HIPAA Compliance

HIPAA, which stands for the American Health Insurance Portability and Accountability Act of 1996, is a set of rules to be followed by doctors, hospitals and other health care providers. HIPAA helps ensure that all medical records, medical billing, and patient accounts meet certain consistent standards with regard to documentation, handling and privacy.

Any healthcare provider that electronically stores, processes or transmits medical records, medical claims, remittances, or certifications must comply with HIPAA regulations. HIPAA does not require a practice to purchase a computer-based system as it applies only to electronic medical transactions.

HIPAA requires that all patients be able to access their own medical records, correct errors or omissions, and be informed how their personal information is shared and used. Other provisions involve notifying the patient of the provider's privacy procedures. These HIPAA provisions have in many cases led to extensive overhauls of medical records and billing systems.

HIPAA 5010 Takes Effect July 1

The HIPAA 5010 grace period ends June 30. Starting July 1, if you do not file your electronic claims under the Health Insurance Portability and Accountability Act (HIPAA) Version 5010 transaction standards, Medicare, Medicaid, and other health plans will reject the claims.

The Secretary of the Department of Health and Human Services (HHS) has adopted Accredited Standards Committee X12 Version 5010 as the next HIPAA standard used to regulate the electronic transmission of health-care transactions. The final rule was published Jan. 16, 2009. The prior standard for HIPAA transactions was Version 4010A1.

Covered entities, such as health plans, health care clearinghouses, and health care providers, are required to conform to HIPAA 5010 standards. The compliance deadline for HIPAA 5010 is January 1, 2020.

Here are some of the most commonly asked questions about HIPAA compliance:

Q: What businesses must comply with HIPAA laws?
A: Any healthcare entity that electronically processes, stores, transmits, or receives medical records, claims or remittances. The key word here is electronic.

Q: What is Protected Health Information (PHI)?
A: Information collected from an individual by a covered entity that relates to the individual's past, present or future health or condition, and that either identifies the individual or gives a reasonable basis to believe it can be used to identify the individual. Such information must be protected.

Q: What is HITECH and when does it go into effect?
A: HITECH stands for the Health Information Technology for Economic and Clinical Health Act. The HITECH Act provides over $30 billion for healthcare infrastructure and the adoption of electronic health records (EHR). According to the Act, physicians are eligible to receive up to $44,000 per physician from Medicare for "meaningful use" of a certified EHR system starting in 2020.

Q: What is a Covered Entity (CE)?
A: Any business entity that must by law comply with HIPAA regulations, including healthcare providers, insurance companies, and clearinghouses. In this context, health care providers include doctors; medical, dental and vision clinics; hospitals; and related health caregivers.

Q: Does the HIPAA Security Rule require data encryption over a network?
A: The HIPAA Security Rule requires encryption only when individually identifiable health information is sent over a public network, such as the Internet. Encryption is not required for other network connections, such as intranets.

Q: What are the penalties for HIPAA non-compliance?
A: Fines can be up to $250,000 for violations, or imprisonment of up to 10 years for knowing abuse or misuse of individual health information.

Q: HIPAA-ready v. HIPAA-compliant: what is the difference?
A: HIPAA-ready refers to software and other products used by the healthcare industry that comply with HIPAA guidelines. HIPAA-compliant refers to the actual physicians, clinics, and insurance companies that are in compliance with HIPAA regulations.

Privacy Rule

The HIPAA Privacy Rule is located at 45 CFR Part 160 and Part 164. The Privacy Rule establishes national standards to protect individuals' medical records and other personal health information. The Privacy Rule applies to health plans, health care clearinghouses, and health care providers that conduct health care transactions electronically.

The HIPAA Privacy Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization.

The Privacy Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.

The following HIPAA forms are associated with the Privacy Rule:

Notice of Privacy Practices (NPP) Form

Request for Access to Protected Health Information (PHI) Form

Request for Restriction of Patient Health Care Information Form

Request for Accounting Disclosures Form

Authorization for Use or Disclosure Form

Privacy Complaint Form

Security Rule

The HIPAA Security Rule addresses the privacy protection of electronic protected health information (PHI). Like the Privacy Rule, the Security Rule deals with identifiable health information as defined by the 18 HIPAA identifiers. The Security Rule defines standards, procedures and methods for protecting electronic PHI, with attention to how PHI is stored, accessed, transmitted, and audited.

