DE
HIPAA and HITECH Act
Last updated: Feb 28, 2020
VWO complies with the Health Insurance Portability and Accountability Act (HIPAA) of 1996 and the Health Information Technology for Economic and Clinical Health (HITECH) Act. VWO maintains appropriate administrative, physical, and technical safeguards to provide for continuing security & privacy of your PHI or ePHI.
1. VWO’s commitment to HIPAA compliance
VWO believes privacy and data protection are core aspects of trust in today’s technology-driven world. We take our security and privacy commitment to you and your customers very seriously. We are acutely aware that we need to earn and maintain your trust on a daily basis.
Our commitment to ensuring that our customer data is safe, secure, and always available to them, is one of our top priorities. To demonstrate our compliance with security and privacy standards in the industry, VWO has sought and received security and privacy certifications, such as ISO 27001 and ISO 27701 certification, and PCI DSS 3.2.1 Level 2 Self-Assessment.
2. VWO, HIPAA and the HITECH ACT
HIPAA regulations require that covered entities and their business associates—in this case, VWO, enter into a contract to ensure that those business associates adequately protect PHI. This contract, or Business Associate Agreement (BAA), clarifies and limits how the business associate can handle PHI, and sets forth each party’s adherence to the security and privacy provisions outlined in the HIPAA and the HITECH Act. Once a BAA is in place, VWO customers (covered entities) can use its services to process and store PHI.
Currently, there is no official certification for HIPAA or HITECH Act compliance. However, VWO has undergone audits conducted by accredited independent auditors for the VWO ISO/IEC 27001 and ISO 27701 certification.
HIPAA covers information about a person’s health or healthcare services is classified as Protected Health Information (PHI). VWO customers who are subject to HIPAA and wish to use the VWO products with PHI must sign a BAA with VWO. Customers are responsible for ensuring that they achieve compliance with HIPAA and HITECH Act requirements.
We adhere to the HIPAA obligations by leveraging appropriate security configuration options for all VWO products. Additionally, we make our Business Associate Agreement (BAA) available for execution by subscribers.
Refer to the following document for more details:
- VWO NIST 800-53 Rev4 Crosswalk with HIPAA and ISO 27001/2 Assessment
- How to configure Your VWO account to be HIPAA compliant
3. Which VWO Customers Does HIPAA Apply To?
VWO customers that collect, transmit, and store PHI or ePHI are considered “Covered Entities“ under the HIPAA. Covered entities bear the primary responsibility of ensuring that their processing of PHI is compliant with the HIPAA and HITECH Act.
VWO acts as a “Business Associate,“ and shall transmit and store the Protected Health Information (PHI) of our customers solely for the purpose of performing our obligations under our existing contract(s) with our subscribers; and, for no commercial purpose other than the performance of such obligations and improvement of the services we provide.
4. How VWO Complies with HIPAA?
At Wingify, we ensure that our customer data is secure and easily accessible. Wingify product- VWO is built on a foundation of trust, security, and compliance to ensure that our internal data practices are HIPAA-ready. An equally important part for us is to assist our customers and partners in their journey toward compliance. Customers can also view the below table for more detailed information on how to use VWO Services to comply with HIPAA and HITECH Act.
With that in mind, we have the following details about the VWO Experience Optimization Platform:
|
VWO Features |
How It Works |
|
|
Storing and managing data for visitors |
Session Recordings |
By default, VWO anonymizes all key presses to avoid storing or transmitting any PHI or sensitive information on VWO servers. We have features to anonymize the following:
|
|
Custom Dimensions |
We have the process of creating a custom dimension in VWO to include the following features:
|
|
|
Location Information |
Customers can customize what location information of visitors is stored or completely disable storing any location information. IP Address- By default, VWO replaces the last octet of IP address with 0 before saving it. Customers can now customize this setting and disable storing the IP address. |
|
|
Collecting Consent |
On-page Surveys |
We have the option to display a consent message at the beginning of each survey. The message can also include links to policies and other information. |
|
Browser Privacy Settings |
Customers can configure their privacy settings in the VWO app to stop recording any information about the website visitors who have the “Do Not Track” setting enabled on their browsers. |
|
|
Consumer Rights |
Security Settings |
Customers can request data for their website or mobile app visitors through a visitor’s UUID. A link will be generated by VWO that will collect all the data for specific UUID or potential data such as URLs and visitor recordings for a defined time period. |
|
Security Settings |
Customers can request the deletion of data for their website or mobile app visitors through their visitor’s UUID. |
5. Frequently asked questions
I. What are HIPAA and HITECH?
“HIPAA” refers to the Health Insurance Portability and Accountability Act of 1996 and the rules and the regulations passed by the U.S. Congress designed to protect privacy and ensure the security of Personal Health Information (PHI) and electronic Personal Health Information (ePHI).
“HITECH” refers to the Health Information Technology for Economic and Clinical Health Act enacted in the United States Congress, which is Title XIII of the American Recovery & Reinvestment Act, and the regulations thereunder, as amended.
