My Vault® HIPAA Compliance
My Vault Online Storage is HIPAA compliant. If you store health information on My Vault, there is no unauthorized access to or disclosure of that health information. Make sure you understand HIPAA compliance, whom it applies to, and how My Vault online storage fits into HIPAA compliance. The following information is intended to help educate you on HIPAA and on My Vault’s role as an online data storage solution, where one may store medical records in addition to other digital assets.
HIPAA stands for the Health Insurance Portability and Accountability Act. It was created for the protection of patient health information and requires safeguards for the handling and storing of medical data held by Covered Entities.
If you are not familiar with HIPAA, we recommend you go to the US Department of Health and Human Services website, www.hhs.gov, to understand HIPAA.
It’s important to understand that HIPAA consists of 5 primary components, referred to as “Titles”:
- 1) HIPAA Health Insurance Reform and Health Insurance Portability and Accountability Act: maintaining workers’ insurance coverage during job changes
- 2) HIPAA Administrative Simplification Statute and Rules and the associated security and privacy concerns of health information
- 3) HIPAA Provisions for Tax-Related Structures such as Medical Savings Accounts and Health Insurance Tax Deductions
- 4) HIPAA Group Health Plan Requirements and Enforcement Provisions
- 5) HIPAA Revenue Offset Provisions
Titles 1, 3, 4, and 5 are not relevant to My Vault online storage, data backup, business data storage or data recovery solutions. However, Title 2, dealing with the HIPAA Administrative Simplification Statute and Rules, the standards for electronic health care related transactions, and the related security and privacy concerns, is of relevance to online data storage providers such as My Vault.
With respect to Title 2, Administrative Simplification, there are two rules: the HIPAA Privacy Rule and the HIPAA Security Rule. These rules contain relevant information for storage providers of medical data such as medical data warehouses, online storage solutions or data recovery providers.
It’s important to understand the two primary rules that form the underlying basis for HIPAA compliance according to the US Department of Health and Human Services, which are:
- 1) The HIPAA Privacy Rule provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information. At the same time, the Privacy Rule is balanced so that it permits the disclosure of personal health information needed for patient care and other important purposes.
My Vault online storage does not engage in the use or disclosure of personal health information. My Vault storage is fully encrypted, and both general account access and sharing controls for personal health information on My Vault are limited to, and endorsed by, the account holder of a My Vault account.
- 2) The HIPAA Security Rule specifies a series of administrative, physical, and technical safeguards for Covered Entities to use to assure the confidentiality, integrity, and availability of electronic protected health information.
My Vault meets or exceeds these safeguards.
It is also important to understand that federal HIPAA regulation must be followed by “Covered Entities.” The US Department of Health and Human Services defines Covered Entities as including the following three broad categories:
Health Plans
- Health insurance companies
- Company health plans
- Government programs that pay for health care, such as Medicare, Medicaid, and the military and veterans health care programs
Health Care Providers, such as:
- Nursing Homes
...but only if they transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard.
Health Care Clearinghouses
- This includes entities that process nonstandard health information they receive from another entity into a standard format (i.e., standard electronic format or data content), or vice versa.
My Vault is not viewed as a “Covered Entity” by HIPAA. However, in addition to “Covered Entities”, compliance with HIPAA may be relevant to a business if that business is viewed by the Department of Health and Human Services as a “Business Associate” that serves a Covered Entity.
Business associate functions and activities include: claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management; and re-pricing. Business Associate services are: legal; actuarial; accounting; consulting; data aggregation; management; administrative; accreditation; and financial.
Persons or organizations are not considered Business Associates if their functions or services do not involve the active use or disclosure of protected health information (PHI). My Vault is an online data storage solution. My Vault is not in the business of using or disclosing protected health information; it is an organization that acts merely as a protected data storage solution for private information. My Vault data is stored in a highly secure data center and cloud environment with encryption. The storage process does not require third-party human interaction. Any third-party access to personal health information on My Vault would have to be required by operation of law, such as a valid subpoena. Thus, as an automated digital online data storage solution provider, My Vault is not considered a default “Business Associate” for the medical services industry, and although we are not required to be compliant with the HIPAA Privacy Rule, our storage is private. Information stored on My Vault does not get viewed or handled by any third party.
Data recovery and online storage solution services should comply with the HIPAA Security Rule requirements, since Covered Entities must be compliant with HIPAA Security. The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information. My Vault complies with the HIPAA Security Rule for Business Associates through implementation of the appropriate safeguards in its online storage solution offerings. These safeguards include disaster recovery measures, restricted biometric data center access standards, and a variety of other control measures:
- Physical Safeguards: Facility Access and Control, Workstation and Device Security
- Website and/or Data Center Technical Safeguards: Access Control, Audit Controls, Integrity Controls, Transmission Security
- Administrative Safeguards: Security Management Process, Information Access Management, Workforce Training and Management
While My Vault provides many digital asset management solutions to individual and business users of all sorts, My Vault is not a primary patient medical records management solution and is not viewed as a “Covered Entity,” because our primary business is not to furnish, bill for, or receive payment for health care in the normal course of business. Our business focus is not on the management of medical records for the medical industry; rather, our business is focused on the safe, secure storage of digital information of all sorts – medical or not. No “Covered Entity” can assert that My Vault is their primary “Business Associate” without a Business Associate Contract in place.
If you need to create a data backup of medical information to stay HIPAA compliant, you can do so with My Vault online storage. If you are an individual, a non-covered entity, wanting to use My Vault for private storage of personal records, including medical records, your information is private, secure and safe. My Vault is a HIPAA compliant online data storage solution. Information stored on My Vault, medical or not, does not get shared, distributed, viewed, copied, or monitored by any third party within the bounds of the law.
Keep in mind that no national HIPAA compliance documentation or certification process exists for online backup applications or online data storage solution providers, so, in effect, an online storage solution cannot be certified as compliant with HIPAA. Rest assured, My Vault has taken every reasonable precaution to safeguard your privacy, whether required by law or not.