Enhance is committed to protecting the privacy and security of Protected Health Information (PHI) in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act. As a healthcare technology provider, we understand the critical importance of safeguarding patient data and maintaining the trust of healthcare providers and their patients.
HIPAA (Health Insurance Portability and Accountability Act) is a federal law that establishes national standards to protect sensitive patient health information from being disclosed without the patient's consent or knowledge. HIPAA applies to covered entities (healthcare providers, health plans, and healthcare clearinghouses) and their business associates who handle PHI.
Enhance operates as a Business Associate under HIPAA. We enter into Business Associate Agreements (BAAs) with all covered entities that use our platform, ensuring that we are contractually obligated to protect PHI in compliance with HIPAA requirements. Our BAA outlines the permitted uses and disclosures of PHI, the safeguards we implement, and our breach notification procedures.
Enhance implements comprehensive administrative safeguards to ensure HIPAA compliance, including:
We maintain strict physical safeguards to protect the infrastructure that stores and processes PHI:
Enhance employs robust technical safeguards to protect the confidentiality, integrity, and availability of ePHI:
In the event of a breach of unsecured PHI, Enhance will notify affected covered entities without unreasonable delay and no later than 60 days after discovery of the breach, as required by the HIPAA Breach Notification Rule. We maintain detailed incident response procedures to quickly identify, contain, and remediate any potential breaches, and we cooperate fully with covered entities in fulfilling their breach notification obligations to affected individuals and the Department of Health and Human Services (HHS).
Enhance supports covered entities in upholding patient rights under HIPAA, including the right to access their health records, request amendments to their PHI, receive an accounting of disclosures, and request restrictions on certain uses and disclosures. Our platform is designed to facilitate these rights through built-in tools and workflows that make it easy for healthcare providers to respond to patient requests in a timely manner.
Enhance adheres to the HIPAA minimum necessary standard, which requires that access to PHI be limited to the minimum amount necessary to accomplish the intended purpose. Our role-based access controls and data segmentation features ensure that each user has access only to the specific information they need to perform their duties.
Enhance maintains Business Associate Agreements (BAAs) with all subcontractors and third-party service providers who may have access to PHI in the course of providing services on our behalf. These agreements ensure that all downstream entities are held to the same HIPAA compliance standards that we uphold.
We conduct regular internal audits and risk assessments to evaluate the effectiveness of our HIPAA compliance program. These assessments help us identify potential risks and vulnerabilities so we can implement corrective actions promptly. We also engage third-party auditors to perform independent assessments of our security controls and compliance posture.
All Enhance employees undergo mandatory HIPAA training upon hire and receive annual refresher training. Our training program covers HIPAA Privacy and Security Rules, proper handling of PHI, incident reporting procedures, and emerging threats. Specialized training is provided to employees whose roles involve direct access to PHI.
If you have questions about our HIPAA compliance practices or need to report a potential security concern, please contact our Privacy and Security team. We are committed to transparency and will work promptly to address any inquiries or concerns related to the protection of PHI.