HIPAA Overview
Last updated: June 29th, 2025.
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that establishes national standards for protecting patient health information. SMS-iT is committed to maintaining HIPAA compliance for healthcare organizations that use our platform to communicate with patients and handle Protected Health Information (PHI).
This document outlines SMS-iT's HIPAA compliance measures, including administrative, physical, and technical safeguards designed to protect the confidentiality, integrity, and availability of PHI.
SMS-iT serves as a Business Associate for covered entities and other business associates in the healthcare industry, providing secure communication solutions that meet HIPAA requirements.
Covered Entities and Business Associates
HIPAA applies to covered entities and their business associates:
Covered Entities
- Healthcare providers (doctors, hospitals, clinics, pharmacies)
- Health plans (insurance companies, HMOs, government health programs)
- Healthcare clearinghouses (billing services, community health information systems)
Business Associates
- Companies that provide services to covered entities involving PHI
- Technology vendors, consultants, and service providers
- SMS-iT acts as a Business Associate when providing services to healthcare organizations
SMS-iT's Role
When healthcare organizations use SMS-iT to communicate with patients or handle PHI, SMS-iT serves as a Business Associate and enters into a Business Associate Agreement (BAA) to ensure HIPAA compliance.
Business Associate Agreement (BAA)
SMS-iT enters into Business Associate Agreements with healthcare customers to establish the terms and conditions for handling PHI:
BAA Requirements
- Defines permitted uses and disclosures of PHI
- Establishes safeguards to protect PHI
- Requires reporting of security incidents and breaches
- Ensures return or destruction of PHI upon contract termination
- Allows covered entity to audit compliance
SMS-iT's Commitments
- Use PHI only as permitted by the BAA and HIPAA
- Implement appropriate safeguards to protect PHI
- Report any security incidents or breaches promptly
- Ensure subcontractors also comply with HIPAA requirements
- Make PHI available to individuals upon request
- Allow amendment of PHI when required
Obtaining a BAA
Healthcare organizations can request a Business Associate Agreement by contacting our compliance team at [email protected].
Protected Health Information (PHI) Protection
SMS-iT implements comprehensive measures to protect PHI in accordance with HIPAA requirements:
What is PHI?
Protected Health Information includes any individually identifiable health information that is:
- Created, received, maintained, or transmitted by a covered entity
- Related to past, present, or future physical or mental health
- Related to healthcare provision or payment
- Contains identifiers that could be used to identify an individual
PHI Identifiers
HIPAA identifies 18 types of identifiers that must be protected:
- Names and initials
- Geographic subdivisions smaller than a state
- Dates (birth, admission, discharge, death)
- Telephone and fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and license plate numbers
- Device identifiers and serial numbers
- Web URLs and IP addresses
- Biometric identifiers
- Full-face photographs
- Any other unique identifying number or code
Minimum Necessary Standard
SMS-iT adheres to the minimum necessary standard by:
- Limiting access to PHI to the minimum necessary for job functions
- Implementing role-based access controls
- Regularly reviewing and updating access permissions
- Training employees on minimum necessary principles
HIPAA Security Rule Compliance
SMS-iT implements the administrative, physical, and technical safeguards required by the HIPAA Security Rule:
Security Rule Requirements
- Ensure confidentiality, integrity, and availability of ePHI
- Protect against reasonably anticipated threats and hazards
- Protect against reasonably anticipated unauthorized uses or disclosures
- Ensure workforce compliance with security procedures
Implementation Specifications
SMS-iT addresses both required and addressable implementation specifications:
- Required: Must be implemented as specified
- Addressable: Implemented if reasonable and appropriate, or alternative measures documented
Administrative Safeguards
SMS-iT has implemented comprehensive administrative safeguards to protect PHI:
Security Officer (Required)
- Designated Security Officer responsible for HIPAA compliance
- Authority to develop and implement security policies
- Regular review and update of security measures
Workforce Training and Access Management (Required)
- Comprehensive HIPAA training for all employees
- Role-based access controls and user authentication
- Regular access reviews and permission updates
- Immediate access termination for departing employees
Information Access Management (Required)
- Formal authorization procedures for PHI access
- Unique user identification and authentication
- Automatic logoff after periods of inactivity
- Encryption of PHI in transit and at rest
Security Awareness and Training (Addressable)
- Periodic security updates and reminders
- Malware protection training
- Log-in monitoring and password management
- Security incident response procedures
Security Incident Procedures (Required)
- Formal incident response plan
- Immediate containment and assessment procedures
- Documentation and reporting requirements
- Corrective action and prevention measures
Contingency Plan (Required)
- Data backup and recovery procedures
- Disaster recovery and emergency mode operations
- Regular testing and revision of contingency plans
