General HIPAA Questions
What is HIPAA? Congress enacted the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to cover the electronic transmission of certain Protected Health Information (PHI). The privacy provisions of HIPAA apply to health information created or maintained by health care providers, health plans, and health care clearinghouses. This regulation has three major purposes: to protect and enhance the privacy rights of consumers; to restore trust in the health care system among consumers and anyone involved in health care; and to create a national framework for health privacy protection.
Where can I find additional information about HIPAA? In the section at the end of this FAQ, you will find a number of useful resources available to you to assist you in understanding HIPAA and its impact on the healthcare industry. The main resource for information is the United States Centers for Medicare and Medicaid Services web site: (http://www.cms.hhs.gov/HIPAAGenInfo/01_Overview.asp#TopOfPage).
Will I be required to follow HIPAA requirements? Due to the nature of DeJarnette’s products, any entity or organization that is a customer of DeJarnette will be impacted in some way by HIPAA, and will be required to follow the regulations. HIPAA is a regulation and not optional; therefore, if your organization is a Covered Entity, it is required to follow the regulations. If you have any questions as to whether you are required to follow HIPAA regulations, please contact DeJarnette. See the section at the end of the FAQ regarding HIPAA resources for more information.
Are there future time frames associated with the HIPAA regulations? Most compliancy dates have been met. However, a compliance calendar is maintained at the Centers for Medicare & Medicaid web site: (http://www.cms.hhs.gov/HIPAAGenInfo/05_ComplianceDeadlines.asp#TopOfPage).
What must I do to be HIPAA compliant? HIPAA requirements cover more than medical imaging; they include medical records/health information management, information technology, patient accounting/business office, patient intake, clinicians, legal/risk management, public relations/marketing, compliance office, human resources, and education. Each organization is impacted differently and in areas other than those that DeJarnette products address. There are a number of resources available for you to review. See the section at the end of the FAQ regarding HIPAA resources for more information.
DeJarnette and HIPAA
Can DeJarnette help us meet HIPAA compliancy? DeJarnette will work with our customers to ensure HIPAA compliancy. This includes signing a Business Associate Agreement (see section below), assessing your HIPAA needs, adding or providing features that will assist your institution in meeting compliancy, and training your personnel how to use our products within a HIPAA-compliant environment. DeJarnette will work with our customer’s HIPAA/Privacy/Security Project Team or Project Coordinator to assist in addressing any HIPAA concerns or issues that they may have.
How will DeJarnette handle any future changes in the HIPAA Regulations?
DeJarnette works with the NEMA Privacy Task Force to keep up-to-date on BAA and Privacy issues. Also, DeJarnette’s Regulatory department would evaluate any regulation changes to determine their impact on both DeJarnette and DeJarnette’s customers.
The company’s Engineering and Research & Development departments will develop products with new features that will assist customers in their ability to fulfill any future HIPAA requirements. Sales and Service Agreements/Contracts will be updated as necessary to reflect any changes in the HIPAA regulations. Any changes will be reflected as necessary in both the DeJarnette HIPAA Policy Paper and these Frequently Asked Questions (FAQ). DeJarnette shall, from time to time, free of charge to the customer, supply any necessary modifications to the purchased vendor equipment, such that the equipment shall allow the customer to meet HIPAA requirements when using the equipment in a manner consistent with the equipment’s intended use and operating instructions supplied in the equipment usage documentation provided by the vendor. The term of this guarantee is from date of equipment purchase, running for 10 years thereafter, so long as the customer maintains the equipment under an annual vendor service agreement, in an uninterrupted fashion, for that 10-year period. If the customer fails to maintain the vendor equipment under an annual vendor service agreement, this guarantee shall expire as of the last date of continuous service coverage under a vendor service agreement.
DeJarnette Products
Why does HIPAA impact DeJarnette products? DeJarnette provides products for which the purpose is the creation, transmission, and storage of medical images and the patient information that is attached to those images. Since patient information is transmitted using our products, our customers must have policies and procedures in place to govern how that information is used within their organization, as well as if this information leaves their organization. How this is done is up to the individual organization, as long as the result complies with the HIPAA requirements.
Which DeJarnette products are HIPAA-compliant? No vendor is able to claim their products are HIPAA-compliant. The way the regulations are written, it is the organization (hospital, clinic, doctor’s office, health care provider) that is HIPAA-compliant, not the products/technology that is used. Depending on the organization’s needs, policies, and procedures, the solution for your organization may be culture-related, procedure-related and/or technology-related. DeJarnette may be able to assist you with many of these. See our HIPAA Policy Paper for more information on specific company products and how they can help to address HIPAA compliancy. If you have a need to be filled that involves HIPAA compliance, please contact our Sales department, too; we would be happy to discuss your needs with you.
Business Associate Agreements
Who do we contact regarding a Business Associate Agreement? Please contact our Sales/Marketing department if your organization has a standard Business Associate Agreement (BAA) that must be signed. Alternatively, DeJarnette has an agreement prepared that may be signed immediately. This agreement is a template agreement developed with the Medical Informatics Privacy Task Force of NEMA (National Electrical Manufacturers Association), of which DeJarnette is a member.
Why must we have DeJarnette sign a Business Associate Agreement? HIPAA requires that each Covered Entity (each of our customers) obtain a Business Associate Agreement with every business associate that they deal with. The regulations are written such that, with DeJarnette’s (a business associate) signing of a Privacy/Business Associate agreement with one covered entity, the agreement does not transfer over to another covered entity. Under no circumstances will DeJarnette disclose Protected Health Information (PHI) of one Covered Entity to another Covered Entity without the explicit authorization of the original Covered Entity. Additionally, DeJarnette will require, if it becomes necessary, any affiliates or subcontractors to abide by the same privacy requirements established for DeJarnette.
Are there any customers with whom DeJarnette will not have to sign a Business Associate Agreement? If the customer is not a covered entity as defined by HIPAA, then a Business Associate Agreement will not be necessary. Additionally, if there is any servicing that will not violate the customer’s privacy policies, or will not allow access to any patient information, then a BAA is not required. Since most servicing of DeJarnette’s product involves PHI in some form, a DeJarnette employee needing to access any PHI where the customer did not have a BAA in effect would cause the customer to be in violation of HIPAA.
Still Have Questions?
Contact DeJarnette's HIPAA resource at: hippa@dejarnette.com.
Miscellaneous HIPAA Resources
NEMA (http://www.nema.org/search/results.cfm?srchString=hipaa) Information on Security & Privacy Initiatives.
HIPAA Advisory (http://www.hipaadvisory.com)† Excellent resource, sponsored by Phoenix Health Systems. HIPAA regulations, articles, presentations, surveys, news.
United States Centers for Medicare & Medicaid Services (http://www.cms.hhs.gov/HIPAAGenInfo/) HHS HIPAA Administrative Simplification Web site.
United States Department of Health and Human Services Office for Civil Rights-HIPAA (http://www.hhs.gov/ocr/hipaa/) National Standards to Protect the Privacy of Personal Health Information Web Page.
HIPAA Resource Center (http://www.aishealth.com/Compliance/HIPAAResource.html)† Good articles selection, sponsored by Atlantic Information Services.
Otech, Inc. (http://www.otechimg.com)† Information regarding DICOM and HIPAA.
I still have questions, or am unsure of what I need to do. Please contact hipaa@dejarnette.com, and we will be able to assist you.
† Commercial sites