At B & B Benefits International (“B & B Benefits”, “we”, “us”, “our”), we take all necessary measures to comply with the most stringent privacy and security regulations. In addition to complying with the EU's General Data Protection Regulation (“GDPR”), we work hard to meet or exceed industry standards with respect to the U.S. Health Insurance Portability and Accountability Act ("HIPAA") of 1996.
What is HIPAA? The Health Insurance Portability and Accountability Act (HIPAA) establishes two important rules in connection with the use of protected health information: the security provision and the privacy provision, both of which fall under a general HIPAA category called the Administrative Simplification Act. Both provisions affect the transmission, storage, and management of protected health information.
Security Provision: The HIPAA security provision became effective on April 21, 2003. Its purpose is to protect confidential medical information. The security provision establishes guidelines for the storage, maintenance, and transmission of protected health information in a "secure electronic environment". This includes administrative procedures and physical safeguards, as well as technical measures to control and monitor access to protected health information and to prevent unauthorized access to data during transmission.
Privacy Rule: HIPAA's privacy rule addresses the use and disclosure of protected health information and became effective April 14, 2001. The Privacy Rule requires service providers to make reasonable efforts to limit the use and disclosure of protected health information by staff to the "minimum necessary" to perform their services. Service providers are further expected to limit the likelihood of "inadvertent disclosure" to individuals who have no reasonable need to know as a matter of law. In addition, service providers must maintain a log of disclosures of certain protected health information that is not directly related to the patient's care.
Our Policy: To implement these requirements for business associates and to protect the confidentiality and integrity of the protected health information we receive, our HIPAA Policy sets forth the following:
It provides that B & B Benefits will retrieve and use confidential protected health information provided by its users only to the extent necessary to perform customer service and support.
It restricts access to such data to those employees and agents who provide specific service and support.
It prohibits the disclosure of protected health information provided by users to anyone who is not an employee or agent of B & B Benefits, unless specifically authorized by B & B Benefits and by the service user, as appropriate.
It requires all B & B Benefits employees and agents to report any use or disclosure of protected health information in violation of our HIPAA Policy.
It provides that B & B Benefits will investigate all reports that protected health information has been used in a manner not permitted by our HIPAA Policy and will impose appropriate sanctions on conduct prohibited by the policy.
It specifies that B & B Benefits employees who may come into contact with protected health information receive training on our privacy and security policies and the importance of protecting the confidentiality and security of protected health information.
It provides for transferring protected health information provided by users in a secure manner so that the integrity, confidentiality, and availability of the data are protected.
In addition to complying with HIPAA security recommendations, B & B Benefits adheres to the FTC's Security by Design Guidelines:
Data security is carefully assessed for each component of the B & B Benefits platform
Data is encrypted both in transit and at rest
B & B Benefits is protected against common vulnerabilities
Our team keeps up to date with new vulnerabilities and keeps the platform updated accordingly
Network Protection: B & B Benefits servers and supporting systems are protected from hackers and network intrusion by firewalls and other leading security measures.
Controlled Employee Access: Certain B & B Benefits staff and system administrators may need to access the B & B Benefits platform to provide operational/administrative support. Access rights are strictly controlled, and access is granted only to those who need it to support the B & B Benefits platform and its users. All B & B Benefits employees and subcontractors are required to sign confidentiality agreements. Access to the system is granted only after validation of the user's identification data, assigned role, and system permissions.
Encryption: Encryption provides users with a secure way to exchange information. Encrypted information is unusable by anyone who does not hold the protected decryption key needed to decrypt it. B & B Benefits provides encryption for user interactions through Secure Socket Layer (SSL) technology with a robust 256-bit encryption key. B & B Benefits also uses industry-proven encryption standards (TLS) when health information is transmitted into or out of B & B Benefits.
Physical Security: The B & B Benefits server and supporting systems are physically secured and protected in world-class data centers. Access to the physical systems is carefully controlled through security measures at multiple levels, including authentication requirements (e.g., user keys, biometrics), security guard and registration check-in requirements, and state-of-the-art security monitoring and alert systems.
Access Tracking and Disclosure: In accordance with HIPAA standards, B & B Benefits logs relevant details each time health information is viewed, edited, or exported to ensure system integrity.
Your HIPAA Rights: When it comes to your health information, you have additional rights. To exercise any of these rights, contact us at the contact information listed above.
In particular:
You can ask to see or get an electronic or paper copy of your medical record and other health information we have about you.
You can ask us to correct health information about you that you think is incorrect or incomplete.
You can ask us to contact you in a specific way (for example, home or office phone) or at a specific location (for example, to send mail to a different address).
You can tell us your choices about what we share.
You can ask us to limit what we use or share.
You can get a list of those with whom we have shared information.
You can get a copy of this Notice.
You can choose someone to act for you.
You can file a complaint if you feel your rights are violated.
We encourage you to contact us with any information requests, objections to data processing, or other concerns. You also have the right to file a complaint with your local supervisory authority; however, we would appreciate it if you would contact us with your concern before turning to a supervisory authority.
Updating your information: If you believe that the information we hold about you is inaccurate, or you wish to request its rectification or deletion or to object to its processing, please contact us.
Withdrawing your consent: You can withdraw consents you have given at any time by contacting us.
Access Request: In the event you want to make a Data Subject Access Request, please contact us. We will respond to requests regarding access and correction as soon as reasonably possible. Should we not be able to respond to your request within thirty (30) days, we will tell you why and when we will be able to respond to your request. If we are unable to provide you with any PII or to make a correction requested by you, we will tell you why.
