MEDISCRIBE© AND HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) of 1996
(P.L.104-191) [HIPAA] was enacted by the U.S. Congress and signed by President
Bill Clinton in 1996. It was originally sponsored by Sen. Edward Kennedy (D-Mass.)
and Sen. Nancy Kassebaum (R-Kan.). Title I of HIPAA protects health insurance
coverage for workers and their families when they change or lose their jobs and does
not pertain to the MEDISCRIBE© Project.
Title II of HIPAA, known as the Administrative Simplification (AS) provisions, requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers, and it directly impacts the MEDISCRIBE© Project.
The Administrative Simplification (AS) provisions also address the security and privacy of health data that MEDISCRIBE© must consider, and the standards that MEDISCRIBE© must meet. The aim of AS is to improve the efficiency and effectiveness of the nation's health care system by encouraging the widespread use of electronic data interchange in the U.S. health care system.
In addition, Title II of HIPAA defines numerous offenses relating to health care and sets civil and criminal penalties for them. It also creates several programs to control fraud and abuse within the health care system. However, the most significant provisions of Title II that are related to MEDISCRIBE© are its Administrative Simplification rules. Title II requires the Department of Health and Human Services (HHS) to draft rules aimed at increasing the efficiency of the health care system by creating standards for the use and dissemination of health care information.
These rules apply to MEDISCRIBE© as defined by HIPAA and the HHS. Per the requirements of Title II, the HHS has promulgated five rules regarding Administrative Simplification: the Privacy Rule, the Transactions and Code Sets Rule, the Security Rule, the Unique Identifiers Rule, and the Enforcement Rule. The HHS Rules that affect MEDISCRIBE© are as follows:
PRIVACY RULE
The effective compliance date of the Privacy Rule was April 14, 2003. The HIPAA Privacy Rule regulates the use and disclosure of certain information that is held by MEDISCRIBE©. It establishes regulations governing MEDISCRIBE©'s use and disclosure of Protected Health Information (PHI). PHI is defined as any information held by MEDISCRIBE© which concerns health status and provision of health care that can be linked to an individual.
The way that MEDISCRIBE© is designed, each individual will either have joined the system themselves and received full disclosure upon joining, or, if the individual is part of a group of patients for which a doctor has subscribed, the individual will be notified of this action by their doctor. In any event, MEDISCRIBE© will disclose PHI to the individual immediately, and MEDISCRIBE© will explain their rights. Under HIPAA, MEDISCRIBE© will also disclose PHI when required to do so by law.
Since the primary design of MEDISCRIBE© is to disclose PHI to facilitate treatment and health care operations, the individual will have already agreed as to which entities are authorized, or MEDISCRIBE© will obtain authorization from the individual prior to releasing the information to any entity that is not on the preauthorized list. When MEDISCRIBE© discloses any PHI, it will only disclose the minimum necessary information required to achieve its purpose.
MEDISCRIBE©, in accordance with the Privacy Rule, will also give individuals the right to correct any inaccurate PHI. MEDISCRIBE© will also ensure the confidentiality of communications with individuals. For example, an individual can ask to be called at his or her work number, instead of home or cell phone number.
In addition, MEDISCRIBE© will adhere to the Privacy Rule and notify individuals of uses of their PHI. MEDISCRIBE© will also keep track of disclosures of PHI and document privacy policies and procedures. MEDISCRIBE© also has an appointed Privacy Official that any individual can contact who is responsible for receiving complaints and training all members of the MEDISCRIBE© Project in procedures regarding PHI.
It is the goal of the MEDISCRIBE© Project that all individuals who believe that the Privacy Rule is not being upheld are able to file a complaint with the company and also have the ability to file a claim with the Department of Health and Human Services Office for Civil Rights (OCR).
TRANSACTIONS AND CODE SETS RULE
The HIPAA/EDI provision took effect on October 16, 2003. On January 1, 2012, the newest version, 5010, becomes effective, replacing version 4010. This allows for the larger field size of ICD-10-CM as well as other improvements.
Key EDI (X12) transactions used by MEDISCRIBE© for HIPAA compliance are:
EDI Health Care Service Review Information (278): This transaction set is used by MEDISCRIBE© to transmit health care service information, such as subscriber, patient, demographic, diagnosis, or treatment data, for the purpose of requesting review, certification, or notification, or reporting the outcome of a health care services review.
EDI Functional Acknowledgement Transaction Set (997): This transaction set is used by MEDISCRIBE© to define the control structures for a set of acknowledgments that indicate the results of the syntactical analysis of the electronically encoded documents. Although it is not specifically named in the HIPAA legislation or Final Rule, it is necessary for X12 transaction set processing. The encoded documents are the transaction sets, grouped in functional groups, used by MEDISCRIBE© in defining transactions for business data interchange.
SECURITY RULE
The Final Rule on Security Standards was issued on February 20, 2003. It took effect on April 21, 2003, with a compliance date of April 21, 2005. The Security Rule complements the Privacy Rule. While the Privacy Rule pertains to all Protected Health Information (PHI), including paper and electronic, the Security Rule deals specifically with MEDISCRIBE© and Electronic Protected Health Information (EPHI). In full compliance, and with internal security rules that far exceed the EPHI requirements, MEDISCRIBE© implements the three types of security safeguards required for compliance: administrative, physical, and technical. For each of these types, MEDISCRIBE© identifies the various security standards, and for each standard it names both required and addressable implementation specifications. MEDISCRIBE© has designed, adopted, and exceeded the required specifications as dictated by the Rule.
The MEDISCRIBE© standards and specifications are as follows:
Administrative Safeguards – policies and procedures designed to clearly show how the entity will comply with the act
1) MEDISCRIBE© has a written set of privacy procedures and has designated a privacy officer to be responsible for developing and implementing all required policies, procedures, and training.
2) The MEDISCRIBE© policies and procedures reference management oversight and organizational buy-in to compliance with the documented security controls.
3) The MEDISCRIBE© procedures clearly identify employees or classes of employees who will have access to electronic protected health information (EPHI). MEDISCRIBE© has restricted this access to only those employees who have a need for it to complete their job function.
4) The MEDISCRIBE© procedures address access authorization, establishment, modification, and termination.
5) MEDISCRIBE© has developed an appropriate ongoing training program regarding the handling of PHI, which is provided to employees performing health plan administrative functions.
6) MEDISCRIBE© ensures that their vendors also have a framework in place to comply with HIPAA requirements.
7) MEDISCRIBE© has a contingency plan for responding to emergencies. MEDISCRIBE© far exceeds the industry standards for backing up its data and having disaster recovery procedures in place. The MEDISCRIBE© plan documents data priority and failure analysis, testing activities, and change control procedures.
8) MEDISCRIBE© internal audits play a key role in HIPAA compliance by reviewing operations with the goal of identifying potential security violations. MEDISCRIBE© policies and procedures specifically document the scope, frequency, and procedures of audits. The MEDISCRIBE© audits are both routine and event-based.
9) MEDISCRIBE© procedures document instructions for addressing and responding to security breaches that are identified either during the audit or the normal course of operations.
Physical Safeguards – controlling physical access to protect against inappropriate access to protected data
1) MEDISCRIBE© controls govern the introduction and removal of hardware and software from the network. When any MEDISCRIBE© equipment is retired, it will be disposed of properly to ensure that PHI is not compromised.
2) Access to any MEDISCRIBE© equipment containing health information is carefully controlled and monitored.
3) Access to any MEDISCRIBE© hardware and software is limited to properly authorized individuals.
4) Required MEDISCRIBE© access controls consist of facility security plans, maintenance records, and visitor sign-in and escorts.
5) MEDISCRIBE© policies address proper workstation use. All MEDISCRIBE© workstations are removed from high traffic areas and monitor screens are not in direct view of the public.
6) All MEDISCRIBE© contractors or agents are fully trained on their physical access responsibilities.
Technical Safeguards – controlling access to computer systems and enabling covered entities to protect communications containing PHI transmitted electronically over open networks from being intercepted by anyone other than the intended recipient.
1) The MEDISCRIBE© information systems housing PHI are protected from intrusion. When information flows over open networks, encryption must be utilized. MEDISCRIBE© employs closed systems and closed networks.
2) MEDISCRIBE© has safeguards and policies in place that ensure that the data within the MEDISCRIBE© Systems has not been changed or erased in an unauthorized manner.
3) MEDISCRIBE© has data corroboration in place; checksums, double-keying, message authentication, and digital signatures are used to ensure data integrity.
4) MEDISCRIBE© also has an extensive authentication system through which all individuals or entities must communicate. MEDISCRIBE© authentication consists of corroborating that an entity is who it claims to be and that the information is verified.
5) MEDISCRIBE© makes documentation of their HIPAA practices available to the government to determine compliance.
6) In addition to policies and procedures and access records the MEDISCRIBE© information technology documentation also includes a written record of all configuration settings on the components of the network because these components are complex, configurable, and always changing.
7) MEDISCRIBE© also has the required documented risk analysis and risk management programs. MEDISCRIBE© carefully considers the risks of its operations as it implements systems to comply with the act.
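The data corroboration item above names checksums and message authentication as integrity mechanisms but does not show the difference between them. The following is an added example, not MEDISCRIBE© code, illustrating why an unkeyed checksum only catches accidental corruption while a keyed message authentication code (HMAC-SHA256) also catches unauthorized modification by anyone who lacks the key. The record layout, the field names, and the sample values are constructed for the demonstration; the key is assumed to be a 256-bit secret held only by the system that seals and verifies records.

```python
"""Added example (not MEDISCRIBE© code): unkeyed checksum versus keyed HMAC
as integrity corroboration for an EPHI record.

Assumptions (not from the page): records are flat JSON objects, the HMAC
key is a 32-byte secret known only to the sealing/verifying system, and
the checksum and MAC are stored beside the record.
"""
import hashlib
import hmac
import json

# Constructed sample EPHI record; every value here is fictional.
SAMPLE_RECORD = {
    "patient_id": "P-000123",
    "diagnosis_code": "J18.9",
    "treatment": "amoxicillin 500 mg",
}


def canonicalize(record: dict) -> bytes:
    """Serialize deterministically (sorted keys, no insignificant whitespace)
    so identical content always produces identical bytes to hash or MAC."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def checksum(record: dict) -> str:
    """Unkeyed SHA-256 digest. Detects accidental corruption only: anyone who
    can rewrite the record can also recompute this value."""
    return hashlib.sha256(canonicalize(record)).hexdigest()


def compute_mac(key: bytes, record: dict) -> str:
    """Keyed HMAC-SHA256 tag. A modified record cannot be re-tagged without
    the secret key, so it also detects deliberate, unauthorized changes."""
    return hmac.new(key, canonicalize(record), hashlib.sha256).hexdigest()


def verify_mac(key: bytes, record: dict, tag: str) -> bool:
    """Constant-time comparison so the check does not leak tag bytes via timing."""
    return hmac.compare_digest(compute_mac(key, record), tag)


def seal(key: bytes, record: dict) -> dict:
    """Store the record with both integrity values, as a system might persist it."""
    return {"record": dict(record), "checksum": checksum(record), "mac": compute_mac(key, record)}


def simulate_unauthorized_edit(sealed: dict, field: str, new_value: str) -> dict:
    """Test helper modelling an unauthorized write by a party that can reach the
    store but does not hold the key: it changes one field and refreshes the
    unkeyed checksum, but can only leave the old MAC in place."""
    altered = dict(sealed["record"])
    altered[field] = new_value
    return {"record": altered, "checksum": checksum(altered), "mac": sealed["mac"]}


def verify(key: bytes, sealed: dict) -> dict:
    """Report what each mechanism sees for a stored record."""
    return {
        "checksum_ok": checksum(sealed["record"]) == sealed["checksum"],
        "mac_ok": verify_mac(key, sealed["record"], sealed["mac"]),
    }


if __name__ == "__main__":
    key = bytes(range(32))  # demo key only; use a random secret in practice
    stored = seal(key, SAMPLE_RECORD)
    print("untouched:", verify(key, stored))
    edited = simulate_unauthorized_edit(stored, "diagnosis_code", "Z00.00")
    print("after unauthorized edit:", verify(key, edited))
```

On the untouched record both checks pass. After the simulated edit the checksum still passes, because it was recomputed along with the change, while the MAC check fails; that gap is why the Security Rule's integrity standard is normally met with message authentication or digital signatures rather than checksums alone.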
MEDISCRIBE© and the HITECH Act: Privacy Requirements
As part of MEDISCRIBE©'s ongoing compliance with HIPAA, MEDISCRIBE© is in full compliance with Subtitle D of the Health Information Technology for Economic and Clinical Health Act (HITECH Act). This Act, enacted as part of the American Recovery and Reinvestment Act of 2009, addresses the privacy and security concerns associated with the electronic transmission of health information.
This subtitle extends the complete Privacy and Security Provisions of HIPAA to business associates of MEDISCRIBE©. This includes the extension of newly updated civil and criminal penalties to business associates. These changes are also included in all business associate agreements with MEDISCRIBE©.