HIPAA Compliance


HIPAA, the Health Insurance Portability and Accountability Act of 1996, is a US federal law that sets down requirements for protecting and safeguarding protected health information (PHI). HIPAA applies to healthcare providers, health plans, and healthcare clearinghouses (known as Covered Entities) and to service providers used to handle PHI on their behalf (known as Business Associates).

Under HIPAA, PHI is individually identifiable health information relating to an individual, transmitted or maintained in various forms by Covered Entities and their Business Associates. PHI may include the following examples: names, email addresses, medical record numbers, patient identifiers, IP addresses, web URLs, phone numbers, and more. 

HIPAA requires the protection and confidentiality of PHI to ensure that a patient's sensitive health information is kept secure and not disclosed or misused without the individual's consent or as allowed by law. Failure to protect PHI can result in significant penalties and legal consequences under HIPAA.

Tonkean’s Commitment to HIPAA Compliance

At Tonkean, we view data privacy and security as paramount, particularly in the healthcare sector, which involves the processing of sensitive data. Tonkean’s progress towards HIPAA compliance marks a significant milestone in our ongoing efforts to prioritize data privacy and security. We are dedicated to ensuring that our platform and processes meet the HIPAA security requirements. As stated on the Security & Compliance page, Tonkean complies with industry-recognized security and privacy standards, including SOC II Type II, which also covers the HIPAA Security Rule requirements. This is part of our efforts to demonstrate our support for PHI processing through the Tonkean platform.

Tonkean’s Role Under HIPAA and BAA

According to HIPAA, Covered Entities are required to have a Business Associate Agreement (BAA) in place with any service provider used to process PHI on behalf of the Covered Entity. Such BAA provides for the requirements on the service provider to safeguard the PHI and essentially ensures that it can process PHI in a manner that complies with HIPAA. For this purpose, Tonkean offers its BAA and executes it between Tonkean and its customers, who are HIPAA-Covered Entities and wish to submit PHI to the Tonkean platform. Such BAA applies solely to the processing of PHI, and any processing of personal data that is not considered PHI will still be subject to our Data Processing Addendum (DPA).