HIPAA Compliance

Introduction

Human service agencies that rely in part on Medicaid, Medicare and private health insurance to underwrite the cost of their services are required to comply with HIPAA. HIPAA standards govern the interchange, security and privacy of consumer "health information."

There are four basic sets of requirements:

  1. Effective April 14, 2003 - Privacy Standards governing the protection of individuals' medical records and other personal health information.
  2. Effective Oct 16, 2003 - Transaction and code set standards governing the electronic transmission of data between providers, health plans, and payers: data relating to the eligibility and enrollment of individuals and payment for their health care.
  3. Effective Apr 21, 2005 - Security Standards governing the development and maintenance of the security of all electronic individual health information and the use of electronic signatures if and when it has been determined that an electronic signature must be used.
  4. No date yet established - Unique Identifier standards governing the establishment of unique alpha-numeric codes for employers, health plans, providers and individuals.

Privacy Standards

The privacy standards outline specific rights for individuals regarding protected health information and the obligations of covered entities, that is, "healthcare" agencies that receive Medicare, Medicaid and other third-party insurance and that maintain or transmit electronic health information. Individually identifiable health information (IIHI) may not be used or disclosed for purposes other than treatment, payment and health care operations except as authorized by the patient or as specifically permitted by the regulation.

As a provider of software and services to covered entities, Danic Technology, Inc. is bound by these same standards. The status of Danic's compliance efforts is summarized below for each set of standards.

Transaction & Code Set Standards

Code sets:

Human service agencies have come to provide a wide variety of “ancillary” health services allowed under various Medicaid Provisions and Waivers. Each state has defined these services a bit differently and it’s not unusual for payment rates for particular services to vary as a function of client characteristics, provider characteristics, and other variables affecting cost. The challenge is to reconcile the myriad of parochial service codes with the simplification aim of HIPAA, i.e. to establish fewer service definitions and make them uniform across the nation.

The solution devised by the Centers for Medicare and Medicaid Services (CMS) has been to allow a set of thirteen code modifiers that can be used by states to arrive at or near code definitions currently in use, while at the same time, allowing cross-state uniformity in the basic codes. State Medicaid Agencies may choose to assign multiple meanings to each of these modifiers, allowing the circumstances of their use to determine their meaning in each particular instance.

Danic can readily accommodate whatever "U-modifier" definitions and service codes a state may use. No programming is required to incorporate the codes.

Transaction Standards

In addition to the generic ASC X12 standards governing electronic data interchange (EDI), HIPAA requires the following transaction standards relating to eligibility determination and the payment of claims:

  • Health Care Eligibility/Benefit Inquiry 270 - Used to inquire about a consumer's eligibility benefits and to request more specifics regarding their benefits.
  • Health Care Eligibility/Benefit Information 271 - Used by the information source to provide specific information concerning eligibility and benefits provided under the coverage package.
  • Request for Health Care Claim Status 276 - Used to transmit request(s) for status of specific Health Care Claims.
  • Health Care Claim Status Response 277 - Used by the payer to transmit the current status within the adjudication process to the requester.
  • Health Care Services Review Information 278 - Used to exchange health care service review information for the purpose of requesting a review, certification, notification, or reporting the outcome of a health care services review.
  • Health Care Claim 837 - Used to transmit details of services rendered to a client and to initiate the request for payment for those services to a payer.
  • Benefit Enrollment and Maintenance 834 - Used to exchange information about a health care consumer and the consumer's insurance coverage.
  • Health Care Claim Payment/Advice 835 - Used to transmit an explanation of benefits (EOB) and/or initiate a payment.

Danic Map lets providers receive standard and non-standard transactions and convert between them, so providers can generate and process claim and eligibility data without revamping their existing information systems. Danic Map generates HIPAA transactions, and the associated state transactions, to standard using data drawn from Danic Tools and other agency databases, then feeds back any actions and database updates the provider must make to complete a transaction. Because much of the human service industry is not yet fully compliant, Danic Map must be configured to handle the non-standard transaction requirements peculiar to each state alongside the HIPAA standards, so it is tested and certified state by state.
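Before any claim or eligibility data from an interchange is trusted, the X12 envelope itself should be checked. The Python below is an added example written by the editor, not Danic Map or any other Danic code: it reads the delimiters from the fixed-width ISA header, splits the stream into segments, and verifies that the ISA/IEA, GS/GE and ST/SE control numbers and segment counts agree, which is the first place truncation or tampering shows up. The interchange it parses is constructed for the example (an abbreviated 270 whose sender, receiver, control numbers and member ID are invented), not a complete or certified 270.

```python
"""Parse an ASC X12 interchange and verify its envelope before trusting the payload.

Added example, not Danic code. The interchange below is constructed for this
example: an abbreviated 270 eligibility inquiry whose identifiers (sender,
receiver, control numbers, member ID) are invented.
"""
from dataclasses import dataclass


class X12Error(ValueError):
    """Raised when the interchange is malformed or its envelope is inconsistent."""


def build_isa(sender: str, receiver: str, control: str = "000000001") -> str:
    """Build a fixed-width (106 byte) ISA segment for the constructed sample."""
    fields = ["ISA", "00", " " * 10, "00", " " * 10, "ZZ", sender.ljust(15),
              "ZZ", receiver.ljust(15), "030414", "1200", "U", "00401",
              control, "0", "T", ":"]
    return "*".join(fields) + "~"


# Constructed sample interchange (not taken from the page): one functional
# group holding one 270 transaction set, 13 segments from ST through SE.
SAMPLE_270 = build_isa("SENDERID", "RECEIVERID") + (
    "GS*HS*SENDERID*RECEIVERID*20030414*1200*1*X*004010X092~"
    "ST*270*0001~"
    "BHT*0022*13*10001234*20030414*1200~"
    "HL*1**20*1~"
    "NM1*PR*2*SAMPLE PAYER*****PI*12345~"
    "HL*2*1*21*1~"
    "NM1*1P*2*SAMPLE PROVIDER*****XX*1234567893~"
    "HL*3*2*22*0~"
    "TRN*1*93175-012547*9877281234~"
    "NM1*IL*1*DOE*JOHN****MI*123456789~"
    "DMG*D8*19700101~"
    "DTP*291*D8*20030414~"
    "EQ*30~"
    "SE*13*0001~"
    "GE*1*1~"
    "IEA*1*000000001~"
)


@dataclass
class Interchange:
    element_sep: str
    component_sep: str
    segment_term: str
    segments: list  # each segment is a list of element strings


def parse_interchange(raw: str) -> Interchange:
    """Split raw X12 into segments using the delimiters declared in the ISA header.

    ISA is fixed width: the element separator is byte 3, the component
    separator byte 104 and the segment terminator byte 105. Nothing else in
    the stream can be trusted to tell a parser what the delimiters are.
    """
    if len(raw) < 106 or not raw.startswith("ISA"):
        raise X12Error("interchange must begin with a 106-byte ISA segment")
    elem, comp, term = raw[3], raw[104], raw[105]
    if len({elem, comp, term}) != 3 or any(c.isalnum() for c in (elem, comp, term)):
        raise X12Error("delimiters must be three distinct non-alphanumeric characters")
    segments = []
    for chunk in raw.split(term):
        chunk = chunk.lstrip("\r\n")  # tolerate line breaks after terminators
        if chunk:
            segments.append(chunk.split(elem))
    return Interchange(elem, comp, term, segments)


def validate_envelope(ix: Interchange) -> dict:
    """Check ISA/IEA, GS/GE and ST/SE pairing, control numbers and segment counts.

    Returns {"groups": n, "transaction_sets": [ids]}; raises X12Error on any
    inconsistency.
    """
    segs = ix.segments
    try:
        isa, iea = segs[0], segs[-1]
        if isa[0] != "ISA" or iea[0] != "IEA":
            raise X12Error("interchange must be enclosed by ISA and IEA")
        if isa[13] != iea[2]:
            raise X12Error("ISA13/IEA02 interchange control numbers differ")
        groups, sets, i = 0, [], 1
        while segs[i][0] == "GS":
            gs, sets_in_group = segs[i], 0
            groups += 1
            i += 1
            while segs[i][0] == "ST":
                st, start = segs[i], i
                while segs[i][0] != "SE":
                    i += 1
                se = segs[i]
                if se[2] != st[2]:
                    raise X12Error("ST02/SE02 transaction set control numbers differ")
                if int(se[1]) != i - start + 1:
                    raise X12Error("SE01 segment count does not match ST..SE")
                sets.append(st[1])
                sets_in_group += 1
                i += 1
            ge = segs[i]
            if ge[0] != "GE" or int(ge[1]) != sets_in_group or ge[2] != gs[6]:
                raise X12Error("GE does not match its GS group")
            i += 1
        if int(iea[1]) != groups or i != len(segs) - 1:
            raise X12Error("IEA01 group count does not match the interchange")
    except X12Error:
        raise
    except (IndexError, ValueError) as exc:
        raise X12Error(f"truncated or malformed envelope: {exc}") from exc
    return {"groups": groups, "transaction_sets": sets}


def subscriber_ids(ix: Interchange) -> list:
    """(id qualifier, id) for each NM1*IL subscriber loop: the IIHI in a 270."""
    return [(s[8], s[9]) for s in ix.segments
            if s[0] == "NM1" and s[1] == "IL" and len(s) > 9]
```

Only after `validate_envelope` succeeds should the subscriber data be mapped into the agency database; a dropped or injected segment changes the SE01 count and is rejected before any IIHI is read.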

Unique Identifiers

HIPAA mandates unique identifiers for employers, providers, health plans, and individuals receiving health care services. To date, proposed rules have been published for the employer and provider identifiers.

The employer identifier is based on the de facto standard, the Employer Identification Number (EIN) assigned by the Internal Revenue Service. The EIN has nine numeric positions.

The unique identifier for providers is the National Provider Identifier (NPI), developed by HCFA (now CMS) for use in the Medicare system. It has 10 numeric positions, the tenth being a check digit. Implementing this standard will require DHHS to establish a system to assign the identifiers, which may be Web-based.
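A system that stores or transmits NPIs should verify the check digit on input so that a mistyped or transposed provider number is caught before it reaches a claim. The following is an added example by the editor, not Danic code. The page says only that the tenth digit is a check digit; the algorithm used here, the ISO 7812 Luhn formula computed over the nine-digit body prefixed with the constant 80840, comes from the NPI Final Rule, not from this page, and the sample value 1234567893 is used only to illustrate the arithmetic.

```python
"""Luhn check digit for the National Provider Identifier (NPI).

Added example, not Danic code. Algorithm: ISO 7812 Luhn over the constant
prefix 80840 plus the nine-digit NPI body (per the NPI Final Rule; the page
itself states only that position ten is a check digit).
"""

NPI_PREFIX = "80840"  # ISO 7812 issuer identifier assigned to the NPI system


def luhn_check_digit(payload: str) -> str:
    """Return the digit that makes payload + digit pass the Luhn test."""
    total = 0
    # Walk from the rightmost payload digit; that digit and every second one
    # to its left are doubled, and doubled values of 10 or more drop by 9
    # (equivalent to summing their digits).
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def npi_check_digit(first_nine: str) -> str:
    """Check digit for a nine-digit NPI body; raises on malformed input."""
    if len(first_nine) != 9 or not first_nine.isdigit():
        raise ValueError("NPI body must be exactly nine digits")
    return luhn_check_digit(NPI_PREFIX + first_nine)


def is_valid_npi(npi) -> bool:
    """True when npi is a ten-digit string whose check digit is correct.

    Malformed or non-string input is reported as invalid rather than raising,
    so the function can sit directly on an input-validation path.
    """
    if not isinstance(npi, str) or len(npi) != 10 or not npi.isdigit():
        return False
    return npi_check_digit(npi[:9]) == npi[9]
```

Luhn detects every single-digit error and all adjacent transpositions except 09/90, which is why the validation is worth running at the point of entry rather than discovering the problem in a rejected 837.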

The health plan identifier has been drafted to extend the work CMS did on a Medicare Payer ID to all health plans nationwide. It is expected to have 10 numeric positions with a check digit in the tenth position. The rule has not yet been proposed.

The most controversial of the proposed identifiers, the patient identifier, is on hold pending publication of the security standards. Industry experts speculate that it, too, will consist of approximately ten numeric digits including a check digit.

The Danic System can easily incorporate all of these identifier codes for providers, health plans, employers and individuals—no changes to the source code will be necessary.

Privacy Standards

This rule includes standards to protect the privacy of individually identifiable health information (IIHI). It applies to individual health information only, and not to other individual information agencies may retain. It applies to the Danic software, to Danic Technology when performing as an application service provider, and to the providers themselves.

Danic Tools already includes the three technical features required to assure the privacy of IIHI:

  • Consent. Danic can be set up to obtain the consent of the individual or guardian before IIHI is accessed for purposes other than routine (treatment, payment and health care) operations.
  • Limiting access. Danic Tools authenticates users and can limit access to IIHI to only those users authorized to have it.
  • Audit trails. Danic can track who is accessing IIHI and when.

Both Danic Technology, as an application service provider (ASP), and providers using Danic must have consistent privacy policies and procedures, including those listed below, and must designate "privacy officers" responsible for seeing that these policies and procedures are adopted and followed.

  • A procedure for informing individuals of their privacy rights and how their IIHI will be used
  • The identification of the IIHI considered private
  • A procedure for obtaining an individual's consent for the release of IIHI for non-routine purposes
  • A procedure to disclose protected information that has been authorized for release.
  • A procedure to deny disclosure of protected information that has not been authorized for release.
  • A procedure for related staff training
  • A procedure whereby individuals can view their own health information and request amendments to it
  • A procedure for guarding access to IIHI
  • Defined sanctions for the improper use or disclosure of IIHI
  • A business associate agreement between Danic and the provider specifying their mutual responsibilities for assuring the privacy of IIHI.

Danic has prepared the privacy policies and procedures needed to govern its own operation. In addition, Danic has drafted a guide to developing practical, HIPAA-compliant privacy policies and procedures for use by its clients; the guide is available for download by clients on the Danic Website. When configuring client databases, Danic identifies and segregates all individually identifiable health information as a distinct data set, which simplifies applying the specific privacy and security measures HIPAA requires.

Security Standards

The Security Standards are divided into four categories:

Administrative procedures used to guard data integrity, confidentiality, and availability. These are documented, formal procedures for selecting and executing information security measures. These procedures also address staff responsibilities for protecting data.

Physical safeguards to guard data integrity, confidentiality, and availability. These safeguards protect physical computer systems and the related buildings and equipment from fire and other environmental hazards, as well as from intrusion. The use of locks, keys, and administrative measures to control access to computer systems and facilities is also included.

Technical data security services to guard data integrity, confidentiality, and availability. These include the processes used to protect, control, and monitor information access.

Technical security mechanisms. These include processes used to prevent unauthorized access to data transmitted over a communications network.

Listed below are the principal administrative, physical and technical security measures called for by the security standards, with Danic's status against each. The technical requirements are met by a combination of Danic Tools, the Microsoft Windows 2000 operating system, Internet Explorer (browser) and/or Microsoft SQL Server.

MEASURES AND STATUS

ADMINISTRATIVE (internal)

  • Security officer: appointed
  • Security assessment: complete
  • Risk analysis: complete
  • Formal business process control: complete
  • Contingency planning / disaster recovery: complete
  • Audit trail policy: complete (covers read-only access as well as record changes)
  • Change control process: defined by user agencies
  • Contract ("chain of trust") language: complete
  • Staff security orientation procedure: complete
  • Security procedures following staff termination: complete
  • Information access and access monitoring policy: complete
  • Security incident reporting: complete
  • Security plan and configuration documentation: complete
  • Enforcement: complete

PHYSICAL (internal)

  • Facility management: complete
  • Physical / computer room access: complete
  • Workstation access: complete (workstation-specific ID and password)
  • Shredding: complete; shredders in operation

TECHNICAL

  • Entity authentication: Danic Tools and Windows 2000 support user ID and password. Windows 2000 also supports digital certificates and smart cards, which are stronger but more expensive; HIPAA does not require or endorse any particular authentication technology.
  • Data integrity: message digests detect modification of data in transit or storage, and a digital signature over the digest additionally proves who produced it; both are available through Internet Explorer 5.0. A bare digest without a signature or keyed MAC does not protect against an attacker who can recompute it.
  • Audit trails: Windows 2000 and SQL Server can both log record access (read-only) and change actions.
  • Encryption: SQL Server supports 128-bit encryption of data in transit between client and server; combined with a virtual private network, this protects traffic crossing the public Internet.
  • Access control: Danic Tools assigns see, read-only, change and delete rights based on user identity, role, and/or relationship to the individual whose record it is.
  • Incident reporting / alarms: Windows 2000, Windows XP and SQL Server can log a variety of security events (logon, logoff, directory access, access to particular records or resources); alerts can be configured for particular events.
  • Firewalls: Danic relies on its ISP's firewalls; agencies may use a variety of mechanisms to control access to their private networks.
  • Virus protection: Danic uses McAfee anti-virus together with the Zone Alarm host firewall; agencies may use a variety of packages.
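The access-control model described in the Privacy Standards section (authenticate users, limit IIHI to authorized users, record who accessed IIHI and when) and in the Access Control row above (see, read-only, change and delete rights granted by user, role, or relationship to the individual) is shown below as an added example written by the editor, not as Danic Tools code. The roles, users and records are constructed, and the rule that a clinician's change right extends only to individuals on their own caseload is an assumption chosen to illustrate the relationship-based case. Every access attempt, allowed or denied, read or change, is written to the audit trail, matching the audit trail policy listed above.

```python
"""Record-level rights on IIHI with an audit trail of reads and changes.

Added example, not Danic Tools code. Rights, roles, users and records are
constructed; the caseload rule for clinicians is an assumption.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import IntEnum


class Right(IntEnum):
    NONE = 0
    SEE = 1      # may learn that the record exists
    READ = 2     # may view its contents (read-only)
    CHANGE = 3   # may modify it
    DELETE = 4   # may remove it


# Default right conferred by role (constructed roles).
ROLE_RIGHTS = {
    "clerk": Right.SEE,
    "billing": Right.READ,
    "clinician": Right.CHANGE,
    "records_admin": Right.DELETE,
}


@dataclass(frozen=True)
class User:
    user_id: str
    role: str
    caseload: frozenset = frozenset()  # individuals this user treats


@dataclass
class Record:
    record_id: str
    individual_id: str
    iihi: dict


@dataclass(frozen=True)
class AuditEntry:
    when: str
    user_id: str
    record_id: str
    action: str
    allowed: bool


class IIHIStore:
    def __init__(self, records, grants=None):
        self._records = {r.record_id: r for r in records}
        self._grants = dict(grants or {})  # (user_id, record_id) -> Right
        self.audit = []

    def effective_right(self, user: User, record: Record) -> Right:
        role_right = ROLE_RIGHTS.get(user.role, Right.NONE)
        # Relationship check (assumption): a clinician's change right covers
        # only individuals on their caseload; other records they may only see.
        if user.role == "clinician" and record.individual_id not in user.caseload:
            role_right = Right.SEE
        explicit = self._grants.get((user.user_id, record.record_id), Right.NONE)
        return max(role_right, explicit)

    def _authorize(self, user: User, record_id: str, needed: Right, action: str) -> Record:
        record = self._records.get(record_id)
        allowed = record is not None and self.effective_right(user, record) >= needed
        # Log every attempt, reads included, before acting on the decision.
        self.audit.append(AuditEntry(datetime.now(timezone.utc).isoformat(),
                                     user.user_id, record_id, action, allowed))
        if not allowed:
            raise PermissionError(f"{user.user_id} may not {action} {record_id}")
        return record

    def read(self, user, record_id) -> dict:
        return dict(self._authorize(user, record_id, Right.READ, "read").iihi)

    def change(self, user, record_id, **fields) -> None:
        self._authorize(user, record_id, Right.CHANGE, "change").iihi.update(fields)

    def delete(self, user, record_id) -> None:
        self._authorize(user, record_id, Right.DELETE, "delete")
        del self._records[record_id]

    def accesses_to(self, record_id: str) -> list:
        """Who touched this record and when: the audit-trail question."""
        return [e for e in self.audit if e.record_id == record_id]


def demo() -> dict:
    """Constructed scenario; returns the outcomes so they can be checked."""
    store = IIHIStore([Record("R1", "P1", {"diagnosis": "sample"}),
                       Record("R2", "P2", {"diagnosis": "sample"})])
    alice = User("alice", "clinician", frozenset({"P1"}))
    bob = User("bob", "billing")
    carol = User("carol", "clerk")
    out = {"alice_reads_R1": store.read(alice, "R1")["diagnosis"]}
    store.change(alice, "R1", diagnosis="updated")
    out["bob_reads_R1"] = store.read(bob, "R1")["diagnosis"]
    for user, rec, action in ((alice, "R2", "read"), (bob, "R1", "change"),
                              (carol, "R1", "read")):
        try:
            getattr(store, action)(user, rec)
            out[f"{user.user_id}_{action}_{rec}"] = "allowed"
        except PermissionError:
            out[f"{user.user_id}_{action}_{rec}"] = "denied"
    out["denied_attempts_logged"] = sum(1 for e in store.audit if not e.allowed)
    out["r1_accesses"] = len(store.accesses_to("R1"))
    return out
```

Denied attempts are logged as well as successful ones, so a user probing for records outside their caseload shows up in `accesses_to` even though they never saw the contents.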

Contact us for more information

Discover how our secure database solutions can help your organization.