In April of 2021, Merit announced its compliance with HIPAA as well as its ability to sign a HIPAA Business Associate Agreement (“BAA”). Merit is one of the few cloud-based digital identity providers thati signs HIPAA Business Associate Agreements, showing our continued commitment to security and privacy.
General Information
What is HIPAA?
- HIPAA is the Health Insurance Portability and Accountability Act of 1996
- HIPAA is a federal mandate that requires protections regarding security and privacy for Protected Health Information (“PHI”).
What is the HITECH Act and the Final HIPAA Omnibus rule?
- The Health Information Technology for Economic and Clinical Health (HITECH) Act promotes the adoption and use of health information technology in the U.S.
- The final HIPAA Omnibus rule codified additional requirements that significantly enhanced the rights and protections afforded to patients, including holding all custodians of PHI subject to the same security and privacy rules as Covered Entities under HIPAA.
How does Merit facilitate HIPAA compliance for its customers?
- The Merit platform and service meet the requirements of HIPAA, HITECH, and the final HIPAA Omnibus ruling.
- Merit signs BAA addendums with its customers that provide Merit with PHI and need to be HIPAA compliant. A signed BAA should be in place between Merit and the customer prior to transmitting any PHI to Merit.
- Customers are responsible for using Merit in a HIPAA-compliant manner and for enforcing policies in their organizations in order to meet HIPAA compliance.
Has Merit undergone any industry certifications or third-party attestations proving that Merit is HIPAA compliant?
- There are no official government or industry certifications for HIPAA compliance. In order to verify HIPAA compliance, Merit has reviewed the HIPAA regulations and updated its product, policies and procedures to support customers in their need to be HIPAA compliant.
- Merit has also been evaluated by an independent, third-party assessor who has determined Merit to be HIPAA compliant.
How does Merit support HIPAA compliance within its product and platform?
In addition to being able to sign HIPAA BAAs, Merit features the following as security controls and policy topics:
- Data encryption in-transit and at-rest
- Stringent logical access controls
- Restricted physical access to production servers
What types of controls does Merit have that are relevant to HIPAA requirements?
Merit’s security and privacy programs consist of many controls. A subset of those controls are audited as part of Merit’s annual SOC 2 audit, and a further subset of those apply directly to the HIPAA rules. The table below shows Merit’s mapping of key HIPAA controls to its overall SOC 2 Control Matrix.
| Category | Number | Safeguard | SOC 2 Control(s) |
| Administrative | 1 | Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity. | 3.01 |
| Administrative | 2 | Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with §164.306(a). | 3.01 |
| Administrative | 3 | Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity. | 1.06 |
| Administrative | 4 | Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. | 4.01, 6.04 8.01 |
| Administrative | 5 | Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart [the Security Rule] for the entity. | 1.1 |
| Administrative | 6 | Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed. | 6.04 |
| Administrative | 7 | Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate. | 5.07 |
| Administrative | 8 | Implement procedures for terminating access to electronic protected health information when the employment of a workforce member ends or as required by determinations made as specified in paragraph (a)(3)(ii)(B) [the Workforce Clearance Procedure] of this section. | 5.06 |
| Administrative | 9 | Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part [the Privacy Rule]. | 5.01 5.02 5.03 5.04 5.05 |
| Administrative | 10 | If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization. | N/A |
| Administrative | 11 | Implement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process, or other mechanism. | 5.01 |
| Administrative | 12 | Implement policies and procedures that, based upon the entity’s access authorization policies, establish, document, review, and modify a user’s right of access to a workstation, transaction, program, or process. | 5.07 |
| Administrative | 13 | Implement a security awareness and training program for all members of its workforce (including management): – Periodic security updates. – Procedures for guarding against, detecting, and reporting malicious software. – Procedures for monitoring log-in attempts and reporting discrepancies. – Procedures for creating, changing, and safeguarding passwords. | 1.05 |
| Administrative | 14 | Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes. | 2.03 6.05 |
| Administrative | 15 | Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information. – Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information. – Establish (and implement as needed) procedures to restore any loss of data. – Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode. – Implement procedures for periodic testing and revision of contingency plans. | 8.03 |
| Administrative | 16 | Assess the relative criticality of specific applications and data in support of other contingency plan components. – Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operations changes affecting the security of electronic protected health information, that establishes the extent to which an entity’s security policies and procedures meet the requirements of this subpart [the Security Rule]. | 8.03 8.04 |
| Administrative | 17 | A covered entity, in accordance with § 164.306 [the Security Standards: General Rules], may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity’s behalf only if the covered entity obtains satisfactory assurances, in accordance with § 164.314(a) [the Organizational Requirements] that the business associate will appropriately safeguard the information. – Document the satisfactory assurances required by paragraph (b)(1) [the Business Associate Contracts and Other Arrangements] of this section through a written contract or other arrangement with the business associate that meets the applicable requirements of §164.314(a) [the Organizational Requirements]. | 3.04 |
| Physical | 1 | Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed. | CSOC 2 |
| Physical | 2 | Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency. | CSOC 3 |
| Physical | 3 | Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft. | CSOC 1 CSOC 2 |
| Physical | 4 | Implement procedures to control and validate a person’s access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision. | CSOC 2 |
| Physical | 5 | Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors and locks). | CSOC 2 |
| Physical | 6 | Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information. | 1.02 1.03 |
| Physical | 7 | Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users. | 5.11 |
| Physical | 8 | Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored. | 1.02 2.05 9.04 |
| Physical | 9 | Implement procedures for removal of electronic protected health information from electronic media before the media are made available for reuse. | 1.02 2.05 9.04 |
| Physical | 10 | Maintain a record of the movements of hardware and electronic media and any person responsible therefore. | CSOC 5 |
| Physical | 11 | Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment. | 8.01 CSOC 3 |
| Technical | 1 | Assign a unique name and/or number for identifying and tracking user identity. | 5.03 |
| Technical | 2 | Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency. | 8.01 8.03 CSOC 3 |
| Technical | 3 | Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity. | 5.12 |
| Technical | 4 | Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information. | 4.03 4.04 6.04 |
| Technical | 5 | Implement policies and procedures to protect electronic protected health information from improper alteration or destruction. | 4.03 4.04 6.04 |
| Technical | 6 | Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner. | 4.03 |
| Technical | 7 | Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed. | 5.03 |
| Technical | 8 | Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network. | 5.02 5.09 |
| Technical | 9 | Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of. | 3.04 5.02 5.09 |
| Technical | 10 | Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate. | 5.02 5.09 5.11 9.06 |
What types of Merit accounts can be HIPAA compliant?
- Merit applies the same security and privacy controls for all of its customers.
- However, customers who are required by law to comply with HIPAA, such as HIPAA Covered Entities and HIPAA Business Associates, must have a premium subscription with Merit and sign a HIPAA Business Associate Agreement. To comply with HIPAA, they must configure Merit and enforce policies within their organizations to meet HIPAA requirements.
For more information about HIPAA compliance at Merit please reach out to us at privacy@merits.com.