Kwiqreply complies with the Health Insurance Portability and Accountability Act (HIPAA) of 1996 and the Health Information Technology for Economic and Clinical Health (HITECH) Act. Kwiqreply maintains appropriate administrative, physical, and technical safeguards to provide for the continuing security and privacy of your PHI or ePHI.
1. Kwiqreply’s commitment to HIPAA compliance
Kwiqreply believes privacy and data protection are core aspects of trust in today’s
technology-driven world. We take our security and privacy commitment to you and your
customers very seriously. We are acutely aware that we need to earn and maintain your
trust on a daily basis.
Our commitment to ensuring that our customer data is safe, secure, and always available
to them is one of our top priorities.
2. Kwiqreply, HIPAA and the HITECH ACT
HIPAA regulations require that covered entities and their business associates (in this
case, Kwiqreply) enter into a contract to ensure that those business associates
adequately protect PHI. This contract, the Business Associate Agreement (BAA), clarifies
and limits how the business associate can handle PHI, and sets forth each party's
adherence to the security and privacy provisions outlined in HIPAA and the HITECH
Act. Once a BAA is in place, Kwiqreply customers (covered entities) can use its services
to process and store PHI.
Currently, there is no official certification for HIPAA or HITECH Act compliance.
However, Kwiqreply has undergone audits conducted by accredited independent auditors.
Under HIPAA, information about a person's health or healthcare services is classified as
Protected Health Information (PHI). Kwiqreply customers who are subject to HIPAA and
wish to use the Kwiqreply products with PHI must sign a BAA with Kwiqreply. Customers
are responsible for ensuring that they achieve compliance with HIPAA and HITECH Act
requirements.
We adhere to the HIPAA obligations by leveraging appropriate security configuration
options for all Kwiqreply products. Additionally, we make our Business Associate
Agreement (BAA) available for execution by subscribers.
3. Which Kwiqreply Customers Does HIPAA Apply To?
Kwiqreply customers that collect, transmit, and store PHI or ePHI are considered "Covered
Entities" under HIPAA. Covered entities bear the primary responsibility of ensuring
that their processing of PHI is compliant with HIPAA and the HITECH Act.
Kwiqreply acts as a "Business Associate," and shall transmit and store the Protected
Health Information (PHI) of our customers solely for the purpose of performing our
obligations under our existing contract(s) with our subscribers, and for no commercial
purpose other than the performance of such obligations and improvement of the services
we provide.
4. How Does Kwiqreply Comply with HIPAA?
At Kwiqreply, we ensure that our customer data is secure and easily accessible. The
Kwiqreply product is built on a foundation of trust, security, and compliance to ensure
that our internal data practices are HIPAA-ready. An equally important part for us is to
assist our customers and partners in their journey toward compliance. Customers can also
view the table below for more detailed information on how to use Kwiqreply Services to
comply with HIPAA and the HITECH Act.
With that in mind, we have the following details about the Kwiqreply 24/7 Answering
Software:
Cases | Feature | How it works
---|---|---
Storing & Managing Messages | Conversations | By default, Kwiqreply encrypts all messages to avoid storing or transmitting any PHI or sensitive information in the clear on Kwiqreply servers. We have features to encrypt the following: (1) all text in the conversation body; (2) any transfer of data; (3) single-tenant architecture for a higher level of data security for each account.
Customer Rights | Security | Customers can request the data of their conversations or agents. Kwiqreply will generate a link to fetch the database for specific customers.
Customer Rights | Security | Customers can delete or insert data for messages, multimedia, or contact details.
Frequently Asked Questions
“HIPAA” refers to the Health Insurance Portability and Accountability Act of 1996 and the rules and the regulations passed by the U.S. Congress designed to protect privacy and ensure the security of Personal Health Information (PHI) and electronic Personal Health Information (ePHI).
“HITECH” refers to the Health Information Technology for Economic and Clinical Health Act enacted in the United States Congress, which is Title XIII of the American Recovery & Reinvestment Act, and the regulations thereunder, as amended.
No. Under HIPAA, PHI is any identifiable health information that is used, maintained, stored, or transmitted by a HIPAA-covered entity (a healthcare provider, health plan or health insurer, or a healthcare clearinghouse) or by a business associate of a HIPAA-covered entity, in relation to the provision of healthcare or payment for healthcare services.
