This HIPAA compliance statement describes Advarra’s policies, procedures, controls and measures to ensure current and ongoing compliance.
About HIPAA
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) defines a set of regulations protecting the privacy and security of certain health information. The Department of Health and Human Services (HHS) has published what are commonly known as the HIPAA Privacy Rule and the HIPAA Security Rule. The Privacy Rule, or Standards for Privacy of Individually Identifiable Health Information, establishes national standards for the protection of certain health information. The Security Standards for the Protection of Electronic Protected Health Information (the Security Rule) establish a national set of security standards for protecting certain health information that is held or transferred in electronic form.
A major goal of the Security Rule is to protect the privacy of individuals’ health information while allowing covered entities to adopt new technologies to improve the quality and efficiency of patient care. Given that the health care marketplace is diverse, the Security Rule is designed to be flexible and scalable so a covered entity can implement policies, procedures, and technologies that are appropriate for the entity’s particular size, organizational structure, and risks to consumers’ e-PHI.
The Security Rule applies to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form in connection with a transaction for which the HHS has adopted standards under HIPAA (the “covered entities”) and to their Business Associates.
Advarra’s Commitment
Advarra’s works with many organizations who may be defined as a Covered Entity under HIPAA and due to the nature of the services provided, Bio-Optronics may be required to act as a Business Associate under HIPAA.
Advarra has undergone a comprehensive review of all administrative, technical, and physical safeguards to ensure the protection of e-PHI.
This includes:
- Ensuring the confidentiality, integrity, and availability of all e-PHI created, received, maintained, or transmitted
- Identifying and protecting against reasonably anticipated threats to the security or integrity of the information
- Protecting against reasonably anticipated impermissible uses or disclosures
- Ensuring compliance by our workforce
Advarra is also GDPR compliant, and all our technical, operational, and administrative systems comply with the ‘Privacy by design’ and ‘Privacy by default’ standards required by the GDPR. HIPAA compliance provides an additional layer of security in handling any personal healthcare data that may pass through our systems.
Controls Implemented
Advarra has implemented the necessary controls to ensure HIPAA compliance including administrative, physical, and technical controls.
Risk Assessment
As part of our security management process, Bio-Optronics conducts annual risk assessments including likelihood and impact of potential risks. A risk assessment helps ensure that controls are appropriate to address the needs of the organization. Conducting these annually ensures that organizations continue to provide the highest level of security for the data that they have been entrusted to protect.
Administrative Safeguards
Bio-Optronics has implemented a security management process, including appropriate standard operating procedures (SOPs) and policies. A security manager has been assigned to help develop and review procedures and policies. Staff are kept up to date with changes and are trained on HIPAA and security annually. Internal review of these safeguards is done regularly to ensure compliance and for continual improvement.
Physical Safeguards
Bio-Optronics ensures that the data centers have implemented strict facility access policies and all necessary and appropriate controls. Strict policies are in place to ensure e-PHI is only housed in secure locations.
Technical Safeguards
Bio-Optronics has implemented appropriate technical safeguards including authentication and authorization for our employees and for user of our applications. Appropriate auditing and integrity controls are in place. All data transmissions to the data centers require encryption. Additional systems have been implemented where appropriate to ensure the highest level of security for our hosted applications.
Contact Information
Further documentation on specific policies and measures in place is available upon request. This Statement of HIPAA Compliance is meant for informational purposes only and not as a form of covenant, warranty, representation or guarantee of any kind. We encourage the use of Business Associate Agreements to address specific compliance requirements.
For further information, please contact us by one of the following methods:
E-mail: corporatecompliance@advarra.com
Mail: Advarra Headquarters
6100 Merriweather Dr., Suite 600
Columbia, MD 21044
You can call the following telephone number: 410.884.2900