HIPAA and HITECH provide national minimum standards to protect an individual’s protected health information (PHI). The U.S. Department of Health and Human Services (HHS) manages and enforces these standards.
HIPAA was originally created to streamline healthcare processes and reduce costs by standardizing certain common health care transactions, while protecting the security and privacy of individuals’ PHI. HITECH expanded on the privacy and security requirements of HIPAA.
HIPAA and HITECH focus on PHI, which generally includes any individually identifiable information about a person’s physical or mental health, the provision of health care to that person, or payment for related services. PHI also includes identifying demographic information held together with such health information, such as name, address, phone numbers, and Social Security number.
These standards affect the use and disclosure of PHI by covered entities (such as health care providers engaged in certain electronic transactions, health plans, and health care clearinghouses) and their business associates.
Vtiger enables covered entities and their business associates subject to the U.S. Health Insurance Portability and Accountability Act (HIPAA) to leverage the secure Vtiger environment to process, maintain, and store protected health information.
The 4 HIPAA Rules
HIPAA Privacy Rule
HIPAA’s Privacy Rule limits the use and disclosure of PHI to what the rule permits or requires; an impermissible use or disclosure is a violation whether it is intentional or accidental. A business associate such as Vtiger must:
- Not use or disclose PHI other than as permitted by its business associate agreement or required by law
- Report any breach of unsecured PHI to the covered entity
- Make PHI available so that the covered entity can satisfy individuals’ right of access
- Disclose PHI to the Secretary of HHS when required for a compliance investigation
- Provide an accounting of disclosures
- Comply with the HIPAA Security Rule with respect to electronic PHI
HIPAA Security Rule
HIPAA’s Security Rule requires covered entities and their business associates to put in place administrative, physical, and technical safeguards to protect electronic PHI (ePHI).
HIPAA Enforcement Rule
It sets out compliance investigations, civil money penalties for violations, and the procedures for hearings.
HIPAA Breach Notification Rule
It requires covered entities to notify affected individuals (and, for larger breaches, HHS and the media) following a breach of unsecured PHI, and requires business associates to notify the covered entity.
Vtiger helps covered entities be HIPAA compliant
The Vtiger CRM service runs on servers hosted in Amazon Web Services (EC2) data centers. Vtiger provides mechanisms that help healthcare providers (covered entities) using the service to meet their HIPAA obligations.
Our security policy mandates all of the following, mapped to the Security Rule’s three safeguard categories:
- Physical Safeguards – Physical access to the servers is restricted to authorized Amazon personnel.
- Administrative Safeguards – Access to data within the application is controlled by the covered entity, which uses Vtiger CRM’s role-based access control to restrict which users can see which records; access to the underlying servers is controlled by the Vtiger operations team.
- Technical Safeguards – Vtiger actively monitors for vulnerabilities in the operating system, web server, database, and the Vtiger CRM application, and patches them promptly.
For more details, see vtiger.com/security.
A note on encryption – Vtiger does not encrypt data at rest.
Contact data is stored in the database unencrypted. Direct database access requires a login to the server itself, which is restricted to a small number of administrators on our operations team, and all server access is logged. Because stored data is not encrypted, it counts as “unsecured PHI” under the Breach Notification Rule, so a breach affecting it would be notifiable; covered entities should account for this in their risk analysis.
Data in transit is encrypted using TLS (commonly still referred to as SSL).
If a breach occurs at the service level, Vtiger will notify the healthcare provider (its customer), as the Breach Notification Rule requires of a business associate.