Oracle and HIPAA

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires Covered Entities to implement processes and safeguards designed to protect the privacy and security of electronic protected health information (ePHI, or simply PHI).

HIPAA has evolved through subsequent legislation:

  • The Privacy Rule was added in December 2000. It gives patients rights over their health information and sets rules for how that information is used, shared, accessed and protected. Moreover, the rule explicitly lists ePHI identifiers such as name and Social Security number.

  • The Security Rule was added in February 2003.

  • The HITECH Act, passed in February 2009, dictates how the privacy and security of health information must be managed by Covered Entities and Business Associates (BAs).

  • The Omnibus Rule, effective as of September 2013. Among other things, it extended the definition of a BA to parties that create, receive, maintain or transmit PHI on behalf of a Covered Entity.

Under the Omnibus Rule's definition, Oracle is considered a BA whenever it performs functions on behalf of a Covered Entity that involve access to PHI. This holds even when no customer-specific Business Associate Agreement (BAA) is in place.

To address the resulting requirements, Oracle has implemented:

  • standard BAAs with its suppliers, as well as standard BAAs for use by Oracle's customers that enable them to fulfill their own requirements.

  • processes that address compliance with the administrative, physical and technical requirements of the Security Rule.

  • annual audits conducted by a third party to assess Oracle's level of compliance. These cover cloud services and consulting engagements.