As a medical courier, Am-Tran is responsible for transporting packages that include Protected Health Information (PHI) on behalf of hospitals, laboratories, and pharmacies. As such, we enforce strict protocols amongst all our staff to adhere to HIPAA standards for protecting PHI.
What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA), enacted in 1996, establishes national standards for the transmission of protected healthcare information (PHI) with the goal of ensuring patient privacy. HIPAA also defines health records and determines who has the right to access such records and for what purpose.
What is PHI?
PHI stands for Protected Health Information and is carefully protected under HIPAA regulations. The HIPAA Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.
Where do couriers encounter PHI?
Am-Tran couriers transport the following items that contain PHI and for which there are careful safety and confidentiality protocols in place:
- Medical specimens between hospitals, clinics, laboratories, and at times airports
- Pharmacy products between pharmacies and hospitals, assisted living facilities and patient homes
In the course of delivery, Am-Tran dispatchers, drivers, and administrators may encounter PHI like demographic data (names, addresses, dates of birth) as well as information about an individual's past, present or future health condition. As such, all Am-Tran employees are HIPAA certified and undergo rigorous safety training each year.
Our security measures to protect PHI
We establish PHI safety and security protocols with each new customer, facility, etc. In each instance, our overarching strategy is the same: create processes that move packages through the delivery system such that no electronic PHI is collected that connects a patient to a medical condition, any visible PHI is limited to a name and address, and all packages with PHI are sealed and accounted for as part of the delivery (we retain no PHI).
Limit any visible PHI
Physically, PHI visible outside a sealed container is not sufficient to actually connect an individual to their past, present or future medical condition. PHI that does make a connection exists within the packages being transported, but those packages are sealed and all PHI is turned over to the recipient upon delivery.
Limit any electronic PHI
Electronic PHI also cannot be connected to both an individual and a medical condition. Beyond the name and address (and occasionally a birthdate), the only additional references pertain to the temperature at which the package must be maintained during transport.
Administrative and Physical Safeguards
With this in mind, Am-Tran believes its risk of PHI disclosure is low. Nevertheless, we have several controls in place to further mitigate the limited risk that exists.
Restricted access to sensitive information
Access to PHI is limited to essential personnel, each of whom has been trained in the proper use and protection of PHI.
Electronic access to limited PHI (name, address, birthdate) is password protected, and the portal allowing access to PHI over the internet has a Secure Sockets Layer (SSL) certificate ensuring an encrypted connection. The enterprise software provider (Key Software Systems, dba Xcelerator) responsible for our PHI stores its data on Rackspace servers located around the country. Those servers are password and firewall protected, and we have received a third-party audit of their system.
Physical items containing PHI are turned over to our customers with each delivery. Packages containing PHI that are undeliverable are returned to the customer.
Rigorous safety training
All personnel with access to PHI must complete a training course in HIPAA awareness prior to taking custody of any package containing PHI, and that course must be repeated at least annually. In the event of a violation of PHI policies, an incident report is issued to the appropriate customer, all personnel involved in the incident are sanctioned, and they go through a retraining process prior to accessing any further PHI. Certificates of completion are maintained electronically for all individuals with access to PHI and are made available to our customers at any time.
Facility and Vehicle Access and Control
Am-Tran’s office does not contain any PHI. PHI under the Company’s control at customer locations is always in the custody of trained personnel or locked away. Delivery vehicles are locked at all times.
Workstation and Device Security
All workstations and devices are password protected. Electronic data is transmitted between workstations and devices via a secure SSL portal. It is not necessary in the course of work to transfer PHI to any sort of electronic media, and as a matter of policy no PHI may be downloaded.
Periodic assessments
Am-Tran assesses PHI security with the acquisition of a new customer or the establishment of a new process. This effectively enables the Company to regularly keep PHI security in the forefront, and to build awareness into the entire Company culture.
Why is HIPAA compliance important for couriers?
It is vital that medical couriers treat all patient information as private. This includes patient records, information on patients, samples, and any patient information that has been overheard while working in the laboratory or physician office. Leaked personal health information not only infringes on personal privacy but can also put a covered entity, such as a medical courier, in a position of risk and liability. Any medical courier must follow HIPAA standards for protecting patient privacy and train their employees to do so as well.
Conclusion
Am-Tran is very aware of its responsibility for PHI security as a business associate of many covered entities. It has established policies to reduce its exposure to PHI to an absolute minimum, and to further mitigate risk by creating various safeguards including access restriction, training, device security, and awareness. Taken in total, we believe that it has met and exceeded both the letter and intent of the regulations.
Safety is a top priority at Am-Tran. We enforce fundamental safety certifications for HIPAA and Bloodborne Pathogen Awareness as well as advanced safety certifications like Formaldehyde Awareness and Chemotherapy (cytotoxic drugs) handling. Rest assured our couriers are expertly trained to handle your sensitive medical transports.