HIPAA Compliance

Last updated: January 2024

myHealthTrack, Inc. ("myHealthTrack," "we," "our," or "us") is committed to protecting the privacy and security of patient health information in compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH).

1. Our HIPAA Commitment

myHealthTrack operates as a Business Associate under HIPAA when we receive, process, or transmit Protected Health Information (PHI) on behalf of Covered Entities — including hospitals, physician practices, health systems, and health plans. We execute a Business Associate Agreement (BAA) with every partner organization before any PHI is shared.

2. What Is Protected Health Information (PHI)?

PHI includes any individually identifiable health information that we create, receive, transmit, or maintain on behalf of a Covered Entity. This includes:

  • Patient names, dates of birth, and contact information
  • Medical record numbers and account numbers
  • Diagnosis, procedure, and condition information
  • Health plan beneficiary numbers
  • Biometric identifiers such as fingerprints and voiceprints
  • Full-face photographs and comparable images
  • Any other unique identifying numbers or codes

3. Safeguards We Maintain

Administrative Safeguards

We maintain a comprehensive HIPAA compliance program that includes:

  • Designation of a Privacy Officer and a Security Officer
  • Regular workforce training on HIPAA requirements and privacy practices
  • Written policies and procedures governing the use and disclosure of PHI
  • Sanction policies for workforce members who fail to comply with our policies
  • Regular risk assessments to identify and mitigate vulnerabilities

Physical Safeguards

  • Secure data centers with physical access controls
  • Workstation use policies and device controls
  • Media controls governing the use and disposal of media containing PHI

Technical Safeguards

  • End-to-end encryption of PHI in transit (TLS 1.2 or higher)
  • Encryption of PHI at rest using AES-256
  • Access controls and unique user identification for all systems containing PHI
  • Automatic logoff from sessions containing PHI
  • Audit logs tracking access to and modifications of PHI
  • Integrity controls to prevent improper alteration or destruction of PHI

4. Business Associate Agreements

Before receiving any PHI from a Covered Entity, myHealthTrack executes a Business Associate Agreement (BAA) that:

  • Describes the permitted and required uses and disclosures of PHI
  • Requires us to use appropriate safeguards to protect PHI
  • Requires us to report breaches and security incidents to the Covered Entity
  • Requires us to ensure that any subcontractors who handle PHI on our behalf agree to the same restrictions
  • Requires us to return or destroy PHI upon termination of the agreement

Partners wishing to review or execute a BAA should contact our Privacy Officer at [email protected].

5. Permitted Uses and Disclosures

We use and disclose PHI only as permitted by our BAAs and as permitted or required by HIPAA, including:

  • To provide the services described in our partner agreements
  • For our own management and administration
  • As required by law
  • To report violations of law to appropriate authorities

We do not sell PHI and do not use PHI for marketing purposes without explicit authorization.

6. Breach Notification

In the event of a breach of unsecured PHI, myHealthTrack will:

  • Notify affected Covered Entities without unreasonable delay and within 60 days of discovery
  • Provide notification to affected individuals as required under our BAA
  • Cooperate fully with Covered Entities in any required notifications to the Secretary of HHS

7. Patient Rights

Patients whose PHI myHealthTrack processes on behalf of a Covered Entity have rights under HIPAA, including the right to:

  • Access their PHI
  • Request amendments to their PHI
  • Request an accounting of disclosures
  • Request restrictions on certain uses and disclosures
  • File a complaint with the Secretary of HHS if they believe their rights have been violated

Patients should direct these requests to the Covered Entity (their provider or health plan) that shared their information with us, as myHealthTrack processes PHI on behalf of those entities.

8. Contact Our Privacy Officer

For questions about our HIPAA compliance practices, to request a BAA, or to report a potential compliance issue, please contact:

Privacy Officer
myHealthTrack, Inc.
Email: [email protected]
Phone: 844-MH-TRACK

Complaints may also be filed directly with the U.S. Department of Health & Human Services, Office for Civil Rights at hhs.gov/hipaa/filing-a-complaint.