Human Service agencies relying in some part on Medicaid, Medicare and Private Health Insurance to underwrite the cost of these services, are required to comply with HIPAA. HIPAA standards govern the interchange, security and privacy of consumer “health information.”
There are four basic sets of requirements:
The privacy standards outline specific rights for individuals regarding protected health information and the obligations of covered entities, i.e. “healthcare” agencies that receive Medicare, Medicaid and other third-party insurance and that maintain or transmit electronic health information. Individually identifiable health information (IIHI) may not be used or disclosed for purposes other than treatment, payment and health care operations except as authorized by the patient or as specifically permitted by the regulation.
As a provider of software and services to covered service providers, Danic Technology, Inc. is bound by these same standards. The status of Danic's compliance efforts is summarized below for each of these standards.
Human service agencies have come to provide a wide variety of “ancillary” health services allowed under various Medicaid Provisions and Waivers. Each state has defined these services a bit differently and it’s not unusual for payment rates for particular services to vary as a function of client characteristics, provider characteristics, and other variables affecting cost. The challenge is to reconcile the myriad of parochial service codes with the simplification aim of HIPAA, i.e. to establish fewer service definitions and make them uniform across the nation.
The solution devised by the Centers for Medicare and Medicaid Services (CMS) has been to allow a set of thirteen code modifiers that can be used by states to arrive at or near code definitions currently in use, while at the same time, allowing cross-state uniformity in the basic codes. State Medicaid Agencies may choose to assign multiple meanings to each of these modifiers, allowing the circumstances of their use to determine their meaning in each particular instance.
In addition to the generic series of standards (ASC X12) governing electronic data interchange (EDI), HIPAA requires the following standards relating to eligibility determination and the payment of claims:
Danic Map allows providers to receive standard and non-standard transactions and convert one to the other, so that providers can generate and process claim and eligibility data without having to revamp their existing information systems. Danic Map enables agencies to generate HIPAA and associated state transactions to standard using data drawn from Danic Tools and other agency databases. Danic Map then feeds back any actions and database updates required by the provider to round out a transaction. Because most of the human service industries are not yet fully compliant, Danic Map must be configured to handle the non-standard transaction requirements peculiar to each state as well as the HIPAA standards; it is therefore tested and certified on a state-by-state basis.
HIPAA mandates the use of unique identifiers for employers, providers, health plans, and individuals receiving health care services. To date, proposed rules have been published for the employer and provider identifiers.
The employer identifier is based on the de facto standard, the Employer Identification Number (EIN) assigned by the Internal Revenue Service. The EIN has nine numeric positions.
The unique identifier for providers is the National Provider Identifier, which was developed by HCFA for use in the Medicare system. It has 10 numeric positions with a check digit as the tenth digit. Implementation of this standard will require DHHS to establish a system to assign the identifiers, and this may be Web-based.
The health plan identifier has been drafted to apply the work that CMS did for a Medicare Payer ID to all health plans nationwide. It is expected to have 10 numeric positions with a check digit in the tenth position. The rule has not yet been proposed.
The most controversial of the proposed identifiers, the patient identifier is on hold pending publication of the security standards. However, industry experts speculate that this identifier, too, will consist of approximately ten numeric digits with a check digit.
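The NPI layout described above (ten numeric positions, check digit tenth) is enough to validate an identifier before it is placed in a claim or eligibility transaction. The following is an added example, not code from the original document or from Danic; the formula it uses, the Luhn algorithm over the nine leading digits prefixed by "80840", and the worked value 1234567893 are the ones CMS publishes for the NPI, which the page itself does not state.

```python
"""Added example (not from the original document): NPI check-digit handling.

The page states only that the NPI is ten digits with a check digit in the
tenth position. The formula below, Luhn over the nine leading digits prefixed
by the card-issuer prefix "80840", is the one CMS publishes for the NPI.
"""

NPI_PREFIX = "80840"  # CMS card-issuer prefix used in the NPI check-digit formula


def _luhn_sum(number: str) -> int:
    """Luhn sum of a digit string: every second digit from the right is doubled
    (subtracting 9 when the doubled value exceeds 9) and all digits are added."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total


def npi_check_digit(first_nine: str) -> int:
    """Return the tenth (check) digit for the first nine NPI digits."""
    if len(first_nine) != 9 or not first_nine.isdigit():
        raise ValueError("expected exactly nine numeric digits")
    # Append a placeholder 0 so the payload digits sit in the positions they
    # occupy in the final ten-digit NPI, then pick the digit that brings the
    # total to a multiple of ten.
    return (10 - _luhn_sum(NPI_PREFIX + first_nine + "0") % 10) % 10


def is_valid_npi(npi: str) -> bool:
    """True if npi is ten digits whose check digit satisfies the Luhn formula.

    Catches any single mistyped digit and most adjacent transpositions, which
    is the point of a check digit on an identifier exchanged in claims.
    """
    if len(npi) != 10 or not npi.isdigit():
        return False
    return _luhn_sum(NPI_PREFIX + npi) % 10 == 0


if __name__ == "__main__":
    sample = "123456789"  # leading digits of the CMS worked example
    print(sample, "->", npi_check_digit(sample))  # 3
    # the second value has its last two digits transposed: False
    print(is_valid_npi("1234567893"), is_valid_npi("1234567839"))  # True False
```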
This rule includes standards to protect the privacy of individually identifiable health information (IIHI). It applies to individual health information only, and not to other individual information agencies may retain. It applies to the Danic software, to Danic Technology when performing as an application service provider, and to the providers themselves.
Danic Tools already includes the three technical features required to ensure the privacy of IIHI:
1) Consent. Danic can be set up, as required, to obtain the consent of the individual or guardian before IIHI is accessed for purposes other than routine (treatment, payment and health care) operations.
2) Limiting access. Danic Tools authenticates users and can limit access to IIHI to only those users authorized to have it.
3) Audit trails. Danic can track who is accessing IIHI and when.
Both Danic Technology, as an application service provider (ASP), and Providers using Danic must have consistent privacy policies and procedures including those listed below. They must have designated “privacy officers” responsible for seeing that these privacy policies and procedures are adopted and followed.
Danic has prepared the Privacy Policies and Procedures necessary to govern its operation. In addition, Danic has drafted a Guide for developing practical, HIPAA-compliant privacy policies and procedures for use by its clients. The Guide is available on the Danic Website for download by clients. When configuring client databases, Danic is careful to identify and include all individually identifiable health information as a distinct data set in order to facilitate setting up the specific privacy and security measures required for HIPAA compliance.
The Security Standards are divided into four categories:
Administrative procedures used to guard data integrity, confidentiality, and availability. These are documented, formal procedures for selecting and executing information security measures. These procedures also address staff responsibilities for protecting data.
Physical safeguards to guard data integrity, confidentiality, and availability. These safeguards protect physical computer systems and related buildings and equipment from fire and other environmental hazards, as well as intrusion. The use of locks, keys, and administrative measures to control access to computer systems and facilities is also included.
Technical data security services to guard data integrity, confidentiality, and availability. These include the processes used to protect, control, and monitor information access.
Technical security mechanisms. These include processes used to prevent unauthorized access to data transmitted over a communications network.
Listed below are the principal administrative, physical and technical security measures integral to the security standards, and the related status of Danic. The technical requirements are met by a combination of Danic Tools, the Microsoft Windows 2000 Operating System, Internet Explorer (browser) and / or Microsoft SQL Server.
MEASURES | STATUS
ADMINISTRATIVE (internal) |
Security Officer | Appointed
Security assessment | Complete
Risk Analysis | Complete
Formal business process control | Complete
Contingency planning / disaster recovery | Complete
Audit trail policy | Complete (read-only as well as record change)
Change control process | (Defined by user agencies)
Contract (“chain of trust”) language | Complete
Staff security orientation procedure | Complete
Security procedures in the wake of staff termination | Complete
Information access and access monitoring policy | Complete
Security incident reporting | Complete
Security plan & configuration documentation | Complete
Enforcement | Complete
PHYSICAL (internal) |
Facility management | Complete
Physical / computer room access | Complete
Workstation access | Complete (workstation-specific ID and password)
Shredding | Complete; shredders in operation
TECHNICAL |
Entity Authentication | Danic and Windows 2000 support user ID and password. Windows 2000 also supports the more sophisticated and expensive digital certificate and smart card methods (the latter methods are not HIPAA-endorsed).
Data Integrity | Digital signatures (in the form of message digests) can be used to ensure data integrity through Internet Explorer 5.0.
Audit trails | Windows 2000 and SQL Server can both track and log record access (read-only) and any change actions.
Encryption | SQL Server supports 128-bit encryption of stored and transmitted files for use in building a virtual private network over the public Internet.
Access Control | Danic Tools can assign see, read-only, change and delete rights based on user identification, role, and/or relationship to the individual owning the record.
Incident reporting / alarms | Windows 2000, Windows XP and SQL Server can report on a variety of security events, e.g. logon, logoff, directory access, access to particular records or resources; alarms may be built in for particular events.
Firewalls | Danic uses ISP firewalls; agencies may use a variety of mechanisms to control access to their private networks.
Virus protection | Danic uses McAfee and Zone Alarm; agencies may use a variety of packages.