To our valued Customers and Business Partners,
The Department of Health and Human Services promulgated new amendments to the privacy, security, enforcement and breach notification regulations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), together with the changes required by the Health Information Technology for Economic and Clinical Health (HITECH) Act and the Genetic Information Nondiscrimination Act (GINA). Together these amendments make up the Omnibus Rule and affected organizations were required to comply with most provisions by September 23, 2013.
Pulsar360, Inc. has received questions from several Customers and Business Partners asking if Pulsar360, Inc. also complies with the provisions of the Omnibus Rule.
Pulsar360, Inc.'s position, based on our own internal review and after consultation with a nationally recognized HIPAA Security compliance expert, is that Pulsar360, Inc. is not a business associate within the meaning of the Omnibus Rule. The Omnibus Rule expands the definition of a business associate to include any party that "creates, receives, maintains or transmits protected health information" on behalf of a covered entity.
In the Omnibus Rule, HHS explains that "...data transmission organizations that do not require access to protected health information on a routine basis would not be treated as business associates." See 78 Fed. Reg. 5571 (January 25, 2013). This is consistent with its prior interpretation of the definition of "business associate," in which HHS stated that "entities that act as mere conduits for the transport of protected health information but do not access the information other than on a random or infrequent basis are not business associates." See 78 Fed. Reg. 5571.
Pulsar360, Inc. has always employed robust industry standard security and privacy measures to ensure the security and privacy of all our customers' data, whether covered by HIPAA or not. Our network is HIPAA compliant in its security. Further, we do not store any patient data. However since the Customer, and in some cases the Partner, has access to the PBX and is responsible for the security of user voicemail and portal passwords there, we can't control HIPAA compliance on a PBX. Additionally, if voicemail to e‐ mail is activated that would technically violate HIPAA if any caller left any PHI in the voicemail.
You can rest assured that Pulsar360, Inc. will be HIPAA–compliant and will sign business associate agreements if it becomes clear that the rules apply to Pulsar360, Inc. as well as to other service providers.
If you have any additional questions, please feel free to contact me directly at my email address, firstname.lastname@example.org.
Scott Grim CTO/CIO
What are you waiting for? Let's get started! Contact Us