- Business continuity planning
Periodic Evaluation (Required)
- Regular security assessments and audits
- Compliance monitoring and reporting
- Continuous improvement of security measures
- Third-party security evaluations
Physical Safeguards
SMS-iT implements physical safeguards to protect systems, equipment, and facilities:
Facility Access Controls (Required)
- Controlled access to data centers and server rooms
- Multi-factor authentication for facility entry
- Visitor access controls and escort procedures
- 24/7 security monitoring and surveillance
Workstation Use (Required)
- Secure workstation configurations
- Automatic screen locks and session timeouts
- Restricted access to PHI processing systems
- Clean desk policies and secure storage
Device and Media Controls (Required)
- Secure disposal and reuse of electronic media
- Data sanitization and destruction procedures
- Inventory and tracking of devices containing PHI
- Secure transportation of electronic media
Technical Safeguards
SMS-iT implements technical safeguards to control access to PHI and protect its integrity:
Access Control (Required)
- Unique user identification for each user
- Emergency access procedures for urgent situations
- Automatic logoff after predetermined time periods
- Encryption and decryption of PHI
Audit Controls (Required)
- Comprehensive logging of PHI access and modifications
- Regular review of audit logs and access patterns
- Automated monitoring for suspicious activities
- Long-term retention of audit records
Integrity (Required)
- Protection against unauthorized alteration or destruction
- Digital signatures and checksums for data integrity
- Version control and change tracking
- Regular integrity verification procedures
Person or Entity Authentication (Required)
- Multi-factor authentication for system access
- Strong password policies and requirements
- Regular authentication credential updates
- Biometric authentication where appropriate
Transmission Security (Required)
- End-to-end encryption for PHI transmission
- Secure communication protocols (TLS 1.2+)
- Network security monitoring and intrusion detection
- Secure email and messaging systems
Breach Notification Procedures
SMS-iT has established procedures to detect, assess, and report security breaches involving PHI:
Breach Definition
A breach is an impermissible use or disclosure of PHI that compromises the security or privacy of the information, unless the covered entity or business associate demonstrates a low probability of compromise.
Breach Assessment
SMS-iT conducts a risk assessment for each security incident to determine if it constitutes a breach, considering:
- Nature and extent of PHI involved
- Unauthorized person who used or received the PHI
- Whether PHI was actually acquired or viewed
- Extent to which risk has been mitigated
Notification Timeline
- Business Associate to Covered Entity: Without unreasonable delay, no later than 60 days
- Covered Entity to HHS: Within 60 days of discovery
- Covered Entity to Individuals: Within 60 days of discovery
- Media Notification: If breach affects 500+ individuals in a state/jurisdiction
Breach Response
- Immediate containment and mitigation measures
- Forensic investigation and root cause analysis
- Implementation of corrective actions
- Enhanced monitoring and prevention measures
Audit and Logging
SMS-iT maintains comprehensive audit logs to monitor PHI access and system activities:
Audit Log Contents
- User identification and authentication events
- PHI access, modification, and deletion activities
- System configuration changes
- Failed access attempts and security violations
- Administrative actions and privilege escalations
Log Management
- Centralized log collection and storage
- Tamper-evident log protection measures
- Regular log review and analysis
- Long-term retention (minimum 6 years)
- Automated alerting for suspicious activities
Audit Reporting
- Regular audit reports for covered entities
- On-demand access to audit logs
- Compliance reporting and metrics
- Incident investigation support
Employee Training and Awareness
SMS-iT provides comprehensive HIPAA training to all employees who may have access to PHI:
Training Program
- Initial HIPAA training for new employees
- Annual refresher training and updates
- Role-specific training based on job responsibilities
- Security awareness and best practices
- Incident response and reporting procedures
Training Topics
- HIPAA Privacy and Security Rules
- PHI identification and handling procedures
- Minimum necessary standards
- Access controls and authentication
- Breach prevention and response
- Physical and technical safeguards
Training Documentation
- Training completion records and certificates
- Regular assessment and testing
- Ongoing competency evaluation
- Remedial training when necessary
Compliance Monitoring and Auditing
SMS-iT maintains ongoing compliance monitoring and conducts regular audits:
Internal Audits
- Regular internal HIPAA compliance assessments
- Security control testing and validation
- Policy and procedure reviews
- Risk assessments and vulnerability scans
External Audits
- Third-party security assessments
- Penetration testing and vulnerability assessments
- Compliance certifications (SOC 2, HITRUST)
- Customer audit support and documentation
Continuous Improvement
- Regular policy and procedure updates
- Implementation of new security technologies
- Industry best practice adoption
- Regulatory change monitoring and compliance
Compliance Reporting
- Regular compliance status reports
- Audit findings and remediation tracking
- Risk assessment results and mitigation plans
- Regulatory filing and documentation