The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that seeks to improve the efficiency of the health care industry while ensuring the security and confidentiality of patient health information. HIPAA applies to “covered entities” (health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with standard transactions) and to their “business associates” (any third party that creates, receives, maintains, or transmits protected health information on a covered entity’s behalf in order to carry out its health care activities and functions). Thus, under HIPAA, you are a covered entity and Rubix is your business associate, a relationship that HIPAA requires to be documented in a written business associate agreement.
HIPAA’s Privacy and Security Rules require that you and your business associates develop and follow procedures that ensure the confidentiality and security of your patients’ protected health information (PHI) whenever it is created, transferred, received, handled, or shared. The Privacy Rule applies to all forms of PHI, whether on paper, in oral communications, or in electronic format; the Security Rule adds specific safeguard requirements for PHI held or transmitted electronically. Furthermore, under the “minimum necessary” standard, only the minimum health information necessary to conduct business is to be used or shared.
As your business associate, Rubix follows detailed policies governing the protection of your patients’ PHI, including employing administrative, physical, and technical safeguards as required by HIPAA rules and regulations. You can be confident that we will protect your patient data to help you stay compliant.
Providers may be concerned that cloud-based platforms are more exposed to internet-based attacks, but, with the proper security measures in place, a cloud-hosted platform need carry no greater risk of data breach than on-site data storage. In fact, a quality cloud-based service can be more secure because it is more closely monitored: small businesses like healthcare practices typically can’t afford to staff team members responsible for managing the security of their own server. The data stored within the Rubix platform is encrypted and constantly monitored by experts who are committed to keeping your data safe. Choosing Rubix removes some of the complexity involved in staying compliant with HIPAA regulations, although the responsibility for compliance remains shared between you and your business associates.
HIPAA-COMPLIANT MARKETING
HIPAA generally requires that you obtain prior written authorization from the patient before using their PHI for marketing purposes. HIPAA defines “marketing” as “a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.”
However, HIPAA provides an exception that allows covered entities to communicate with patients about their own health-related products and services. So, messages you send to patients about health-related products and services are not considered “marketing” under the HIPAA definition so long as they are products and services provided by you. Note that this exception does not apply if a third party pays you to send the communication; a message promoting another company’s product or service for which you receive financial remuneration is marketing and requires the patient’s authorization.
THIS IS NOT LEGAL ADVICE
Please note that, while we are dedicated to giving you tools that will help you stay compliant with HIPAA, the information we provide is not legal advice. You are responsible for ensuring the compliance of your patient messages. We encourage you to seek out competent legal counsel for specific direction and guidance.
We have provided the following information to help you understand what your responsibilities are, and how the Rubix service aids you in remaining compliant with these objectives.