HIPAA Compliance

1. Our Commitment to HIPAA Compliance

VettlyGlobal is committed to protecting the privacy and security of Protected Health Information (PHI) in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH Act).

This document outlines our HIPAA compliance framework and demonstrates our commitment to protecting the confidentiality, integrity, and availability of electronic Protected Health Information (ePHI).

2. HIPAA Regulations Overview

2.1 HIPAA Privacy Rule

The Privacy Rule (45 CFR Part 160 and Part 164, Subparts A and E) establishes national standards for the protection of individually identifiable health information, including:

• Permissible uses and disclosures of PHI
• Individual rights regarding their health information
• Requirements for privacy notices and authorizations
• Administrative, physical, and technical safeguards

2.2 HIPAA Security Rule

The Security Rule (45 CFR Part 164, Subparts A and C) establishes standards for protecting electronic Protected Health Information (ePHI):

• Administrative safeguards
• Physical safeguards
• Technical safeguards
• Organizational requirements
• Policies, procedures, and documentation

2.3 HIPAA Breach Notification Rule

The Breach Notification Rule (45 CFR Part 164, Subpart D) requires notification of breaches of unsecured PHI to:

• Affected individuals
• The Secretary of Health and Human Services (HHS)
• Media outlets (for breaches affecting 500+ individuals)

2.4 HITECH Act

The HITECH Act strengthened HIPAA by:

• Extending obligations to Business Associates
• Increasing penalties for violations
• Requiring breach notifications
• Enhancing enforcement mechanisms

3. VettlyGlobal as a Business Associate

3.1 Business Associate Definition

VettlyGlobal acts as a Business Associate when we create, receive, maintain, or transmit PHI on behalf of Covered Entities (healthcare providers, health plans, healthcare clearinghouses) to perform functions or activities including:

• Identity verification for healthcare providers
• Background screening for healthcare employees
• Risk assessment and fraud detection services
• Data analytics and reporting for healthcare organizations
• Compliance and credentialing services

3.2 Business Associate Obligations

As a Business Associate, we are required to:

• Comply with applicable HIPAA Privacy and Security Rule requirements
• Use and disclose PHI only as permitted by the Business Associate Agreement (BAA)
• Implement appropriate safeguards to prevent unauthorized use or disclosure
• Report security incidents and breaches to the Covered Entity
• Make PHI available to individuals upon request
• Account for disclosures of PHI as required
• Make internal practices and records available for HHS compliance reviews
• Ensure subcontractors comply with HIPAA requirements

3.3 Business Associate Agreements (BAAs)

We enter into HIPAA-compliant Business Associate Agreements with all Covered Entities and healthcare clients. Our BAAs include:

• Permitted and required uses and disclosures of PHI
• Responsibilities for safeguarding PHI
• Breach notification procedures and timelines
• Individual access and amendment rights
• Minimum necessary requirements
• Subcontractor obligations
• Termination provisions
• Return or destruction of PHI upon termination

To request a Business Associate Agreement, please contact us.

4. Administrative Safeguards

We implement comprehensive administrative safeguards as required by 45 CFR § 164.308:

4.1 Security Management Process

• Risk Analysis: Annual comprehensive risk assessments of ePHI threats and vulnerabilities
• Risk Management: Implementation of security measures to reduce risks to reasonable and appropriate levels
• Sanction Policy: Disciplinary actions for workforce members who violate security policies
• Information System Activity Review: Regular review of system logs, access reports, and security incidents

4.2 Assigned Security Responsibility

We have designated a Security Officer responsible for developing, implementing, and maintaining our HIPAA security program:

4.3 Workforce Security

• Authorization/Supervision: Procedures for workforce authorization and supervision
• Workforce Clearance: Background checks and clearance procedures
• Termination Procedures: Procedures for terminating access upon employment termination

4.4 Information Access Management

• Isolating Healthcare Clearinghouse Functions: Separation of clearinghouse functions where applicable
• Access Authorization: Formal authorization processes for ePHI access
• Access Establishment and Modification: Procedures for granting, reviewing, and modifying access rights

4.5 Security Awareness and Training

All workforce members receive comprehensive HIPAA training covering:

• Security reminders (periodic security updates)
• Protection from malicious software
• Log-in monitoring and password management
• Annual refresher training
• Role-specific training for employees handling PHI

4.6 Security Incident Procedures

• Documented incident response and reporting procedures
• Security incident identification and escalation protocols
• Incident investigation and root cause analysis
• Corrective action and mitigation procedures

4.7 Contingency Plan

• Data Backup Plan: Regular encrypted backups of ePHI with tested recovery procedures
• Disaster Recovery Plan: Procedures for restoring access to ePHI after emergencies
• Emergency Mode Operation Plan: Procedures for continuing critical operations during emergencies
• Testing and Revision: Annual testing and updates of contingency plans
• Applications and Data Criticality Analysis: Assessment of critical systems and data

