What are the unintended consequences of HIPAA

HIPAA & HITECH compliance


HIPAA and HITECH provide national minimum standards for protecting an individual's Protected Health Information (PHI). The United States Department of Health and Human Services (HHS) administers and enforces these standards.

Originally designed to simplify healthcare processes and reduce costs by standardizing certain common healthcare transactions, HIPAA was originally designed while protecting the security and privacy of individuals' personal information. HITECH expanded HIPAA's privacy and security requirements.

HIPAA and HITECH focus on the PHI, which generally includes any personally identifiable information relating to a person's physical or mental health, providing health care for them, or paying for related services. PHI also contains all personal demographic information, including name, address, phone numbers, and social security numbers

These standards impact the use and disclosure of PHI by the companies concerned (e.g., medical providers performing certain electronic transactions, health plans, and health care clearinghouses) and their business partners.

Vtiger enables insured companies and their business partners that are subject to the US Health Insurance Portability and Accountability Act (HIPAA) to use the secure Vtiger environment to process, maintain and store protected health data.

The 4 HIPAA rules

HIPAA privacy rule

The HIPAA privacy policy limits the intentional and unintentional use or disclosure of PHI that violates the requirements of HIPAA.

  1. Do not allow unauthorized use or disclosure of PHI
  2. Bring a notification of the breach to the affected unit
  3. Allow individuals or the covered entity access to the PHI
  4. Pass the PHI on to the HHS secretariat if forced to do so
  5. Provide a balance sheet for the information
  6. Be aware of the requirements of the HIPAA security rule

HIPAA security rule

According to the security rule of the HIPAA, the companies concerned must take detailed administrative, physical and technical security precautions to protect electronic PHI

HIPAA enforcement rule

It prescribes penalties and procedures for hearings

HIPAA Violation Notification Rule

Healthcare providers must notify patients in the event of an unsecured PHI violation

Vtiger supports the deployment of HIPAA compliant businesses

The Vtiger CRM Service is provided through servers hosted in Amazon EC2 data centers. Vtiger provides mechanisms by which healthcare providers (i.e. Covered Companies) who use the Vtiger service can become HIPAA compliant.

Our security policy prescribes the following

  1. Physical security measures - Only authorized Amazon employees can access the servers
  2. Administrative Security Measures - Access to the data in the application is controlled by the affected entity, while access to the server is controlled by the Vtiger team. Vtiger CRM offers role-based access control to restrict access to specific users.
  3. Technical security measures - Vtiger maintains an active monitoring system in order to immediately find and fix weak points in the operating system, web server, database or in the Vtiger CRM application.

For more information, please click on vtiger.com/security

Enable encryption at rest with new encrypted fields.

When you store sensitive information about someone, such as: For example, your health data or your national ID number, you may need to encrypt this data at rest. Vtiger's field encryption does this while providing other safeguards that significantly reduce the risk of misuse by employees or malicious actors

To learn more, check out our documentation on Encrypted Data Fields in Vtiger CRM

During transmission, data is always encrypted with SSL.

Violation Notification

When a breach has occurred at the service level, Vtiger notifies the healthcare provider (Vtiger customer).