What is HIPAA Compliance?

Bringing your commerce strategy online and digitizing your business solution is oftentimes a no brainer as it drives more convenience for your customers and creates an overall better customer experience. However, when your business strategy requires your customers to share Protected Health Information (PHI) such as medical records, health insurance records or billing details, your eCommerce strategy becomes more complex. Businesses that operate with this type of information need to ensure that they can remain secure per the federal law known as HIPAA. So what is HIPAA and how does Elastic Path help to support your business’ HIPAA compliance?

What is HIPAA?

HIPAA, formally known as the Health Insurance Portability and Accountability Act of 1996, is a federal law created to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. The Department of Health and Human Services (HHS) issued the HIPAA Privacy rule which establishes important protections of individually identifiable health information also known as Protected Health Information (PHI), when created, received, maintained, or transmitted by a HIPAA covered entity (health care plan, health care provider, healthcare clearinghouse) or business associate (A person or organization using or disclosing individually identifiable health information to perform or provide functions, activities, or services for a covered entity.)

These protections include:

• Limitations on uses and disclosure of the information
• Safeguards against appropriate uses and disclosures
• Individuals rights with respect to their health information

While businesses don’t receive a certification for meeting HIPAA compliance rules, a failure to meet these guidelines could result in significant fines, lack of loyalty, and loss of customers. Therefore, it is imperative for your eCommerce business to be fully compliant.

How Do I know If My eCommerce Business Needs To Be HIPAA Compliant?

The simple answer is, if you are handling any type of Protected Health Information (PHI), your business will need to be HIPAA compliant. So, this means any type of healthcare businesses along with their business associates (BAs) will require HIPAA compliance in order not meet regulatory guidelines. Examples of these types of businesses include Dentists, doctors' offices, insurance companies, pharmacies, and optometrists, while examples of their Business Associates include: Billing companies, answering services, and shredding companies. Of course, this not an exhaustive list, so we recommend only using this as a baseline and working with a lawyer to determine where your business stands.

What is a Business Associate Addendum (BAA)?

Under the HIPAA regulations, eCommerce service providers such as Elastic Path Commerce Cloud may in some circumstances considered business associates. The Business Associate Addendum (BAA) is an Elastic Path Commerce Cloud contract that is required under HIPAA regulations to ensure that Elastic Path Commerce Cloud appropriately safeguards PHI. To the extent that HIPAA applies to the services provided by Elastic Path, the BAA also serves to clarify and limit the permissible uses and disclosures of PHI by Elastic Path Commerce Cloud.

Can my organization enter in a BAA with Elastic Path?

Yes, Elastic Path completed a third-party Independent Practitioner’s Report for HIPAA. This means that Elastic Path Commerce Cloud now enables HIPAA compliance. A standard BAA is now available for customers.

Does having a BAA with Elastic Path ensure my compliance with HIPAA?

It does not. The Elastic Path Commerce Cloud BAA will help support your organizations HIPAA compliance, but using Elastic Path Commerce Cloud does not, on its own, achieve it. Your organization is responsible for ensuring that you have an adequate compliance program and appropriate internal processes in place that align with HIPAA requirements.

Is a copy of the Independent Practitioner's Report available?

Yes, a copy of the report is available to organizations through an NDA via our legal team.

In summary, achieving HIPAA compliance is a must for any business storing Protected Health Information and you can certainly work with Elastic Path to maintain HIPAA compliance while still delivering your unique eCommerce experiences. If you’re still unsure about how your business can work with Elastic Path to meet your requirements, feel free to set up a call with one of our internal experts to understand how we can help to achieve your goals.