How Do UNICSOFT and Virgil Support HIPAA Compliance?

HIPAA Compliance solution

The HIPAA Privacy Rule sets national standards for the protection of Protected Health Information (“PHI”). PHI is individually identifiable health information transmitted or maintained in any form by the three types of covered entities (health plans, health care clearinghouses, and health care providers) that conduct certain health care transactions electronically, and by their business associates.

The HIPAA Security Rule establishes national standards to protect individuals’ electronic PHI (“ePHI”) that is created, received, used, or maintained by a covered entity or their business associates.

The HIPAA Breach Notification Rule requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured PHI.

The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), which was updated in 2009 by the Health Information Technology for Economic and Clinical Health Act (HITECH), included provisions that required the U.S. Department of Health and Human Services (“HHS”) to adopt national standards for electronic healthcare transactions. At the same time, Congress recognized that advances in electronic technology could erode the privacy of health information.

Consequently, Congress incorporated into HIPAA provisions that mandated the adoption of Federal privacy and security protections for individually identifiable health information. These are embodied in the Privacy Rule, Security Rule, and Breach Notification Rule.

How Do UNICSOFT and Virgil Support HIPAA Compliance?

The Virgil Stack provides end-to-end encryption, passwordless authentication using public/private key cryptography, and secure communications to protect ePHI and as an access control mechanism. As shown in the table below, these features can support a wide variety of HIPAA requirements.

Virgil has obtained an expert opinion that the method of encryption it uses de-identifies the data in accordance with the HIPAA Privacy Rule (see §164.514(b)(1) of the HIPAA Privacy Rule). For more information, please contact Josh Marpet or Dmitry Dain.

Unicsoft provides a secure implementation of the Virgil stack for the Solutions provider on behalf of our Customers, over which end-to-end encrypted information travels and can optionally be stored. As the data is encrypted the entire time it travels over or is stored within the Solution, and as no one, not even Customer or hosting provider staff, has the ability to decrypt the data, the communications data is not considered PHI.

Such an implementation makes the data within the Solution non-PHI; therefore Customer is not involved in the use or disclosure of PHI, and is not a business associate in this context.

How Do Unicsoft and Virgil Support HIPAA Security Rule Requirements?
Administrative procedures and technical security services to guard data integrity, confidentiality, and availability

Secure information transfer ensures that employees’ communications and healthcare providers’ access to patient information are made secure. Only patients and their providers are able to access the patient information.

End-to-end encryption enables data security in the cloud, protecting patient ePHI, health care provider communications, healthcare records, and other information classified as ePHI.

Unicsoft and Virgil Security make developing HIPAA Security Rule compliant applications fast to implement and transparent to the end users.
How Do Unicsoft and Virgil Support HIPAA Security Rule Requirements?

Use appropriate safeguards to prevent use or disclosure of the information other than as provided for by its contract. (164.504)

Using Virgil APIs, Unicsoft provides strong protections to assist in meeting the HIPAA contractual obligations required under a BAA. The cryptographic standards used to encrypt information conform to all aspects of NSA Suite B and are suitable for use in healthcare ePHI scenarios.

Make available the information required to provide an accounting of disclosures (an individual has a right to receive an accounting of disclosures of Protected Health Information made by a covered entity in the six years prior to the date on which the accounting is requested). (164.528)

With secure, end-to-end encrypted data transfer, neither Unicsoft nor Virgil has the ability to decrypt the ePHI.

Make available Protected Health Information for amendment and incorporate any amendments to Protected Health Information (an individual has the right to have a covered entity amend Protected Health Information or a record about the individual). (164.526)

With secure, end-to-end encrypted data transfer, neither Customer nor Virgil has the ability to decrypt the ePHI.

A covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information. A covered entity must reasonably safeguard PHI from any intentional or unintentional use or disclosure that is in violation of HIPAA. (164.530)

Unicsoft’s authentication and authorization APIs, built over the Virgil Security cryptography API and Key Management API, provide everything required to fulfill the technical and physical safeguards for Protected Health Information and prevent unauthorized users from gaining access to information.

How Do Unicsoft and Virgil Support HIPAA Privacy Rule Requirements?

Not use or further disclose PHI other than as permitted or required by the contract or as required by law. (164.502)

Secure, end-to-end encrypted data transfer ensures that employee and patient/provider communications can be made secure and that only authorized parties are able to view information, even if a breach of the cloud infrastructure has occurred. By using Virgil APIs, Unicsoft provides an effective way to verify user identity and enforce applicable authorization rules. Virgil’s encryption technology assists in keeping unauthorized users from gaining access to PHI, thereby eliminating the healthcare provider’s data-at-rest exposure.

Report to the covered entity any use or disclosure of the information not provided for by its contract of which it becomes aware. (164.504)

Virgil provides Unicsoft developers with the ability to store and access audit logs and other metadata associated with the use of the APIs. This allows automated or semi-automated usage/disclosure report generation. It is important to note that the user identity string, which you define in your application, is usually stored in an unencrypted fashion. Therefore, these strings should not contain any PHI. As an example, if an email address or name constitutes PHI in your particular use case, you should not use those as the user identity string. Instead, you could use a randomly generated alphanumeric string.
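One way to issue such identity strings, as an added example that is not Virgil or Unicsoft code: the names `IdentityRegistry` and `carries_identifier` are hypothetical, the in-memory dict stands in for the application's own access-controlled store, and the sample account is constructed.

```python
import re
import secrets
import string

ALPHABET = string.ascii_letters + string.digits

# Shapes that commonly carry identifying data: e-mail address, US SSN.
IDENTIFYING_SHAPES = [
    re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+"),
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
]


def carries_identifier(identity, known_values=()):
    """True if the string has an identifying shape or embeds a known patient attribute."""
    if any(p.search(identity) for p in IDENTIFYING_SHAPES):
        return True
    lowered = identity.lower()
    return any(v.lower() in lowered for v in known_values if v)


class IdentityRegistry:
    """Issues opaque identity strings. The account-to-identity mapping stays in
    the application's own protected store (a dict stands in for it here), so the
    string stored unencrypted alongside keys and audit logs reveals nothing."""

    def __init__(self, length=32):
        self._length = length
        self._by_account = {}
        self._issued = set()

    def identity_for(self, account_key):
        if account_key not in self._by_account:
            while True:  # retry on the (astronomically unlikely) collision
                candidate = "".join(
                    secrets.choice(ALPHABET) for _ in range(self._length))
                if candidate not in self._issued:
                    break
            self._issued.add(candidate)
            self._by_account[account_key] = candidate
        return self._by_account[account_key]


def demo():
    registry = IdentityRegistry()
    email = "jane.doe@example.org"  # constructed sample account, not real data
    opaque = registry.identity_for(email)
    # The e-mail is rejected as an identity; the opaque string passes.
    return carries_identifier(email), carries_identifier(opaque, [email]), opaque
```

Running `carries_identifier` over identity strings before they are registered catches accidental use of an email address or record number as the identity.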

With end-to-end encryption and secure data transfer implemented by Unicsoft, neither Customer nor Virgil has the ability to decrypt the sensitive information. Authentication and authorization mechanisms implemented by Unicsoft over Virgil APIs make it impossible for an unauthorized user to access the ePHI.