HIPAA Compliance

How is vTail a HIPAA compliant App?

In order to be considered HIPAA compliant, we must safeguard the integrity of our technology platform.  In particular, our platform must be secure so that we have as high a degree of confidence as possible that any information transmitted to or accessed within it, including Protected Health Information (PHI), can’t be accessed or seen by anybody other than the intended recipients and that the information is safe from being stolen or removed from the platform.  So how do we achieve this?

vTail chooses its service providers with care.  We use Stream (www.getstream.io) for its HIPAA compliant chat infrastructure, Twilio® (www.twilio.com) for its video communications and AWS (www.aws.com) for its data storage.  Stream provides industry-leading security for PHI, whilst Twilio is used by notable HIPAA compliant software solutions such as Doximity, Doctor on Demand, Zocdoc and Epic Systems' telehealth service within its EHR system.  Similarly, AWS provides HIPAA compliant cloud-based storage for companies and organizations such as Philips, MedStar Health, and Cerner.

In addition to having implemented a set of HIPAA compliant security policies and procedures that enable us to manage the way in which our company and its personnel operate, we train our staff on information security awareness, encryption, password protection, end-user awareness and preventative strategies, as well as on HIPAA compliance.  We also engage a well-established specialist HIPAA compliance firm to assist us in the monitoring and ongoing development of our policies and procedures; they provide us with independent verification of the robustness of our technology by carrying out periodic testing and audits.

Our platform is only as secure as the personnel who manage it, so all personnel are fully background checked at the time of joining our company and prior to being given access to the system.  

With all the technology, systems and controls in place for HIPAA compliance, the remaining step is to make sure that all users of our platform who may share PHI using the platform enter into a Business Associate Agreement (BAA) with us.  A BAA may sometimes be known as a business associate contract.

What is PHI?

PHI relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present or future payment for the provision of healthcare to an individual that is:

  • Transmitted by electronic media
  • Maintained in electronic media
  • Transmitted or maintained in any other form or medium

PHI includes all individually identifiable health information.  This includes demographic data, medical history, test results, insurance information and any other information which is used to identify a patient or used to provide healthcare services.  All such information is protected under the HIPAA Privacy Rule.

What is a BAA and who needs one?

Not every healthcare practitioner needs a BAA but:

  1. If you work in your own right as a healthcare provider such as a doctor, dentist, chiropractor, psychologist or nurse and if you also bill insurance, you would generally be regarded as a “covered entity” under HIPAA and you will need to sign up to a BAA with your business associates where you may transmit PHI to your business associates; or
  2. If you work as part of the workforce within an organization such as a hospital, clinic, nursing home or pharmacy, whether as a doctor, nurse or in another capacity, where healthcare is provided in exchange for payment and your organization bills insurance, your organization would be regarded as a “covered entity” under HIPAA and it will need to sign up to a BAA with its business associates where PHI may be transmitted to its business associates by its workforce.

A business associate is any organization or person which works in association with, or provides services to, a covered entity which generates, discloses or handles PHI.  Under HIPAA, vTail is a business associate to the covered entities that use our platform and who transmit or access PHI over it.

A BAA is a written agreement that sets out the responsibilities of each party with regard to PHI.  Specifically, the BAA describes the permitted and required uses of the PHI by the business associate and its sub-contractors; it sets the parameters within which the business associate and any sub-contractors may use the PHI; and it obligates the business associate to put in place appropriate safeguards to prevent inappropriate use or disclosure of PHI whilst the PHI is in their hands.

As a business associate, vTail is required to enter into BAAs with our own service providers, as well as with our customers. For healthcare professionals who are covered entities to be able to share PHI using our platform (and where vTail would therefore be a business associate to those healthcare professionals), they are required to enter into a BAA with us so that both parties fully understand what their respective responsibilities are under HIPAA when PHI passes through and is handled by the vTail platform.  If you are a covered entity and you intend to transmit or access PHI using vTail, then you won’t be HIPAA compliant unless you sign a BAA – it’s as simple as that.  If, of course, you believe that you will not be sharing PHI on vTail, then there is no reason for you to sign a BAA.

If you do not intend to transmit or access PHI on the vTail platform, you won’t need to sign a BAA and the End User Licence Agreement (EULA) that you will have signed up to when downloading our app will govern the relationship between us.  The EULA defines what PHI is and provides that, insofar as you do not sign a BAA with us, you should not share PHI on the vTail platform.

Within the chat function on our app, you will see a light gray box at the top of the screen gently reminding you not to share PHI and also letting you know that, if desired, you can change your status so that you may share PHI in a HIPAA compliant manner.

If you do intend to share – or have a high level of confidence that you will share – PHI on the platform, then you should ensure that you sign a BAA with us before doing so.  If, as a covered entity you do not take this step, you won’t be HIPAA compliant when sharing PHI using vTail.

Should you sign a BAA or should your facility sign a BAA?

A BAA may be signed by you but, in some circumstances, it may be the facility in which you work that needs to sign it.  Either way, if you or your facility need to sign a BAA with us, the process is as follows:

You will be asked if you have the ability to sign the BAA on your own, or if somebody else within your facility needs to sign it.  Typically, if you are regarded as part of the workforce by the facility in which you work, the BAA will need to be signed by your facility.  Rules vary between facilities so, if you are unsure, we suggest that you seek the advice of your facility’s compliance officer or a person within a similar role.

If you are able to sign the BAA on your own, after having read the terms of the BAA, you simply need to check the box to indicate that you agree to its terms, and you will be HIPAA compliant when using our app.  When you are in the chat function of our app, you will see a light yellow box at the top of the screen reminding you that it is OK for you to share PHI.

If you are unable to sign the BAA on your own and if someone else in your facility needs to sign the BAA, the process is as follows:

  1. If you tell us that your facility needs to sign the BAA, we will provide a link through which all of the information the person reviewing the BAA may need can be accessed, together with instructions on what the person needs to do.
  2. You will be given the option to also have this information sent to another person (typically the person who will be responsible for signing the BAA within your facility).
  3. Our Compliance Officer will also receive a copy of that email and will be able to offer assistance if you have any questions related to the BAA or the supporting materials.
  4. Once the BAA has been signed by your facility, you will see in the app that your status will have changed and it will show that you are able to share PHI in a HIPAA compliant manner when using our platform.

Note

During the time in which the BAA is being reviewed by your facility and before it is signed, we would encourage you to use the vTail app, but please make sure not to share PHI during this time.  

If you work in different facilities and you intend to share PHI when you work in all of those facilities, each of those facilities may be required to sign a BAA.

Further information

https://www.hhs.gov/hipaa/for-professionals/privacy/index.html

https://www.hhs.gov/hipaa/for-professionals/faq/190/who-must-comply-with-hipaa-privacy-standards/index.html

https://www.hhs.gov/hipaa/for-professionals/index.html

https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html

Have further questions?

Contact us at: compliance@vtail.co

vTail Healthcare Telecommunications Limited is a company registered with limited liability in England under registration number 12646131 and having its registered office address at 264 Banbury Road, Summertown, Oxford OX2 7DY, England, United Kingdom.