This spring, Ledidi underwent a HIPAA compliance examination by a US certified public accounting firm. The examination resulted in an AICPA AT-C 315 HIPAA compliance attestation report, which confirms that Ledidi complies with the applicable HIPAA compliance criteria. The report documents that Ledidi Core meets the examined criteria and can therefore be used for storing and managing patient data in the US in compliance with federal law.
“This confirmation that we meet the HIPAA requirements is important to demonstrate to our US customers that Ledidi Core is a safe choice for their health data management and analytics needs,” says Einar Martin Aandahl, CEO of Ledidi.
What is HIPAA?
HIPAA is the Health Insurance Portability and Accountability Act, a US federal law enacted in 1996 that, among other things, protects the privacy and security of patients' health information. HIPAA establishes national standards for protecting certain health information, called Protected Health Information (PHI): individually identifiable health information that is created, received, maintained or transmitted by a covered entity or its business associates.
HIPAA requires covered entities (health plans, healthcare clearinghouses and most healthcare providers), their business associates, and the business associates' subcontractors to implement specific privacy and security measures to protect PHI. The law is implemented through several rules, including the Privacy Rule, the Security Rule and the Breach Notification Rule, which set requirements for safeguarding PHI in electronic and non-electronic form.
As a service provider to, and therefore a business associate of, American healthcare and health research organisations, Ledidi must meet the requirements HIPAA places on business associates. Doing so protects PHI, maintains trust with US-based healthcare entities, and avoids the penalties that apply to non-compliance.
The HIPAA compliance examination focused on Ledidi’s alignment with the security and breach notification requirements of HIPAA. It was performed in accordance with the American Institute of Certified Public Accountants (AICPA) Statement on Standards for Attestation Engagements (SSAE) No. 18, AT-C Section 315, Compliance Attestation.
Compliance across international borders
Ledidi’s vision is to enable collaboration on health data on a global scale. Compliance with data protection laws and privacy regulations is non-negotiable, so data protection and privacy have been top priorities for Ledidi from the start.
“We’ve developed Ledidi Core to support multicenter studies and clinical registers across national borders and continents. Hence, it is imperative that we are able to satisfy the local requirements clinicians and researchers face when they are processing health data - in the EU, the US and on other continents,” says Aandahl.
Last fall, Ledidi obtained ISO/IEC 27001 certification, and we use current security technologies in all components that handle customer data so that our cloud solution can be used in compliance with GDPR requirements.
“This is also important for researchers and hospitals who want to establish transatlantic collaborations - with our solution being GDPR compliant, ISO-certified and HIPAA compliant, they are guaranteed compliance with privacy and data protection laws and regulations on both sides of the Atlantic.”
HIPAA requirements for suppliers
Here are some concrete legal HIPAA requirements for suppliers:
1: Business Associate Agreement (BAA): Suppliers must sign a BAA with the US-based covered entity or business associate they work with. The agreement sets out each party's responsibilities for protecting PHI, defines the permitted uses and disclosures of the information, and flows the relevant HIPAA obligations down to the supplier.
2: Privacy Rule: Suppliers must comply with the Privacy Rule, which sets standards for the use and disclosure of PHI. They must implement policies and procedures to ensure that PHI is accessed, used, and disclosed only for authorised purposes and only to the extent permitted by the BAA.
3: Security Rule: The Security Rule requires suppliers to implement appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of electronic PHI (ePHI). This includes access controls, encryption of ePHI at rest and in transit, regular risk analyses, and workforce training on security policies and procedures. Note that encryption is an "addressable" specification under the Security Rule: a supplier that does not encrypt must document why it is not reasonable and appropriate and what equivalent measure is in place instead.
4: Breach Notification Rule: In case of a breach involving unsecured PHI (PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorised persons, for example through encryption meeting HHS guidance), suppliers must notify the US-based covered entity or business associate without unreasonable delay and no later than 60 days after discovering the breach. The notification must identify, to the extent possible, each affected individual, and the supplier must cooperate with the entity in investigating the breach and mitigating any potential harm to affected individuals.
5: Document Retention: Suppliers must retain HIPAA-related documentation, such as policies, procedures, and BAAs, for a minimum of six years from the date of creation or the date it was last in effect, whichever is later.
6: Workforce Training: Suppliers must train the employees who handle PHI, ensuring they are aware of HIPAA regulations and the organisation's policies and procedures for data privacy and security.
7: Compliance Audits: Suppliers should regularly assess their compliance with HIPAA requirements through internal audits and the periodic risk analysis and evaluation the Security Rule requires, and remediate any gaps identified.
8: Cooperation with the US Department of Health and Human Services (HHS): In case of an investigation or compliance review by the HHS Office for Civil Rights (OCR), suppliers, including those based outside the US, must cooperate and provide the documentation needed to demonstrate their HIPAA compliance.