
Updated March 15, 2022

HIPAA Compliance on Stedi

A growing number of companies are using Stedi’s APIs and resources to process, store, and transmit protected health information (PHI). Stedi enables covered entities and their business associates subject to the U.S. Health Insurance Portability and Accountability Act of 1996 (HIPAA) to use the secure Stedi environment to process, maintain, and store protected health information.

HIPAA Overview

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is legislation that is designed to make it easier for US workers to retain health insurance coverage when they change or lose their jobs. The legislation also seeks to encourage electronic health records to improve the efficiency and quality of the US healthcare system through improved information sharing.

Along with increasing the use of electronic medical records, HIPAA includes provisions to protect the security and privacy of protected health information (PHI). PHI includes a very wide set of personally identifiable health and health-related data, including insurance and billing information, diagnosis data, clinical care data, and lab results, including images and test results. The HIPAA rules apply to covered entities, which include hospitals, medical services providers, employer-sponsored health plans, research facilities, and insurance companies that deal directly with patients and patient data. The HIPAA requirement to protect PHI also extends to business associates.

HIPAA and EDI

Because PHI is often shared between business associates, electronic data interchange (EDI) systems often process and exchange this data. Additionally, EDI standards committees, like ANSI X12, publish specific implementation guidelines, like HIPAA TR3, which specify what data can and cannot be sent via electronic means.

Becoming a Business Associate

Under the HIPAA regulations, cloud service providers (CSPs) such as Stedi are considered business associates. The Business Associate Addendum (BAA) is a Stedi contract that is required under HIPAA rules to ensure that Stedi appropriately safeguards protected health information (PHI). The BAA also serves to clarify and limit, as appropriate, the permissible uses and disclosures of PHI by Stedi, based on the relationship between Stedi and our customers, and the activities or services being performed by Stedi.

Customers who wish to process PHI using Stedi’s APIs must review and sign Stedi’s standard Business Associate Addendum (BAA). This BAA takes into account the unique products Stedi provides, and outlines the responsibility model.

To review, accept, and manage the status of the BAA for your account, please request one directly by filling out our contact form.

HIPAA compliant products

Customers may use any Stedi product in an account designated as a HIPAA account, but they should only process, store, and transmit protected health information (PHI) in the HIPAA-eligible products defined in the Business Associate Addendum (BAA). Below is the latest list of HIPAA-eligible Stedi products:

  • EDI Core
  • Mappings
  • Converter

Stedi follows a standards-based risk management program to ensure that the HIPAA-eligible products specifically support the security, control, and administrative processes required under HIPAA. Using these services to store and process PHI allows our customers and Stedi to address the HIPAA requirements applicable to our utility-based operating model. Stedi prioritizes and adds new eligible services based on customer demand.

For more information about our business associate program, or to request new eligible services, please contact us.