The steps you will need to take to comply with HIPAA when using TrueVault will vary based on your implementation.
If you use our JavaScript widgets so that you never actually touch PHI, then you may be able to avoid the Administrative Safeguards. But if you handle PHI and then send it to TrueVault, you will need to comply with the Administrative components of HIPAA.
The HIPAA Security Rule requires appropriate Administrative, Physical, and Technical Safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.
HIPAA compliant hosting handles the Physical Safeguards, a set of rules and guidelines that focus on the physical access to protected health information (PHI).
TrueVault handles both the Physical and Technical Safeguards (Encryption and Decryption, Key Management, Key Rotation, Access Control, Unique User Identification, Emergency Access, Automatic Logoff, Audit Controls, Mechanism to Authenticate Electronic PHI, Person or Entity Authentication, Transmission Security, and Integrity Controls). This is all stuff that you would have to build yourself if you use AWS, FireHost, or Rackspace.
You’re right; Administrative Safeguards should not be ignored. The administrative components are really important when implementing a HIPAA compliance program; you are required to assign a Privacy Officer, complete a risk assessment, implement employee training, review policies and procedures, and execute Business Associate Agreements (BAAs) with partners you share protected health information (PHI) with. I think that Accountable does a great job with the Administrative Safeguards. Accountable offers HIPAA compliance management tools that keep your business legal. Check out: http://www.accountablehq.com/
Again, the steps you will need to take to comply with HIPAA when using TrueVault will vary based on your implementation. I’m happy to jump on the phone and answer any questions that you may have. We can go over the use case that you have in mind and the HIPAA implications. Feel free to email me directly at trey@truevault.com.
To clarify, a Business Associate is any entity that uses or discloses PHI on behalf of a Covered Entity. Furthermore, a Business Associate is any person who, on behalf of a Covered Entity, performs (or assists in the performance of) a function or activity involving the use or disclosure of PHI.