The Health Insurance Portability and Accountability Act (HIPAA) final Privacy regulations were published on December 28, 2000, with a compliance deadline of April 14, 2003. IMS Northwest agrees to adhere to the Standards for Privacy of Individually Identifiable Health Information published by the US Department of Health and Human Services Office for Civil Rights (45 CFR Parts 160 and 164). The Privacy Rule under HIPAA requires that “covered entities” enter into “business associate” agreements with entities that perform services on their behalf involving protected health information (“PHI”). In some instances, to effectively provide service to our clients, it is necessary for us to receive and use your PHI. Therefore, to the extent you are a “covered entity,” and to the extent we act as a “business associate” on your behalf, we are providing you with these written assurances as required for your compliance with the HIPAA Privacy Rule. HIPAA has established a deadline of April 5, 2005, for all health care providers to implement secure networks for the transmission of all private health information.
For information transmission to be considered secure, three elements are necessary:
- Authentication – identification of the senders and receivers of the information.
- Non-repudiation – verification that the senders and receivers of the information are who they say they are.
- Integrity – verification that information cannot be tampered with, “hacked,” or “broken into” during transit.
To be considered “secure” under HIPAA guidelines, the network used by the covered entity must require that each user have a unique username and password, and must take steps to ensure that data is transmitted over the system so that it cannot be easily intercepted by an entity outside the network. IMS Northwest has implemented a secure network that meets all of these criteria. Our network security is similar in design, function, and compliance to that used by the banking and financial industries for electronic monetary transactions.
IMS Northwest is committed to providing the highest data security and integrity standards in its software and operations, in order to meet or exceed the requirements set forth by published HIPAA regulations. Protected Health Information (PHI) shall be used solely for Treatment, Payment, or Healthcare Operations (TPO), as defined by the US Department of Health and Human Services.
IMS Northwest’s networks are protected by the latest firewall technology, and IMS Northwest uses SSL (128-bit Secure Sockets Layer technology) for transmission of all web-based transactions. All file transfers occur over encrypted communication lines using 128-bit Secure Sockets Layer technology, and all data is encrypted at the client site and at IMS Northwest before such transmission. We use VeriSign, Inc. as our Certificate Authority for all SSL-based communications. PHI data and personal identifying information that resides at IMS Northwest is also encrypted using the Advanced Encryption Standard (AES) before storage.
IMS Northwest strives to have appropriate means in place to protect your information. We employ industry-standard encryption technologies such as SSL (128-bit Secure Sockets Layer technology) both internally and externally, and we use the latest firewall technologies to mitigate risks. However, when you provide your information over a public or third-party network, it is important to understand that you do so at your own risk. All internal IMS Northwest processes related to Protected Health Information (PHI) have been assessed to ensure that current operations comply with HIPAA privacy and security requirements. Each IMS Northwest employee, contractor, and Strategic Business Partner has received the HIPAA Privacy Training necessary to understand and adhere to the provisions of this important piece of legislation. In addition, ongoing employee communication and education on HIPAA-related issues is facilitated through the internal corporate intranet.
IMS Northwest will, effective April 15, 2006, carry out its responsibilities in compliance with the HIPAA Privacy Rule to protect the privacy of any personally identifiable PHI that we collect, process, or learn of as a result of providing services on your behalf.