Galaxkey works with HIPAA

This article references the relevant elements of HIPAA and explains how Galaxkey software and solutions work with them.

Reference
The Health Insurance Portability And Accountability Act (HIPAA)
U.S. Department of Labor
Employee Benefits Security Administration
December 2004
The Health Insurance Portability and Accountability Act (HIPAA) offers protections for millions of American workers that improve portability and continuity of health insurance coverage.
HIPAA Protects Workers And Their Families By
• Limiting exclusions for preexisting medical conditions (known as preexisting conditions).
• Providing credit against maximum preexisting condition exclusion periods for prior health coverage and a process for providing certificates showing periods of prior coverage to a new group health plan or health insurance issuer.
• Providing new rights that allow individuals to enroll for health coverage when they lose other health coverage, get married or add a new dependent.
• Prohibiting discrimination in enrollment and in premiums charged to employees and their dependents based on health status-related factors.
• Guaranteeing availability of health insurance coverage for small employers and renewability of health insurance coverage for both small and large employers.
• Preserving the states’ role in regulating health insurance, including the states’ authority to provide greater protections than those available under federal law.
Preexisting Condition Exclusions
• The law defines a preexisting condition as one for which medical advice, diagnosis, care, or treatment was recommended or received during the 6-month period prior to an individual’s enrollment date (which is the earlier of the first day of health coverage or the first day of any waiting period for coverage).
• Group health plans and issuers may not exclude an individual’s preexisting medical condition from coverage for more than 12 months (18 months for late enrollees) after an individual’s enrollment date.
• Under HIPAA, a new employer’s plan must give individuals credit for the length of time they had prior continuous health coverage, without a break in coverage of 63 days or more, thereby reducing or eliminating the 12-month exclusion period (18 months for late enrollees).
Creditable Coverage
• Includes prior coverage under another group health plan, an individual health insurance policy, COBRA, Medicaid, Medicare, CHAMPUS, the Indian Health Service, a state health benefits risk pool, FEHBP, the Peace Corps Act, or a public health plan.
Certificates Of Creditable Coverage
• Certificates of creditable coverage must be provided automatically and free of charge by the plan or issuer when an individual loses coverage under the plan, becomes entitled to elect COBRA continuation coverage or exhausts COBRA continuation coverage. A certificate must also be provided free of charge upon request while you have health coverage or anytime within 24 months after your coverage ends.
• Certificates of creditable coverage should contain information about the length of time you or your dependents had coverage as well as the length of any waiting period for coverage that applied to you or your dependents.
• For plan years beginning on or after July 1, 2005, certificates of creditable coverage should also include an educational statement that describes individuals’ HIPAA portability rights. A new model certificate is available on EBSA’s Web site.
• If a certificate is not received, or the information on the certificate is wrong, you should contact your prior plan or issuer. You have a right to show prior creditable coverage with other evidence — like pay stubs, explanation of benefits, letters from a doctor — if you cannot get a certificate.
Special Enrollment Rights
• Are provided for individuals who lose their coverage in certain situations, including on separation, divorce, death, termination of employment and reduction in hours. Special enrollment rights also are provided if employer contributions toward the other coverage terminate.
• Are provided for employees, their spouses and new dependents upon marriage, birth, adoption or placement for adoption.
Discrimination Prohibitions
• Ensure that individuals are not excluded from coverage, denied benefits, or charged more for coverage offered by a plan or issuer, based on health status-related factors.

Reference https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html
Who is Covered by the Privacy Rule
The Privacy Rule, as well as all the Administrative Simplification rules, apply to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form in connection with transactions for which the Secretary of HHS has adopted standards under HIPAA (the “covered entities”). For help in determining whether you are covered, use CMS’s decision tool.
Health Plans. Individual and group plans that provide or pay the cost of medical care are covered entities. Health plans include health, dental, vision, and prescription drug insurers, health maintenance organizations (“HMOs”), Medicare, Medicaid, Medicare+Choice and Medicare supplement insurers, and long-term care insurers (excluding nursing home fixed-indemnity policies). Health plans also include employer-sponsored group health plans, government and church-sponsored health plans, and multi-employer health plans. There are exceptions—a group health plan with less than 50 participants that is administered solely by the employer that established and maintains the plan is not a covered entity. Two types of government-funded programs are not health plans: (1) those whose principal purpose is not providing or paying the cost of health care, such as the food stamps program; and (2) those programs whose principal activity is directly providing health care, such as a community health center, or the making of grants to fund the direct provision of health care. Certain types of insurance entities are also not health plans, including entities providing only workers’ compensation, automobile insurance, and property and casualty insurance. If an insurance entity has separable lines of business, one of which is a health plan, the HIPAA regulations apply to the entity with respect to the health plan line of business.
Health Care Providers. Every health care provider, regardless of size, who electronically transmits health information in connection with certain transactions, is a covered entity. These transactions include claims, benefit eligibility inquiries, referral authorization requests, or other transactions for which HHS has established standards under the HIPAA Transactions Rule. Using electronic technology, such as email, does not mean a health care provider is a covered entity; the transmission must be in connection with a standard transaction. The Privacy Rule covers a health care provider whether it electronically transmits these transactions directly or uses a billing service or other third party to do so on its behalf. Health care providers include all “providers of services” (e.g., institutional providers such as hospitals) and “providers of medical or health services” (e.g., non-institutional providers such as physicians, dentists and other practitioners) as defined by Medicare, and any other person or organization that furnishes, bills, or is paid for health care. (Galaxkey acknowledges this and understands that many of its users work in health care and Medicare.)

