As Business Associate, Actual Reports ensures compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH), and their implementing regulations.
DPA Annex 2: HIPAA Compliance
Preamble
Definitions
- “PHI (Protected Health Information)” Any individually identifiable health information maintained or transmitted in any form, whether electronic, paper, or oral.
- “Business Associate (BA)” A person or entity performing services or functions for a Covered Entity involving the use or disclosure of PHI.
- “Covered Entity (CE)” A health plan, healthcare provider, or healthcare clearinghouse that transmits PHI in electronic form in connection with a HIPAA transaction.
- “Breach” An impermissible use or disclosure of PHI that compromises the security or privacy of the information.
- “Security Rule / Privacy Rule” The federal regulations under HIPAA that establish standards for the protection of electronic and other forms of PHI.
Scope of Business Associate
This Annex applies to all PHI that the Business Associate may access, use, disclose, or process in the provision of services to the Covered Entity. It supplements the Service Agreement and is intended to satisfy the applicable requirements under 45 CFR Parts 160 and 164.
Responsibilities as the Business Associate
• Use PHI only as required to perform contracted services or as required by law.
• Implement administrative, physical (if applicable), and technical safeguards in accordance with the HIPAA Security Rule.
• Report any PHI breach or unauthorized use/disclosure to the Covered Entity promptly.
• Ensure that subcontractors or agents who receive PHI are bound by equivalent HIPAA-compliant terms.
• Provide access, amendment, and accounting of disclosures of PHI when requested by the Covered Entity or data subject.
• Make internal records related to the use of PHI available to the U.S. Department of Health and Human Services upon request.
Storage, Uses and Disclosures of PHI Data
• As Business Associate, Actual Reports will not request any use or disclosure of PHI data for any purpose.
• PII and PHI data are transmitted and processed end to end through APIs over an encrypted channel.
• The Covered Entity shall mask PII and PHI in all test data before handing such test data over to Actual Reports.
• PDF files containing PHI will not be stored in the Actual Reports environment.
Responsibilities of the Covered Entity
• Notify the Business Associate of any changes in privacy practices or restrictions.
• Not request the Business Associate to use or disclose PHI in a manner not permitted under HIPAA.
• Coordinate with the Business Associate to ensure proper responses to PHI access and amendment requests.
Breach Notification
The Business Associate will notify the Covered Entity without unreasonable delay, but no later than 5 business days, upon discovering a breach of Unsecured PHI or any security incident that could compromise PHI integrity.