On August 21, 1996, Congress enacted the Health Insurance Portability and Accountability Act (HIPAA) of 1996 (Public Law 104-191). The regulations went into effect as scheduled on April 14, 2003. Briefly stated, the federal law requires that all healthcare organizations meet certain standards for healthcare information, privacy and security.
Patients, providers, payers and plan administrators benefit from the new regulations through:
- A renewed attention by the healthcare industry to protect the privacy and security of patient data.
- Anticipated cost savings for payers and providers using electronic data interchange (EDI) standards.
- Industry standards that will reduce or eliminate the incidence of fraud.
- Industry standards that should result in better, faster and cheaper healthcare.
A business associate provides services for health plans, providers and clearinghouses (the "covered entities") involving the use and/or disclosure of protected health information. As a Business Associate and an application service provider, PhDx Systems provides web-based solutions that will keep your existing HIPAA compliance intact.
What are a Business Associate's obligations? A Business Associate must provide to its clients (the covered entities) satisfactory assurances that it will protect information and help the client comply with its obligations under the rule. These assurances are generally provided within a written contract.
- PhDx applications can accept external data in many different formats, including XML interfaces and ASCII file import/exports.
- PhDx external interfaces can easily accommodate the specifications of the Transaction Rule if a client requires such functionality.
- PhDx client contracts specifically address points and provisions of 45 CFR 164.502(e)(2).
- PhDx employee access to protected health information is on a need-to-know basis.
- PhDx employees are all bound by confidentiality agreements to protect patient health information.
- PhDx applications can prevent the entry of any patient data until a signed patient authorization form has been received.
- PhDx reports any unauthorized release of protected health information.
- PhDx software applications are protected with role-based security for user validation, setting restrictions on application functionality and limiting data access.
- PhDx client sites are accessed via 40-bit or 128-bit SSL encrypted links.
- PhDx databases are backed up daily using triply redundant methods.
- PhDx disaster recovery plans include redundant servers and offsite data backups.
- PhDx Internet access is controlled and protected using firewall technology.
- PhDx intranet access is restricted to authenticated users only.
- PhDx computing facilities are protected with secure, controlled access.
- PhDx applications can easily accommodate national standard identifiers for physicians, employers and health plans.
- PhDx constantly monitors proposed changes and additions to HIPAA legislation.
Effective August 4, 2003, in accordance with HIPAA policy and in response to our customers' needs, PhDx will no longer collect patient authorizations to participate in studies. The Privacy Rules place the responsibility of collecting and maintaining patient authorizations on the physician as Covered Entity.
In some situations, a patient authorization may not be required because the data collection is considered to fit the Treatment, Payment or Operations (TPO) exclusion. In other situations, your IRB requires more complex patient informed consent duplicating authorization and adding confusion. Many states have medical privacy rules that override or work with HIPAA. No universal authorization form can include all those variables.
To assist you in developing an appropriate patient authorization form, we recommend the following links:
Click here for a more detailed document explaining HIPAA, the rules, PhDx's role and more links to the Department of Health and Human Services.
Department of Health and Human Services, Administrative Simplification - aspe.os.dhhs.gov/admnsimp
HIPAA compliance is overseen by the Chief Security Officer. Please send any inquiries to:
Chief Security Officer
Email: privacy@phdx.com