Dropbox or any other cloud storage provider (CSP)? Yes, yes. According to HHS.gov, when a covered entity uses a CSP "to create, receive, maintain or transmit ePHI (e.g. to process and/or store ePHI), the CSP is a business associate under HIPAA... This is true even if the CSP only processes and stores encrypted ePHI and does not have the encryption key for the data." (www.hhs.gov/hipaa/for-professionals/special-topics/cloud-computing/index.html) Thus, if a covered entity uses any kind of CSP, whether it is Dropbox to store documents or an electronic health record system, the covered entity and the CSP must enter into a BAA, even if the data is encrypted and cannot effectively be accessed by the CSP. This is because, while encryption helps protect the confidentiality of ePHI, it does nothing to ensure the integrity and availability of ePHI, and the Security Rule requires that the confidentiality, integrity and availability of ePHI all be protected by appropriate safeguards.

The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 as a federal law against insurance fraud and medical identity theft. The law's Privacy Rule states that health care providers and their business associates must "implement appropriate administrative, technical and physical safeguards to protect the privacy of protected health information." Therefore, you must prevent unauthorized access to this information when PHI is disposed of. Here, we share our knowledge on ensuring HIPAA-compliant document destruction in your business.

Shredding is not total destruction of paper: someone who is really motivated can still reassemble the pieces. If the paper is taken to a third-party recycler after shredding, how does the shredding service know what happens to it there? They should have a plan to vet all the vendors they work with, or better yet, they should do the recycling in their own plant.

Shredding companies? That depends.
When a covered entity hires a shredding company to destroy documents containing PHI and the company removes the documents from the site for shredding, then the shredding company is probably a business associate and there should be a BAA between the covered entity and the shredding company.

There are many shredding companies that present themselves as HIPAA compliant and even make their own BAAs available to customers who need such an agreement, and it is important to look for a company that understands and meets HIPAA's requirements. NAID (National Association for Information Destruction) certifies that shredding services really know what they are doing. It is entirely voluntary; shredding services don't need to have NAID certification, but it's a quick way for you to gain some comfort that a shredding service takes privacy and security seriously.

There are many organizations and individuals who provide services that would be subject to a BAA. However, many of these organizations and individuals are not health care providers and do not know the requirements of HIPAA. Many BAs may be willing to sign a BAA, considering it akin to a non-disclosure or confidentiality agreement, without really understanding what HIPAA requires. Since BAs are probably not familiar with the specifics of HIPAA, it is important that each BAA contain specific information about HIPAA compliance, including the specific process the BA will follow in the event of a data breach, the security measures the BA will use to ensure that PHI is only used as described in the BAA, and how the BA will respond to an audit.