How We Process Protected Health Information (PHI)
Last Updated: November 15, 2023
1. Introduction
We understand the critical nature of the data we manage through the services we provide to healthcare providers. This document describes the measures we take to protect PHI and our commitment to maintaining the confidentiality and integrity of sensitive health data in accordance with HIPAA and other applicable regulations. It is intended to inform you of the security controls we maintain and the respect we hold for patient privacy, consistent with our role as a trusted partner in healthcare technology. We invite you to read this guide to better understand our PHI handling procedures and your corresponding rights.
2. Protected Health Information We May Collect
At Insight Health AI, safeguarding Protected Health Information (PHI) is a critical component of our services for healthcare professionals. We collect PHI to support the delivery of virtual care, and we handle it in compliance with HIPAA regulations. Our commitment is to ensure that PHI is used solely for delivering personalized healthcare services, with the privacy and security of patient data as our highest priority.
Types of PHI
- Patient PHI: As a provider of digital health services, we collect and manage patient PHI submitted by healthcare professionals. This includes medical history, diagnoses, treatment plans, test results, and other sensitive health information.
- Medical Records and Reports: Essential for delivering personalized care and assistance, these records encompass appointment details, prescription information, and other health-related data.
Strict PHI Handling Practices
- "Minimum Necessary": We ensure that only the least amount of PHI required to accomplish a task is accessed, used, or disclosed across our systems.
- Confidentiality and Security: All data, and especially PHI, is treated with the highest level of confidentiality. We employ stringent security measures to protect against unauthorized access, disclosure, or misuse.
- No PHI Sharing with Third Parties for Marketing or Analytics: We never share PHI with third-party analytics or advertising providers. PHI is not used for marketing purposes or any unrelated analytics.
- Limited Disclosure for Service Provision: PHI is only shared with third parties when necessary for providing our Services. In such cases, Business Associate Agreements (BAAs) are in place with those third parties processing PHI, ensuring they adhere to the same high standards of privacy and security as we do.
- Compliance with HIPAA: Our practices are in strict compliance with HIPAA regulations, ensuring the highest level of confidentiality and security for the patient health information entrusted to us.
3. Protection of Health Data
Our HIPAA compliance program encompasses a comprehensive range of technical, administrative, and physical safeguards designed to protect PHI, as detailed below:
Technical Safeguards
- Encryption: PHI is encrypted both in transit and at rest, utilizing industry-standard encryption methods to ensure data security.
- Access Controls: We implement stringent access controls, including multi-factor authentication and role-based access, to ensure that only authorized personnel can access PHI.
- Data Monitoring: Continuous monitoring of data access and usage helps us promptly identify and respond to any unauthorized activity.
Administrative Safeguards
- HIPAA Training: All employees undergo mandatory HIPAA compliance training to ensure they understand how to handle PHI responsibly.
- Privacy Policies: Our internal policies are regularly reviewed and updated to align with evolving HIPAA regulations and best practices in PHI protection.
- Risk Assessments: Regular risk assessments are conducted to identify potential vulnerabilities in our handling of PHI and address them proactively.
Physical Safeguards
- Device Security: All devices used to access PHI are secured and regularly audited for compliance with our security standards.
4. Our Role as a HIPAA Business Associate
Insight Health AI acts as a HIPAA Business Associate, and in that capacity we acknowledge the privacy rights granted to patients under the Health Insurance Portability and Accountability Act (HIPAA). While primary responsibility for handling patient access, amendment, and related requests rests with the covered healthcare providers, our commitment to supporting these rights is outlined as follows:
Support for Covered Entities in Upholding Patient Rights
- Facilitating Access and Amendments: While the covered entities handle patient access and amendment requests directly, we provide the support they need to fulfill those requests efficiently and in compliance with HIPAA.
- Data Accessibility: We ensure that PHI is accessible to healthcare providers so they can address patient rights such as access, amendments, and accountings of disclosures.
Compliance, Collaboration and Education
- Collaborative Compliance: We work collaboratively with covered entities to ensure compliance with HIPAA, facilitating their capacity to uphold patient rights.
- Alignment with Policies: Our policies and procedures are aligned with the requirements of HIPAA, ensuring that we support the covered entities in maintaining compliance.
- Transparency and Communication: We maintain open lines of communication with covered entities, keeping them informed about our practices and any changes that may affect PHI handling.
- Informing Covered Entities: We actively inform and educate our healthcare provider clients about our role in supporting patient rights, and we communicate clearly both the capabilities and the limitations of that role.
Staff Training and Awareness
- HIPAA Training for Employees: All employees with access to PHI undergo comprehensive HIPAA training to understand and fulfill their responsibilities in handling sensitive data.
- Cultivating Compliance Awareness: A culture of compliance and awareness regarding PHI protection is fostered throughout our organization.
Ensuring Security and Confidentiality
- Data Protection Measures: Our security measures are designed to maintain the confidentiality, integrity, and availability of PHI.
- Continuous Security Monitoring: We actively monitor our systems to prevent, detect, and respond to any incidents involving PHI.
Proactive Risk Management
- Regular Risk Assessments: To identify and address potential risks to PHI, we conduct regular risk assessments.
- Incident Response Preparedness: We maintain an incident response plan to ensure prompt and effective action in case of any PHI breach or unauthorized access.
Incident Response and Reporting
- Support in Incident Management: In the event of a data breach or security incident involving PHI, we promptly inform the affected covered entities, consistent with our obligations as a Business Associate under the HIPAA Breach Notification Rule, so that they can take the necessary steps to protect patient rights and fulfill their own reporting obligations.
Continuous Review and Improvement
- Evolving Practices: We continuously review and update our practices to ensure robust support for covered entities in upholding patient rights.
Questions?
For any inquiries or concerns about how we handle PHI, please contact us at:
Email: privacy@insighthealth.ai
Address: PO BOX 170945, Austin, Texas 78717-0037, United States