Presagia Sports HIPAA and HITECH Compliance Summary
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a set of U.S. laws that protect the security and privacy of health information held by Covered Entities. The term Covered Entity refers to three specific groups: health plans, health care clearinghouses, and health care providers that transmit health information electronically.
Presagia Sports includes some specific features that help Covered Entities comply with HIPAA (or comply with similar guidelines in other regions):
- Presagia Sports implements technical policies and procedures that allow only authorized persons to access electronic protected health information (e-PHI).
- The system’s login process ensures that access via the Internet is restricted so that only authorized and authenticated users can gain access.
- User accounts consist of a user name and strong password to gain entry to the application.
- Users must change their password periodically. Previously used passwords cannot be re-used.
- User sessions automatically time out after a period of inactivity, after which the user must re-enter his or her password to continue working in the system.
- Each user account must be configured with specified levels of access to specific groups of employees and access to specific types of functions and data.
- User activities and data modifications are logged in audit trails.
- All data and file attachments are encrypted when at rest, and reside behind firewalls within our hosting environment.
- Data is encrypted in transit, to and from the user’s computer or mobile device. SSL encryption is used when sending and receiving data via the Internet.
- Athletes’ health data is not stored on the users’ devices or computers.
- The email notifications sent from Presagia Sports to its users contain no e-PHI.
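The account controls in the list above (password history, inactivity timeout, role- and group-scoped access, audit trail) can be modelled in a few dozen lines. The following is an added illustration written for this summary; it is not Presagia Sports code, and the history depth, idle window, role names and group names are assumptions chosen for the example.

```python
"""Illustration of the listed account controls. Example code, not Presagia's
implementation; constants and names below are assumptions for the example."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field

PASSWORD_HISTORY = 3          # assumed: number of prior passwords that cannot be reused
SESSION_IDLE_SECONDS = 15 * 60  # assumed: inactivity window before re-authentication
PBKDF2_ROUNDS = 100_000


def _hash(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash so stored credentials are not directly reusable."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class User:
    name: str
    groups: set                       # employee/athlete groups the user may see
    roles: set                        # function-level permissions (e.g. "view_injury")
    history: list = field(default_factory=list)  # (salt, hash), newest first


class AuditLog:
    """Append-only record of who did what to which group, and whether it was allowed."""
    def __init__(self) -> None:
        self.entries: list = []

    def record(self, user: str, action: str, target: str, allowed: bool) -> None:
        self.entries.append({"ts": time.time(), "user": user, "action": action,
                             "target": target, "allowed": allowed})


def set_password(user: User, new: str) -> bool:
    """Reject any password still present in the user's history; otherwise rotate."""
    for salt, digest in user.history:
        if hmac.compare_digest(_hash(new, salt), digest):
            return False
    salt = os.urandom(16)
    user.history.insert(0, (salt, _hash(new, salt)))
    del user.history[PASSWORD_HISTORY:]   # keep only the last N entries
    return True


def verify_password(user: User, candidate: str) -> bool:
    """Check against the current (newest) credential only."""
    salt, digest = user.history[0]
    return hmac.compare_digest(_hash(candidate, salt), digest)


class Session:
    def __init__(self, user: User, now: float) -> None:
        self.user = user
        self.last_activity = now

    def touch(self, now: float) -> bool:
        """Return False (and keep the session expired) once the idle window has passed."""
        if now - self.last_activity > SESSION_IDLE_SECONDS:
            return False
        self.last_activity = now
        return True


def authorize(session: Session, audit: AuditLog, now: float,
              action: str, group: str) -> bool:
    """Allow an action only if the session is live, the user holds the function-level
    role, and the user is scoped to the group the data belongs to. Every decision,
    allowed or denied, is written to the audit trail."""
    alive = session.touch(now)
    allowed = alive and action in session.user.roles and group in session.user.groups
    audit.record(session.user.name, action, group, allowed)
    return allowed


if __name__ == "__main__":
    trainer = User("trainer1", groups={"varsity"}, roles={"view_injury"})
    set_password(trainer, "first-pass")
    audit = AuditLog()
    t0 = time.time()
    session = Session(trainer, t0)
    print(authorize(session, audit, t0 + 60, "view_injury", "varsity"))   # allowed
    print(authorize(session, audit, t0 + 60, "view_injury", "jv"))        # wrong group
    print(authorize(session, audit, t0 + 2 * SESSION_IDLE_SECONDS, "view_injury", "varsity"))  # timed out
```

The audit entries record denials as well as successes, which is what makes an access review or an investigation possible later; a log that only records successful reads says nothing about attempted access outside a user's scope.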
Business Associate Agreement
The Health Information Technology for Economic and Clinical Health Act (HITECH) provisions of the American Recovery and Reinvestment Act of 2009 (ARRA) confer additional responsibilities on Business Associates who have access to Covered Entities’ Protected Health Information.
In some cases, Presagia may qualify as a Business Associate. At our customer’s request (if the customer is a Covered Entity), Presagia will sign a Business Associate Agreement, acknowledging that:
- Presagia will act as the custodian of the customer’s PHI data (because we manage the hosting servers);
- certain Presagia employees have access to the data on an as-needed and Minimum Necessary basis;
- Presagia will protect the privacy, confidentiality, integrity, and availability of that data, and will safeguard the PHI from unauthorized access and disclosure.
Presagia’s access to the hosting environment and our customers’ Protected Health Information is restricted via a number of security mechanisms. Only those Presagia employees who absolutely require it are given access credentials, for the purposes of managing the hosting environment and/or providing technical support to our customers. As a further measure of protection, any of Presagia’s employees who have such access are required to sign a Privacy and Non-Disclosure Agreement with their employer (Presagia), and are educated by Presagia on their responsibilities in this regard and on policies and procedures to ensure the protection of the PHI.
Below is an image of Presagia Sports’ role and group-based security model.