Sydasoft's premiere billing software is already HIPAA-compliant and ready for your
use. Click here to download a free demo of our HIPAA Compliant Software.
Prepare for HIPAA with Standard Identifiers, Auto Log Off, and Consents and Authorizations
features.
What is HIPAA?
The Internet poses unique opportunities and challenges to the healthcare industry.
It enables the industry to lower transaction and operational costs while providing
better service to customers, partners, and physicians. Leveraging an open network
such as the Internet also raises concerns about the privacy of individually identifiable
patient information. To address these security concerns, the United States Congress
passed HIPAA, the Health Insurance Portability and Accountability Act (also known
as Public Law 104-191), a set of standards that simplify electronic transactions
and define minimum requirements for network security. As healthcare organizations
strive to leverage the Internet, they need to deploy a security architecture to
meet government regulations and ensure the trust of patients.
The Administrative Simplification section of HIPAA is designed to improve the efficiency
and effectiveness of the healthcare system by standardizing the electronic data
for specified administrative and financial transactions, while protecting the security
and confidentiality of that information.
Who Is Affected By HIPAA?
- Insurance payers will be required to accept the standard transactions.
- Healthcare providers that use electronic transactions must use the HIPAA
standards.
- Healthcare "clearinghouses" must meet HIPAA standards. Providers and health
plans also have the option of using a claims clearinghouse, which can accept nonstandard
claims and other transactions. The clearinghouse would then convert them to HIPAA
standards.
Requirements
HIPAA will require standards in all of the following areas:
- Transactions and code sets
- Identifiers
- Security
- Privacy
Transactions and code sets
Currently, there is no common standard for the transfer of information between healthcare
providers and payers. As a result, providers have had to meet many different payer requirements.
For some providers who submit claims to hundreds of payers, programming their computer
systems to meet these requirements has been a difficult and expensive process. HIPAA
will change this practice by requiring payers to accept the following transaction
standards for EDI:
Nine electronic transaction standards:
- Health claims/encounters
- Claim payment and remittance advice
- Healthcare claim status
- Eligibility
- Referrals
- Healthcare enrollment
- Health plan premium payments
- First report of injury
- Claims attachments
The Accredited Standards Committee X12 (ASC X12) standards have been adopted for
nearly all of these transactions. In particular, the standardized implementation
guidelines developed by X12N will be adopted, starting with version 4010. These
implementation guidelines can be found at www.wpc-edi.com/hipaa .
Identifiers
In order to support standard transactions, HIPAA will mandate the use of unique
identifiers for:
- Providers. The proposed rule for the unique identifier for providers is the National
Provider Identifier (NPI), originally intended for use in the Medicare system. The
identifier will probably have 10 numeric positions with a check digit as the tenth
digit. Implementation of this standard will require DHHS to establish a system to
assign and deploy the identifiers.
- Health plans. The proposed rule for the unique identifier for health plans is expected
to apply the work that HCFA did for a Medicare PayerID to all health plans nationwide.
The identifier will probably have 10 numeric positions with a check digit in the
tenth position.
- Employers. The employer identifier is based on the Internal Revenue Service
assigned Employer Identification Number (EIN). The EIN has nine numeric positions.
- Individuals receiving healthcare services (patients). The most controversial of
the proposed identifiers, the patient identifier is on hold pending privacy legislation.
However, industry experts speculate that the identifier will consist of approximately
10 numeric digits with a check digit.
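The check-digit design mentioned above is what lets a receiving system reject a mistyped or transposed identifier before it is stored against the wrong patient or provider. The example below is added here and is not Sydasoft's code; it implements the scheme the final NPI standard adopted (Luhn formula over the nine base digits prefixed with the constant 80840), a detail this page predates. The sample values are constructed.

```python
# Added example (not Sydasoft's code): validate a 10-digit NPI check digit.
# The final NPI standard computes the tenth digit with the Luhn formula over
# the nine base digits prefixed with 80840, so an NPI remains Luhn-valid when
# embedded in a 15-digit health-card issuer number.

NPI_PREFIX = "80840"


def luhn_sum(digits: str) -> int:
    """Luhn sum: double every second digit from the right (the rightmost digit
    itself is not doubled) and add the digits of each product."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9  # same as adding the two digits of the product
        total += d
    return total


def npi_check_digit(base9: str) -> int:
    """Return the check digit for nine base NPI digits."""
    if len(base9) != 9 or not base9.isdigit():
        raise ValueError("NPI base must be exactly nine digits")
    # A trailing "0" stands in for the check-digit position during the sum.
    s = luhn_sum(NPI_PREFIX + base9 + "0")
    return (10 - s % 10) % 10


def is_valid_npi(npi: str) -> bool:
    """True when npi is ten digits and the tenth digit matches the Luhn check."""
    if len(npi) != 10 or not npi.isdigit():
        return False
    return npi_check_digit(npi[:9]) == int(npi[9])


if __name__ == "__main__":
    # Constructed samples: a valid NPI, a single-digit typo, a transposition.
    for candidate in ("1234567893", "1234567894", "2134567893"):
        print(candidate, "valid" if is_valid_npi(candidate) else "REJECTED")
```

The transposition case shows why a check digit belongs in an identifier that is keyed by hand: the swapped pair is rejected at intake instead of silently linking records to the wrong party.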
Security
The proposed security standards are technology neutral and scalable to the
size and complexity of healthcare organizations.
At minimum, all health plans, clearinghouses and healthcare providers that transmit
or maintain electronic health information must conduct a risk assessment and develop
a security plan to protect this information.
They must also document these measures, keep them current, and train their employees
on appropriate security procedures.
The proposed security standard is divided into four categories:
- Administrative procedures used to guard data integrity, confidentiality and availability.
These are documented, formal procedures for selecting and executing information
security measures. These procedures also address staff responsibilities for protecting
data.
- Physical safeguards to guard data integrity, confidentiality and availability. These
safeguards protect physical computer systems and related buildings and equipment
from fire and other environmental hazards, as well as intrusion. The use of locks,
keys, and administrative measures used to control access to computer systems and
facilities are also included.
- Technical data security services to guard data integrity, confidentiality and availability.
These include the processes used to protect, control and monitor information access.
- Technical security mechanisms, including processes used to prevent unauthorized
access to data transmitted over a communications network.
Privacy
Uncertain of how safe and secure electronic transactions are, most patients are
demanding that healthcare organizations protect the individual's right to privacy. Privacy
is a critical foundation for the ability to move toward electronic transactions
and new e-health strategies.
These privacy rules outline specific rights for individuals regarding protected
health information and obligations of healthcare providers, health plans, and health
care clearinghouses. This rule would:
- Require consent to use protected health information for treatment, payment and
healthcare operations;
- Allow health information to be disclosed without patient authorization for certain
purposes (such as research, public health and oversight), but only under defined
circumstances;
- Require written authorization for use and disclosure of health information for
other purposes;
- Create a set of fair information practices to inform patients how their information
is used and disclosed and to ensure they have access to information about them; and
- Require health plans and providers to maintain administrative and physical safeguards
to protect the confidentiality of health information and guard it from unauthorized
access.
Under the rule, healthcare providers, health plans and clearinghouses are prohibited
from using or disclosing health information except as authorized by the patient
or as specifically permitted by the regulation.
It's important to note that these protections are afforded to health information
that identifies a specific individual. A healthcare provider, health plan or clearinghouse
may use de-identified health information in any way it chooses, as long as identifiers
have been "stripped" and no key is disclosed that would allow the information
to be re-identified.
To review the proposed regulations in their entirety go to: aspe.os.dhhs.gov/admnsimp.
Personalized HIPAA Training and Education:
Sydasoft will provide you with extensive, yet simplified HIPAA training that can
enable you to become a consultant for your clients on HIPAA issues. This training
can help you a great deal during the marketing stage when you are presenting your
services to potential clients.
Our HIPAA Training Includes the Following:
- HIPAA at a Glance Material
- HIPAA Model Compliance Plan
- HIPAA Quiz (Test your client's knowledge of HIPAA! Use as an ice-breaker for presentations)
- Effective HIPAA Educational Flyer (To use when marketing your services)
- HIPAA Sample Consent Forms
- Simplified HIPAA Frequently Asked Questions
- HIPAA Resources
- One Full Hour of One-on-One Consulting with a Sydasoft HIPAA Professional