HIPAA Compliance PLAN
What is HIPAA?
The Health Insurance Portability and Accountability Act of 1996
(HIPAA) mandates standards for the way your organization sends data
electronically, seeks protections for the privacy and security of
patient data, and establishes uniform healthcare identifiers.
HIPAA is a series of federal regulations, and it is important that
you understand what is expected of you within the workplace under
these new federal guidelines.
Overview of Privacy Rule
The Privacy Standard seeks to protect the privacy of information
related to an individual's health, treatment, or healthcare payment.
The Privacy Rule, which overlays the entire Administrative
Simplification provision, has the following requirements:
Inform people of how their information is used;
Give people access to information about them;
Require health plans and providers to maintain administrative and physical safeguards;
Allow health information to be used and shared for treatment and payment of health care;
Allow disclosures for national priorities;
Require written authorization for use and disclosure for all other purposes;
Require NO disclosure except to the individual (and to HHS for investigation or enforcement).
Overview of Security Rule
The new Security Standard will provide a uniform level of protection
of all health information that is housed or transmitted electronically
and that pertains to an individual.
There are four main security provisions included in HIPAA:
Administrative Procedures (security practices)
Physical Safeguards (protection from intrusion)
Technical Safeguards (which provide security over data at rest and in transit).
The Security Rule applies not only to the transactions adopted under HIPAA,
but also to all individual health information that is maintained
or transmitted electronically. Since the Security Standard does
not require specific technologies to be used, solutions will vary.
WHO DOES HIPAA APPLY TO?
Any organization that transmits or maintains protected health information
either at their location or through a third party organization.
This includes:
1. Medical Providers
2. Health Plans
3. Clearinghouses
4. Employers
5. Public Health Authorities
6. Life Insurance
7. Billing Agencies
8. Information Systems
9. Service Organizations
10. Universities
WHAT INFORMATION IS PROTECTED?
Any health information that is individually identifiable to a patient
is protected by the HIPAA privacy rule. This includes information
in written, oral & electronic formats.
WHAT IS INVOLVED IN HIPAA COMPLIANCE?
Compliance with the HIPAA Administrative Simplification provisions will require
your organization to meet the following requirements:
1. Implement operational changes to ensure the security & confidentiality of health information.
2. Develop policies & procedures to facilitate HIPAA requirements, documented in a manual kept in the office.
3. Notify patients of their rights under HIPAA & your organization's legal responsibilities.
4. Implement Administrative, Technical & Physical Safeguards to secure electronic PHI.
5. Transmit electronic transactions using HIPAA-compliant formats (as adopted by ANSI).
6. Obtain written assurances from vendors that they will safeguard health information.
7. Train members of the workforce on HIPAA & the organization's policies & procedures.
HIPAA PROVIDES PATIENTS WITH MORE RIGHTS
As provided by the HIPAA privacy rule, patients may:
1. Request an accounting of disclosures made of their health record.
2. Request amendments to their health information.
3. Access & copy their health information.
4. Receive confidential communication about their health information.
5. Restrict uses & disclosures of their health information.
6. Complain to your organization & to the Secretary of HHS.
Privacy vs. Security
Privacy: Patients' right over the use and disclosure of Personal
Health Information (PHI):
when shared
how shared
extent shared
Security: Measures health care entities must take to protect access
to Personal Health Information (PHI):
prevent unauthorized breaches of privacy
ensure against loss of PHI
Major Components of Effective Privacy Policies
These principles are also appropriate for organizations.
1. Openness. There should be a general practice of openness about
practices and policies with respect to personal information. Means
should be available to establish the existence and nature of personal
information and the main purposes of its use.
2. Purpose Specification. The purpose for collecting personal information
should be specified at the time of collection. Further uses should
be limited to those purposes.
3. Collection Limitation. The collection of personal information
should be obtained by lawful and fair means and with the knowledge
and consent of the subject. Only that information necessary for
the stated purpose should be collected, nothing more.
4. Use Limitation. Personal information should not be disclosed
for secondary purposes without the consent of the subject or by
authority of law.
5. Individual Participation. Individuals should be allowed to inspect
and correct their personal information. Whenever possible, personal
information should be collected directly from the individual.
Helpful HIPAA Hints - Privacy
Covered entities could use & disclose protected health information
without individual authorization for:
Oversight of the health care system, including QA;
Public health, and in emergencies;
Treatment, payment or operations;
Judicial and administrative proceedings;
Law enforcement;
To provide information to next-of-kin;
For identification of the body of a deceased person;
For facilities (hospitals, etc.) directories;
To financial institutions, for processing payments for health
care; and
In other situations where use or disclosure is mandated by other law, consistent with the requirements of the other law.
Helpful HIPAA Hints - Security
The Security & Electronic Signatures standard mandates requirements in
five broad areas:
Administrative Requirements:
Make sure you are following your organization's procedural
policies for the monitoring and administering of access to health
information.
Physical Security Requirements:
Make sure that you help to maintain the security within restricted
access areas of your organization by reporting any unauthorized
access or suspicious activity.
Technical Security Services:
Keep your username and password confidential and make sure that
you do not leave a computer terminal unattended.
Technical Security Mechanisms:
These mechanisms include the use of antivirus software and encryption
of health information. To find out what mechanisms are employed
by your organization, see your system administrator or review your
organization's security policies.
We send all claims in ANSI 4010 or 837P format directly to Medicare,
Blue Cross, & Preferred Health Professionals and to the clearinghouse.
We have all the HIPAA forms that you need to run your doctor's office,
plus we can do the manual that you need in your office. We have
software that is HIPAA compliant and has the HIPAA forms built into
the software. It also has the ANSI 4010 program built into the software.