The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that provides baseline privacy and security standards for medical information. The U.S. Department of Health and Human Services (HHS) is the federal agency responsible for creating the rules that implement HIPAA and for enforcing them. The HIPAA Privacy Rule establishes national standards to protect individuals' medical records and other protected health information (PHI) and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically.
What type of information is covered by HIPAA?
Under HIPAA, "health information" is any information (including genetic information) that is created or received by a health care provider, health plan, public health authority, employer, life insurance company, school or university, or health care clearinghouse and relates to:
- a person's past, present, or future physical or mental health or condition;
- treatment provided to a person; or
- past, present, or future payment for health care an individual receives.
The HIPAA Privacy Rule applies to "protected health information" (PHI), which includes all "individually identifiable health information" that is transmitted or maintained in any format or medium.
Applying this principle to current CDC guidance on COVID-19, employers may ask employees who report feeling ill at work, or who call in sick, questions about their symptoms to determine whether they have or may have COVID-19. Currently, these symptoms include, for example, fever, chills, cough, shortness of breath, or sore throat.
What type of information is collected by the Visitor Management system?
Organizations can customize the type of information collected by the VMS, but generally the following information is gathered at check-in:
- Country of origin (if required)
- Photo is taken for the badge
- Legal documents are signed
This data does not constitute protected health information: it is not connected to a visitor's health, condition, treatment or payment-related information, and it is kept in separate systems.
How should visitor data (independent of PHI) be protected?
Vendors that process visitor data should take every step to ensure that their people, processes and technology comply with data protection regulations and laws.
Organizations that undertake SOC2 Type 2 certification have demonstrated that they are able to securely manage client data, protecting both the interests of the client's organization and the privacy of its customers.
The following controls ensure that data collected through a SOC2 Type 2 certified visitor management vendor is protected to the highest degree:
- Security: To protect against unauthorized access, internal controls need to mitigate potential abuse or misuse of the platform, theft or unauthorized removal of data, and disclosure of personal information.
- Availability: To control access to the platform as set out in the contract and/or service level agreement with customers (specifically the minimum acceptable level of performance), internal controls need to monitor performance and availability.
- Processing Integrity: To assure that the intended purpose of the platform is achieved, internal controls need to monitor data processing and quality assurance procedures. The focus is on processing the right data at the right time.
- Confidentiality: To restrict access to confidential data, internal controls need to define security and data protection procedures.
- Privacy: To control the collection and use of personal information, internal controls need to protect personal information from unauthorized access.
We hope that when it comes to protecting PHI, this guide provides a clear, transparent picture of what to expect from your visitor management software vendor.