Health Care Clearinghouses. Health care clearinghouses are entities that process nonstandard information they receive from another entity into a standard (i.e., standard format or data content), or vice versa. In most instances, health care clearinghouses will receive individually identifiable health information only when they are providing these processing services to a health plan or health care provider as a business associate. In such instances, only certain provisions of the Privacy Rule are applicable to the health care clearinghouse’s uses and disclosures of protected health information. Health care clearinghouses include billing services, repricing companies, community health management information systems, and value-added networks and switches if these entities perform clearinghouse functions. (Galaxkey acknowledges this, but it is not relevant to Galaxkey or its software.)
Business Associates like Galaxkey

Business Associate Defined. In general, a business associate is a person or organization (Galaxkey in this case), other than a member of a covered entity’s workforce, that performs certain functions or activities on behalf of (Galaxkey’s software encrypts data on the covered entity’s behalf), or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information. Business associate functions or activities on behalf of a covered entity include claims processing, data analysis, utilization review, and billing. Business associate services to a covered entity are limited to legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services. However, persons or organizations are not considered business associates if their functions or services do not involve the use or disclosure of protected health information, and where any access to protected health information by such persons would be incidental, if at all. A covered entity can be the business associate of another covered entity. (Galaxkey does not store any data relating to patients at all.)
Business Associate Contract. When a covered entity uses a contractor or other non-workforce member to perform “business associate” services or activities, the Rule requires that the covered entity include certain protections for the information in a business associate agreement (in certain circumstances governmental entities may use alternative means to achieve the same protections). (Galaxkey in any event follows stringent security controls and complies with ISO 27001; Galaxkey does not store, and never has access to, customer data, so these controls are applied as an additional measure.) In the business associate contract, a covered entity must impose specified written safeguards on the individually identifiable health information used or disclosed by its business associates. Moreover, a covered entity may not contractually authorize its business associate to make any use or disclosure of protected health information that would violate the Rule. Covered entities that had an existing written contract or agreement with business associates prior to October 15, 2002, which was not renewed or modified prior to April 14, 2003, were permitted to continue to operate under that contract until they renewed the contract or April 14, 2004, whichever was first. See additional guidance on Business Associates and sample business associate contract language. (Galaxkey acknowledges this. Because Galaxkey does not store or have access to customer data, a covered entity should confirm whether a business associate agreement is required for its particular deployment.)
What Information is Protected
Protected Health Information. The Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information “protected health information (PHI).” (Galaxkey does not store any PHI in any way; instead, Galaxkey helps customers keep PHI confidential while providing strong authentication mechanisms to ensure that data integrity and confidentiality are maintained.)
“Individually identifiable health information” is information, including demographic data, that relates to:
• the individual’s past, present or future physical or mental health or condition, (Galaxkey protects this data but never has access to it: encryption is performed on the customer’s site, by the customer, using the customer’s own keys and own computers, to which Galaxkey has no access)
• the provision of health care to the individual, or
• the past, present, or future payment for the provision of health care to the individual, (Galaxkey acknowledges this, but it is not relevant to Galaxkey or its software)
and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number). (Galaxkey acknowledges this, but it is not relevant to Galaxkey or its software.)
The Privacy Rule excludes from protected health information employment records that a covered entity maintains in its capacity as an employer and education and certain other records subject to, or defined in, the Family Educational Rights and Privacy Act, 20 U.S.C. §1232g. (Galaxkey acknowledges this, but it is not relevant to Galaxkey or its software.)
De-Identified Health Information. There are no restrictions on the use or disclosure of de-identified health information. De-identified health information neither identifies nor provides a reasonable basis to identify an individual. There are two ways to de-identify information; either: (1) a formal determination by a qualified statistician; or (2) the removal of specified identifiers of the individual and of the individual’s relatives, household members, and employers is required, and is adequate only if the covered entity has no actual knowledge that the remaining information could be used to identify the individual. (Galaxkey acknowledges this, but it is not relevant to Galaxkey or its software.)