall additionally notify the Client of the Rights Request within 5 business days from the date the Business Associate established the connection.
- For all reporting obligations under this BAA, the Parties acknowledge that, because the Business Associate does not know the nature of the PHI contained in the Client’s Account, it will not be possible for the Business Associate to provide information about the identities of the Individuals who may have been affected, or a description of the type of information that may have been subject to a Security Incident, Impermissible Use or Disclosure, or Breach.
- The Business Associate will report to the Covered Entity any Use or Disclosure of the PHI not permitted or required by this BAA of which the Business Associate becomes aware.
- The Business Associate will report to the Client on no less than a quarterly basis any Security Incidents involving PHI of which the Business Associate becomes aware in which there is a successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an Information System in a manner that risks the confidentiality, integrity, or availability of such information. Notice is hereby deemed provided, and no further notice will be provided, for unsuccessful attempts at such unauthorized access, use, disclosure, modification, or destruction, such as pings and other broadcast attacks on a firewall, denial of service attacks, port scans, unsuccessful login attempts, or interception of encrypted information where the key is not compromised, or any combination of the above.
- The Business Associate will report to the Client any Breach of your Unsecured PHI that the Business Associate may discover, to the extent required by 45 C.F.R. § 164.410. The Business Associate will make such report without unreasonable delay, and in no case later than 60 calendar days after discovering such Breach. The Covered Entity will be responsible for providing notice of the Breach to HHS or the media as required by the HIPAA Breach Notification Rule. The Covered Entity will also be responsible for providing any additional notice of a breach required of the Covered Entity by applicable law. The Covered Entity may request the Business Associate to assist with its notice obligations. The Business Associate will promptly notify the Covered Entity of the assistance it will provide in this regard.
Term and Termination
- The term hereof will commence on the BAA Effective Date and will remain in effect with respect to the Agreement until the earlier of (a) the termination or expiration of the Agreement, or (b) termination of the BAA by either Party as set forth below.
- Termination of this BAA is subject to Article 10 of the Agreement. In addition, either Party may terminate the BAA upon prior written notice sent to the other Party (the “Defaulting Party”) if the Defaulting Party materially breaches this BAA, and such breach remains uncured for 30 days after notice. At the same time, the Client may not refer to or use the aforementioned 30-day cure period to postpone the due payment date or extend or otherwise change the payment term specified in the Agreement.
- Within 180 days after the termination or expiration of this BAA, the Business Associate shall return or destroy all the PHI, if feasible, including all the PHI in the possession of the Business Associate’s Subcontractors. If the return or destruction of the PHI is not feasible, the Business Associate shall notify the Covered Entity in writing of the reasons why return or destruction is not feasible, shall extend any and all protections, limitations, and restrictions contained in this BAA to the Business Associate’s use and/or disclosure of any PHI retained after the termination or expiration of this BAA, and shall limit any further uses and/or disclosures solely to the purposes that make return or destruction of the PHI not feasible.
- The BAA amends, restates, and replaces in its entirety any prior business associate agreement between the Parties. This BAA supersedes all prior or contemporaneous written or oral contracts or understandings between Altris and the Client relating to their compliance with health information confidentiality laws and regulations, including HIPAA and HITECH.
- Nothing in this BAA is intended to make either party an agent of the other. Nothing in this BAA is intended to confer upon you the right or authority to control Altris’ conduct in the course of Altris complying with the Agreement and BAA.
- The provisions of this BAA will prevail over any contrary or inconsistent provision in the Agreement or related documents with respect to the PHI. All other terms of the Agreement or related documents remain in force and effect.
- Nothing herein confers on anyone other than the Client and Altris (and their respective successors and assigns) any rights, remedies, obligations, or liabilities whatsoever. There are no third-party beneficiaries of this BAA. Altris may assign its rights and responsibilities with respect to information covered under this BAA to the fullest extent permitted by applicable law.
- Except as preempted by HIPAA or other federal law, this BAA is construed and governed by the laws of the State of California. Each Party is obligated to comply with all applicable state and federal privacy laws and regulations.
- From time to time, Altris may modify the terms of the BAA that it offers to its client, but no modification or amendment of any portion of this BAA will be effective unless in writing and accepted by the Client, which acceptance may be made electronically through the Website or through other electronic means made available by Altris for such purpose.
Contact us if you have any questions regarding HIPAA compliance: