Is Photon Health HIPAA Compliant? How to Check (2024 Update)

✅ Photon Health states on their official website that they are a HIPAA compliant e-Prescribing software suitable for use in healthcare.

Photon.Health empowers healthcare professionals by offering a comprehensive healthcare analytics platform. It enables data-driven decision-making by aggregating and analyzing patient data from various sources, enhancing clinical insights, and improving care coordination. Healthcare providers can optimize patient outcomes, resource allocation, and operational efficiency while maintaining data security and compliance.

They state on their website that Photon Health is HIPAA compliant which is clearly a positive sign, but the Health Insurance Portability and Accountability Act (HIPAA) legislation states that you can’t stop here and you need to thoroughly vet the vendor.

According to the HIPAA rules for Covered Entities and Business Associates:

'If a covered entity engages a business associate to help it carry out its health care activities and functions, the covered entity must have a written business associate contract or other arrangement with the business associate that establishes specifically what the business associate has been engaged to do and requires the business associate to comply with the Rules’ requirements to protect the privacy and security of protected health information. In addition to these contractual obligations, business associates are directly liable for compliance with certain provisions of the HIPAA Rules.'

Source: https://www.hhs.gov/hipaa/for-professionals/covered-entities/index.html

Below we provide some general guidelines on how to first quickly screen this vendor for the HIPAA compliance fundamentals, and if all initial checks pass successfully, then to proceed and do your own in-depth audit to ensure that this vendor will qualify as your HIPAA-compliant Business Associate.

Quick Check on HIPAA Compliance Fundamentals for Photon Health

A. Does Photon Health claim to be HIPAA compliant?

✅ They communicate they are HIPAA compliant which is a positive sign, as they legally commit from their side using such public statements.

'As part of using the Services, you agree that you will comply with all laws, rules, and regulations applicable to you and/or your business, including the Health Insurance Portability and Accountability Act (“HIPAA”). '

B. Does Photon Health sign a Business Associate Agreement (BAA)?

✅ They state they will sign their standard BAA with covered entities/business associates, which is again a good sign because if they don’t sign a BAA then it’s a deal-breaker for HIPAA compliance.

'If either of you or your organization are subject to HIPAA as a Covered Entity or Business Associate (as defined in HIPAA) and intend to use the Services in a manner that will cause us to create, receive, maintain, or transmit Protected Health Information on your behalf, then, at the outset of creating an account to use the Services for yourself or your organization, you will be required to agree to the Business Associate Agreement made available to you at such time,'

C. Does Photon Health claim they take measures to keep patient data private & secure?

✅ They publicly outline various of the privacy & security safeguards they have in place, but these can be very broad statements and you need to check the low level details here.

'We take reasonable steps to protect the Personal Information provided to us from loss, misuse, and unauthorized access, disclosure, alteration, or destruction. '

Vendor Audit for Checking if Photon Health is HIPAA Compliant

There is no one-size-fits-all set of requirements when selecting a 3rd party vendor as one of your HIPAA-compliant Business Associates, but here are some general guidelines:

1. Eligible Plan

First, you need to determine on which plans they offer HIPAA compliance and whether pricing makes sense for you:

You need to contact the vendor directly about which plans are eligible for HIPAA compliance.

2. Legal Contracts

Then, you need to carefully review & sign their legal contracts, especially their Business Associate Agreement and Terms of Service (ask them for the latest versions - in some cases, you might need to sign an NDA):

Photon Health’s Business Associate Agreement
Photon Health's Terms of Service
Photon Health's Privacy Policy

3. HIPAA Safeguards

4. PHI Access

5. Re-assessment

Finally, at least once a year, reassess whether or not the vendor is still in compliance with HIPAA.

Source 1: U.S. Department of Health & Human Services HIPAA Privacy Rule Guidance Material
Source 2: U.S. Department of Health & Human Services HIPAA Security Rule Guidance Material

Final Remarks on Photon Health’s HIPAA Compliance Status

HIPAA compliance has no one-size-fits-all vendor assessment methodology but we have covered here various best practices on how to thoroughly evaluate Photon Health for HIPAA compliance, so that they can be eventually trusted to process or store your sensitive patient data.

Regardless of the above, for all your 3rd party vendors, you need to follow the fundamental HIPAA principle and always disclose to them the 'minimum necessary' information, which means only disclosing the amount of PHI you absolutely have to.

If you follow the 'minimum necessary' principle and you regularly evaluate your 3rd party vendors for their commitment to the HIPAA standards while having solid Business Associate Agreements with them in place, then you can minimize the risk of a potential HIPAA violation and decrease the probability of a damaging data breach happening in the first place.