What are the network security requirements under HIPAA?

The advancement of technology and the increasing exchange of patient information between health organizations, insurance providers and referral agencies expose patient information to a wide range of users and facilities. Health-related organizations must therefore meet certain technology requirements in terms of how their computer networks operate in order to comply with HIPAA. These network requirements provide guidelines for securing patient information and monitoring user activity within the system.

Network security requirements under HIPAA require organizations to employ data encryption, firewall protection and email protection as means of protecting confidential patient information, according to the American Academy of Family Physicians. Further, the HITECH Act advises organizations to implement data encryption technology within their system networks. Firewall protection requirements are designed to reduce the likelihood of a system security breach. Email security, though partially addressed by a reliable firewall, can be further strengthened with encryption software.

To prevent unauthorized access to PHI, network system requirements under HIPAA mandate the use of a medical billing code system that provides a standardized method for recording services rendered and transacting patient billing information between health-related organizations and third-party payers, according to the American Academy of Family Physicians. Organizations handling patient information are also required to maintain updated patient authorization forms that permit them to store, record and transmit patient information. In terms of patients being able to gain access to their own records, HIPAA requires organizations to take measures to ensure patient information remains available in the event of a fire or a system failure. Compliance with this provision requires organizations to have a reliable backup system capable of storing patient information and/or recovering lost data.

Under HIPAA, auditing requirements refer to an organization’s ability to monitor how authorized personnel are accessing patient records, according to the American Academy of Family Physicians. To do this, a system network must be able to assign unique user names and passwords and assign user access levels for everyone who accesses the system. User access levels limit the types of information a particular user can view and can restrict user access to a particular set or department of patients.

What are the advantages offered by HIPAA 5010?

HIPAA 5010 is the next step towards implementing Administrative Simplification between healthcare covered entities. HIPAA 5010 paves the way for further standardization, providing trading partners with better communication and more efficient, less expensive business processes. In January 2009, CMS mandated conversion to HIPAA version 5010 by January 1, 2012. Generic enhancements made to all of the HIPAA standards (TR3) include:

Consistent TR3 formats – standardized front matter and appendices
Consistent implementation instructions
Clearly defined situational requirements
Approximately 500 industry-requested changes addressed
A reduced need for Companion Guides, because the TR3 guides themselves provide clearer instructions

Major functional changes brought about by HIPAA 5010 include:

HIPAA 5010 supports ICD-9 only, ICD-10 only and dual usage of ICD-9 and ICD-10
Clarifies National Provider ID (NPI) Instructions and states which NPI should be sent.
The instructions state that a provider always reports NPI at the lowest level of specificity.

The major benefits of HIPAA 5010 include:

•    Eligibility Inquiry/Response 270/271
•    Requires alternate search options to reduce member-not-found responses
•    Added support for 38 additional Patient Service types on the request
•    Nine categories of benefit information must be reported on the response
•    When reporting co-insurance, co-payment and deductible, the patient's responsibility must also be included
•    Overall improvement in the ability to request information and the value of the information returned
•    Supports ICD-10
•    Clarifies NPI Instructions
•    Always report NPI at the lowest level of specificity
•    Improves instructions and data content for COB claims
•    Subscriber/patient hierarchy changes
•    Present on admission indicator – Institutional Claims
•    Significant changes will remove implementation obstacles
•    Medical necessity information added
•    Expect increased use of the transaction once covered entities migrate to 5010

How will HIPAA potentially impact FMLA Certification?

The Family and Medical Leave Act of 1993 (FMLA) is a United States federal law requiring larger employers to provide employees job-protected unpaid leave due to a serious health condition that makes the employee unable to perform his or her job, or to care for a sick family member, or to care for a new child (including by birth, adoption or foster care). The FMLA is administered by the Wage and Hour Division of the Employment Standards Administration of the United States Department of Labor.

The Family and Medical Leave Act (“FMLA”) entitles eligible employees of covered employers to take unpaid, job-protected leave for certain family and medical reasons. These medical reasons include the “serious health condition” of an employee’s spouse, child, or parent, or the “serious health condition” of the employee that prevents him/her from performing the essential functions of their job.

In order to assess whether a covered individual has a “serious health condition”, an employer can require sufficient medical information to support an employee’s request for FML. However, the Health Insurance Portability and Accountability Act (“HIPAA”) generally restricts a healthcare provider from divulging the protected health information (“PHI”) of its patients to third parties, including employers. This article provides tips for navigating the potential conflicts between these two statutes.

The Department of Labor (“DOL”) prescribes FMLA certification forms to verify the existence of a “serious health condition”. To be sufficient, a medical certification should state the following: the date the condition commenced; the probable duration of the condition; appropriate medical facts regarding the condition; a statement that the employee is needed to care for a covered family member or a statement that the employee is unable to perform the essential functions of his or her position; dates and duration of any planned treatment; a statement of the medical necessity for intermittent leave or leave on a reduced schedule; and expected duration of such leave.

What are the HIPAA Notice Requirements?

HIPAA has various notice requirements as part of its regulatory scheme. The Department of Labor publishes a Compliance Assistance Guide that organizes the notice requirements in HIPAA into a chart, applicable as of October 2010. The various HIPAA notice requirements are:

HIPAA Certificate of Creditable Coverage
The HIPAA certificate of creditable coverage notice is generally given when there is a loss of coverage. The notice requirement includes a list of items, which include the plan administrator’s name, address and phone number; the individual’s creditable coverage information; and an educational statement regarding HIPAA, which explains such things as the preexisting condition exclusion rules and the prohibitions against discrimination based on any health factor.

General Notice of Preexisting Condition Exclusion
The general notice of preexisting condition exclusion is generally given with any written materials provided for enrollment. This is notice of the existence and terms of any preexisting condition exclusion under the plan, including the length of the plan’s look-back period, the maximum preexisting condition exclusion period under the plan and how the plan will reduce the maximum preexisting condition exclusion period by creditable coverage, among other provisions.

Individual Notice of Preexisting Condition Exclusion
This notice is provided as soon as possible after termination of creditable coverage and states the plan’s or issuer’s determination of any preexisting condition exclusion period that applies to the individual, including the last day on which the exclusion applies and the basis for the determination.

Notice of Special Enrollment Rights and Wellness Program Disclosure
The notice describing special enrollment rights is required at or before the time an employee is given the opportunity to enroll in a health care plan. The wellness program disclosure is required in all written materials that relate to these programs. This notice states that those who find it unreasonably difficult, due to a medical condition, to comply with the wellness rewards program can contact the provider to qualify in a different way.

Hospital Stays in Connection with Childbirth
The description of rights with respect to hospital stays in connection with childbirth must be provided in the summary plan description. It must include a statement describing any requirements under federal or state law applicable to the plan, among other provisions.

WHCRA Enrollment and Annual Notices
Women’s Health and Cancer Rights Act (WHCRA) notices are provided upon enrollment and annually, and include special statements for participants and beneficiaries who are receiving mastectomy-related benefits.

Common mistakes that employers should avoid

One of the most common mistakes that employers make is failing to update the notice of privacy practices and/or send the three-year reminder. As per HIPAA, the notice must be amended when a material revision is made to its privacy practices and this updated notice must be sent to participants within 60 days. Health and Human Services has advised that a covered entity must revise and reissue its privacy notice when there has been a material change to an applicable state privacy law.

In addition, employers are required to remind participants about the privacy notice, and how to obtain it, at least once every three years. The first reminder was required to be sent to participants by April 14, 2006, for large health plans or by April 14, 2007, for small health plans. For large health plans, the next reminder must be provided by April 14, 2009. Health and Human Services has clarified that this requirement may be met by providing the full privacy notice once every three years, issuing a brief reminder notice or even by providing the reminder in a newsletter.

Covered entities should be aware that HIPAA’s rules regarding distribution of privacy notices are typically more stringent than requirements for other types of plan notices. Therefore, such notifications may not have been made in accordance with HIPAA requirements.

Again, covered entities are frequently unsure of the appropriate corrective measures necessary to resolve HIPAA complaints. Although not technically required by HIPAA, maintaining a written procedure for investigating and resolving privacy complaints may go a long way toward avoiding the assessment of penalties if a complaint is filed with Health and Human Services. The department will not assess a penalty if a privacy rule violation was due to reasonable cause and not willful neglect, and is corrected within 30 days of when the covered entity knew (or should have known) of the violation.

When a potential violation has occurred, an employer should take corrective action as soon as possible by following a written procedure for investigating the complaint. The results of the investigation should be in writing, and might include the nature of the complaint or potential violation, the steps taken to investigate the complaint, the facts revealed by the investigation, the internal HIPAA policies or procedures related to the facts and the appropriate remedial action to resolve the issue.

In this regard, the report might include sanctions against employees who violated the policies, in addition to any actions required to mitigate the harmful effects of the violation. The report might also include steps that should be followed in the future to minimize the possibility of recurrence.

Knowing what the Privacy Standards provide for

The primary objective of the Privacy Rule is to protect the privacy of all individually identifiable health information in the hands of covered entities, regardless of whether the information is or has been in electronic form. As such, HIPAA establishes the first “set of basic national privacy standards and fair information practices that provides all Americans with a basic level of protection and peace of mind that is essential to their full participation in their care”. Here is what the Privacy standards do:

1.    They give patients new rights to access their medical records, restrict access by others, request changes, and learn how their records have been accessed.
2.    They restrict most disclosures of protected health information to the minimum needed for healthcare treatment and business operations.
3.    They provide that all patients are formally notified of covered entities’ privacy practices.
4.    They enable patients to decide whether they will authorize disclosure of their protected health information (PHI) for uses other than treatment or healthcare business operations.
5.    They establish new criminal and civil sanctions for improper use or disclosure of PHI.
6.    They establish new requirements for access to records by researchers and others.
7.    They also establish business associate agreements with business partners that safeguard their use and disclosure of PHI.

The Privacy standards also call for a comprehensive compliance program, including: conducting an impact assessment to determine gaps between existing information practices and policies and HIPAA requirements; reviewing the functions and activities of the organization’s business partners to determine where Business Associate Agreements are required; developing and implementing enterprise-wide privacy policies and procedures to implement the Rule; assigning a Privacy Officer who will administer the organizational privacy program and enforce compliance; training all members of the workforce on HIPAA and organizational privacy policies; and updating systems to ensure they provide adequate protection of patient data.

How to manage access to critical data to protect privacy?

Protecting intellectual property and confidential personal, financial, and business information is a business priority, and often a legal requirement. To secure their data and ensure that only authorized people have access to it, organizations use a variety of access management disciplines. Access management includes identity management solutions that control permissions for critical data stores by managing Access Control Lists (ACLs). But identity management solutions in isolation risk access inflation, workarounds, and coverage gaps.

Comprehensive access management deploys identity management within a framework that includes disciplines for data protection, integration with hiring and promotion, and especially monitoring. Monitoring augments access management with a second line of defense, protection against unanticipated threats, a source of feedback for the continuous improvement of access management practices, and an audit trail.

The transition to comprehensive access management disciplines starts with an inventory and classification of data and a definition of appropriate IT security controls, along with the creation of a risk model to establish priorities. Typically, this planning process identifies areas of inappropriate access despite restrictive access rules, along with poorly defined controls, inadequate monitoring, and no real metrics for program effectiveness. Once under way, comprehensive access management relies on tight integration with business processes and frequent audits to maintain alignment with policy. And it depends on monitoring to identify, prioritize, and respond to unauthorized access.

What are the computer regulations under HIPAA Security Rules?

With the growing use of technology, the government also needed to ensure HIPAA compliance in the use of computers. HIPAA computer regulations fall under the HIPAA Security Rule, and health care providers have to follow HIPAA guidelines when transmitting personal health information in electronic format. Here are some regulations that healthcare providers need to follow in order to ensure HIPAA compliance in their computer usage.

All entities covered under HIPAA rules are required to write and implement procedures and policies that outline the proper access and use of all computer equipment. The policies and procedures must be based on an individual risk analysis conducted by the facility’s management.

The facility or business in question must outline and understand the use of computers and technology in its day-to-day routines and in the overall management of its patient records. Electronic interaction with outside vendors, like billing companies, laboratories and product suppliers, should be included in the risk analysis.

HIPAA regulations require a written procedure and a software control tool for the following: user access, system audit and data integrity. Access control should allow only authorized users to enter and use the computer system. Password and log-in procedures along with firewall software can protect the computer from intruders at several levels.
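As an added illustration of the unique-user, access-level and audit requirements described in the auditing section above and in this paragraph (example code, not from the original page; the access levels, department scoping and the review thresholds are assumptions), the following shows how an access decision is made, recorded, and later reviewed for activity a privacy officer should examine:

```python
"""Per-user access levels, department scoping and an access audit trail.
Added illustration only; access levels and thresholds are assumptions."""
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timezone

# What each access level may read. Assumed role names for this example.
LEVEL_PERMISSIONS = {
    "clinical": {"chart", "billing"},   # treating staff see the full record
    "billing": {"billing"},            # billing staff never see chart notes
}


@dataclass(frozen=True)
class User:
    user_id: str              # unique per person; never a shared login
    level: str                # key into LEVEL_PERMISSIONS
    departments: frozenset    # patient departments this user may view


@dataclass(frozen=True)
class Record:
    patient_id: str
    department: str
    kind: str                 # "chart" or "billing"


@dataclass
class AccessControl:
    """Every decision, allowed or denied, is appended to the audit log."""
    audit_log: list = field(default_factory=list)

    def authorize(self, user: User, record: Record) -> bool:
        # Both conditions must hold: the level permits this kind of data,
        # and the patient belongs to a department the user is scoped to.
        allowed = (record.kind in LEVEL_PERMISSIONS.get(user.level, set())
                   and record.department in user.departments)
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user.user_id, "patient": record.patient_id,
            "kind": record.kind, "dept": record.department,
            "result": "ALLOW" if allowed else "DENY",
        })
        return allowed


def review_audit_log(audit_log, max_denials=3, max_patients=50):
    """Flag users a privacy officer should look at: repeated denials
    (attempts outside their scope) or an unusual number of distinct
    patients viewed. Returns {user_id: [reasons]}. Thresholds assumed."""
    denials = Counter()
    patients = defaultdict(set)
    for entry in audit_log:
        if entry["result"] == "DENY":
            denials[entry["user"]] += 1
        else:
            patients[entry["user"]].add(entry["patient"])
    flagged = {}
    for user in set(denials) | set(patients):
        reasons = []
        if denials[user] >= max_denials:
            reasons.append(f"{denials[user]} denied attempts")
        if len(patients[user]) >= max_patients:
            reasons.append(f"{len(patients[user])} distinct patients viewed")
        if reasons:
            flagged[user] = reasons
    return flagged
```

In a real deployment the log entries would be written to append-only storage the users themselves cannot modify, and the review would run on a schedule rather than on demand.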

HIPAA regulations also address unauthorized access to records during transmission from one entity to another. Offices or facilities that do not connect to an outside computer system, but instead use only a local (on-site) network of computers, will arrive at a different solution for transmission security than those with networks that reach into other businesses.

Entities falling under the requirements of HIPAA regulations should examine their transmission options with their software and hardware vendors. Information Security Publication number 800-63 entitled “Electronic Authentication Guideline,” produced by the National Institute of Standards and Technology, provides insight into the ways federal agencies design electronic authentication or e-authentication. The information is recommended reading for health care managers handling the implementation of HIPAA regulations.

Why do hospitals hesitate to follow clinical documentation improvement programs?

Clinical documentation improvement programs enable high-quality treatment of patients and eventually lead to the betterment of the hospital. There is, however, a general myth that they hinder the proper functioning of the clinical audit, which is considered essential for the proper functioning of medical institutions. It is because of this myth that many hospitals do not favor them.

The basis of this myth is the belief that documentation needs to be done right from the time a patient's treatment starts and that accurate coding is to be given more importance than documentation. However, there is no truth in this myth: a good clinical documentation improvement program requires that health professionals know how to put the documentation instruments to use and therefore keep a record of the severity of each patient's case from the time he or she is admitted.

Some hospitals also believe that clinical audits are difficult to put into practice and costly to apply. However, the fact is that they are not only affordable and effective, but that appropriate documentation is in itself a reward and is supportive. In fact, such programs eventually lead to the betterment of the hospital.

Access to patients’ medical records under HIPAA

According to federal law, patients have the right to obtain a copy of most of their medical records, including doctors’ notes, medical test results, lab reports and billing information. HIPAA also states that patients, as well as their parents and guardians, can seek these records. Caregivers may be able to access records if the patient has provided written permission to the provider.

Healthcare providers are required to keep most adult medical records for six years or more. However, the period varies by the state where the records are stored. In most states, children’s records must be kept for three to 10 years beyond age 18 or 21.

Providers are required to share any notes or records they have created themselves, or any test results for which they have copies. They are also required to share any information provided to them about you by another doctor if that information was used for the diagnosis and/or treatment being discussed with you.

Diagnostic lab test records, for such tests as blood tests, CT scans, x-rays, mammograms or others, should be requested from the doctor who ordered them, or your primary care physician. In most states, the lab will not provide them to you directly.

If you seek hospital records or records from any other medical facility, you’ll want to request them directly from that facility.

However, access to some records may be denied, usually mental health records. If a provider believes that letting you look at your medical records could endanger your physical health, your request may be refused. This denial cannot be based merely on the possibility that the records could upset you, unless the provider believes that being upset will lead to an attempt to physically harm yourself. If you are refused, the provider must make that clear, in writing.