HIPAA defines companies that provide services to Healthcare Providers as Business Associates. Although the guidelines and regulations of HIPAA are not directly enforced upon Business Associates, but rather on the Healthcare Providers, at Billing Paradise we are meticulously working to comply with every detail of the Security and Privacy regulations of HIPAA.
In addition, we are active participants in and followers of the guidelines of HL7 EHR Security and Privacy Issues and JCAHO (http://www.jointcommission.org/).
We help Providers fulfill the PHI Privacy and Security requirements. We always enter into a written agreement with each physician or physician group that we will honor the privacy guidelines established by HIPAA and maintain technical and personnel safeguards to protect the security of that data. The detailed Security and Privacy regulations are summarized in the Security Guidelines of Administrative Simplification below.
Online Archival
Our HIPAA-compliant and secured online facility lets you access Transcripts anytime, anywhere. Transcripts are made available for 12 months in our Archival systems. This facility comes with convenient search options to retrieve the patient reports you are looking for. Our organization is an active participant in HL7 EHR Security and Privacy Issues.
Security Guidelines of Administrative Simplification
Administrative Procedures:
Documented formal practices to manage the selection and execution of security measures to protect data and the conduct of personnel in relation to the protection of data.
Contingency - Data Backup, Disaster Recovery, Emergency Mode
Information Access Control - Access Authorization, Access Establishment, Access Modification
Personnel Security - Personnel clearance, including custodial services
Security Configuration Mgmt - Hardware/software installation and maintenance, Virus checking
Security Incident Procedures - Report/Response Procedures
Security Mgmt. Process - Risk analysis and management, Sanction policy, Security policy
Termination Procedures - Locks changed, removal from access lists and user account(s)
Training - User education concerning virus protection and password management
Physical Safeguards:
The protection of physical computer systems and related buildings and equipment from fire and other natural and environmental hazards, as well as from intrusion. Physical safeguards also cover the use of locks, keys, and administrative measures used to control access to computer systems and facilities.
Media Controls - Access control, Accountability, Data Backup and Storage, Disposal
Physical Access Controls - Disaster Recovery, Emergency Mode Operation, Equipment Control (limited access), Need-to-Know Procedures for personnel access
Policy and guidelines on workstation use
Secure workstation locations
Security Awareness Training (including business associates such as transcription companies)
Technical Security Services:
Include the processes that are put into place to protect, control and monitor information access.
Access Control - Applies primarily to EMR and includes: Context-based, Role-based, and User-based Access, Encryption, and Emergency access procedures
Audit Controls
Authorization Control - Role-based and User-based access
Data Authentication
Entity Authentication - Requisite: Auto Logoff and Unique User ID, plus at least one of the following: Password, PIN, Tele-callback, Token, Biometric signature
Technical Security Mechanisms:
Include the processes that are put into place to prevent unauthorized access to data that is transmitted over a communications network.
Communications/Network controls - Requisite: Integrity Controls and Message Authentication, plus one of the following: Access Control, Encryption
If using a network, add: Alarm, Audit Trail, Entity Authentication, Event Reporting
*These are excerpts from Federal Register documentation on Administrative Simplification regarding Security. The comprehensive text is available from the Federal Register.
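The Technical Security Services and Technical Security Mechanisms listed above map onto ordinary application controls. The following is an added illustration written for this page, not code from Billing Paradise or from any HIPAA document: a small Python model with unique user IDs authenticated by password, role-based access to the fields of a transcript record, an idle auto-logoff limit, an audit trail with event reporting of denied attempts, and an HMAC tag serving as the integrity control and message authentication over a record in transit. The user IDs, roles, passwords, the 900-second idle limit, the sample record and the shared key are all constructed for the illustration.

```python
import hashlib
import hmac
import json

# ---- Technical Security Services: entity authentication (unique user ID plus
# ---- password), role-based authorization, auto logoff and audit controls.
# ---- Every value below is constructed for this illustration.

AUTO_LOGOFF_SECONDS = 900  # idle limit before a session is forced off (assumed value)


def _pw_hash(password: str, salt: bytes) -> bytes:
    """Salted password hash; plaintext passwords are never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Unique user IDs, each with one role and a salted password hash (constructed).
USERS = {
    "u-1001": {"role": "transcriptionist", "salt": b"salt-1001",
               "pw": _pw_hash("correct horse", b"salt-1001")},
    "u-2002": {"role": "physician", "salt": b"salt-2002",
               "pw": _pw_hash("battery staple", b"salt-2002")},
}

# Role-based authorization: the record fields each role may read.
ROLE_FIELDS = {
    "physician": {"patient_id", "transcript", "diagnosis"},
    "transcriptionist": {"patient_id", "transcript"},
    "billing": {"patient_id"},
}

AUDIT_LOG = []  # audit trail: every login and read attempt, allowed or not


def audit(now, user_id, action, outcome):
    AUDIT_LOG.append({"ts": now, "user": user_id, "action": action, "outcome": outcome})


class Session:
    def __init__(self, user_id, role, now):
        self.user_id, self.role, self.last_activity = user_id, role, now


def login(user_id, password, now):
    """Unique user ID plus a password: returns a Session, or None if denied."""
    user = USERS.get(user_id)
    ok = user is not None and hmac.compare_digest(user["pw"], _pw_hash(password, user["salt"]))
    audit(now, user_id, "login", "ok" if ok else "denied: bad credentials")
    return Session(user_id, user["role"], now) if ok else None


def read_record(session, record, fields, now):
    """Returns the requested fields, or None if auto-logged-off or unauthorized."""
    if now - session.last_activity >= AUTO_LOGOFF_SECONDS:
        audit(now, session.user_id, "read", "denied: auto logoff")
        return None
    session.last_activity = now
    denied = set(fields) - ROLE_FIELDS.get(session.role, set())
    if denied:
        audit(now, session.user_id, "read", "denied: " + ",".join(sorted(denied)))
        return None
    audit(now, session.user_id, "read", "ok")
    return {f: record[f] for f in fields}


def denied_events():
    """Event reporting: the audit entries an alarm would be raised on."""
    return [e for e in AUDIT_LOG if e["outcome"].startswith("denied")]


# ---- Technical Security Mechanisms: integrity control and message
# ---- authentication for a record in transit, via an HMAC over the body.

def seal_message(key: bytes, payload: dict) -> dict:
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def open_message(key: bytes, message: dict):
    """Returns the payload only if the tag verifies; None on any alteration."""
    expected = hmac.new(key, message["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, message["tag"]):
        return None
    return json.loads(message["body"])


if __name__ == "__main__":
    record = {"patient_id": "P-0001", "transcript": "...", "diagnosis": "..."}  # constructed
    s = login("u-1001", "correct horse", now=1000)
    print(read_record(s, record, ["transcript"], now=1010))   # permitted for the role
    print(read_record(s, record, ["diagnosis"], now=1020))    # None: role denies
    print(read_record(s, record, ["transcript"], now=5000))   # None: auto logoff
    msg = seal_message(b"shared-key", record)
    msg["body"] = msg["body"].replace("P-0001", "P-0002")     # simulate in-transit alteration
    print(open_message(b"shared-key", msg))                   # None: tag no longer verifies
    print(denied_events())
```

The denied entries in the audit trail are what the "Alarm" and "Event Reporting" items refer to: an access that fails authorization or arrives after the idle limit is still recorded, so it can be reported rather than silently dropped. Encryption of the body is left out of the model because the page lists it as an alternative to access control rather than a requisite.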
Privacy Guidelines of Administrative Simplification*
The Privacy Rule provides the first comprehensive Federal protection for the privacy of health information and is carefully balanced to provide strong privacy protections that do not interfere with patient access to, or the quality of, healthcare delivery. By the compliance date of April 14, 2003, covered entities (Health Plans, Healthcare Clearinghouses, and Healthcare Providers) must implement standards to protect and guard against the misuse of individually identifiable health information. Failure to implement these standards in time may, under certain circumstances, trigger the imposition of civil or criminal penalties.
Incidental Uses and Disclosures (45 CFR 164.502(a))
An incidental use or disclosure is a secondary use or disclosure that cannot reasonably be prevented, is limited in nature, and that occurs as a result of another use or disclosure that is permitted by the Rule. An incidental use or disclosure is NOT permitted if it is a by-product of an underlying use or disclosure which violates the Privacy Rule.
Minimum Necessary (45 CFR 164.502(b), 164.514(d))
The essence of this rule is the conveyance of patient information, in whatever form that conveyance may take (documented, verbal, data transfer, etc.), with the minimum amount of data necessary to meet the current treatment needs of the patient. The Privacy Rule requires covered entities to take reasonable steps to limit the use or disclosure of protected health information to the minimum necessary to accomplish the intended purpose.
Personal Representatives (45 CFR 164.502(g))
Under the Privacy Rule, a person authorized to act on behalf of the individual in making health care related decisions is the individual's personal representative. Covered entities are required to treat an individual's personal representative as the individual with respect to uses and disclosures of the individual's protected health information. The personal representative has the ability to act for the individual, exercise the individual's rights, and may also authorize disclosures of the individual's protected health information.
Business Associates (45 CFR 164.502(e), 164.504(e), 164.532(d) and (e))
By law, the HIPAA Privacy Rule applies only to covered entities. However, most healthcare providers do not carry out all of their activities and functions by themselves. Often the use of services provided by a variety of other persons and businesses is required. The Privacy Rule allows covered providers to disclose protected health information to these "business associates" if the providers obtain satisfactory assurances that the business associate will use the information only for the purposes for which it was engaged by the covered entity, will safeguard the information from misuse, will help the covered entity comply with some of the covered entity's duties under the Privacy Rule, and will help the covered entity carry out its healthcare functions.
A member of the covered entity's workforce is NOT a business associate.
An independent medical transcriptionist that provides transcription services to a physician IS a business associate.
A software vendor only becomes a "Business Associate" when it is required that a company representative view patient data in relation to providing services in the installation or maintenance of computer software. If the viewing of patient data can be avoided in this regard, a software vendor is not considered a business associate.
*These are excerpts from Privacy Rule guidelines created by the U.S. Dept. of Health and Human Services Office of Civil Rights. For the comprehensive text, visit the Office of Civil Rights on the web.