SolarWinds Service Desk HIPAA and HITECH Overview and FAQ

Frequently Asked Questions

  • In 2014, SolarWinds Service Desk announced its ability to support the HIPAA and HITECH regulations, as well as the ability to sign HIPAA Business Associate Agreements (BAAs) with customers. SolarWinds Service Desk is one of the few cloud-based application providers that signs HIPAA Business Associate Agreements (BAAs), demonstrating our ongoing investment in enterprise security, compliance and control for our customers.

  • HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. It is a U.S. federal law that requires specific security and privacy protections for Protected Health Information (PHI). More information about HIPAA can be found here.

    • The Health Information Technology for Economic and Clinical Health (HITECH) Act was signed into law in 2009, to promote the adoption and meaningful use of health information technology in the U.S.
    • In 2013, the final HIPAA Omnibus Rule implemented further statutory requirements, which greatly enhanced a patient's privacy rights and protections, including making all custodians of Protected Health Information (PHI), HIPAA Business Associates (BAs) among them, directly subject to the same security and privacy rules as Covered Entities under HIPAA.

    • The SolarWinds Service Desk service/platform meets the obligations required by HIPAA, HITECH, and the final HIPAA Omnibus ruling.
    • As a cloud service provider with many healthcare customers, SolarWinds Service Desk deemed it important to develop its own agreement that addresses those parts of HIPAA that are specific to the services it provides. SolarWinds Service Desk has worked with HIPAA legal experts to develop its own BAA, which is available for review on request by customers who want to be HIPAA ready. A signed BAA should be in place between SolarWinds Service Desk and the customer before any PHI is entered into SolarWinds Service Desk, i.e. before deployment starts.
    • SolarWinds Service Desk does not expect the SolarWinds Service Desk system to be used as cloud storage for medical records or medical information, but rather for service requests that may incidentally contain PHI. Customers who manage PHI should train their employees to handle PHI safely and to enter only the minimum amount of PHI necessary to create a service request in the SolarWinds Service Desk system.
    • To the extent that PHI is entered and stored in the SolarWinds Service Desk system in compliance with HIPAA's minimum necessary requirement, SolarWinds Service Desk will manage that PHI according to the HIPAA Security and Privacy Rules.
    • Customers are responsible for configuring SolarWinds Service Desk in a HIPAA compliant manner and for enforcing policies in their organizations to meet HIPAA compliance, including but not limited to the minimum necessary requirements.

  • There is no official government or industry certification for HIPAA compliance; HHS does not certify products or vendors as "HIPAA compliant". To support customers' HIPAA compliance, SolarWinds Service Desk has reviewed the HIPAA regulations and updated its product, policies and procedures accordingly. The controls in place include:

    • Data encryption in transit
    • Restricted physical access to production servers
    • Strict logical system access controls
    • Configurable administrative controls available to the customer to:
      • Grant explicit authorization to read, download or edit customer files
      • Monitor access
      • Report on, and keep an audit trail of, account activity for both users and content
    • Routine penetration testing by an external third party
    • Training of employees on security policies and controls
    • Highly restricted employee access to customer data files
    • In addition, SolarWinds Service Desk holds the following certifications and accreditations: SOC 2, ISO 27001, TRUSTe and Skyhigh Enterprise-Ready.

    Because the customer (the "user entity" in SOC 2 terms) controls who uses the application and what is entered into it, some controls are the customer's responsibility. These complementary user entity controls include:

    • Controls to provide reasonable assurance that instructions and information provided to SolarWinds Service Desk by the customer are in accordance with the provisions of the SolarWinds Service Desk Master Subscription Agreement with the customer, or other applicable governing agreements or documents between SolarWinds Service Desk and its customers.
    • Controls to provide reasonable assurance that only authorized individuals from the user entity are granted the ability to access, modify, and delete information from SolarWinds Service Desk’s application.
    • Controls to provide reasonable assurance that the user entity’s method for accessing SolarWinds Service Desk’s application is configured with proper logical security protocols.
    • Controls to provide reasonable assurance that the confidentiality of the user entity’s sensitive information is not compromised by its users.
    • Controls to provide reasonable assurance for defining and granting access to users permitted by the user entity.
    • Controls to provide reasonable assurance that user accounts and access permissions are correctly specified on an ongoing basis, including revoking accounts.

  • Yes, SolarWinds Service Desk has signed BAAs with several healthcare and life sciences customers to date.

