Healthcare Compliance

HIPAA Compliance

CrownDesk is designed from the ground up to meet HIPAA requirements, ensuring your patient data remains secure and compliant.

HIPAA Compliant: Certified Business Associate

BAA Included: Automatic Agreement

PHI Protected: End-to-End Security

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that requires the protection and confidential handling of protected health information (PHI). HIPAA applies to covered entities and their business associates.

Key HIPAA Requirements

  • Privacy Rule: Protects individual health information held by covered entities
  • Security Rule: Sets standards for protecting electronic PHI (ePHI)
  • Breach Notification Rule: Requires notification of PHI breaches
  • Omnibus Rule: Strengthens patient privacy protections

Who Must Comply?

Covered Entities

  • Healthcare providers
  • Health plans
  • Healthcare clearinghouses

Business Associates

  • Technology vendors
  • Billing companies
  • Cloud service providers

CrownDesk HIPAA Compliance

Business Associate Agreement (BAA)

CrownDesk signs a Business Associate Agreement with all healthcare customers automatically upon subscription. This agreement outlines our responsibilities for protecting PHI and our compliance with HIPAA requirements.

PHI Handling Safeguards

Administrative Safeguards: security officer designation, workforce training, access management

Physical Safeguards: facility access controls, workstation security, device/media controls

Technical Safeguards: access control, audit controls, integrity, transmission security

Minimum Necessary Standard

CrownDesk implements role-based access controls ensuring users only access the minimum PHI necessary to perform their job functions. This includes granular permissions and audit trails for all data access.

Technical Security Measures

Encryption Requirements

Data in Transit

  • TLS 1.3 encryption for all communications
  • Perfect Forward Secrecy implementation
  • Certificate pinning and validation

Data at Rest

  • AES-256 encryption for all stored PHI
  • Database-level encryption
  • Encrypted backup storage

Access Controls

  • Unique user identification for each person accessing PHI
  • Role-based access control with principle of least privilege
  • Multi-factor authentication required for all users
  • Automatic logoff after a period of inactivity
  • Encryption and decryption controls

Audit Controls

  • Comprehensive audit logs for all PHI access
  • Immutable audit trail storage
  • Real-time monitoring and alerting
  • Regular audit log review and analysis
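The minimum necessary standard and the access and audit controls above can be demonstrated together: a role-to-field policy that releases only the PHI fields a job function needs, and a hash-chained, append-only audit trail whose integrity can be verified. This is an added illustration, not CrownDesk's own code; the roles, field names and sample record are constructed assumptions.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed policy (assumption, not CrownDesk's configuration): each role
# may read only the PHI fields needed for its job function.
ROLE_FIELDS = {
    "scheduler": {"patient_id", "name", "appointment"},
    "nurse": {"patient_id", "name", "appointment", "allergies", "vitals"},
    "physician": {"patient_id", "name", "appointment", "allergies",
                  "vitals", "diagnosis", "notes"},
}

# Constructed sample record used for the demonstration.
SAMPLE_RECORD = {"patient_id": "P-0001", "name": "Test Patient",
                 "appointment": "2024-05-01", "allergies": "none",
                 "vitals": "normal", "diagnosis": "redacted", "notes": "redacted"}

GENESIS = "0" * 64


class AuditTrail:
    """Append-only log where each entry commits to the previous entry's hash,
    so editing or deleting an earlier entry breaks verification."""

    def __init__(self):
        self.entries = []

    def record(self, user, role, patient_id, fields, granted):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"ts": datetime.now(timezone.utc).isoformat(), "user": user,
                "role": role, "patient_id": patient_id,
                "fields": sorted(fields), "granted": granted, "prev": prev}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        self.entries.append({**body, "hash": digest})

    def verify(self):
        prev = GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            expected = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev"] != prev or expected != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def access_phi(record, user, role, requested, audit):
    """Return only the requested fields the role may see; log every attempt,
    granted or denied, before any data is released."""
    denied = set(requested) - ROLE_FIELDS.get(role, set())
    audit.record(user, role, record["patient_id"], requested, not denied)
    if denied:
        raise PermissionError(f"{role} may not read {sorted(denied)}")
    return {f: record[f] for f in requested}
```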

Your HIPAA Responsibilities

As a Covered Entity

  • Ensure all workforce members are trained on HIPAA requirements
  • Implement and maintain required administrative, physical, and technical safeguards
  • Designate a HIPAA Security Officer and Privacy Officer
  • Conduct periodic security assessments
  • Have an incident response plan for potential breaches

Using CrownDesk Compliantly

  • Use strong, unique passwords and enable multi-factor authentication
  • Log out of the system when not in use
  • Do not share login credentials with other users
  • Report any suspected security incidents immediately
  • Only access PHI when necessary for your job duties

Patient Rights

  • Right to access their PHI
  • Right to request amendments to their PHI
  • Right to an accounting of PHI disclosures
  • Right to request restrictions on use/disclosure
  • Right to request confidential communications

Breach Response

What Constitutes a Breach?

A breach is the acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule that compromises the security or privacy of the PHI.

CrownDesk Breach Response

  • Immediate containment and assessment of the incident
  • Investigation to determine scope and cause
  • Notification to affected customers within 24 hours
  • Assistance with breach notification requirements
  • Implementation of corrective measures

Your Breach Notification Requirements

  • Notify individuals within 60 days
  • Notify HHS within 60 days
  • Notify media if breach affects 500+ individuals
  • Maintain documentation of all breaches

Compliance Resources

Training and Education

  • HIPAA compliance training for your staff
  • Regular security awareness updates
  • Best practices documentation
  • Compliance webinars and workshops

Documentation

  • Business Associate Agreement template
  • Security policies and procedures
  • Risk assessment templates
  • Incident response planning guides

Support

Our compliance team is available to answer questions about HIPAA requirements and how CrownDesk supports your compliance efforts. Contact us at hello@xaltrax.com for assistance.

Get Your BAA

Business Associate Agreements are automatically provided to all CrownDesk healthcare customers. Contact us if you need a signed copy for your records.

XaltraX Inc.

Email: hello@xaltrax.com

Phone: (302) 861-2222

Address: 254 Chapman Rd, Ste 208 #24467, Newark, Delaware 19702 US

We respond to compliance inquiries within 2 business days.