4.8 Evaluation

We conduct periodic technical and non-technical evaluations of our security controls:

• Annual security risk assessments
• Quarterly internal audits
• Annual external security assessments
• Penetration testing and vulnerability scanning

4.9 Business Associate Contracts

We ensure all subcontractors and vendors that handle PHI:

• Sign HIPAA-compliant Business Associate Agreements
• Implement appropriate safeguards
• Comply with applicable HIPAA requirements
• Report security incidents and breaches

5. Physical Safeguards

We implement physical safeguards as required by 45 CFR § 164.310:

5.1 Facility Access Controls

• Contingency Operations: Procedures for facility access during emergencies
• Facility Security Plan: Policies for safeguarding facilities containing ePHI
• Access Control and Validation: Procedures for controlling and validating physical access
• Maintenance Records: Documentation of facility repairs and modifications

5.2 Workstation Use

• Policies specifying proper use of workstations accessing ePHI
• Screen privacy filters and automatic screen locks
• Clear desk policies and secure storage requirements
• Prohibition of unauthorized devices

5.3 Workstation Security

• Physical safeguards to limit workstation access to authorized users
• Cable locks and secure mounting
• Restricted areas for sensitive workstations
• Video surveillance and access logging

5.4 Device and Media Controls

• Disposal: Secure disposal and destruction procedures for hardware and media
• Media Re-use: Procedures for sanitizing devices before re-use
• Accountability: Asset inventory and tracking systems
• Data Backup and Storage: Secure backup procedures and offsite storage

5.5 Data Center Security

Our data centers maintain industry-leading physical security:

• 24/7 security personnel and video surveillance
• Multi-factor access control systems (badge + biometric)
• Mantrap entryways and visitor escort requirements
• Environmental controls (fire suppression, HVAC, power redundancy)
• SOC 2 Type II certified data centers
• Regular security audits and compliance assessments

6. Technical Safeguards

We implement technical safeguards as required by 45 CFR § 164.312:

6.1 Access Control

• Unique User Identification: Unique usernames for all individuals accessing ePHI
• Emergency Access Procedure: Break-glass procedures for emergency access
• Automatic Logoff: Automatic session termination after inactivity
• Encryption and Decryption: Encryption of ePHI at rest and in transit

6.2 Audit Controls

• Comprehensive logging of system activity and ePHI access
• Centralized log management and analysis
• Regular review of audit logs for suspicious activity
• Log retention for minimum of 6 years
• Tamper-proof audit trail mechanisms

6.3 Integrity Controls

• Mechanism to Authenticate ePHI: Digital signatures and checksums to verify data integrity
• Version control and change tracking
• Data validation and error checking
• Protection against unauthorized alteration or destruction

6.4 Person or Entity Authentication

• Multi-factor authentication (MFA) for all ePHI access
• Strong password policies (minimum 12 characters, complexity requirements)
• Regular password rotation (90 days)
• Account lockout after failed login attempts
• Biometric authentication options

6.5 Transmission Security

• Integrity Controls: Measures to ensure ePHI is not improperly modified during transmission
• Encryption: TLS 1.3 encryption for all ePHI transmissions
• Secure file transfer protocols (SFTP, HTTPS)
• Virtual Private Networks (VPNs) for remote access
• End-to-end encryption for email communications containing PHI

6.6 Encryption Standards

We employ industry-standard encryption to protect ePHI:

• Data at Rest: AES-256 encryption
• Data in Transit: TLS 1.3 with strong cipher suites
• Database Encryption: Transparent Data Encryption (TDE)
• Backup Encryption: Encrypted backups with secure key management
• Key Management: Hardware Security Modules (HSMs) for encryption key storage

7. Breach Notification Procedures

7.1 Breach Definition

A breach is the unauthorized acquisition, access, use, or disclosure of PHI that compromises the security or privacy of the information, unless:

• The PHI was encrypted pursuant to HHS guidance
• There is a low probability that the PHI has been compromised (based on risk assessment)

7.2 Breach Discovery and Assessment

Upon discovering a potential breach, we:

• Immediately initiate incident response procedures
• Contain the breach and mitigate harm
• Conduct a thorough risk assessment within 24 hours
• Document the breach and assessment findings
• Determine notification requirements

7.3 Risk Assessment Factors

We assess the following factors to determine breach probability:

• Nature and extent of PHI involved
• Identity of unauthorized person(s) who accessed PHI
• Whether PHI was actually acquired or viewed
• Extent to which risk has been mitigated

7.4 Notification to Covered Entities

As a Business Associate, we notify Covered Entities of discovered breaches:

