The information that ChiroUp collects and stores creates an electronic medical record (EMR) for each of your patients and is subject to HIPAA requirements. To meet those requirements, ChiroUp applies the same privacy and security safeguards to its EMR that subscribers are required to apply to patient records created in their chiropractic practice. The following points describe how ChiroUp and its subscribers meet HIPAA requirements:
Business Associate Agreement
The Privacy Rule allows a covered entity (you) to use a business associate (ChiroUp) to perform functions or activities on behalf of, or provide services to, the covered entity that involve the use or disclosure of protected health information (PHI), provided the covered entity obtains satisfactory assurances, through a contract or agreement, that the business associate will appropriately safeguard the information. (See 45 C.F.R. §§ 164.502(e), 164.504(e).)
Upon initial registration, ChiroUp automatically provides subscribers with a valid Business Associate Agreement (BAA) stating that ChiroUp is “a business associate with whom covered entities are permitted to share PHI” and that ChiroUp will provide “all assurances and appropriate safeguards” for the patient records created. If you need a copy of the BAA, please navigate to your user settings or contact support@chiroup.com. If your clinic has a separate BAA that you would like our assigned security officer to sign, please email it to support@chiroup.com.
Patient Notification
As a condition of subscribing, you should have read the ChiroUp Terms of Use, which state that you must notify patients that their PHI will be shared with ChiroUp and that ChiroUp will conduct patient surveys. In other words, you must give your patient notice and the opportunity to decline having information sent to ChiroUp and to decline being surveyed. A link to the current ChiroUp terms of use can be found here.
Data Security and Encryption
Finally, because the EMR is provided to a covered entity (you), ChiroUp must abide by the HIPAA/HITECH Act’s security provisions. To meet these requirements, ChiroUp employs:
⌾ Administrative safeguards that include background checks and training for ChiroUp employees.
⌾ Physical safeguards for ChiroUp facilities and devices.
⌾ Technical safeguards within the program that include authentication, automatic log-off, and encryption.
HIPAA’s final rule on security standards covers transmission security (i.e., email and file sharing): “With respect to transmissions from covered entities, covered entities must protect electronically protected health information when they transmit that information” (p. 8338).
To achieve this security standard, HIPAA recommends two potential solutions:
1) “Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.”
2) “Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.” (p. 8338)
HIPAA allows discretion when choosing a method of encryption and does not name specific encryption requirements: “Covered entities are encouraged to consider the use of encryption technology for transmitting electronic protected health information, particularly over the internet… We remain committed to the principle of technology neutrality and agree with the comment that rapidly changing technology makes it impractical and inappropriate to name a specific (encryption) technology.” (p. 8357)
To achieve HIPAA compliance, ChiroUp encrypts email data in transit using Transport Layer Security (TLS). You can download ChiroUp’s HIPAA Business Associate Agreement from your user settings.
Is ChiroUp HIPAA compliant?