HIPAA compliance requires special focus and effort as failure to comply carries significant risk of damage and penalties. A practice with multiple separate systems for patient scheduling, electronic medical records, and billing, requires multiple separate HIPAA management efforts. This article presents an integrated approach to HIPAA compliance and outlines key HIPAA terminology, principles, and requirements to help the practice owner to ensure HIPAA compliance by medical billing service and software vendors.
The last decade of the previous century witnessed accelerating proliferation of digital technology in health care, which, along with reduced costs and greater service quality, introduced new and greater risks for accidental disclosure of personal health information.
The Health Insurance Portability and Accountability Act (HIPAA) was passed by Congress in 1996 to establish national standards for the privacy and security of personal health data. The Privacy Rule, written by the US Department of Health and Human Services, took effect on April 14, 2003.
Failure to comply with HIPAA risks accreditation and reputation damage, lawsuits by the federal government, financial penalties ranging from $100 to $250,000, and imprisonment ranging from one year to ten years.
Protected Health Information (PHI)
The key term of HIPAA is Protected Health Information (PHI), which includes anything that can be used to identify an individual and any information shared with other health care providers or clearinghouses in any media (digital, verbal, recorded voice, faxed, printed, or written). Information that can be used to identify an individual includes:
- Dates (except year)
- Zip code of more than 3 digits, telephone and fax numbers, email
- Social security numbers
- Medical record numbers
- Health plan numbers
- License numbers
Information shared with other healthcare providers or clearinghouses includes:
- Nursing and physician notes
- Billing and other treatment records
Principles of HIPAA
HIPAA intends to allow the smooth flow of PHI for healthcare operations, subject to the patient’s consent, but to prohibit any unauthorized flow of PHI for any other purpose. Healthcare operations include treatment, payment, care quality assessment, competence review and training, accreditation, insurance rating, auditing, and legal procedures.
HIPAA promotes fair information practices and requires those with access to PHI to safeguard it. Fair information practices mean that a subject must be allowed
- Access to PHI,
- Correction for errors and completeness, and
- Knowledge of others who use PHI
Safeguarding of PHI means that the persons that hold PHI must
- Be accountable for their own use and disclosure
- Have a legal recourse to combat violations
HIPAA Implementation Process
HIPAA implementation begins with stating assumptions about the PHI disclosure threat model. The implementation includes both pre-emptive and retroactive controls and involves process, technology, and personnel aspects.
A threat model helps in understanding the purpose of the HIPAA implementation process. It includes assumptions about
- Threat nature (accidental disclosure by insiders? access for profit?),
- Source of threat (outsider or insider?),
- Means of potential threat (break in, physical intrusion, computer hack, virus?),
- Specific kind of data at risk (patient identification, financials, medical?), and
- Scale (how many patient records threatened?).
The HIPAA process must include a clearly stated policy, educational materials and events, clear enforcement means, a schedule for testing HIPAA compliance, and means for continued transparency about HIPAA compliance. The stated policy typically includes a statement that data access is limited to the least privilege needed to complete the job, a definition of PHI, and incident monitoring and reporting procedures. Educational materials may include case studies, control questions, and a schedule of review seminars for personnel.
Technology Requirements for HIPAA Compliance
Technology implementation of HIPAA proceeds in stages from logical data definition to physical data center to network.
To assure physical data center security, the manager must
- Lock data center
- Manage access list
- Track data center access with closed circuit TV cameras to monitor both internal and external building activities
- Protect access to data center with 24 x 7 onsite security
- Protect backup data
- Test recovery procedure
For network security, the data center must have special facilities for
- Secure networking – firewall protection, encrypted data transfer only
- Network access monitoring and report auditing
For data security, the manager must have
- Individual authentication – individual logins and passwords
- Role Based Access Control (see below)
- Audit trails – all access to all data fields tracked and recorded
- Data discipline – Limited ability to download data
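The four data-security controls listed above fit together in a single enforcement point in front of the PHI records: every person logs in under their own account, a role determines which PHI fields that person may read, every field access (granted or denied) is written to an audit trail, and bulk downloads are capped. The following Python is an added example that is not part of the original article or of any particular billing product; the roles, user accounts, field names, sample record and download limit are constructed assumptions chosen to illustrate the least-privilege idea.

```python
"""Added example (not from the original article): a minimal enforcement
point for individual authentication, role-based access control over PHI
fields, a field-level audit trail, and a per-user download cap.
All users, roles, field names and the record below are constructed."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timezone


# --- Individual authentication: one login per person, never a shared account ---
def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _new_user(role: str, password: str):
    salt = os.urandom(16)  # per-user random salt
    return (role, salt, _hash_pw(password, salt))


# Constructed user directory: user -> (role, salt, password hash)
USERS = {
    "alice": _new_user("biller", "billing-pass"),
    "bob": _new_user("scheduler", "front-desk-pass"),
    "dr_chen": _new_user("physician", "clinic-pass"),
}

# --- Role-based access control: least-privilege map of PHI fields per role ---
ROLE_FIELDS = {
    "scheduler": {"name", "phone", "appointment"},
    "biller": {"name", "health_plan_id", "charges"},
    "physician": {"name", "phone", "appointment", "medical_record_no", "notes"},
}

DOWNLOAD_LIMIT = 2  # constructed cap on bulk record exports per user


@dataclass
class AuditEntry:
    ts: str
    user: str
    role: str
    record_id: str
    fld: str
    outcome: str  # login, login-denied, granted, denied, download-denied


@dataclass
class Session:
    user: str
    role: str


class PhiStore:
    def __init__(self, records):
        self._records = dict(records)
        self.audit: list[AuditEntry] = []  # every access attempt lands here
        self._downloads: dict[str, int] = {}

    def _log(self, user, role, rid, fld, outcome):
        ts = datetime.now(timezone.utc).isoformat()
        self.audit.append(AuditEntry(ts, user, role, rid, fld, outcome))

    def login(self, user: str, password: str) -> Session:
        entry = USERS.get(user)
        if entry is None:
            self._log(user, "-", "-", "-", "login-denied")
            raise PermissionError("unknown user")
        role, salt, stored = entry
        if not hmac.compare_digest(_hash_pw(password, salt), stored):
            self._log(user, role, "-", "-", "login-denied")
            raise PermissionError("bad password")
        self._log(user, role, "-", "-", "login")
        return Session(user, role)

    def read_field(self, s: Session, rid: str, fld: str):
        """Field-level check: the role must list the field, and the attempt is logged either way."""
        allowed = fld in ROLE_FIELDS.get(s.role, set())
        self._log(s.user, s.role, rid, fld, "granted" if allowed else "denied")
        if not allowed:
            raise PermissionError(f"role {s.role!r} may not read {fld!r}")
        return self._records[rid][fld]

    def export_record(self, s: Session, rid: str) -> dict:
        """Bulk download of the fields the role may see, capped per user (data discipline)."""
        used = self._downloads.get(s.user, 0)
        if used >= DOWNLOAD_LIMIT:
            self._log(s.user, s.role, rid, "*", "download-denied")
            raise PermissionError("download limit reached")
        self._downloads[s.user] = used + 1
        return {f: self.read_field(s, rid, f)
                for f in sorted(ROLE_FIELDS[s.role]) if f in self._records[rid]}

    def denied_events(self):
        """What a compliance reviewer would pull from the audit trail first."""
        return [e for e in self.audit if e.outcome.endswith("denied")]


# Constructed sample record; every value is illustrative.
RECORDS = {
    "P001": {"name": "Pat Example", "phone": "555-0100", "appointment": "2024-03-01 09:00",
             "health_plan_id": "HP-12345", "charges": "250.00",
             "medical_record_no": "MRN-777", "notes": "constructed clinical note"},
}


def demo():
    """A biller reads a billing field, is refused a clinical field, then exports."""
    store = PhiStore(RECORDS)
    alice = store.login("alice", "billing-pass")
    plan = store.read_field(alice, "P001", "health_plan_id")
    try:
        store.read_field(alice, "P001", "notes")  # not in the biller's field set
    except PermissionError:
        pass
    exported = store.export_record(alice, "P001")
    return store, plan, exported


if __name__ == "__main__":
    store, plan, exported = demo()
    print(plan, exported)
    for e in store.audit:
        print(e)
```

The point worth noticing is that the denied read of `notes` is recorded just like the granted reads: an audit trail that only records successes cannot show a reviewer who tried to reach beyond their role, which is exactly the accidental-insider case the threat model above asks about.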