HIPAA Policy
Aremedis provides telemedicine consultation services. Telemedicine consultation involves the use of videoconferencing, telephone calls, secure messaging or other electronic communications technology to enable healthcare providers at different locations, including international locations to share individual patient medical information for the purpose of providing improved patient care. Telemedicine consultation may also include the use of artificial intelligence technology to take notes during or transcribe consultation sessions.
Purpose & Scope
The Aremedis HIPAA policy is intended to address how Aremedis will protect patient’s protected health information (PHI) while providing the telemedicine consultation services and/or maintaining any remote access to PHI.
Responsibility
Aremedis Privacy Officer for HIPAA Compliance is Dr. Kamilah Spencer at care@aremedis.com.
Policy Guidelines
All efforts have been made to ensure the security of patient’s PHI through use of HIPAA compliant devices and telehealth platforms for both the patient and clinical staff. We sign Business Associate Agreements (BAAs) with all telehealth platform vendors or others that may create, receive, maintain or transmit electronic protected health information (PHI) as part of our telehealth processes to ensure HIPAA compliance. All other contingencies are made; the Security Officer has reviewed our policies and procedures to ensure that we are HIPAA complaint and have mitigated any risks, including updating the security risk analysis with any changes resulting from the use of telehealth.
Aremedis protects and controls access to its platform, devices, and PHI. All platform users (patient, designated caregiver, provider, staff, vendor, etc.) have individual unique access credentials that require authentication. PHI is encrypted while stored and if transmitted outside of the platform. Use or storage of PHI on personal devices is strictly prohibited. Providers, staff, and vendors are prohibited from accessing the PHI remotely unless they utilize a secure and encrypted network. Any device used to access the platform and/or PHI must maintain protection, including firewalls, antivirus software, security fixes from developers. The Aremedis platform shall capture a log of user activity and PHI access and maintain the information for a minimum of six (6) years. The extent Aremedis uses artificial intelligence (AI) to collect, record, review or analyze PHI, the AI use and access to PHI is limited to the purposes of the platform and Aremedis. The AI should be a closed loop system that does not share or transmit the PHI or information about the PHI outside of Aremedis or the platform; nor does the AI use the PHI for any machine learning, large language models, or other ancillary purposes.
Training
Aremedis shall have All Provider/Staff training at least once per year to review policies and procedures regarding the protection of PHI. When new providers or staff are engaged/hired, Aremedis shall train them regarding current policies and procedures to regarding protection of PHI. Aremedis shall maintain documentation and sign certifications of training participation. Aremedis shall require vendors and service providers who are subject to a Business Associate Agreement (BAA) to provide details of their staff training regarding protection of PHI. In the absence of such training, Aremedis may require vendors and service providers to participate in the Aremedis training for its providers and staff.
Breach Notification
In the event of a breach, as defined by HIPAA regulations (an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information) Aremedis will notify affected users within sixty (60) days or as soon as required by the most stringent applicable law. Notice shall be in writing and sent by U.S. Mail unless Aremedis has obtained user consent for notice by electronic mail. Aremedis shall comply with all other HIPAA regulations regarding notice or the most stringent applicable law. Aremedis shall require vendors and service providers to provide prompt notice to Aremedis of any breach affecting PHI in their respective Business Associates Agreements (BAA).
Upon notice of any breach, Aremedis shall save separately audit trails and user activity logs for the platform for at least ninety (90) days preceding the estimated date of the breach. Aremedis shall engage platform developers and/or information technology experts to investigate and determine the status, extent, cause, and/or source of the breach. Aremedis shall engage platform developers and/or information technology experts to repair or remedy the breach or employ platform upgrades or modifications to prevent similar recurrent breaches. Aremedis shall identify any operational or training modifications necessary for providers, staff, or vendors, to prevent similar recurrent breaches.
1 Synaptiq, LLC d/b/a Aremedis, is a Georgia limited liability company organized under the laws of the state of Georgia, in the United States of America. Synaptiq, LLC d/b/a Aremedis is registered as a foreign business and authorized to do business in Grenada.