    • SolarWinds Service Desk applies the same security and privacy controls for all of its customers.
    • However, customers who are required by law to comply with HIPAA, such as HIPAA Covered Entities and HIPAA Business Associates, must sign a HIPAA Business Associate Agreement (BAA) with SolarWinds Service Desk. To comply with HIPAA they must also configure SolarWinds Service Desk appropriately (for example, restricting who can view and edit requests that contain PHI) and enforce policies within their organizations to meet HIPAA requirements.

  • Yes, SolarWinds Service Desk has the ability to enter into a direct Business Associate Agreement (BAA) with the partner as well as directly with the partner’s customer as needed.

    • HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. HIPAA is a U.S. federal law that requires security and privacy protections for Protected Health Information (PHI). More information about HIPAA can be found here.

  • Protected Health Information (PHI) is individually identifiable health information that is created, received, maintained or transmitted by a HIPAA Covered Entity or Business Associate. It generally includes demographic information, medical history, test and laboratory results, insurance and payment information, and other data collected by a healthcare professional to identify an individual and determine appropriate care. In electronic form it is often referred to as ePHI.

  • Personally Identifiable Information (PII) is any information that, alone or in combination with other data, uniquely identifies a specific individual (for example name, date of birth, address or Social Security number). Protected Health Information (PHI) is the health-specific case: health, treatment or payment information that is linked to such identifiers and held by a Covered Entity or Business Associate. PHI therefore always contains or is tied to PII, but most PII (an employee's address in a password-reset ticket, for instance) is not PHI.

    • A HIPAA Covered Entity (CE) stewards Protected Health Information (PHI) and/or Personally Identifiable Information (PII) on patients in the process of providing health care or paying for care. HIPAA Covered Entities (CEs) fall into one of the following groups:
      • Healthcare providers:
        • Including doctors, clinics, psychologists, dentists, chiropractors, nursing homes and pharmacies that transmit any information in electronic form in connection with a transaction for which the U.S. Department of Health and Human Services (HHS) has adopted a standard.
      • Health plan:
        • Including health insurance companies, HMOs, company health plans and government programs that pay for health care (such as Medicare and Medicaid).
      • Health care clearinghouses:
        • Including entities that process non-standard health information they receive from another entity into a standard format (i.e., standard electronic format or data content), or vice versa.

    • A HIPAA Business Associate (BA) is a person or organization that conducts business with a HIPAA Covered Entity (CE) and creates, receives, maintains or transmits the Protected Health Information (PHI) that the covered entity stewards on behalf of the patient.
    • Business Associates (BAs) include vendors or services that do business with the HIPAA Covered Entity (CE). Examples are service organizations or vendors contracted by the HIPAA Covered Entity (CE) to provide software such as Electronic Health Records (EHRs), claims processing, data analysis, utilization review, billing, legal services, actuarial services, accounting services, consulting services, data aggregation, accreditation services or financial services. To be a HIPAA Business Associate (BA), an organization's work must involve the use or disclosure of Protected Health Information (PHI) on the covered entity's behalf. A subcontractor of a BA that handles PHI is itself a BA and must sign a BAA with the BA it serves.

  • A HIPAA Business Associate Agreement (BAA) is a legal contract between a HIPAA Covered Entity (CE) and a HIPAA Business Associate (BA) (or between a BA and its subcontractor) that defines the permitted uses and disclosures of PHI, requires the BA to implement appropriate safeguards, and obliges the BA to report breaches and to return or destroy PHI when the engagement ends.

  • The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, was signed into law on February 17, 2009, to promote the adoption and meaningful use of health information technology in the U.S.

  • Subtitle D of the HITECH Act addresses the privacy and security concerns associated with the electronic transmission of health information, in part, through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules.

    • The final Omnibus Rule, published by HHS in January 2013, implements the statutory changes made by the HITECH Act, which was itself enacted as part of the American Recovery and Reinvestment Act (ARRA) of 2009. The rule made the most sweeping changes to the HIPAA Privacy and Security Rules since they were first issued.
    • The Omnibus Rule greatly enhanced a patient's privacy rights and protections and incorporated the requirements of the Genetic Information Nondiscrimination Act of 2008 (GINA). It also strengthened the government's ability to enforce the HIPAA privacy and security protections, regardless of whether the information is held by a HIPAA Covered Entity (such as a health plan, a health care provider or a retail pharmacy) or by one of its third-party contractors acting as a HIPAA Business Associate.