HIPAA POLICY
Effective Date: February 24, 2024
1. Purpose and Scope: At B&B Benefits, LLC (“B&B Benefits,” “we,” “us,” “our”), as a Business Associate, we are committed to complying with the most stringent privacy and security regulations, particularly in relation to the U.S. Health Insurance Portability and Accountability Act ("HIPAA") of 1996. This policy is designed to outline the specific measures we take as a Business Associate in handling Protected Health Information (PHI) on behalf of Covered Entities.
2. What is HIPAA for Business Associates? As a Business Associate, we play a crucial role in supporting Covered Entities in their compliance with HIPAA. HIPAA establishes rules for the protection of PHI, and as a Business Associate, we are required to adhere to these rules when handling PHI on behalf of Covered Entities.
3. Our Responsibilities as a Business Associate:
Definitions. The following terms used in this Agreement shall have the same meaning as those terms in the HIPAA Rules:
(a) Business Associate: “Business Associate” shall generally have the same meaning as the term “business associate” at 45 CFR 160.103, and in reference to the party to this agreement, shall mean B&B Benefits.
(b) Covered Entity: “Covered Entity” shall generally have the same meaning as the term “covered entity” at 45 CFR 160.103, and in reference to the party to this agreement, shall mean B&B Benefits.
(c) HIPAA Rules: “HIPAA Rules” shall mean the Privacy, Security, Breach Notification, and Enforcement Rules at 45 CFR Part 160 and Part 164.
Obligations and Activities of Business Associate. Business Associate (B&B Benefits) agrees to:
(a) Use and Disclosure of PHI: Not use or disclose protected health information other than as permitted or required by the Agreement or as required by law.
(b) Safeguards: Use appropriate safeguards and comply with Subpart C of 45 CFR Part 164 with respect to electronic protected health information to prevent use or disclosure of protected health information other than as provided for by the Agreement.
(c) Reporting Incidents: Report to covered entity (B&B Benefits) any use or disclosure of protected health information not provided for by the Agreement of which it becomes aware, including breaches of unsecured protected health information as required at 45 CFR 164.410, and any security incident of which it becomes aware.
(d) Subcontractors: Ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of the business associate agree to the same restrictions, conditions, and requirements that apply to the business associate with respect to such information.
(e) Access to PHI: Make available protected health information in a designated record set to B&B Benefits as necessary to satisfy covered entity’s obligations under 45 CFR 164.524.
(f) Amendment of PHI: Make any amendment(s) to protected health information in a designated record set as directed or agreed to by the covered entity pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy covered entity’s obligations under 45 CFR 164.526.
(g) Accounting of Disclosures: Maintain and make available the information required to provide an accounting of disclosures to B&B Benefits as necessary to satisfy covered entity’s obligations under 45 CFR 164.528.
(h) Covered Entity's Obligations: To the extent the business associate is to carry out one or more of covered entity's obligation(s) under Subpart E of 45 CFR Part 164, comply with the requirements of Subpart E that apply to the covered entity in the performance of such obligation(s).
(i) Access for Compliance: Make its internal practices, books, and records available to the Secretary for purposes of determining compliance with the HIPAA Rules.
Term and Termination. Term: The Term of this Agreement shall be effective as of 13th February, 2024, and shall terminate on the date covered entity terminates for cause as authorised in paragraph (b) of this Section, whichever is sooner.
Miscellaneous.
(a) Regulatory References. A reference in this Agreement to a section in the HIPAA Rules means the section as in effect or as amended.
(b) Amendment. The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for compliance with the requirements of the HIPAA Rules and any other applicable law.
(c) Interpretation. Any ambiguity in this Agreement shall be interpreted to permit compliance with the HIPAA Rules.
Security Measures: In addition to complying with HIPAA security recommendations, B&B Benefits adheres to the FTC's Security by Design Guidelines:
Data security is carefully assessed for each component of the B&B Benefits platform.
Data is encrypted both in transit and at rest.
B&B Benefits is protected against common vulnerabilities.
The team keeps up to date with new vulnerabilities and updates the platform accordingly.
Network Protection: B&B Benefits servers and supporting systems are protected from hackers and network intrusion by firewalls and other leading security measures.
Controlled Employee Access: Certain B&B Benefits staff and system administrators may need to access the B&B Benefits platform to provide operational/administrative support. Access rights are strictly controlled, and access is granted only to those who need it to support the B&B Benefits platform and its users. All B&B Benefits employees and subcontractors are required to sign confidentiality agreements.
Encryption: Encryption provides users with a secure way to exchange information. B&B Benefits provides encryption for user interactions through Secure Socket Layer (SSL) technology with a robust 256-bit encryption key. B&B Benefits also uses industry-proven encryption standards (TLS) when health information is transmitted into or out of B&B Benefits.
Physical Security: The B&B Benefits server and supporting systems are physically secured and protected in world-class data centres. Access to the physical systems is carefully controlled through security measures at multiple levels, including authentication requirements (e.g., user keys, biometrics), security guard and registration check-in requirements, and state-of-the-art security monitoring and alert systems.
Access Tracking and Disclosure: In accordance with HIPAA standards, B&B Benefits logs relevant details each time health information is viewed, edited, or exported to ensure system integrity.
Validity and Questions: This HIPAA Statement was last updated on Saturday, February 13, 2024, and is the current and valid version. However, we want to point out that from time to time, due to actual or legal changes, a revision to this statement may be necessary. If you have any data protection questions, please feel free to contact us. This includes reviewing their security practices, data protection policies, and compliance with relevant regulations.
Updates and Changes: This section of the policy will be updated promptly to reflect any changes in the use of third-party software or services, ensuring ongoing compliance with privacy and security regulations.