HIPAA Compliance
Is Zingtree HIPAA compliant?
The Zingtree platform itself is HIPAA compliant, and Zingtree offers some HIPAA-oriented features. However, because Zingtree is a toolkit, it is up to the decision tree designer to collect information in a way that protects the patient's identity.
For example, instead of asking for a patient's name, use a patient number or another abstract identifier. Note that a medical record number is itself one of the identifiers HIPAA lists as PHI, so the safest choice is an opaque token that only your own system can map back to the patient.
Deleting Data
You can set a Data Retention Policy for your account. The minimum retention period is two days; once the period you set has elapsed, the data is deleted from all logs and records.
Zingtree also provides an API call to delete session data. If you are collecting identifiable patient information, your system can extract the collected data through the API and then delete the patient records from Zingtree. Issue the delete only after your system has confirmed that the extracted copy was stored, since Zingtree's copy is gone once the call succeeds.
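The two recommendations above (an opaque patient token instead of a name, and export-then-delete through the API) as one added example. This is not Zingtree's code or API: the `get_session`/`delete_session` calls, the session payload shape and the in-memory `FakeSessionApi` are assumptions constructed for the example, standing in for whatever HTTP client you wrap around the real endpoints. The point it demonstrates is ordering: the remote record is only deleted after the local copy has been written and read back, and any failure leaves the remote copy in place.

```python
import hashlib
import hmac
import json


def patient_token(secret: bytes, patient_ref: str) -> str:
    """Opaque identifier to put in the decision tree instead of a name or MRN.

    HMAC keyed with a secret held only by your own system, so the token cannot be
    reversed or recomputed by anyone holding the Zingtree session data alone.
    """
    digest = hmac.new(secret, patient_ref.encode("utf-8"), hashlib.sha256)
    return digest.hexdigest()[:16]


class FakeSessionApi:
    """In-memory stand-in for the hosted session API (constructed for this example).

    Method names and payloads are assumptions, not Zingtree's real interface.
    """

    def __init__(self, sessions: dict):
        self.sessions = dict(sessions)

    def get_session(self, session_id: str) -> dict:
        if session_id not in self.sessions:
            raise KeyError(session_id)
        return dict(self.sessions[session_id])

    def delete_session(self, session_id: str) -> bool:
        # Idempotent: deleting an already-deleted session is not an error.
        self.sessions.pop(session_id, None)
        return True


class LocalStore:
    """Your system's durable store; `fail` simulates a write error (constructed)."""

    def __init__(self):
        self.records = {}
        self.fail = False

    def save(self, key: str, record: dict) -> None:
        if self.fail:
            raise OSError("simulated write failure")
        self.records[key] = json.dumps(record, sort_keys=True)

    def load(self, key: str) -> dict:
        return json.loads(self.records[key])


def export_then_delete(api, store, session_id: str) -> bool:
    """Copy a session out of the hosted service, verify the copy, then delete it there.

    Returns True only if the remote record was deleted after a verified local copy.
    On any failure the remote copy is left untouched so no data is lost.
    """
    try:
        record = api.get_session(session_id)
    except KeyError:
        return False  # nothing to export; do not report a deletion that did not happen
    try:
        store.save(session_id, record)
        # Read back what was written: a successful write call is not proof of durability.
        if store.load(session_id) != record:
            return False
    except (OSError, KeyError, ValueError):
        return False  # keep the remote copy; deleting now would destroy the only copy
    return api.delete_session(session_id)


if __name__ == "__main__":
    secret = b"example-secret-held-by-your-system"  # assumption: your own key material
    token = patient_token(secret, "patient-12345")
    api = FakeSessionApi({"sess-1": {"patient": token, "answers": {"q1": "yes"}}})
    store = LocalStore()
    print("exported and deleted:", export_then_delete(api, store, "sess-1"))
    print("remaining remote sessions:", list(api.sessions))
```

In a real integration the `FakeSessionApi` methods become HTTP calls to the actual Zingtree endpoints, and `LocalStore` becomes your database; keep the read-back check, because a delete issued on the strength of an unverified write is the one step in this flow that cannot be undone.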
The HIPAA Privacy Rule
The Privacy Rule protects most individually identifiable health information held or transmitted, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information “protected health information” or “PHI.” Individually identifiable health information is information, including demographic information, that relates to:
- The individual’s past, present, or future physical or mental health or condition,
- The provision of health care to the individual, or
- The past, present, or future payment for the provision of health care to the individual.
In addition, individually identifiable health information identifies the individual or there is a reasonable basis to believe it can be used to identify the individual.
For example, a medical record, laboratory report, or hospital bill would be PHI if the information contained therein includes a patient’s name and/or other identifying information.
See the full US Government HIPAA Privacy and Security presentation document here:
HIPAA-privacy-and-security-guide.pdf