Background
In 1996, in an attempt to reform and streamline healthcare in the United States, Congress enacted the
Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). HIPAA can be divided into three
major areas: Standards for Transactions and Code Sets ("TCS"), Privacy, and Security. HIPAA affects
every individual that seeks health care in the United States and regulates the transmission of "protected
health information" in every aspect of the healthcare industry. HIPAA is a very broad, comprehensive overhaul
of the healthcare industry. Healthcare Business Resources, Inc. and its subsidiaries (collectively, "HBR"), in
accordance with our Company Philosophy of providing the highest and most competent service to our Clients, as well
as being a leader in the medical coding and billing industry and in corporate compliance, has incorporated HIPAA
into the Company's existing corporate compliance program ("CCP").
Standards for Transactions and Code Sets ("TCS")
The first major component of HIPAA deals with setting one uniform electronic method for the electronic
transmission of claims and claim-related information for reimbursement of healthcare in the United States.
To ensure compliance as well as to minimize the disruption to our Clients' revenue, HBR took the following actions:
- Formed a company-wide taskforce, known as the “HIPAA Taskforce”, comprised of management and employees from all the offices and departments within each office to assess and implement an action plan based on foreseeable risks.
- Worked with all Clients to ensure proper documentation was filed with CMS for the October 2002 TCS extension.
- HBR received, and continues to maintain, certification as HIPAA compliant for the transmission and receiving of electronic information by the third party testing service known as Claredi.
- Establishment of formalized Policy and Procedures as related to TCS Standards.
- Training of Company employees regarding the meaning and implication of the TCS Standards.
- Participation with other billing company professionals in 2006 on the HL7 Workgroup to establish, review and test the attachments standards for ED professional service claims.
To view the Final Transaction Rule:
http://www.cms.hhs.gov/hipaa/hipaa2/regulations/transactions/default.asp
Privacy
Patient privacy is the second major component of HIPAA. Privacy has long been a cornerstone of importance
among healthcare professionals but now it is actually defined and the access and disclosure allowed by law is
strictly limited. Acknowledging the importance of this section of HIPAA, HBR took numerous actions to ensure
compliance with the Privacy Rule of HIPAA including the following:
- The HIPAA Taskforce did a thorough company-wide gap and risk analysis, dividing the Company into “front-end”, “back-end” and “administrative” groups to look at such issues as ensuring that employees’ access to and disclosure of protected health information (“PHI”) was limited to the minimum necessary to perform their job functions; that the physical layout of all offices was as secure as feasibly possible, eliminating any unauthorized access or disclosure of PHI; and the review of any and all disclosure of PHI to entities outside the Company to ensure that only the minimum necessary amount of PHI was released.
- HBR’s employees’ job descriptions were re-written to define and describe in detail the appropriate levels of access and/or disclosure of PHI for each job function; employees were trained on the “minimum necessary” standards for PHI and each employee then signed his/her job description.
- A Privacy Policy was released to all Clients and Company personnel.
- HIPAA in general, and Privacy in particular, was addressed in the Company Compliance Guide, which is distributed to all Company Personnel as well as upon request to any Client or potential Client.
- Review of Company policies and procedures with amendments to existing policies and procedures enacted and new policies and procedures established where necessary.
- Business Associate Agreements were entered into with vendors, clients and other third parties and continue to be entered into as required.
- HIPAA training and yearly re-training of all Company personnel and new personnel is now an integral part of all Company personnel's yearly Compliance training.
- On-going monitoring of any possible unauthorized disclosure and/or possible violation of HIPAA has been established.
To view the Final Privacy Rule:
http://www.hhs.gov/ocr/hipaa/finalreg.html
To view HHS Fact Sheet on Privacy:
http://aspe.hhs.gov/admnsimp/final/pvcfact2.htm
Security
The third and final component of HIPAA is Security, with a Compliance deadline of April 2005. The Security
Rule completes the full picture of ensuring protection of electronic PHI ("ePHI") by focusing on the PHI
maintained in the information technology environment. HBR actively reviewed and addressed, and continues to
review and address, all elements designated in the Security Rule. The steps that the Company undertook include not
only the review of the required elements of the Security Rule but also the examination of addressable issues
of the Rule.
- The Company’s HIPAA Taskforce, with a special sub-committee made up of the Information Technology Department and the Legal/Compliance Department, actively performed a gap analysis to determine the Security Rule elements that are either required or addressable to HBR as set forth in the law.
- A Security Survey was distributed among all employees to assist in this gap analysis.
- HBR and its IT vendors have incorporated, and continue to incorporate, physical safeguards to protect computer systems and related equipment.
- Technical data security is continuously reviewed and monitored for further security measures for implementation, as appropriate. For example, HBR’s principal IT vendor has performed, and will continue to perform, “network vulnerability and penetration testing” of the HBR website and network to assess and determine the vulnerability of each to unauthorized access.
- The Vice President of IT was appointed by the HBR Board of Directors as the HBR Security Officer to oversee compliance with the Security Rule.
- Company-wide training regarding the Security Rule and Company Security Policy and Procedures was completed prior to April 2005. For its annual compliance training and re-training for all management and employees, HBR has continued to provide training information and resources regarding ePHI and security incident procedures and management.
- Policies and procedures are reviewed and amended, and new policies and procedures instituted company-wide, as deemed necessary.
To view the Final Security Rule:
http://www.cms.hhs.gov/hipaa/hipaa2/regulations/security/default.asp
To view the HIPAA FAQs:
http://www.cms.hhs.gov/
Conclusion
HBR considers HIPAA compliance to be a critical part of HBR's overall and longstanding
voluntary compliance program. While no corporate compliance program prevents and detects
any and all errors or non-compliant activity from occurring, HBR's HIPAA related compliance
activities are examples of the Company's continued and ongoing commitment to compliance with the
laws and regulations regarding patient privacy and security of ePHI. We seek to provide our stakeholders (employees,
client physician groups, hospitals and the patients whom they treat) with the confidence that these
compliance measures are meaningful, important and significant in achieving compliance.