The Health Insurance Portability and Accountability Act (“HIPAA”) requires certain companies and individuals to take steps to protect medical records and other types of sensitive information. Under HIPAA, this information is called “protected health information” or “PHI” for short. HIPAA prohibits disclosing PHI under some circumstances and requires people and companies who handle PHI to take certain steps to protect PHI. For example, HIPAA requires electronic PHI to be “encrypted” when it is in transit. While HIPAA restricts who can access PHI and when it can be disclosed, doctors, counselors, and social workers can communicate with foster parents and each other for treatment purposes without a signed authorization. (45 C.F.R. § 164.502(a)(1) (2009).)
Additionally, covered entities may disclose health care information to individuals, parents, and other representatives, including persons who are acting in loco parentis (persons having the authority to act on behalf of the child in making health care decisions), without a signed authorization. HIPAA defers to state law in defining who is an appropriate representative for a minor. (45 C.F.R. § 164.502(g)(3) (2009).)
HIPAA also gives patients, parents, foster parents and guardians certain rights with respect to their, or their children’s, PHI. PHI belongs to patients, parents or other legal guardians. This means they can share their children's PHI with whomever they want, including FosterCare.Team. We encourage everyone to be careful about sharing PHI and other sensitive information and, as you will see below, we take steps to make sure any PHI or information you share with us is safe and secure. Additionally, just because you can share PHI, it doesn't mean you should. For example, we do not encourage counselors to upload unsecured session notes into FosterCare.Team for the entire team to read. If it's not something you would share in person with everyone on the team, then don't share it on FosterCare.Team with everyone on your team. Instead, session notes can be uploaded to your team with custom access privileges limiting who on the team can access the information.
HIPAA applies to “covered entities” and “business associates.” Covered entities include hospitals, doctors, insurers and, sometimes, employers. Business associates are entities that perform certain tasks for covered entities. Business associates include lawyers, accountants, medical record companies and other entities that store or transmit PHI to and/or from covered entities.
FosterCare.Team is not considered a covered entity or a business associate. This is the assessment of multiple HIPAA attorneys and multiple consulting firms that specialize in ensuring companies are HIPAA compliant. FosterCare.Team is a private, pay-to-access site where professionals responsible for the care, well-being, and supervision of a foster child can upload information, including PHI, for viewing by other members of their private foster care team who are also responsible for the care, well-being, and supervision of the foster child.
Absolutely. FosterCare.Team recognizes foster parents, guardians, caseworkers, and others use our website to share sensitive information and sometimes PHI. We want to make sure that information is safe and secure and viewed by people you have authorized to view it. We also want our agency partners to feel comfortable working with us, so we take steps required by HIPAA to protect your information and we are willing to sign a BAA with your agency.
Often, the loss or compromise of protected health information could cause irreparable damage to an agency's reputation, if not even more serious legal penalties. To ensure our customers are protected, we make sure the technical controls, backup management, safeguards, and physical security policies are in place, all to verify that your data is secured to HIPAA and industry standards.
Most foster care agencies are extremely diligent regarding HIPAA compliance, and they should be because the cost of HIPAA violations can be up to $50,000 per record! Plus, securing PHI and ePHI is the right thing to do. While most agencies have great policies and procedures about how they manage and store that PHI once they have it, many agencies overlook how they collect that PHI from birth parents, foster parents, and others.
Typically, this information is transmitted to foster care agencies via email, text message, or even Facebook messages. The documents sent could include prescription information, mental health diagnoses, general health information, completed medical forms, etc. All of those items are considered PHI and all of those methods of communication are unsecured and sent without encryption in violation of HIPAA guidelines. Even if an agency uses a secure messaging solution to upload formal medical documentation, they're still missing the informal PHI that is included in unsecured, casual communication between caseworkers and others.
That's where FosterCare.Team steps in and offers a secure, encrypted method for communicating all information, including PHI. This can include casual communication or formal communication requiring digital signatures with a detailed audit trail and signature evidence package.
With our Microsoft Outlook plugin, we make caseworker-initiated messages convenient, easy, and HIPAA compliant. It's accessible from a familiar system they use every day. A click of a toolbar button in Outlook allows agency employees to send secure, HIPAA compliant email and text message notifications. Furthermore, these notifications and their responses are all automatically recorded within the appropriate team. Like all our posts within a team, access permissions can be set for the entire team or only certain members of the team. This makes the entire communication thread HIPAA compliant, not just the initial send.
Minimize Risk of Loss and Theft
Minimize Risk of Damage
Advanced Fire Prevention Infrastructure
Security Zones
Entry Security - Access Controls
Uninterruptible Power Supplies (UPS)
Your data is continuously protected by our robust Guardian backup solution. Guardian continuously captures our entire system configuration to an off-site facility for disaster recovery. Guardian uses replication, synchronization, and point-in-time snapshots to provide protection of our complete server environment, so our Sonar® Monitoring team can recover our exact server configuration in the case of a catastrophic event. When you pair the Guardian backup solutions with our state-of-the-art, secure Data Center - featuring SSAE-16, PCI compliance, Safe Harbor Certification, and 24x7x365 on-site support - our data center can ensure unparalleled uptime and safeguard against data loss in even the most extreme circumstances.