User Guide — Security and HIPAA
HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. HIPAA includes the Final Privacy Rule, which regulates the handling of individually identifiable healthcare information to safeguard patient privacy. It is the responsibility of your practice to ensure that your staff follows your internal policies and procedures.
athenaOne offers many safeguards to help you comply with the Final Privacy Rule and data security regulations:
Information security is both your and our responsibility. We must each do our part diligently.
All the data passing between your offices and athenaOne is encrypted to a high industry standard (128-bit SSL).
athenahealth is responsible for keeping unauthorized people out of athenaOne, and you are responsible for keeping unauthorized people off your network by having appropriate physical, technical, and administrative controls. We promise to each other to have up-to-date HIPAA security and privacy plans and that we will cooperate in investigating security incidents.
You maintain your list of users and their permissions. For the athenaOne audit trails to reliably attribute each action to the person who performed it, all accounts must belong to individual people, not shared accounts such as "NURSE1" or "billingoffice." You need to make sure that no one to whom you have granted access is sharing his or her password. athenahealth will do the same.
When it is no longer appropriate for someone currently or formerly on your staff to have access to your athenaOne data, you commit to disable his or her account immediately. athenahealth will do the same. Remember, athenaOne is on the Internet and unless you take extra care to restrict access, an angry former employee could go straight home and do something dumb or harmful. You and we must also satisfy the HIPAA "minimum necessary" requirement.
Data storage media (CD, DVD, floppy disk, hard drive, thumb drives, etc.) received by athenahealth will be destroyed and not forwarded or returned to you. Please instruct your trading partners to send storage media to your office location, not your pay-to address.
We also require that, if you want to grant access to someone not employed by you (a consultant, for example), you notify us and, subject to our approval, have that person sign a short third-party access agreement. Similarly, athenahealth promises to have business associate agreements with any third party we hire who needs access to your data, for example, claims intermediaries.