The HIPAA Security Rule addresses three aspects of security:

Administrative Safeguards - Assignment of a HIPAA security compliance team.

Physical Safeguards - Protection of electronic systems, equipment and data.

Technical Safeguards - Authentication & encryption used to control data access.

Covered entities need to perform a Risk Analysis and apply Risk Management methodologies so that vulnerabilities and possible risks can be reduced. Organizations should assign a security analyst or officer who is responsible for maintaining and enforcing the HIPAA standards within the organization.

Hardware, Software and Transmission Security
Organizations should have a hardware firewall in place. Transmission of personal information should be encrypted and comply with HIPAA rules. Operating systems should be hardened and kept up to date. Policies should cover the updating of hardware, firmware, operating systems and applications.

Disaster Backup and Recovery Plan
Policies and procedures should include a Disaster Backup and Recovery plan to ensure the business can continue operations in the event of a disaster. This includes keeping the business running, recovering lost data, testing backup procedures and replacing equipment.

Incident Response
Policies and procedures should cover incident response: how security incidents are identified and how they are responded to. The organization's security officer, along with management, should evaluate the effects of any incident. Every incident and its outcome should be documented so that policies can be modified to prevent further incidents.

Training of Workforce
Organizations should provide a training program to raise awareness of HIPAA rights. Every individual in the organization must be trained on a regular basis. Training should cover employee awareness, password safeguarding and changing, workstation access, software use, virus and malware information, and other mission-critical operations.

Records and Information Access
Policies should define roles that determine who can have what access to programs and information. These policies should also define which IT personnel have the right to modify that access.

Audit Methods
Audit mechanisms should be in place for all hardware, software and data control.

Transaction & Code Sets Rule

Per HIPAA regulations, a Code Set is any set of codes used for encoding data elements, such as medical terms, medical concepts, medical diagnosis codes, and medical procedure codes. Code sets for medical data are required for administrative transactions under HIPAA for diagnoses, procedures, and drugs.

Medical data code sets used in the health care industry under HIPAA include coding systems for health-related problems and their manifestations; causes of injury, disease or impairment; actions taken to prevent, diagnose, treat, or manage diseases, injuries, and impairments; and any substances, equipment, supplies, or other items used to perform these actions.

Specifically, the following code sets are used in HIPAA transactions:

ICD-9-CM codes
ICD-10-CM codes
CPT-3 codes
CPT-4 codes
NDC codes

Unique Identifiers Rule

As part of the HIPAA Administrative Simplification regulation, there are currently three unique identifiers used for covered entities in HIPAA administrative and financial transactions. The use of these unique identifiers will promote standardization, efficiency and consistency.

The unique identifiers under HIPAA regulations are:

Standard Unique Employer Identifier
The same as the Employer Identification Number (EIN) used on an organization's federal IRS Form W-2. This identifies an employer entity in HIPAA transactions.

National Provider Identifier (NPI)
NPI is a unique 10-digit number used for covered health-care providers in all HIPAA administrative and financial transactions.

National Health Plan Identifier (NHI)
The NHI is a Centers for Medicare & Medicaid Services (CMS) proposed identifier to identify health plans and payers.

Enforcement Rule

The HIPAA Enforcement Rule stems directly from the ARRA HITECH Act provisions, which distinguish between violations occurring before, and on or after, the compliance date of Feb. 18, 2009 "with respect to the potential amount of civil money penalty and the affirmative defense available to covered entities," according to the rule.

ARRA describes "improvements" to existing HIPAA law: covered entities, business associates and others are subject to more rigorous standards when it comes to protected health information (PHI). The HITECH Act expands the scope of the HIPAA Privacy and Security Rules and increases the penalties for HIPAA violations.

Specifically, the HITECH Act addresses five main areas of the HIPAA regulations:

Applies the same HIPAA privacy and security requirements (and penalties) for covered entities to business associates

Establishes mandatory federal privacy and security breach reporting requirements for HIPAA covered entities and business associates

Creates new privacy requirements for HIPAA covered entities and business associates, including new accounting disclosure requirements and restrictions on sales and marketing

Establishes new criminal and civil penalties for HIPAA non-compliance and new enforcement methods

Mandates that the new security requirements must be incorporated into all Business Associate contracts