HIPAA Policy on Electronic Protected Health Information

Practice Insight, LLC

May 2005

Introduction

HIPAA is an acronym for the Health Insurance Portability and Accountability Act. Its primary purpose is to ensure improved efficiency in healthcare delivery by standardizing electronic data interchange (through standard formats for electronic patient health, administrative and financial data) and to protect the confidentiality and security of health data by setting and enforcing standards. HIPAA defines covered entities to include virtually all healthcare organizations, including all health care providers, health plans, public health authorities, healthcare clearinghouses, and self-insured employers, as well as life insurers, information systems vendors, various service organizations, and universities.

HIPAA covers four general areas dealing with PHI (Protected Health Information):

1) Privacy Rule (http://www.hhs.gov/ocr/hipaa/privrulepd.pdf)

2) Electronic Transaction Code Sets (http://www.cms.hhs.gov/hipaa/hipaa2/regulations/transactions/finalrule/txfinal.pdf)

3) National Identifiers (http://www.cms.hhs.gov/hipaa/hipaa2/regulations/identifiers/NPI-FR-GeneralOverview-REV-2-18-04.pdf)

4) Security (http://www.cms.hhs.gov/hipaa/hipaa2/regulations/security/03-3877.pdf)

Definitions

Electronic protected health information (ePHI) means protected health information that is created, received, maintained or transmitted in electronic format.

Confidentiality means the assurance that ePHI is shared only among authorized persons or organizations.

Availability means the assurance that the systems responsible for delivering, storing and processing ePHI are accessible when needed by those who need them, under both routine and emergency circumstances.

Integrity means the assurance that ePHI is not changed or destroyed in an unauthorized manner. It is an assurance that the information is authentic and complete, and that the information can be relied upon to be accurate for its purpose.

EDI staff members are the individuals with overall responsibility for EDI claims management support.

The HIPAA Security Standards make up the bulk of the regulations and are divided into the following:

Administrative Safeguards

Administrative safeguards are administrative actions, policies and procedures to manage the selection, development, implementation and maintenance of security measures to protect ePHI, and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.

Security Management Process

Assigned Security Responsibility

Workforce Security

Information Access Management

Security Awareness and Training

Security Incident Procedures

Contingency Plan

Evaluation

Business Associate Contracts and Other Arrangements

Physical Safeguards

Physical safeguards are physical measures, policies and procedures to protect a covered entity’s electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion.

Facility Access Controls

Workstation Use

Workstation Security

Device and Media Controls

Technical Safeguards

Technical safeguards are the technology, and the policies and procedures for its use, that protect ePHI and control access to it.

Access Control

Audit Controls

Integrity

Person or Entity Authentication

Transmission Security

Organization Requirements

Business Associate Contracts & Other Arrangements

Policies & Procedures & Documentation Requirements

Compliance requirements include:

Policy

As required by the HIPAA Security Rule, Practice Insight, LLC provides administrative, physical and technical safeguards for electronic protected health information (ePHI) that is used for EDI transaction processing. Responsibility for compliance with the Security Rule rests jointly with Practice Insight, LLC and its resellers. The policy is summarized in the Practice Insight Business Associate Agreement shown below:

BUSINESS ASSOCIATE AGREEMENT

(Capitalized terms used in this Exhibit and not otherwise defined in the Agreement have the meanings set forth in HIPAA, which definitions are hereby incorporated by reference.)

1. Practice Insight agrees to use or disclose Protected Health Information only as permitted or required by the Agreement or as required by law. Practice Insight agrees that its right to use or disclose Protected Health Information under this Agreement extends only to the provision of Transaction Services (per 45 C.F.R. § 164.502(a)(1)(iii)), the creation of information that is not “individually identifiable health information” (per 45 C.F.R. § 164.502(d)), disclosure to a Business Associate of Practice Insight as part of Practice Insight’s provision of Transaction Services provided it enters into a written agreement with the Business Associate on terms substantially similar to this Business Associate Agreement, pursuant to 45 C.F.R. § 164.504(e)(1)(i) and 164.504(e)(1), and for proper management and administration of Practice Insight as a Business Associate, including archival purposes, or to carry out the legal responsibilities of Practice Insight as a Business Associate under 45 C.F.R. § 164.504(e)(4).

2. Practice Insight agrees to use appropriate safeguards to prevent use or disclosure of the Protected Health Information other than as provided for by the Agreement.

3. Practice Insight agrees to report to Reseller any use or disclosure of the Protected Health Information of which it is aware that is not provided for by the Agreement and will make that report to Reseller’s designated privacy manager within a reasonable time after it becomes aware of the use or disclosure.

4. Practice Insight agrees to ensure that any agent, including a subcontractor, to whom it provides Protected Health Information received from Reseller, or created or received by Practice Insight on behalf of Reseller, agrees to the same restrictions and conditions that apply to Practice Insight with respect to that information.

5. Practice Insight agrees to provide to Reseller, at Reseller’s request, access to Protected Health Information or, as directed by Reseller, to an Individual, in order to meet the requirements of 45 C.F.R. § 164.524.

6. Practice Insight agrees to make any amendments to Protected Health Information that Reseller directs or agrees to pursuant to 45 C.F.R. § 164.526, which amendments will be provided to Practice Insight’s designated privacy manager.

7. Practice Insight agrees to document any disclosures of Protected Health Information and information related to those disclosures as would be required for Reseller to respond to a request by an Individual for an accounting of disclosures of Protected Health Information, and agrees to provide to Reseller or an Individual that documented disclosure information so as to permit Reseller to respond to an Individual’s request for an accounting under 45 C.F.R. § 164.524.

8. Practice Insight agrees to make available to Reseller or to the Secretary of the Department of Health and Human Services all internal practices, books, and records, including policies, procedures and Protected Health Information, that relate to use and disclosure of Protected Health Information received from Reseller, or created or received by Practice Insight on behalf of Reseller, in order to determine compliance with HIPAA.

9. Practice Insight agrees that upon termination of the Agreement it will return or destroy all Protected Health Information received from Reseller, or created or received by Practice Insight on behalf of Reseller, that Practice Insight maintains in any form and retain no copies of that information, provided the return or destruction is feasible, or, if the return or destruction is not feasible, as in the case with archived Transaction data, will extend the protection of this Agreement to that information for so long as Practice Insight maintains the information and will limit further uses and disclosures of that information to those purposes that make the return or destruction infeasible.

10. Practice Insight will comply, and will require any subcontractor or agent involved with Transactions to comply, with all applicable requirements of 45 C.F.R. Part 162. In connection with the processing of Transactions that comply with the HIPAA Standards for Electronic Transactions regulations, Practice Insight will not, and will not permit its subcontractors or agents: (a) to change the definition, data condition, or use of a data element or segment; (b) to add any data elements or segments to the maximum defined data set; (c) to use any code or data element that is marked “not used” in the implementation specification or is not in the implementation specification; or (d) to change the meaning or intent of the implementation specification.

11. Practice Insight and Reseller agree to amend this agreement from time to time as necessary for the parties to comply with the requirements of HIPAA.