At Crisalix, we take all necessary measures to comply with the strictest privacy and security regulations, including HIPAA guidelines. The Crisalix system is designed to allow customers to meet such requirements under applicable patient privacy laws, and Crisalix further takes all reasonable measures to limit the use or disclosure of protected health information (PHI) to the minimum needed to provide the services it has agreed to deliver to its customers.
Although Crisalix is not a covered entity and is not directly subject to the privacy and security provisions of the Health Insurance Portability and Accountability Act ("HIPAA"), we recognize the significant effect that HIPAA has on our customers. Accordingly, we protect patient privacy and confidentiality in a manner that comports with HIPAA and other applicable laws and regulations. The Crisalix simulation system is used to transmit, store and manipulate digital images via the Internet, and those images can contain PHI (patient identifiers, photos, etc.). We have prepared this statement to provide a brief overview of how the HIPAA Privacy and Security Rules pertain to 3D simulations.
The Health Insurance Portability and Accountability Act (HIPAA) has two rules of importance for your practice in relation to the use of Crisalix: the Security Rule and the Privacy Rule, both of which fall under the part of HIPAA known as Administrative Simplification. Both rules have some influence on the transmission, storage and management of patient images.
Security Rule: The HIPAA Security Rule became effective on April 21, 2003. The Security Rule is intended to protect the confidentiality, integrity and availability of PHI held or transmitted in electronic form. It establishes requirements that govern a medical practice's storage, maintenance and transmission of electronic PHI in a "secure electronic environment." This involves administrative procedures and physical safeguards as well as technical measures to control and monitor access to PHI and to prevent unauthorized access to data during transmission.
Privacy Rule: The HIPAA Privacy Rule, which covers the use and disclosure of protected health information (PHI), became effective on April 14, 2001. Covered entities, including medical practices, were required to be compliant with the Privacy Rule by April 14, 2003.
The Privacy Rule requires that practices make reasonable efforts to limit the use and disclosure of PHI by staff members to the "minimum necessary" to perform their duties. Practices are also expected to minimize the likelihood of "incidental disclosures" to persons who have no legitimate need to view PHI. Further, practices must keep an account of certain PHI disclosures, namely those made for purposes other than a patient's treatment, payment and health care operations, so that the patient can request a record of them.
Crisalix has compiled the following suggestions to help your practice manage patient images in a responsible and HIPAA-compliant manner while using Crisalix:
- Ensure that you have express (preferably written) authorization from patients to use Crisalix’s services.
- Store your passwords securely, where unauthorized personnel and patients cannot access them, and do not share accounts between staff members.
- Set up individual user accounts on your computers that require each user to sign in with a password.
- Always exit or sign out of your Crisalix account when not using it.
- When using Crisalix with photos of patients, identify each patient by a unique identifier rather than by name, to enhance privacy.
- Develop standard operating procedures (SOPs) requiring that any use of patients' images be documented.
- Maintain your laptop, computer and digital camera in safe locations with limited access inside your practice.
- Maintain a copy of your Crisalix Users Agreement (completed at the time of your Crisalix subscription).