II. What is considered PHI under HIPAA Rules?
Under HIPAA, PHI is any identifiable health information that is used, maintained, stored, or transmitted by a HIPAA – covered entity – a healthcare provider, health plan or health insurer, or a healthcare clearinghouse – or a business associate of a HIPAA-covered entity, in relation to the provision of healthcare or payment for healthcare services.
It is not only past and current health information that is considered PHI under HIPAA Rules, but also future information about medical conditions or physical and mental health-related to the provision of care or payment for care. PHI is health information in any form, including physical records, electronic records, or spoken information.
Therefore, PHI includes health records, health histories, lab test results, and medical bills. Essentially, all health information is considered PHI when it includes individual identifiers. Demographic information is also considered PHI under HIPAA rules, as are many common identifiers such as patient names, Social Security numbers, driver’s license numbers, insurance details, and birth dates when they are linked with health information. The 18 identifiers that make health information PHI are:
|
18 Identifiers that make health information PHI |
||
|
Names |
Dates expect year |
Telephone numbers |
|
Geographic data |
Fax numbers |
Social Security numbers |
|
Email addresses |
Medical record numbers |
Account numbers |
|
Any unique identifying number or code |
Certification/license numbers |
Vehicle identifiers and serial numbers including license plates |
|
Web URLs |
Device identifiers and serial numbers |
Full face photo and comparable images |
|
Internet protocol addresses |
Biometrics identifiers (i.e. retinal scan, fingerprints) |
Health plan beneficiary numbers |
One or more of these identifiers turn health information into PHI, and PHI HIPAA Privacy Rule restrictions will then apply, which limit usage and disclosures of the information. HIPAA covered entities and their business associates also need to ensure appropriate technical, physical, and administrative safeguards are implemented to ensure the confidentiality, integrity, and availability of PHI, as stipulated in the HIPAA Security Rule.
What is Protected Health Information (PHI)?
It is any information relating to an identified or identifiable natural person. The identifiers are classified into two types: direct (e.g., name, email, phone number, etc.) and indirect (e.g., date of birth, gender, etc.).
III. To whom does HIPAA apply?
HIPAA applies to healthcare providers, health plans, and healthcare clearinghouse services. These providers are required to handle patient personal health information in a way that meets defined security standards. When providers use third-party vendors or services (Business Associates) where personal health information might be stored, those Business Associates need to adhere to the standards as well. This agreement is contractually defined in a Business Associate Agreement (BAA). For additional information, refer to the US Department of Health and Human Services HIPAA covered entities website.
PHI stands for Protected Health Information and is any information in a medical record that can be used to identify an individual, which was created, used, or disclosed in the course of providing a healthcare service, such as a diagnosis or treatment.
ePHI is Electronic Protected Health Information and is all individually identifiable health information that is created, maintained, or transmitted electronically by mHealth and eHealth products. This includes PHI on desktop, web, mobile, wearable, and other technology such as email, text messages, etc.
IV. How does HIPAA work with a platform like VWO?
The term “Business Associate” refers to those entities that perform a service related to claims processing or administration; data analysis processing or administration; utilization review; quality assurance; billing; benefit management; practice management; and repricing. For example, a third-party administrator that assists a health plan with claims processing would be considered a HIPAA “Business Associate,” and its customers would expect the administrator to be HIPAA compliant on their behalf.
VWO can enter into a Business Associate Agreement (BAA) with HIPAA covered customers. While customers have the ability to use the VWO Experience Optimization Platform in various ways to meet their business needs, HIPAA covered customers must configure the correct configuration level and appropriately configure their VWO access controls and usage to help safeguard Protected Health Information (PHI) from misuse and wrongful disclosure.
Although VWO, as a Business Associate, is HIPAA compliant, ultimately, customers are responsible for evaluating their own HIPAA compliance. In addition, VWO should not be considered the ‘Designated Record Set’ holder under HIPAA.
V. Is VWO HIPAA compliant?
Yes, VWO is HIPAA compliant when covered entities or business associates configure the platform correctly and have a business associate agreement with VWO.
Note that there is no certification recognized by the US Department of Health and Human Services (HHS) for HIPAA compliance. HIPAA compliance, specifically the relationship between a covered entity and a Business Associate, is a shared responsibility.
To provide assurance and external verification, VWO undergoes several audits regularly. These audits test VWO’s documentation and approach to security and privacy for datastores, infrastructure, and operations. VWO has annual audits for the following certifications:
- ISO 27001:2013 Information Security Management Systems [ISMS]: ISO 27001 ensures a systematic approach to managing sensitive company information so that it remains secure. ISMS includes people, processes, and IT systems by applying a risk management process.
- ISO 27701:2019 Privacy Information Management System [PIMS] & CCPA Act Compliance: ISO 27701 is internationally recognized and built as an extension of the widely-used ISO/IEC 27001 and ISO/IEC 27002 standards for information security management. It is a global privacy standard that focuses on the collection and processing of personally identifiable information (PII). This standard was developed to help organizations comply with international privacy frameworks and laws.
