emPower e-learning solutions is one of the leading providers of online health compliance courses in the market. Keeping in mind the need of companies to train their employees to prevalent industry standards, emPower provides a variety of e-courses, including those mandated by government and regulatory bodies such as HIPAA, OSHA, the Joint Commission and the Red Flag rule. The company has its own Learning Management System, which efficiently hosts customized e-learning courses. The real-time compliance tracking feature of our LMS supports our policy of providing our valued customers with a world-class e-learning environment. Our courses are SCORM compliant, so that students and employees can easily access and run them on other Learning Management Systems without any hiccup.
emPower
12806 Townepark Way
Louisville, KY 40243-2311
Ph: 812-332-5590
http://www.empowerbpo.com
Introduction to HIPAA
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its regulations were enacted by Congress on August 21, 1996 to protect the privacy and security of patients' personal health information. The regulation obligates healthcare providers to establish national standards for electronic healthcare transactions and national identifiers for providers, health plans, and employers. The purpose of this security rule is to improve the portability and continuity of health insurance in the group and individual markets, and to combat fraud, waste and abuse in health insurance and health care delivery. The privacy and security procedures in the administrative simplification section are designed to streamline the administration of health insurance by recognizing the efficiencies and cost savings that technology offers. A healthcare entity that fails to comply with these regulations may have to pay millions of dollars. Anyone dealing with sensitive data must follow the strictest security policy available.
Who is covered by HIPAA? The Privacy Rule applies only to covered entities:
- Health care clearinghouses: public or private entities that facilitate the processing of nonstandard health information data elements into standard data elements.
- Health care providers: a provider of medical or other health services, and any other person furnishing healthcare services or supplies.
- Health plans: an individual or group plan that provides or pays the cost of medical care, with the exception of liability and workers' compensation plans.
HIPAA has achieved great success in securing and protecting sensitive healthcare information. HIPAA has made considerable contributions that have resulted in increased use of electronic medical record systems, to implement secure,
Author: Jason Gaya Page 4 6/9/2010
Understanding HIPAA
The Health Insurance Portability and Accountability Act, or HIPAA as it is popularly known, was enacted in 1996 by Congress. It came into force on 1 July, 1997. The main purpose of this act is to manage the health care delivery system and regulate the health insurance industry so that people are protected from fraud, malpractice and discrimination.
The Act provides health insurance coverage to individuals and their families who lose or change their jobs. It promotes the use of medical savings accounts, frames health insurance procedures and provides access to long-term services. The law prohibits discrimination between individuals based on their health conditions and issues guidelines that monitor insurance plans and their providers, so that customers are not cheated and their rights are completely protected.
The ongoing conversion of health records into electronic data is part of the strategy to create a health care system that can be managed in a safe and sound manner. For this, HIPAA has issued guidelines that advise on how to protect crucial patient health information while it is stored or transferred electronically. The thrust is on protecting the health information of patients so that it is not misused.
The Act prohibits the use of patients' medical data for any purpose other than treatment. The data cannot be used for marketing purposes; patients have the complete right to protect their privacy, and written consent is needed from them prior to any disclosure of their information to a third party. HIPAA makes it mandatory for all insurers to document their privacy procedures so that patients know exactly how their privacy will be protected. Health insurers are bound to keep all details confidential, and if individuals or groups feel that their information has been compromised, they can lodge a complaint with the civil rights office of the Department of Health and Human Services (HHS).
In the end it can rightly be said that the Health Insurance Portability and Accountability Act acts as a guardian of the health care system, by efficiently managing the health insurance system and placing safeguards in it to make it tamper-proof. All this translates into a credible health delivery system that fulfills the health care requirements of patients in a safe and secure manner.
HIPAA is enforcing stricter laws and norms to deal firmly with health insurance fraud cases, like the one reported in the SUN newspaper about the sale of vital patient health records to attorneys so that they could mint money. A few steps have been taken in recent months with the sole purpose of making the electronic exchange of human health data foolproof.
In the end, the new and stricter regulations point to the effort of the regulatory authorities to clamp down on the fraudulent practices that still exist in the system in spite of the safeguards placed in it. The sole purpose is to make the electronic sharing of patient health data secure and tamper-proof. This will save the State and the people from losing millions of dollars every year to fraudulent insurance claims.
Due to rising fraud involving patient health information, the regulatory authorities have enforced stricter HIPAA norms to keep patient identities safe and secure.
The main objective of adopting the HIPAA security standard while selecting an email service is to protect patient health information. This prevents patient identity theft and saves the State and the people from the financial losses incurred through insurance fraud.
To prevent the loss of crucial patient health data, it is necessary to adopt the right encryption procedure before sensitive data is sent out to the receiver over a public network. The purpose of encryption is to assure the sender that the information is being sent to the receiver in a foolproof manner and that, even if it is intercepted on its journey, it cannot be read by anyone but the receiver.
- Create and implement a policy that authorizes only a limited number of trusted people to access confidential patient health data.
- All computer programs should be protected by user IDs and passwords to prevent unauthorized access. The passwords should be securely managed so that unwanted people cannot obtain them.
- All storage devices, backup tapes and computer equipment should be accounted for by maintaining a proper log book that keeps track of them.
- All paper documents that contain critical information but are not needed in the office should be shredded, so that nobody else can lay hands on them.
- Appropriate gateway security, with the capacity to deeply inspect web content and filter out unwanted elements like debilitating software and viruses, should be placed.
- The network security system should continuously monitor the network for any suspicious activity that indicates an unexplained deviation from standard procedure, and raise an alarm.
Administrative Safeguards
Security Safeguards:
- The security device should support a native form of authentication. For web-related applications, transparent authentication (single sign-on) should be used, so that a user who moves between different secure applications does not have to enter his or her username and password every time he or she makes a jump.
- The security system should support an email content filtration process with keyword and regular-expression matching features.
- To prevent unauthorized access to or interception of patient health information while it is in transit between sender and receiver, proper encryption techniques should be used. The transport of the PHI to public
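An added example (not code from the page or from any vendor) of the email content filtration described above, built from keyword and regular-expression rules. The identifier patterns, the keyword list and the trusted internal domain are assumptions constructed for the example; a real gateway would load its own. Note that the filter records only a masked form of what it matched, because a quarantine log that stores the matched identifiers would itself become a PHI store.

```python
import re
from dataclasses import dataclass
from typing import List

# Illustrative rules, constructed for this example. The MRN shape, the keyword
# list and the trusted domain are assumptions, not taken from any product.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)[:\s]*\d{1,2}/\d{1,2}/\d{2,4}\b", re.IGNORECASE),
}
KEYWORDS = ("diagnosis", "prescription", "lab results", "patient")
TRUSTED_DOMAINS = {"clinic.example"}   # assumed internal domain reached over an encrypted link


@dataclass
class Finding:
    rule: str
    evidence: str   # masked, so the filter's own log never stores the PHI it caught


def mask(value: str, keep: int = 4) -> str:
    """Replace all but the last `keep` characters with '*'."""
    return "*" * max(len(value) - keep, 0) + value[-keep:]


def scan_message(text: str) -> List[Finding]:
    """Apply every identifier pattern and keyword to one message body."""
    findings = []
    for name, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            findings.append(Finding(name, mask(m.group(0))))
    lowered = text.lower()
    for kw in KEYWORDS:
        if kw in lowered:
            findings.append(Finding("keyword:" + kw, kw))
    return findings


def decide(text: str, recipient: str) -> str:
    """Gateway policy for one outbound message:
    - internal recipient: deliver (the internal path is assumed encrypted);
    - identifier pattern going to an outside domain: quarantine for release
      by a privacy officer;
    - keywords only: flag for review;
    - nothing matched: deliver."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    if domain in TRUSTED_DOMAINS:
        return "deliver"
    findings = scan_message(text)
    if any(not f.rule.startswith("keyword:") for f in findings):
        return "quarantine"
    if findings:
        return "flag"
    return "deliver"


if __name__ == "__main__":
    # Constructed message; the identifiers are made up for the demonstration.
    body = "Patient John Doe, DOB 04/12/1961, MRN 00123456, diagnosis attached."
    for f in scan_message(body):
        print(f.rule, f.evidence)
    print(decide(body, "lawyer@outside.example"))
```

Keywords alone only flag a message because words like "patient" are common in ordinary correspondence; the structured identifiers are what justify holding the message.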
In the end, it is necessary for all the entities involved in the health care system, such as health service providers, insurance companies, transcription service providers, payers, labs, internet service providers, hospitals and billing services, to build a chain of trust so that any patient health information routed between them is kept highly confidential. This can be done through a network of computer systems that strictly adhere to HIPAA compliance norms, to facilitate the safe and secure transmission of confidential health information over public networks.
- The fax machine should be configured so that no copy of a received fax is saved.
- The fax machine should have an inbuilt copying function that can print as many copies as needed. This eliminates the need for an external document copier, such as a Photostat machine, and prevents exposure of confidential patient health information to unauthorized persons.
- The fax machine should be placed in a secure location and accessed only by authorized personnel. On receipt of a fax, the message should be delivered straight away to the intended recipient.
- Regularly used fax numbers should be properly saved, and the speed-dial option should be used to prevent misdialing.
- There should be a sound policy in place that efficiently manages the storage, duplication and disposal of faxed protected health information, as per HIPAA law. The policy should also effectively address the wrong delivery of PHI.
The fax machine is an integral part of the office communication system. Covered entities like clinics, hospitals, clearinghouses, insurance companies and other health providers depend on it for their daily communication needs. With the advent of the HIPAA law, the fax machine should be installed and used in a very secure manner.
A HIPAA-compliant fax machine should be used, with special encryption features that allow the sender to encrypt the protected health information and send it as an email over the internet. The PHI is encrypted into a sequence of codes and transmitted to the receiver's fax machine, which is also connected to the internet. The receiver has a key that decodes the encrypted email and prints the information back in its original form. Thus the message is faxed in a safe and secure manner over the net. These precautions help health organizations store and exchange patients' protected health information as per HIPAA law.
Balancing Social Media with HIPAA
Social media is completely changing the way people communicate with each other. The online networking platform that social media provides has made it quite easy for people to converse, exchange ideas, share opinions and distribute information, shaping mass opinion about an individual, product, policy, healthcare, education, etc. The list runs long.
An organized and credible healthcare system is crucial for the well-being of human society. Health insurance also falls under the purview of the healthcare system, and patient health information is of great significance. An insecure and compromised patient health information system can have severe implications for the health and financial condition of patients. HIPAA plays a pivotal role by enforcing strict regulations, which provide complete protection to confidential patient health information. The covered entities like the hospitals, clinics, billing
Doctors, nurses, medics, paramedics, surgeons, etc. are nowadays using social media tools like Facebook, Twitter, Flickr, etc. to communicate with each other. Patients also use social media to search for the right physicians or surgeons who can address their specific healthcare needs. This is the positive aspect of social media in healthcare settings. Increased accessibility also gives patients the opportunity to share and improve their knowledge about a disease and its treatment. The word-of-mouth testimonials on social media benefit patients by providing reliable information they can count on to resolve their pending health issues.
But social media also poses some threats to the privacy of patients. The lack of proper social media usage policies for healthcare workers, and human lapses, can seriously put the integrity and confidentiality of patient health information at risk. The intentional or unintentional display of patient health information will surely invite strict penalties and convictions under HIPAA regulations.
Instead of creating friction or conflict between HIPAA and social media through irresponsible use, health care organizations should administer a sound social media management policy, which ensures that no leakages occur and that whatever goes on the net is not detrimental to the healthcare rights of the patient. If somehow information does manage to slip through, strict vigilance should ensure timely removal of the content from the net. Medical staff should be trained to handle social media in such a manner that both the organization and the patients benefit from its constructive use.
Instead of opposing each other, social media and HIPAA must be harmonized in such a manner that the vast reach social media provides is used effectively to address healthcare issues, without compromising individual or collective healthcare privacy rights.
Some surgeons tweet from operating rooms to the relatives of a patient to keep them updated on the patient's condition. From a marketing perspective, this might be a good way to woo more patients to the hospital by advertising a service that reflects the customer-centric policy of the organization.
But Twitter in healthcare settings is fraught with dangers. The HIPAA norms make it mandatory for all covered entities, like hospitals, health insurance providers, billing services and other health providers, along with their business associates, to ensure complete protection of the patient health information which they store, process and exchange between themselves. Irresponsible use of Twitter might result in leakage of sensitive patient health information and invite heavy fines and criminal convictions, which can ruin the careers of medical personnel and tarnish the image and business prospects of health care organizations.
Use of Twitter from the operating room should be discouraged, as it might affect the electronic signals of the machines installed in the room. Further, wrong or premature information tweeted from the room can damage the reputation of the organization. Any tweet which leaks the identity of the patient or their information will surely invite legal trouble for the personnel and the organization.
The HIPAA compliance laws make it mandatory for the covered health entities, like hospitals, clinics, billing and insurance companies, and their business
HIPAA compliance rules make it necessary for the FTP servers of health organizations and insurance companies to adopt security measures, so that the electronic health information of the patient is safely transferred from the sender to the intended receiver. HIPAA-compliant servers have the following security features:
- The FTP servers are protected by 128-bit SSL encryption technology. The file is loaded on the server in encrypted form and can be downloaded in its original form only by an authorized person or entity, through a unique key which the sender and the receiver share between them.
- A HIPAA-compliant server offers very secure and fast transfer of large volumes of digital data through a multi-threaded file transfer system. This is considerably faster than a normal FTP transfer.
- HIPAA compliance in an FTP server lets users continue using their existing firewall service. A unique username and password protect the system from unauthorized intrusion.
- HIPAA-compliant servers are user-friendly and make it easy to download and upload large files without complications.
- A special intrusion detection system provides foolproof security and thwarts any rogue entry into the system.
The encryption feature of the FTP server makes it impossible for an intruder to access the sensitive information, and this falls completely in line with the requirements of HIPAA compliance norms.
But with this benefit of WLAN comes an underlying security threat, which can seriously compromise the ability of the health care facility to follow the HIPAA compliance laws pertaining to the electronic exchange of confidential patient health information. A wired network, as it requires physical access, is safer than a wireless network. The open architecture of a WLAN makes it easy for an unauthorized person to get behind the firewall and access the network. This poses a serious threat to the safety of the confidential patient health information stored, exchanged or processed on the network.
To achieve HIPAA compliance, the WLAN should have the security features mentioned below:
In the end, the WLAN in any healthcare setting should be securely configured so that it becomes safe for the organization to store and exchange confidential patient health information in line with HIPAA compliance laws.
The waste paper recycler is one such business associate, who takes care of waste paper disposal.
- Provide complete details on how the waste paper will be disposed of safely.
- Indicate the time taken for disposal. It should clearly point out the time elapsed between collection and destruction.
- Ensure the availability of a specific sum of liability insurance, which provides risk coverage to the covered entity. This is because the covered entity is ultimately responsible for the privacy of patient health records.
- Provide complete information on all the safeguards in the waste paper management plan, so that the covered entity can rest assured that there are no safety breaches from collection to disposal of the paper records.
- Provide proof of record destruction, whether by shredding, paper recycling or burning.
The vendor is also responsible for patient health privacy. To develop long-term business relations with a covered entity, it is essential that the vendor practices safe disposal of medical records. The covered entity should get a written commitment, in the form of a signed contract, to ensure HIPAA compliance during waste paper disposal.
The safe disposal of unneeded patient health documents is crucial because the health service provider is accountable for any breach during information processing, exchange, storage or disposal. Any paper disposal vendor or recycler who seeks to enter into a business alliance with a health service provider should employ waste paper management techniques that are in line with HIPAA compliance norms.
The covered entity and the vendor should work together in tandem to chalk out a good strategy which ensures the safe disposal of paper documents. The following points should form the backbone of this joint strategy:
- Health providers should train their staff to generate less paper waste.
- The organization should switch from paper documents to electronic information processing. This will greatly reduce waste paper generation at source. The facility should maintain a list of the staff members who are responsible for the generation, storage and safe handing over of waste paper documents to the vendor. This brings accountability into the system.
- Paper should be trashed in locked bins and stored in safe areas of the facility, away from busy areas. If health providers wish, they can shred the documents in their own facility, but this requires additional labor and capital.
- If a vendor is given the task of shredding or recycling the documents, the covered entity should enter into a binding agreement that ensures there is no lapse on the part of the vendor, right from the collection of the waste to its disposal in a shredding machine or recycling plant, because ultimately the health provider is accountable for any safety lapse.
- The vendor can shred the documents on site or transport them to a bulk shredding center. It should provide a certificate of disposal, so that the time, place and proof of safe disposal are available to the covered entity.
Thus a well thought out waste disposal scheme protects the covered entity from liability due to any breach in the confidentiality of patient health information during its disposal.
- Able to track the user, whether a service provider or a client, and maintain a complete record of the date, time and nature of access through a system of usernames and passwords. It should provide information on who accessed the data and what was viewed, updated or deleted.
- Restrict user access to the required information only. It should allow the authorized user to view or process the patient information that falls under his or her scope of work. The user cannot access any other information that does not pertain to his or her work or department.
- Provide an override function, which grants special access or emergency rights to a staff member in case of emergency, so that patient health care is not compromised in any way. But at the same time, the built-in messaging system should inform other users about such access, including the identity of the person and the information accessed. This is part of the security review associated with the override function, and ensures accountability in the system through continued vigilance.
- Anti-virus and firewall defenses, and a system of usernames and passwords, to protect the health information system from viruses and hackers.
- Support e-mail encryption, so that patient health information sent through mail is tamper-proof.
- The software should support an internal messaging system, which updates the user about the entry or exit of messages or other information, without having to leave the security of the organizational network.
- The software should have an online patient authorization system, which grants health service providers the right to use the patient health information for the good of the patient. The online authorization form should have an expiration date and clearly indicate for what purpose the patient health information will be used. The software should keep track of the expiration of authorizations, so that they can be revalidated as and when required by the patient and the health service provider.
- The software should support coding and billing procedures, so that patient health transactions can be easily conducted electronically between different health service providers as per HIPAA compliance norms.
The main objective of HIPAA compliance software is to protect the patient health information processed, exchanged or stored at various health entities. The software should facilitate the smooth flow of patient information through different networks in a secure way. The security features should thwart hostile access and, at the same time, not hinder authorized users like providers or patients, so that the health of the patient is not compromised in any way.
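The first three features in the list above (a per-user audit trail, access limited to the user's own department, and an emergency override that is granted but logged and announced to other users) can be shown in one small model. The following is an added example written for this page, not code from the page or from any compliance product; the role-to-department scopes, the records and the user names are constructed assumptions, and the notification list stands in for the internal messaging system.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

# Assumed role-to-department scopes, constructed for this example; a real
# system loads these from its own access-control configuration.
ROLE_SCOPE: Dict[str, Set[str]] = {
    "cardiology_nurse": {"cardiology"},
    "billing_clerk": {"billing"},
    "attending_physician": {"cardiology", "oncology"},
}


@dataclass
class Record:
    patient_id: str
    department: str
    contents: str          # the PHI itself; it is never copied into the audit log


@dataclass
class AuditEntry:
    timestamp: datetime
    user: str
    patient_id: str
    action: str            # "view", "update" or "delete"
    outcome: str           # "allowed", "denied" or "override"
    reason: str = ""       # denial reason, or the justification given for an override


class PhiStore:
    """Record store that limits each role to its departments, writes every
    attempt to an audit trail, and supports a break-glass override that is
    granted only with a stated reason and is announced to other users."""

    def __init__(self, records: List[Record], clock=None):
        self._records = {r.patient_id: r for r in records}
        self.audit: List[AuditEntry] = []
        self.notifications: List[str] = []      # stand-in for the internal messaging system
        self._clock = clock or (lambda: datetime.now(timezone.utc))

    def _log(self, user: str, patient_id: str, action: str, outcome: str, reason: str = "") -> None:
        self.audit.append(AuditEntry(self._clock(), user, patient_id, action, outcome, reason))

    def access(self, user: str, role: str, patient_id: str, action: str,
               emergency_reason: Optional[str] = None,
               new_contents: Optional[str] = None) -> Optional[Record]:
        """Return the record if the access is granted, else None. Every call is audited."""
        record = self._records.get(patient_id)
        if record is None:
            self._log(user, patient_id, action, "denied", "no such record")
            return None
        if record.department in ROLE_SCOPE.get(role, set()):
            self._log(user, patient_id, action, "allowed")
            return self._apply(record, action, new_contents)
        if emergency_reason:
            # Break-glass: grant out-of-scope access, but record the override and
            # notify other users of who did it and which record was touched.
            self._log(user, patient_id, action, "override", emergency_reason)
            self.notifications.append(
                f"OVERRIDE: {user} ({role}) performed {action} on patient {patient_id}; "
                f"reason: {emergency_reason}")
            return self._apply(record, action, new_contents)
        self._log(user, patient_id, action, "denied", "outside role scope")
        return None

    def _apply(self, record: Record, action: str, new_contents: Optional[str]) -> Record:
        if action == "update" and new_contents is not None:
            record.contents = new_contents
        elif action == "delete":
            del self._records[record.patient_id]
        return record


if __name__ == "__main__":
    store = PhiStore([Record("P-1001", "cardiology", "ECG report"),
                      Record("P-2002", "oncology", "chemotherapy plan")])
    store.access("alice", "cardiology_nurse", "P-1001", "view")
    store.access("bob", "billing_clerk", "P-1001", "view")
    store.access("bob", "billing_clerk", "P-1001", "view", emergency_reason="ER admission")
    for entry in store.audit:
        print(entry.timestamp.isoformat(), entry.user, entry.patient_id,
              entry.action, entry.outcome, entry.reason)
    print(store.notifications)
```

Two design points matter for review: denied attempts are logged as well as granted ones, since repeated denials are the signal a security reviewer looks for, and the audit entry carries only the patient identifier and the action, never the record contents, so the trail does not become a second copy of the PHI.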
The HIPAA compliance norms make it mandatory for all covered entities, like hospitals, clinics, clearinghouses, physicians, medical insurance companies and other health service providers, to employ secure computer network systems which follow stringent security codes. Any failure in HIPAA compliance on the part of a health provider will surely invite strict regulatory action, in the form of heavy fines or criminal prosecution.
The nomadic or remote settings of patients make it a challenging task for health providers to maintain the privacy of patient health information. A series of wireless and local area networks makes the system vulnerable to hackers. Further, the lack of proper vigilance at remote settings attracts hostile intrusion from both hackers and viruses. To fortify the telemedicine network against unauthorized access, health service providers should incorporate stringent security features in the network, and they are:
- All email communications should be in encrypted form. The email content is encrypted into strings of codes and transmitted over the network. At the receiving end, the coded message is assembled back into its original form with the help of a key. Even if someone manages to access it illegally during transmission, the coded message will make no sense to the hacker.
- A facial recognition system helps service providers clearly identify patients on the network, especially in the case of video conferencing.
- A digital identity card is provided to remote patients after identity verification by the authorities. The encryption features and digital signature of the patient in the card authenticate the user and allow access to online health services.
- Access to all point-of-service computers should be user-authenticated, to ensure that only authorized personnel access the system.
- The computer network should be protected by a firewall and constantly monitored to detect any intrusion. There should be an audit system which maintains a record of the time, frequency and nature of hostile attacks made on the network.
The security features in the network enable health service providers to provide quality healthcare services to remote patients in a safe and secure way. Patient health privacy is protected, and this is in line with HIPAA compliance norms. Telemedicine and EMR can safely deliver customized health solutions to remote communities.
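The last item above asks for an audit system that records the time, frequency and nature of hostile attempts against the network. As an added example (not code from the page or from any product), the script below reads a constructed, syslog-like sample of failed logins and firewall drops, groups the events by source address, and flags any source that produces a burst of hostile events inside a short window. The log format, the addresses and the thresholds are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log in a simple syslog-like shape; not output from any real device.
SAMPLE_LOG = """\
2010-06-09T10:00:01Z sshd: Failed password for admin from 203.0.113.7
2010-06-09T10:00:03Z sshd: Failed password for root from 203.0.113.7
2010-06-09T10:00:04Z sshd: Failed password for nurse1 from 203.0.113.7
2010-06-09T10:00:06Z sshd: Failed password for admin from 203.0.113.7
2010-06-09T10:00:09Z sshd: Accepted password for nurse1 from 10.0.0.21
2010-06-09T10:03:30Z firewall: DROP TCP 198.51.100.9 -> 10.0.0.5:445
2010-06-09T10:03:31Z firewall: DROP TCP 198.51.100.9 -> 10.0.0.5:3389
2010-06-09T10:45:00Z sshd: Failed password for admin from 192.0.2.4
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<source>\w+):\s+(?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<ip>\S+)")
DROP_RE = re.compile(r"DROP (?P<proto>\w+) (?P<ip>\S+) -> (?P<dst>\S+)")


def parse_events(text):
    """Return (timestamp, source_ip, kind) for each hostile-looking line.
    Successful logins and unrecognised lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        msg = m.group("msg")
        failed = FAILED_RE.search(msg)
        dropped = DROP_RE.search(msg)
        if failed:
            events.append((ts, failed.group("ip"), "failed_login"))
        elif dropped:
            events.append((ts, dropped.group("ip"), "blocked_connection"))
    return events


def detect_bursts(events, threshold=3, window=timedelta(minutes=1)):
    """Flag a source address once `threshold` hostile events from it fall inside
    `window`. The result records first/last time, total count and event kinds,
    i.e. the time, frequency and nature of the activity."""
    by_ip = defaultdict(list)
    for ts, ip, kind in sorted(events):
        by_ip[ip].append((ts, kind))
    alerts = {}
    for ip, items in by_ip.items():
        start = 0
        for end in range(len(items)):
            # slide the left edge forward until the span fits inside `window`
            while items[end][0] - items[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[ip] = {
                    "first": items[0][0],
                    "last": items[-1][0],
                    "count": len(items),
                    "kinds": sorted({kind for _, kind in items}),
                }
                break
    return alerts


def report(alerts):
    """One line per flagged source, suitable for an alert channel."""
    return [f"{ip}: {a['count']} events ({', '.join(a['kinds'])}) "
            f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}"
            for ip, a in sorted(alerts.items())]


if __name__ == "__main__":
    for line in report(detect_bursts(parse_events(SAMPLE_LOG))):
        print(line)
```

With the default threshold only the source that failed four logins in five seconds is flagged; the two blocked connections from the second address stay below it, and a single failure forty minutes later never forms a burst. Lowering the threshold or widening the window trades fewer missed probes for more alerts to review.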
The complete conversion of paper records into electronic format is a time-consuming task. The real challenge lies in creating seamless connectivity between different health services, so that patient health information is used safely to settle insurance claims, remittances and eligibility issues in a time-bound manner and to the complete satisfaction of customers.
This is where HIPAA 5010 will take over from HIPAA 4010. HIPAA 5010 overcomes the shortcomings of HIPAA 4010 by adopting a well-defined policy which supports structural and technical changes to provide consistent and uniform content, creating a common platform for different health service providers. As a result, covered entities like physicians, hospitals, payers, clearinghouses, dentists and pharmacies can easily share and process patient health information with minimal time and cost.
- Administration of claims
- Management of contracts with health service providers
- Medical management, which includes referral and pre-authorization, disease and case management
- Assessment of eligibility and enrolment
- Customer service in handling appeals and providing claim-related support
In the end, HIPAA 5010, with 1000-plus changes from its predecessor, will greatly help increase interoperability and portability between different health providers and their business associates. This will translate into huge savings in the operational costs of the national healthcare system and enable patients to receive better health insurance services at reduced prices, compared to what is available to them today.
HIPAA Law - Selecting the Right User Authentication System
The main objective of the HIPAA law is to streamline the health insurance system and provide continuous coverage to people who change or lose their jobs. To do this effectively, special emphasis is laid on the complete conversion of patient health records from paper to electronic format. This will make it convenient for covered health providers and their business associates to safely manage voluminous patient health information in a cost-effective manner.
The HIPAA law advocates a very strong security policy, which guarantees the protection of confidential health information from unauthorized access on the net. Password-enabled access is the most common type of security system. But such a system is not reliable, as passwords can be easily hacked. Also, when there are many passwords to remember, it becomes very cumbersome for the user to remember all of them. The patient or user writes them down on paper, and this is an unsafe practice, because if it falls into the wrong hands it can result in financial losses for the patient and the health service provider.
The smart card system provides a better option, as it works on a combination of a security card and a PIN number. But there is a loophole in it. In case of loss of the smart card, or if the PIN number is cracked by a hacker, the secrecy of patient health information can be severely compromised. Further, smart card based authentication systems are costly, and hence expensive for small health providers to install.
Under HIPAA law, all covered entities like hospitals, clinics, clearinghouses and other health service providers are responsible and accountable for the safety of patient health information. Hence it is necessary to put in place an impenetrable security wall, in the form of reliable user authentication, which successfully neutralizes any intrusion. This protects the health organization from non-compliance with HIPAA law due to poor network security.