It is not only past and current health information that is considered PHI under the HIPAA Rules, but also future information about medical conditions or physical and mental health related to the provision of care or payment for care. PHI is health information in any form, including physical records, electronic records, or spoken information.
Therefore, PHI includes health records, health histories, lab test results, and medical bills. Essentially, all health information is considered PHI when it includes individual identifiers. Demographic information is also considered PHI under HIPAA rules, as are many common identifiers such as patient names, Social Security numbers, driver’s license numbers, insurance details, and birth dates when they are linked with health information. The 18 identifiers that make health information PHI are:
18 Identifiers that make health information PHI
- Names
- Dates (except year)
- Telephone numbers
- Geographic data
- Fax numbers
- Social Security numbers
- Email addresses
- Medical record numbers
- Account numbers
- Any unique identifying number or code
- Certification/license numbers
- Vehicle identifiers and serial numbers, including license plates
- Web URLs
- Device identifiers and serial numbers
- Full face photos and comparable images
- Internet protocol addresses
- Biometric identifiers (e.g., retinal scans, fingerprints)
- Health plan beneficiary numbers
One or more of these identifiers turn health information into PHI, and HIPAA Privacy Rule restrictions will then apply, which limit usage and disclosures of the information. HIPAA covered entities and their business associates also need to ensure appropriate technical, physical, and administrative safeguards are implemented to ensure the confidentiality, integrity, and availability of PHI, as stipulated in the HIPAA Security Rule.
What is Protected Health Information (PHI)?
It is any information relating to an identified or identifiable natural person. The identifiers are classified into two types: direct (e.g., name, email, phone number, etc.) and indirect (e.g., date of birth, gender, etc.).
HIPAA applies to healthcare providers, health plans, and healthcare clearinghouse services. These providers are required to handle patient personal health information in a way that meets defined security standards. When providers use third-party vendors or services (Business Associates) where personal health information might be stored, those Business Associates need to adhere to the standards as well. This agreement is contractually defined in a Business Associate Agreement (BAA). For additional information, refer to the US Department of Health and Human Services HIPAA covered entities website.
PHI stands for Protected Health Information and is any information in a medical record that can be used to identify an individual, which was created, used, or disclosed in the course of providing a healthcare service, such as a diagnosis or treatment.
ePHI is Electronic Protected Health Information and is all individually identifiable health information that is created, maintained, or transmitted electronically by mHealth and eHealth products. This includes PHI on desktop, web, mobile, wearable, and other technology such as email, text messages, etc.
The term “Business Associate” refers to those entities that perform a service related to claims processing or administration; data analysis processing or administration; utilization review; quality assurance; billing; benefit management; practice management; and repricing. For example, a third-party administrator that assists a health plan with claims processing would be considered a HIPAA “Business Associate,” and its customers would expect the administrator to be HIPAA compliant on their behalf.
Kwiqreply can enter into a Business Associate Agreement (BAA) with HIPAA covered customers. While customers have the ability to use Kwiqreply's 24/7 support channel in various ways to meet their business needs, HIPAA covered customers must select the correct configuration level and appropriately configure their Kwiqreply access controls and usage to help safeguard Protected Health Information (PHI) from misuse and wrongful disclosure.
Although Kwiqreply, as a Business Associate, is HIPAA compliant, ultimately, customers are responsible for evaluating their own HIPAA compliance. In addition, Kwiqreply should not be considered the ‘Designated Record Set’ holder under HIPAA.
Yes, Kwiqreply is HIPAA compliant when covered entities or business associates configure the platform correctly and have a business associate agreement with Kwiqreply.
Note that there is no certification recognized by the US Department of Health and Human Services (HHS) for HIPAA compliance. HIPAA compliance, specifically the relationship between a covered entity and a Business Associate, is a shared responsibility.
To provide assurance and external verification, Kwiqreply plans to undergo several audits regularly. These audits will test Kwiqreply's documentation and approach to security and privacy for datastores, infrastructure, and operations. Additionally, you might also want to review Kwiqreply's documentation related to privacy and terms.
The data of kwiqreply.io and app.kwiqreply.io customers will reside in the US on Microsoft Azure.
No. Having a BAA with Kwiqreply does not ensure your organization's compliance with HIPAA and the HITECH Act. Your organization is responsible for ensuring that you have an adequate compliance program and internal processes in place and that your particular use of Kwiqreply aligns with HIPAA and the HITECH Act.
