Laboratories are, by nature and definition, Healthcare Service Providers (HSPs), and as such are the primary audience of HIPAA.
Netlims is not an HSP but rather a vendor of a tool used by HSPs. Netlims neither creates nor processes any PHI (its tool does so when operated by the customer’s personnel), but it does have access to PHI in certain cases and is therefore considered a Business Associate of the HSPs. Netlims has Business Associate Agreements (BAAs) in place with many of its customers and, regardless of the BAA obligation, has the utmost interest in protecting all PHI accessed by any individual acting on Netlims’ behalf while performing Netlims’ contractual duties. Strict adherence to protecting our customers’ PHI and maintaining confidentiality is therefore not only a legal requirement that HIPAA imposes on Business Associates; it is also logical and justified.
The objective of this document is to define Netlims’ policy and practices to achieve this goal.
Full compliance is the responsibility of each and every individual acting on Netlims’ behalf whenever their duties require access to PHI.
Protected Health Information
PHI refers to individually identifiable personal and/or health information received by Netlims that relates to the past or present health of an individual or to the payment of health care claims. PHI includes personal identifiers such as first and last name, SSN, date of birth, address and phone numbers, as well as medical conditions and records, including health status, medical history, test results, genetic information, etc.
PHI is not to be shared with, published to or disclosed to any third party under any circumstances, except to comply with a legal requirement imposed by a competent governmental entity.
Accessing and storing PHI
No PHI is to be stored on Netlims’ servers or on Netlims employees’ computers or devices (including laptops, iPads, etc.). Where Netlims’ duties call for accessing PHI on customers’ servers, login will be done only via the customers’ pre-approved authentication procedures, including their required credential-change frequency. All logins are to be logged by the gateway process.
If there is a need to transfer PHI over the web, the following guidelines will be followed:
- Only the minimal amount of data necessary to satisfy the specific need/task (e.g. investigating unexpected system behavior on certain data) is to be transferred.
- All PHI data to be transferred must be encrypted prior to transmission.
- Transmission will be done only over a secured line (point-to-point / tunnel) and using a secured transfer protocol.
- Once the task is completed, ALL transferred data (and any copy thereof, whether modified or intact) must be destroyed.
- Any change performed to data on a customer’s server must be logged (modifier ID, date, time, original value, new value or action performed).