Status of HIPAA Customers in 2012, Part 1

Summary:

This document describes the HIPAA compliance status of five healthcare organizations (Kaiser, Intermountain Healthcare, Aetna, Blue Cross of Idaho, and SMDC) regarding their logs and electronic protected health information (ePHI). All customers except Aetna and Blue Cross of Idaho have established specific procedures for handling ePHI. For Kaiser and Intermountain Healthcare, all logs are considered ePHI and must be transferred securely using the HIPAA zone. Intermountain Healthcare has detailed SSO FTP site retrieval via HTTPS. SMDC has a BAA in place but lacks defined specific procedures. The document mandates that when ePHI status changes, customers must notify support immediately, notifying all relevant parties. However, it does not specify the frequency of this procedure or actions to take upon receiving ePHI.

Details:

This document outlines the status of HIPAA customers for i.R.O.C.K., including details on how their logs and data should be handled to ensure compliance with HIPAA regulations. The customers listed include Kaiser, Intermountain Healthcare, Aetna, Blue Cross of Idaho, and SMDC. For Kaiser and Intermountain Healthcare, all logs are considered protected health information (ePHI) and must be transferred securely using the HIPAA zone. Intermountain Healthcare has specific procedures for retrieving these logs from an SSO FTP site via HTTPS. Aetna and Blue Cross of Idaho have signed on as HIPAA customers but do not yet have defined specific procedures, while SMDC has a Business Associate Agreement (BAA) in place. The document outlines a procedure where the support team needs to follow regular log transfer procedures when receiving electronic protected health information (ePHI) from the customer, as mandated by HIPAA regulations. When there is a change in the ePHI status, the customer will be responsible for notifying support. This notification will occur whenever the ePHI status changes, and it should be communicated to all relevant parties involved. The document does not provide specific details on how often this procedure needs to be followed or what actions need to be taken upon receiving ePHI; these aspects are left unspecified in the text provided.