The cloud-based Carevium Senior Living solution is a HIPAA-compliant application used by senior living communities (assisted living facilities, memory care communities, and residential care homes) and by home care agencies. Here is some relevant information on HIPAA law and HIPAA compliance.
What is HIPAA?
HIPAA stands for Health Insurance Portability and Accountability Act. The law was passed in 1996. The legislation was designed to make it easier for workers to retain health insurance coverage when they change or lose their jobs. The legislation also sought to drive the adoption of electronic health records to improve the efficiency and quality of the American healthcare system through improved information sharing.
Along with increasing the use of electronic medical records, the law included provisions to protect the security and privacy of Protected Health Information (PHI). PHI includes a very wide set of personally identifiable health- and health-related data, from insurance and billing information, to diagnosis data, clinical care data, and lab results such as images and test results. The rules apply to “Covered Entities”, which include hospitals, medical services providers, employer sponsored health plans, research facilities and insurance companies that deal directly with patients and patient data. The law and regulations also extend the requirement to protect PHI to “Business Associates”.
HIPAA was expanded by the Health Information Technology for Economic and Clinical Health Act in 2009. HIPAA and HITECH establish a set of federal standards intended to protect the security and privacy of PHI. These provisions are included in what are known as the “Administrative Simplification” rules. HIPAA and HITECH impose requirements related to the use and disclosure of PHI, appropriate safeguards to protect PHI, individual rights, and administrative responsibilities. For additional information on how HIPAA and HITECH protect health information, visit: http://www.hhs.gov/ocr/privacy/hipaa/understanding/index.html
What is a Covered Entity (CE)?
If an organization bills Medicare, Medicaid or a private insurer for payment and uses a third party to do that billing electronically, then that organization is a Covered Entity.
What is PHI?
PHI stands for Protected Health Information, which is protected by HIPAA regulations.
Are all Assisted Living Facilities and Home Care Agencies covered by HIPAA?
If an organization is a Covered Entity (CE), then it is covered by HIPAA.
Who is covered by HIPAA?
Your employees and workforce are covered by HIPAA. Your tenants / residents / clients are not covered!
Who are Business Associates?
If you are a Covered Entity, then the organizations and service providers you use are Business Associates. For example, if you are a CE and you use the Carevium service, then Carevium (the organization) is a Business Associate under HIPAA regulations.
Where is Carevium Service hosted?
The Carevium cloud-based service is hosted in Amazon Web Services (AWS) data centers.
Does AWS enable HIPAA compliance?
Yes, AWS enables Covered Entities and their Business Associates subject to the US Health Insurance Portability and Accountability Act (HIPAA) to leverage the secure AWS environment to process, maintain, and store protected health information.
Who uses AWS cloud services?
A large and growing number of healthcare providers, payers and IT professionals are using AWS’s utility-based cloud services to process, store, and transmit PHI.
Where is Carevium hosted?
The Carevium application and its data are hosted in AWS cloud data centers in the US. Multiple data centers and locations are used for security, replication and availability of data.
How does Carevium protect PHI on AWS?
Carevium data is encrypted both during transmission (in flight) and in storage (at rest) on AWS.
Carevium uses AWS services such as EC2, EBS, S3 and ELB to store, transmit and manage data. Carevium uses Secure Sockets Layer (SSL) to protect data in flight.
How is the data secured?
AWS Elastic Load Balancing helps Carevium maintain a scalable web and API architecture that is both resilient and secure within its Amazon VPC environment. The data stores and middle tiers are isolated from network exposure to the Internet, so all servers are kept private and the attack surface is greatly reduced. Carevium also uses Amazon Simple Email Service (SES) for outbound email notification alerts. Carevium employees' access to customer data is restricted and granted on a need-to-know basis for customer support and maintenance.
All application user credentials are encrypted and maintained by the Carevium application. Multiple user roles in Carevium restrict data access for staff and employees to a need-to-know basis.
HIPAA's Security Rule also requires in-depth auditing capabilities, data backup procedures, and disaster recovery mechanisms. Carevium uses several AWS services to address these requirements.
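The two preceding paragraphs describe role-based, need-to-know access and an audit trail. The following is an added example, not Carevium's own code, of how those two controls fit together in application logic: a resident record is filtered down to the fields a role is permitted to see, unknown roles are denied by default, and every read, permitted or refused, is recorded in an audit log. The roles, field names and sample record are hypothetical.

```python
"""Added example (not Carevium's code): need-to-know filtering of a resident
record by role, with an audit entry for every access attempt."""

from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical roles and the record fields each may see ("minimum necessary").
# Anything not listed for a role is withheld; unknown roles get nothing.
ROLE_FIELDS = {
    "caregiver": {"resident_id", "name", "room", "care_plan", "allergies"},
    "nurse": {"resident_id", "name", "room", "care_plan", "allergies",
              "medications", "diagnoses"},
    "billing": {"resident_id", "name", "insurance_id", "billing_address"},
}


@dataclass
class AuditEntry:
    timestamp: str
    user: str
    role: str
    resident_id: str
    fields_returned: tuple
    fields_withheld: tuple
    outcome: str  # "allowed" or "denied-unknown-role"


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)


def read_record(user, role, record, audit):
    """Return the subset of `record` that `role` may see.

    Deny-by-default: a role missing from ROLE_FIELDS raises PermissionError.
    Both outcomes are appended to `audit` before returning or raising.
    """
    now = datetime.now(timezone.utc).isoformat()
    resident_id = record.get("resident_id", "<unknown>")
    allowed = ROLE_FIELDS.get(role)
    if allowed is None:
        audit.entries.append(AuditEntry(now, user, role, resident_id, (),
                                        tuple(sorted(record)), "denied-unknown-role"))
        raise PermissionError(f"role {role!r} may not read resident records")
    view = {k: v for k, v in record.items() if k in allowed}
    withheld = tuple(sorted(set(record) - set(view)))
    audit.entries.append(AuditEntry(now, user, role, resident_id,
                                    tuple(sorted(view)), withheld, "allowed"))
    return view


# Constructed sample record; no real person or identifier.
SAMPLE_RECORD = {
    "resident_id": "R-0042",
    "name": "Sample Resident",
    "room": "12B",
    "care_plan": "Assist with mobility twice daily",
    "allergies": "penicillin",
    "medications": "metformin 500 mg",
    "diagnoses": "type 2 diabetes",
    "insurance_id": "INS-PLACEHOLDER",
    "billing_address": "1 Example St",
}


if __name__ == "__main__":
    log = AuditLog()
    print(read_record("alice", "caregiver", SAMPLE_RECORD, log))
    print(read_record("bob", "billing", SAMPLE_RECORD, log))
    try:
        read_record("mallory", "visitor", SAMPLE_RECORD, log)
    except PermissionError as exc:
        print("refused:", exc)
    for entry in log.entries:
        print(entry.outcome, entry.user, entry.role, entry.fields_withheld)
```

Recording the withheld fields as well as the returned ones is what makes the log useful for a later access review: it shows not only who read a record but what the application kept back from them.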
Carevium uses AWS EC2 instances in multiple Availability Zones to create geographically diverse, fault tolerant systems that are highly resilient in the event of network failures, natural disasters, and most other probable sources of downtime. Using Amazon S3, a customer’s data is replicated and automatically stored in separate data centers to provide reliable data storage with a service level of 99.9% availability and no single points of failure.
The following graphic shows how various components of Carevium system are managed.