- Payment Card Industry Data Security Standard [PCI DSS] version 3.2.1 Level 2 Service Provider: PCI DSS helps organizations in managing risks to the data and verifying adherence to PCI DSS requirements to prevent fraud through increased controls of data.
Customers may refer to these audit reports to determine how VWO meets the HIPAA compliance program.
Additionally, you might also want to review VWO documentation related to privacy principles practices and data security measures.
VI. Where is my information located?
The data of vwo.com and app.vwo.com customers will reside in the US with Google Cloud Platform (GCP).
VII. Does having a BAA with VWO ensure my organization’s compliance with HIPAA and HITECH Act?
No, having a BAA with VWO does not ensure your organization’s compliance with the HIPAA and HITECH Act. Your organization is responsible for ensuring that you have an adequate compliance program and internal processes in place and that your particular use of VWO aligns with HIPAA and the HITECH Act.
VIII. Who are the key stakeholders?
Covered Entity – The HIPAA Covered Entity has the same meaning as the term “covered entity” at 45 CFR 160.103. The Privacy Rule defines a Covered HIPAA Entity as any health plan, any healthcare clearinghouse, or any healthcare provider who transmits Protected Health Information (or PHI as per the standards developed by the Department of Health & Human Services) in electronic form.
Business Associate – “Business Associate” has the same meaning as the term “business associate” at 45 CFR 160.103.
A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of or provides services to, a covered entity. A member of the covered entity’s workforce is not a business associate. A covered healthcare provider, health plan, or healthcare clearinghouse can be a business associate of another covered entity. The Privacy Rule lists some of the functions or activities, as well as the particular services that make a person or entity a business associate if the activity or service involves the use or disclosure of protected health information. The types of functions or activities that may make a person or entity a business associate include payment or health care operations activities, as well as other functions or activities regulated by the Administrative Simplification Rules.
Business Associate Agreement – A HIPAA business associate agreement is a contract between a HIPAA-covered entity and a vendor used by that covered entity. A vendor of the HIPAA-covered entity that needs to be provided with PHI to perform duties on behalf of the covered entity is called a business associate (BA) under the HIPAA. A vendor is also classed as BA if, as part of the services provided, electronic PHI (ePHI) passes through their systems. A signed HIPAA business associate agreement must be obtained by the covered entity before allowing a business associate to come into contact with PHI or ePHI.
HIPAA Rules – “HIPAA Rules” means the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164.
IX. What are the penalties for non-compliance?
Penalties for HIPAA violation can be issued by the Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general. In addition to financial penalties, covered entities are required to adopt a corrective action plan to bring policies and procedures up to the standards demanded by HIPAA. The four categories used for the penalty structure are as follows:
- Tier 1: A violation that the covered entity was unaware of and could not have realistically avoided, had a reasonable amount of care had been taken to abide by HIPAA Rules.
- Tier 2: A violation that the covered entity should have been aware of, but could not have avoided even with a reasonable amount of care. (But falling short of willful neglect of HIPAA Rules)
- Tier 3: A violation suffered as a direct result of “willful neglect” of HIPAA Rules, in cases where an attempt has been made to correct the violation.
- Tier 4: A violation of HIPAA Rules constituting willful neglect, where no attempt has been made to correct the violation.
X. Where can I find additional resources on HIPAA?
Here are some links you can refer to for additional reading on the HIPAA:
- HIPAA Omnibus Rule (The final regulations-modifying HIPAA rules)
- Summary of the HIPAA Security Rule
- Summary of the HIPAA Privacy Rule
- Summary of the HIPAA Breach Notification Rule
Please feel free to ask questions and share concerns with us at privacy@vwo.com
HIPAA and the HITECH Act Overview
The Health Insurance Portability and Accountability Act (HIPAA) is a US healthcare law that establishes requirements for the use, disclosure, and safeguarding of individually identifiable health information. It applies to covered entities — doctors’ offices, hospitals, health insurers, and other healthcare companies — with access to patients’ protected health information (PHI), as well as to business associates, such as cloud service and IT providers, that process PHI on their behalf. (Most covered entities do not carry out functions such as claims or data processing on their own; they rely on business associates to do so.)
The law regulates the use and dissemination of PHI in four general areas:
- Privacy, which covers patient confidentiality.
- Security, which deals with the protection of information, including physical, technological, and administrative safeguards.
- Identifiers, which are the types of information that cannot be released if collected for research purposes.
- Codes for electronic transmission of data in a healthcare-related transaction, including eligibility and insurance claims and payments.
The scope of HIPAA was extended with the enactment of the Health Information Technology for Economic and Clinical Health (HITECH) Act. Together, HIPAA and HITECH ACT rules include:
- The HIPAA Privacy Rule, which focuses on the right of an individual to control the use of their personal information, and covers the confidentiality of PHI, limiting its use and disclosure.
- The HIPAA Security Rule, which sets the standards for administrative, technical, and physical safeguards to protect electronic PHI from unauthorized access, use, and disclosure. It also includes organizational requirements such as Business Associate Agreements (BAAs).
- The HITECH Breach Notification Final Rule, which requires giving notice to individuals and the government when a breach of unsecured PHI occurs.