Covered Entity – The HIPAA Covered Entity has the same meaning as the term “covered entity” at 45 CFR 160.103. The Privacy Rule defines a Covered HIPAA Entity as any health plan, any healthcare clearinghouse, or any healthcare provider who transmits Protected Health Information (or PHI as per the standards developed by the Department of Health & Human Services) in electronic form.
Business Associate – “Business Associate” has the same meaning as the term “business associate” at 45 CFR 160.103.
A "business associate" is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. A member of the covered entity's workforce is not a business associate. A covered healthcare provider, health plan, or healthcare clearinghouse can be a business associate of another covered entity. The Privacy Rule lists some of the functions or activities, as well as the particular services, that make a person or entity a business associate if the activity or service involves the use or disclosure of protected health information. The types of functions or activities that may make a person or entity a business associate include payment or health care operations activities, as well as other functions or activities regulated by the Administrative Simplification Rules.
Business Associate Agreement – A HIPAA business associate agreement is a contract between a HIPAA-covered entity and a vendor used by that covered entity. A vendor of the HIPAA-covered entity that needs to be provided with PHI to perform duties on behalf of the covered entity is called a business associate (BA) under HIPAA. A vendor is also classed as a BA if, as part of the services provided, electronic PHI (ePHI) passes through its systems. A signed HIPAA business associate agreement must be obtained by the covered entity before allowing a business associate to come into contact with PHI or ePHI.
HIPAA Rules – “HIPAA Rules” means the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164.
Penalties for HIPAA violation can be issued by the Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general. In addition to financial penalties, covered entities are required to adopt a corrective action plan to bring policies and procedures up to the standards demanded by HIPAA. The four categories used for the penalty structure are as follows:
- Tier 1: A violation that the covered entity was unaware of and could not realistically have avoided, even if a reasonable amount of care had been taken to abide by the HIPAA Rules.
- Tier 2: A violation that the covered entity should have been aware of, but could not have avoided even with a reasonable amount of care, while still falling short of willful neglect of the HIPAA Rules.
- Tier 3: A violation suffered as a direct result of "willful neglect" of the HIPAA Rules, in cases where an attempt has been made to correct the violation.
- Tier 4: A violation of the HIPAA Rules constituting willful neglect, where no attempt has been made to correct the violation.
Here are some links you can refer to for additional reading on HIPAA:
- HIPAA Omnibus Rule (the final regulations modifying the HIPAA Rules)
- Summary of the HIPAA Security Rule
- Summary of the HIPAA Privacy Rule
- Summary of the HIPAA Breach Notification Rule
Please feel free to ask questions and share concerns with us at kwiqreply.io.
HIPAA and the HITECH Act Overview
The Health Insurance Portability and Accountability Act (HIPAA) is a US healthcare law that establishes requirements for the use, disclosure, and safeguarding of individually identifiable health information. It applies to covered entities — doctors’ offices, hospitals, health insurers, and other healthcare companies — with access to patients’ protected health information (PHI), as well as to business associates, such as cloud service and IT providers, that process PHI on their behalf. (Most covered entities do not carry out functions such as claims or data processing on their own; they rely on business associates to do so.)
The law regulates the use and dissemination of PHI in four general areas:
- Privacy, which covers patient confidentiality.
- Security, which deals with the protection of information, including physical, technological, and administrative safeguards.
- Identifiers, which are the types of information that cannot be released if collected for research purposes.
- Codes for electronic transmission of data in a healthcare-related transaction, including eligibility and insurance claims and payments.
The scope of HIPAA was extended with the enactment of the Health Information Technology for Economic and Clinical Health (HITECH) Act. Together, the HIPAA and HITECH Act rules include:
- The HIPAA Privacy Rule, which focuses on the right of an individual to control the use of their personal information, and covers the confidentiality of PHI, limiting its use and disclosure.
- The HIPAA Security Rule, which sets the standards for administrative, technical, and physical safeguards to protect electronic PHI from unauthorized access, use, and disclosure. It also includes organizational requirements such as Business Associate Agreements (BAAs).
- The HITECH Breach Notification Final Rule, which requires giving notice to individuals and the government when a breach of unsecured PHI occurs.