• Timing: Without unreasonable delay and no later than 60 days from discovery
• Content: Identification of each individual affected, brief description of the breach, recommended steps, contact information
• Method: Email, secure portal notification, or as specified in BAA

7.5 Covered Entity Responsibilities

The Covered Entity is responsible for:

• Notifying affected individuals within 60 days
• Notifying HHS (immediately if 500+ individuals affected, annually if fewer)
• Notifying media outlets (if 500+ individuals in a jurisdiction affected)

7.6 Documentation

We maintain documentation of all breaches, including:

• Date of breach discovery
• Brief description of the breach
• Individuals and records affected
• Risk assessment findings
• Notification dates and methods
• Corrective actions taken

8. Individual Rights Under HIPAA

8.1 Right of Access

Individuals have the right to access their PHI. We assist Covered Entities in fulfilling access requests by:

• Providing PHI in the requested format (electronic or paper)
• Responding within 30 days (extendable by 30 days with notice)
• Providing copies at reasonable cost-based fees

8.2 Right to Amend

Individuals may request amendments to PHI. We assist Covered Entities by:

• Accepting and processing amendment requests
• Incorporating approved amendments into records
• Notifying relevant parties of amendments

8.3 Right to an Accounting of Disclosures

We maintain records of PHI disclosures to support accounting of disclosures requests:

• Date of disclosure
• Name and address of recipient
• Brief description of PHI disclosed
• Purpose of disclosure

8.4 Right to Request Restrictions

Individuals may request restrictions on uses and disclosures of PHI. We honor restrictions agreed upon by the Covered Entity.

8.5 Right to Request Confidential Communications

We accommodate reasonable requests for confidential communications as directed by the Covered Entity.

9. Minimum Necessary Standard

We adhere to the minimum necessary principle by:

• Accessing, using, and disclosing only the minimum PHI necessary to accomplish the intended purpose
• Implementing role-based access controls to limit PHI exposure
• Reviewing and limiting routine and recurring disclosures
• Training workforce members on minimum necessary principles
• Conducting periodic reviews of access levels

Exceptions: The minimum necessary standard does not apply to disclosures to or requests by healthcare providers for treatment purposes.

10. HIPAA Training Program

10.1 Training Requirements

All workforce members receive comprehensive HIPAA training:

• New Hire Training: Within 30 days of hire or before PHI access
• Annual Refresher Training: Required annually for all workforce members
• Targeted Training: Role-specific training based on job functions
• Policy Update Training: Within 60 days of significant policy changes

10.2 Training Topics

• HIPAA Privacy and Security Rules overview
• Permitted uses and disclosures of PHI
• Individual rights under HIPAA
• Security safeguards and best practices
• Breach notification procedures
• Incident reporting requirements
• Sanctions for violations
• Social engineering and phishing awareness

10.3 Training Documentation

We maintain records of all training activities, including:

• Training content and materials
• Dates of training sessions
• Attendee lists and acknowledgments
• Test scores and completion certificates

11. Compliance Monitoring and Auditing

11.1 Internal Audits

We conduct regular internal audits to assess HIPAA compliance:

• Quarterly compliance assessments
• Annual comprehensive risk analyses
• Access control reviews
• Audit log reviews
• Physical security inspections

11.2 External Assessments

We engage independent third parties to conduct:

• Annual HIPAA security assessments
• Penetration testing and vulnerability assessments
• SOC 2 Type II audits
• HITRUST CSF certification

11.3 Corrective Action

When deficiencies are identified, we:

• Document the finding and root cause
• Develop corrective action plans with timelines
• Implement remediation measures
• Verify effectiveness of corrective actions
• Update policies and procedures as needed

12. Sanctions and Disciplinary Actions

We enforce HIPAA compliance through a progressive discipline policy:

12.1 Violations and Sanctions

• Minor Violations: Verbal/written warning, additional training
• Moderate Violations: Suspension of access, formal reprimand, probation
• Serious Violations: Termination of employment or contract
• Criminal Violations: Reporting to law enforcement, termination

12.2 Examples of Sanctionable Conduct

• Unauthorized access, use, or disclosure of PHI
• Failure to report security incidents
• Sharing passwords or access credentials
• Circumventing security controls
• Failure to complete required training
• Violating minimum necessary principles

13. Subcontractor Management

We ensure all subcontractors that create, receive, maintain, or transmit PHI on our behalf:

• Sign HIPAA-compliant Business Associate Agreements before accessing PHI
• Undergo security and compliance assessments
• Implement required HIPAA safeguards
• Report security incidents and breaches
• Participate in audits and compliance reviews
• Maintain appropriate insurance coverage

Approved Subcontractors

We maintain a list of approved subcontractors and sub-processors. This list is available to Covered Entities upon request.

14. Contact Us

For questions about HIPAA compliance or to report security incidents: