Who recognizes HIPAA?

If you are employed by an organization that gathers health data from individuals, you are termed as a ‘covered entity’, and you are expected to adhere to this law. Covered entities encompass the following:

• Healthcare centers and clinics.
• Insurance players in the health and medical space.
• Private practitioners – includes general and specialized practice doctors and others.
• Psychiatrists and Psychologists
• Medical billing outlets and collection companies.

Whether you employ a few or many people, safeguarding patient data is of paramount importance.

Records secured by HIPAA

Patients going to a healthcare center or a clinic must be guaranteed of discretion. It is necessary that confidential records are not compromised and cannot be accessed by people who do not have the required authority. Medical data secured by these federal laws encompass, but are not restricted to:

• Prescription data.
• Medical history logs.
• Appointment records.
• Phone and voicemail data.
• Insurance documents.
• Billing records.

Complying with HIPAA requirements

Old and obsolete patient records must be destroyed to ensure the patient’s privacy. A company adhering to HIPAA rules must be ready to exterminate documents in accordance with policies. Any and all documents have to be shredded thoroughly as just dumping papers cannot assure security – any person with a malicious intent could go through the garbage and obtain important personal information. Retaining the services of a professional is a sure way to ensure your safety also.

Adhering to the HIPAA pertinent to your business will provide you with the peace of mind needed to run without any hitches.

Related Hipaa Posts

• May 29, 2010 — HIPAA and the Internet: Intranet Collaboration Software requirements
• April 19, 2010 — Need for adherence to HIPAA regulations
• April 13, 2010 — Status of claims and remittance advice
• May 31, 2010 — Increasing Computer Network Security for effective HIPAA Compliance
• May 25, 2010 — HIPAA Emails compliance – Safeguard your private information
• April 24, 2010 — What Are HIPAA Laws?
• April 24, 2010 — HIPAA: What is it?
• April 21, 2010 — Complete HIPAA Guide
• April 17, 2010 — Problems in HIPAA compliance
• April 16, 2010 — Queries on HIPAA training

The 2 important parts of HIPAA that pertains to computer network security are:

1. Administrative Safeguards:

To attain HIPAA compliance the provider must recognize, protect and intimate any malevolent software program in the system. The compromised emails are carriers of worms, virus and Trojans, and there has to be a safeguard measure to stop the unwanted breach. For managing the computer systems network efficiently, it is important to keep a watch by installing specialized security measures as noted below:

Gateway and virus blocking mechanism should be in place.

The safeguard system should be able to carry out, deep packet penetration, inspect and provision for relevant web filtering mechanisms to the network. Signature systems that refresh at every half hour should be used as they are the premier defense shields against rapidly moving worms.

Security Measures

For a computer network to be HIPAA compliant, it is essential for the organization to draft a security system, which gives authority to the key people or software systems to access the confidential health information.

Appropriate encryption mechanisms should be in place to code the confidential health information when in transit to stop unauthorized access or intercept. The sending of information must be encrypted in a high security encryption and must be received by authorized users who must use the decryption code to decrypt the message.

Ultimately, it is necessary for all parties concerned in the healthcare system, like health service providers, insurance providers, transcription service providers, labs, internet service providers, hospitals and billing services to cement a relation of trust to ensure confidentiality of patient information shared between them. This can be achieved through a linkage of computers that stick to HIPAA rules and regulations to achieve a safe and protected transmission, of private health information on a public platform.

Related Hipaa Posts

• May 29, 2010 — HIPAA and the Internet: Intranet Collaboration Software requirements
• April 17, 2010 — Problems in HIPAA compliance
• June 1, 2010 — Reasons medical businesses should comply with HIPAA regulations
• May 25, 2010 — HIPAA Emails compliance – Safeguard your private information
• May 24, 2010 — Factors influencing HIPAA Compliance
• May 20, 2010 — HIPAA Implementation Procedure
• April 24, 2010 — What Are HIPAA Laws?
• April 24, 2010 — HIPAA: What is it?
• April 21, 2010 — Complete HIPAA Guide
• April 20, 2010 — Medical billing software and HIPAA

HIPAA also commonly known as The Health Insurance Portability and Accountability Act, requires employment of stringent measures by the health care providers, to assure the patient that his/her personal health records are protected from the unauthorized access over the internet.

HIPAA when enacted required health-providing entities to assure the confidentiality of patient information in the following ways:

• Responsibility for security was to be assigned to a person or organization.
• Assessment of risks to find out any security or privacy threats to medical information.
• Establishment of a program to address physical, personnel and technical security controls.

• Certification of effectiveness of the employed security controls.

• Creating procedures, guidelines and policies to use computing devices, and ensuring that the suitable mechanisms are there to allow or ban access to an individual’s status.

• Implementation of controls on access which include user-based access, encryption, role-based access, context-based access and auditing control mechanisms, authentication of data, and authentication of entity.

Security is the key

HIPAA provides for both civil and criminal action against the violations and violators, as data access and security is top priority for a healthcare firm. To assure HIPAA compliance, security features that should be included in online documents are:

• Secure web server – A server should be running secure socket layers. It is the bare minimum required.

• Encrypted database – All data has to be encrypted.  Modern Encryption Software is available that encrypts all the data sent between two computer and any device on the internet.

• Session timeout – This assures that private data is not left unattended and is only viewed by unauthorized personnel.

• Server monitoring – monitoring of the web server is required to detect break-in attempts and hacking attempts.

• Secure access control – Apart from user id and password, for additional security, strong passwords and smart cards should be used.

• Regular security audits – all security precautions need to be checked for their state of readines and proper working. For this regular audits should be carried out.

• Personnel – Qualified personnel familiar with HIPPA requirements should be employees for system maintenance.

Related Hipaa Posts

• June 1, 2010 — Reasons medical businesses should comply with HIPAA regulations
• May 31, 2010 — Increasing Computer Network Security for effective HIPAA Compliance
• April 13, 2010 — Status of claims and remittance advice
• May 25, 2010 — HIPAA Emails compliance – Safeguard your private information
• May 24, 2010 — Factors influencing HIPAA Compliance
• May 20, 2010 — HIPAA Implementation Procedure
• April 24, 2010 — What Are HIPAA Laws?
• April 24, 2010 — HIPAA: What is it?
• April 21, 2010 — Complete HIPAA Guide
• April 20, 2010 — Medical billing software and HIPAA

HIPAA is implementing strict rules and regulations to deal with health insurance related malpractices like the sale of important health data of patients to lawyers to earn money. Recently action has been taken with the aim to make sharing of people’s electronic health records.

In the month of November 2009, 8 federal agencies sanctioned a notice approval form. This form makes compulsory for the health agencies to reveal to the customers the procedure through which their data is obtained and disbursed. This helps the customer to take an effective decision to avail or reject the service.

The new rule empowers the government to initiate legal proceedings against the defaulter for not adhering to HIPAA compliance, taking criminal action and levying hefty fines.

The last rule of Federal Trade Commission (FTC) in accordance with American Recovery and Reinvestment Act makes it compulsory for the health agencies to inform any violation of patient health record to the customer. The media should be informed if there is breach of 500 or more patient health data. The rule also specifies the time, matter and procedure of conveying the breach.

The Recovery act makes it compulsory for HHS or Department of Health and Human Services to carry out a research on the stakeholders that dispense health services but are not under the umbrella of the HIPAA. The intent is to draw up norms on how such parties can dispense their healthcare services simultaneously safeguarding important patient information.

Ultimately, newer and more stringent rules point towards the exercises of the regulatory bodies to put an end to malpractices that are inherent to the process despite security measures that are in place. The only intention is to ensure the electronic sharing of confidential health records safe and resistant to tampering. This will plug the losses that the state and the people incur on account of fraudulent claims.

Related Hipaa Posts

• August 4, 2009 — HIPAA At The Workplace
• April 15, 2010 — Security rules under HIPAA
• September 1, 2009 — Authorization and submission of your medical claims
• April 27, 2010 — What does HIPAA Privacy rule constitutes?
• May 24, 2010 — Factors influencing HIPAA Compliance
• September 3, 2009 — HIPAA tools for your medical practice
• July 29, 2009 — HIPAA Compressed
• June 1, 2010 — Reasons medical businesses should comply with HIPAA regulations
• May 20, 2010 — HIPAA Implementation Procedure
• July 31, 2009 — Differences between EMR and HIPAA

However, transfer of personal and private data from paper documents that utilizes direct faxes to an electronic process that relies on unsecure email will naturally raise security concerns. Data in transportation via non-secure channels can be breached with relative ease and could be used with a malicious intent. Patients are predictably worried that best practices might not be observed to safeguard their confidential data.

To be abreast of these updates in Health Information Technology (HIT), health centers and physicians are required to find and utilize safe and secure computers and email programs that are compliant with both HITECH and HIPAA standards. Just as different treatments are available for different ailments, a wide range of options exists regarding security and email applications. It can be confusing for health centers and doctors to go through such vast options and find the one that is suited to their needs and budgets.

Some organizations have implemented an economical system that can be scaled to suit your requirements. Whether it is a tiny clinic or a large healthcare center, systems can be tailored to meet the demands of their patients. There are some applications which obliterate the need for on-site IT resources or maintenance and work on most known web browser or merge with outlook email accounts too.

HITECH medical data software is anticipated to be completely implemented by 2014. With this, the US will move a step closer to the world standard of health care data storage. It will be on the same level as other first-world countries who have their data securely stored a conveniently used.

If you are a covered entity under HIPAA, then you must also make sure that your email system has the required safeguards and encryptions to ensure safe transfer of medical data.

Related Hipaa Posts

• June 1, 2010 — Reasons medical businesses should comply with HIPAA regulations
• May 31, 2010 — Increasing Computer Network Security for effective HIPAA Compliance
• May 29, 2010 — HIPAA and the Internet: Intranet Collaboration Software requirements
• April 24, 2010 — What Are HIPAA Laws?
• April 24, 2010 — HIPAA: What is it?
• April 21, 2010 — Complete HIPAA Guide
• April 19, 2010 — Need for adherence to HIPAA regulations
• April 17, 2010 — Problems in HIPAA compliance
• April 16, 2010 — Queries on HIPAA training
• April 13, 2010 — Status of claims and remittance advice

HIPAA compliance needs specific attention and effort, if any failure to adhere involves high risk of reputation damage, fines starting from $100 to $250,000 and imprisonment varying from 1 year to 10 years. Different various HIPAA management efforts are required for a practice with various different systems for patient timetable, electronic and medical files and billing. This article shows an honest way to HIPAA management adherence and is a summary of main important HIPAA terminology, principles, and requisites to assist the practitioner to adhere to HIPAA compliance through medical billing and software retailers.

The last 10 years of the 19^th century saw a rapid increase of digital technology in health care, with lesser expenditure and much better service quality, also resulted in new and higher risks for accidental revelation of private health information.

Protected Health Information (PHI)

The main requirement of HIPAA is PHI, which covers any aspect that can be required to identify a person and any information or data exchanged or disclosed to other health care providers in any medium viz. digital, verbal, recorded, faxed, printed or written).

Information that is required to recognize a person includes:

1. Name
2. Health plan numbers
3. Zip code not less than 3 digits, telephone and fax numbers, email
4. License numbers
5. Social security numbers
6. Dates (excluding year)
7. Medical record numbers
8. Photographs

Details shared with other healthcare firms or clearinghouses are:

1. Data about treatment and billing
2. Notes made by nurses and physicians

HIPAA principles

HIPAA aims to ensure smooth running of PHI for healthcare operations with the patient’s approval; however, bans unauthorized PHI for any other reasons. Healthcare procedure involves payment, competence review training, treatment, care quality assessment, accreditation, auditing, legal procedures and insurance rating,

HIPAA encourages unbiased information practices and sets guidelines for those who have access to PHI to protect it.

Unbiased information practices means that a person should be permitted to

1. Access to PHI,
2. Rectifying mistakes and completeness,
3. Know who else are using PHI.

Protecting PHI means that the subject who possess PHI should

1. be responsible for self use and disclosure
2. have a legal source to counter violations

Related Hipaa Posts

• May 31, 2010 — Increasing Computer Network Security for effective HIPAA Compliance
• May 29, 2010 — HIPAA and the Internet: Intranet Collaboration Software requirements
• May 20, 2010 — HIPAA Implementation Procedure
• April 20, 2010 — Medical billing software and HIPAA
• August 25, 2009 — CIO Knowledge on HIPAA compliance

A privacy breach is said to have been perpetuated, when a properly authenticated and authorized user looks into a patient’s record without any particular need or requirement to do so. For example, a doctor looking at a record of a patient to review information, if he is not treating that person at the moment, is termed as privacy breach.

This privacy breach has to be disclosed under the HITECH regulations. The same doctor, however, cannot be booked for privacy breach when he pulls up the records a week later, as he is treating that patient at that particular time.

A security breach occurs when there is a successful hacking carried out into a system, disks or unencrypted laptops and computers containing identifiable patient details. This also implies a privacy breach, as it is an unauthorized access to private data. But strangely enough, a privacy breach cannot be termed as a security breach.

Many experts conclude that protection against security breaches is a prevention of privacy breaches. Prevention of security breaches can be easily accomplished through a two-factor authentication at the data workstation, locking terminals to prevent improper and unauthorized usage of data; other authentication approaches for clinical users should also be included. The latter is an important way to prevent privacy breaches, but is the more difficult of the two to achieve.

The introduction of HITECH regulations has extended the bite of the HIPAA framework. Healthcare organizations are now required, under law, to disclose a patients privacy breach to the patient who has been effected. In certain cases, a notification of the same has to be made to the secretary of Health and Human Services. This much talked about HIPAA and HITECH compliance and the application and desktop virtualization can therefore be an effective means of protecting against security breaches.

Related Hipaa Posts

• April 27, 2010 — What does HIPAA Privacy rule constitutes?
• April 15, 2010 — Security rules under HIPAA
• August 14, 2009 — HIPAA protection during a job shift
• April 10, 2010 — Using backup HIPAA data
• April 14, 2010 — Software, which is in compliance with HIPAA
• July 29, 2009 — HIPAA Compressed
• May 19, 2010 — Details on HIPAA laws
• May 11, 2010 — How Does OCR HIPAA help individuals?
• August 15, 2009 — HIPAA Training
• April 13, 2010 — Status of claims and remittance advice

HIPAA has given a number of rights to an individual regarding his or her medical records. The individual can demand to see his medical records from his doctor or the hospital where he is getting the treatment. The individual has the right to demand the records without providing any specific reasons for it and the doctor or hospital must give him a copy of his records within 30 days of the request.

But the institution or doctor can impose a small fee in return of the provided records. If the patient wants them to post the records, then he will have to pay for the postage and handling charges. Even though, you will get most of the information in your medical records, but in some rare cases, your doctor may hold some information from you. This is done in the cases where the doctor feels that disclosing a particular piece of information may hurt you or people around you or endanger your health in any way.

Even though with the introduction of electronic medical records and strict rules, the chance of error in medical records has decreased considerably, but still, you can get any mistakes in your medical records rectified. Similarly, if there is an omission of certain information from your medical records, then it’s the duty of the hospital or doctor who issued the records to correct it and provide the updated version of records free of cost.

Even if your doctor or hospital doesn’t think that there is a mistake in your medical records, you can still ask them to register your disagreement in your medical records. This will inform your future doctors about the conflict of opinions between you and your doctor.

Our medical history is extremely private to us and it should stay that way. Thankfully, HIPAA has provided many rules which ensure that nobody can abuse our privacy.

Related Hipaa Posts

• April 27, 2010 — HIPAA Security Rule
• July 30, 2009 — Changes by HIPAA in the stimulus package
• July 29, 2009 — HIPAA Compressed
• July 27, 2009 — Hipaa Introduction
• July 24, 2009 — HIPAA products guide
• July 24, 2009 — HIPAA Legislation Guide
• August 22, 2009 — Personal Impact of HIPAA
• April 14, 2010 — Software, which is in compliance with HIPAA
• April 15, 2010 — Security rules under HIPAA
• April 17, 2010 — Problems in HIPAA compliance

This training is provided by independent training centers. Companies hire professionals from these centers to train and educate their employees and high level management about every aspect of HIPAA. Once the training is completed, the training institutes provides a HIPAA certification to every employee who has completed the training successfully. These certifications are used to prove the skills of the employees during OCR inspections.

HIPPA training can be done in many different manners. The employees can choose a one-on-one instructor led training method, classroom training, online training, virtual classroom training or on-site training. Different companies choose different methods to provide this training.

Covered entities like hospitals, health insurance providers, healthcare clearing houses etc. are required by the law to provide training to their employees. Failure to comply with this law might end-up in a fine for them. Most covered entities prefer to provide group training instead of one-on-one training as it is much more time consuming. In big companies, one-on-one training may also cost too much and disrupt the company’s budget.

On-site training is also more preferred as compared to classroom training as the employees can get first hand idea about how to manage the records and other formalities in their own work place. This also saves a lot of time of the employees and they don’t need to waste time in commuting to and from the training center.

But classroom training also has a number of benefits. It provides a more focused training as students only concentrate on their training and are not interrupted by constant phone calls and emails at their workstations. Classroom training also facilitates better interaction between students, which facilitates a better understanding about training.  Visual and hearing aid can also be provided in the classroom training to help the students.

If you are planning to arrange for HIPAA training sessions for yourself or your firm, make sure that the training provider you choose is capable in handling your firm. Every company has different requirements in terms of situation, time period and method of training. Training provider must be capable in this.

HIPAA training is an important aspect of the HIPAA law and should not be taken lightly.

Related Hipaa Posts

• May 1, 2010 — HIPAA Certification: Who needs it?
• April 16, 2010 — Queries on HIPAA training
• August 20, 2009 — Need for HIPAA training
• August 15, 2009 — HIPAA Training

This law also prevents malpractice by insurance companies and doctors and also provides a savings account for medical purposes. This law was in response to the demand of health industry to shift to electronic transaction standards to help hospitals and other concerns cut cost and increase the security of the medical records of patients.

Thus HHS or Department of Health and Human Services created HIPAA standards to control and regulate administrative and financial transaction in medical field. They have created codes for health plans, hospitals, retail pharmacies, nursing homes etc. to ensure security and privacy of identifiable information in medical records of individual.

These codes were standardized so that the multiple versions of electronic HCFA 1500 and UB-92 can be replaced. These standards were adopted back in April 2007 and are applicable to all kinds of health plans, clearing houses, hospitals etc. These standards streamline billing and make the inquiries for eligibility and referral authorizations much easier.

The required transactions codes are:

• Health plan identifiers
• Country codes
• Employer identification number
• Provider taxonomy codes

Based on these standards, a transaction through HHS HIPAA is performed in following manner:

1. A person is enrolled into a health plan and pays the premium on it.
2. His eligibility is verified.
3. His referral is authorized electronically or via phone or fax.
4. A health care claim is made by the insured person.
5. Bills and documents are submitted to prove the claim
6. The claims are checked and verified.
7. If there is no dispute, then the claim is remitted to the patient.

All the covered entities under are required to conduct electronic transactions for everything, including eligibility confirmation and sending claims through a clearinghouse.

HIPAA standards have made the task of managing and clearing health insurance claims really fast. It has also reduced the chances of human error or delay in delivery as all the data is now transferred electronically.

Related Hipaa Posts

• May 6, 2010 — What is HIPAA HHS?