HIPAA Compliance

The Health Insurance Portability and Accountability Act (HIPAA) is designed to help protect people’s healthcare data. Organizations such as hospitals, doctors’ offices, health plans, or companies dealing with protected health information (PHI) are required to be HIPAA-compliant. This may also extend to companies that work with these businesses and come into contact with PHI on their behalf.

Here are some key terms you should know:

• Protected Health Information (PHI)

PHI is healthcare data relating to a patient and collected by a healthcare provider, employer, or plan. It includes names, social security numbers, phone numbers, medical history, current medical condition, test results, and more. PHI is the content that HIPAA aims to protect and keep private.

• Covered Entity

A covered entity is anyone who provides treatment, payment, and operations in healthcare. Examples include doctors, hospitals, pharmacies, insurance companies, and more. These covered entities are responsible for the privacy and security of health information.

• Business Associate

A business associate is anyone who has access to a patient’s information whether it is directly, indirectly, physically, or virtually. A business associate does not work under the covered entity’s workforce but instead performs some type of service on their behalf (i.e. a lawyer, a phone company, etc.). A business associate is subject to HIPAA rules.

• Business Associate Agreement (BAA)

A BAA is a contractual assurance from the business associate to the covered entity that they follow HIPAA’s requirements. This agreement must be in place before the transfer of PHI from the covered entity to the business associate. 

Is Process Street HIPAA compliant?

HIPAA is available on Process Street on our Enterprise plan. Please note that if you are on this plan and later downgrade to another plan, you will no longer be covered under the HIPAA compliance program anymore.

How do I enable HIPAA compliance?

You do not need to do anything to enable HIPAA compliance, we will do this for you once an Enterprise contract and BAA are in place.

What happens to Process Street when HIPAA compliance is enabled?

When HIPAA compliance is enabled, the following will happen:

• Enhanced File Security will be enabled.
• Form field values will be redacted in Approvals emails.

Additional product use considerations

• PHI storage should be limited to form fields, comments and attachments.
• You should not @mention someone in a comment that contains PHI.
• You should not use variables containing PHI in the Send Email form field.
• You should not use variables containing PHI in AI Tasks.
• Process Street is not an EHR (Electronic Health Record). Process Street does not maintain the designated record set and should not be the system of record for health information. Customers may not create Process Street accounts in their domain for their patients, patient family members, plan members, or any other external parties to communicate.
• When contacting Process Street support, you should not provide PHI in any support tickets. Please do not share PHI when on calls with Process Street representatives.

Additional data security options

1. Strengthen authentication

We recommend using SAML Single Sign-On (SSO) to add a layer of protection to your Process Street account.

2. Conduct regular access reviews

To ensure that any sensitive data in your Process Street account can only be accessed by appropriate people, we recommend that you frequently review the list of your members.