The most commonly asked question is: "How does NPAR comply with HIPAA requirements?"
HIPAA expressly permits the sharing of patient medical records for treatment purposes, subject to patient consent and appropriate safeguards.
HIPAA explicitly allows disclosure of PHI for treatment, payment, or healthcare operations without patient consent (see 45 CFR §164.506). However HIPAA allows covered entities to institute stricter consent policies if they so choose.
NPAR provides a mechanism for flagging patients who have withheld their consent. Any NPAR searches that match such a patient will be blocked, with an override option in case of a life-threatening emergency.
NPAR enters into a Business Associate Agreement with each client. Among other obligations, NPAR will:
- Use appropriate safeguards to prevent unauthorized use or disclosure of Protected Health Information ("PHI"),
- Implement appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of PHI,
- Report any inappropriate use or disclosure of PHI to our client facilities,
- Allow our client facilities to view the data they provided to NPAR,
- Allow our client facilities to examine our policies, procedures, and records pertaining to Protected Health Information.
As part of the NPAR subscription agreement, each client facility agrees to use the data in NPAR for treatment purposes only. There is a reminder to that effect on the user login screen.
NPAR provides multiple levels of IT security, to help preclude inadvertent exposure of PHI and to detect inappropriate usage:
- A valid ID and password are required in order to access patient data,
- Secure network connections are used for all data transfers,
- All patient data is encrypted while "at rest",
- NPAR's Upload Manager hashes and encrypts SSNs before they are sent to the NPAR server,
- NPAR logs all user activity,
- NPAR has automated and manual checks for unusual activity, and
- NPAR servers are located in hardened facilities with redundant power and networking, biometric access controls, and 24x7 staff.