HIPAA Compliance

HAWTHORNE BENEFIT TECHNOLOGIES

HIPAA COMPLIANCE STATEMENT



HIPAA Health Insurance Reform

Title I of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) protects health insurance coverage for workers and their families when they change or lose their jobs. Visit the HIPAA Insurance Reform site to find out about pre-existing conditions and portability of health insurance coverage.


HIPAA Administrative Simplification

Congress included provisions to address the need for developing a consistent framework for electronic transactions and other administrative simplification issues in the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Pub. L. 104-191, which became law on August 21, 1996. Through subtitle F of Title II of that statute, Congress added to title XI of the Social Security Act a new part C, titled "Administrative Simplification." The purpose of this part is to improve the Medicare and Medicaid programs in particular, and the efficiency and effectiveness of the health care system in general, by encouraging the development of standards and requirements to enable the electronic exchange of certain health information. Hawthorne Benefit Technologies is required to comply with the Administrative Simplification provisions of the HIPAA legislation because it falls under the legal definition of a covered entity (a health care clearinghouse). The Administrative Simplification provisions of HIPAA include: Electronic Transactions and Code Sets, Security, Unique Identifiers and Privacy.


Electronic Transactions and Code Set Standards

The HIPAA Benefit Enrollment and Maintenance Transaction (ASCX12N834) is the standard EDI specification required to transfer enrollment information from the sponsor of the insurance coverage, benefits, or policy (i.e. the government agency, employer, or other entity that ultimately pays for the coverage) to a payer (i.e. the insurer or entity that pays the claims and/or administers the insurance coverage). It is sometimes referred to as the X12 standard or 834 format. October 16, 2003 was the deadline for covered entities to comply with HIPAA's electronic transactions and code set provisions. Organizations can meet the requirements either by transmitting and receiving standard data elements or by submitting non-standard data elements to a health care clearinghouse for transmission and receiving non-standard data elements through the clearinghouse.

October 16, 2003 was the HIPAA deadline for covered entities to comply with the transaction and code set provisions. After that date, covered entities were technically not permitted to conduct noncompliant transactions electronically. However, HHS received numerous inquiries expressing concern over the health care industry's state of readiness due to the massive changes that are required to many legacy systems. As a result, the Centers for Medicare & Medicaid Services (CMS), which is the agency responsible for enforcement, recognized that transactions often require the participation of two covered entities and that noncompliance by one covered entity may put the second covered entity in a difficult position. Therefore, CMS will look at both covered entities' good faith efforts to come into compliance with the standards. Good faith efforts may include such factors as external testing with trading partners, lack of availability of, or refusal by, the trading partner(s) prior to October 16, 2003 to test the transaction(s) with the covered entity whose compliance is at issue, and in the case of a health plan, concerted efforts in advance of the October 16, 2003 deadline and continued effort afterwards to conduct outreach and make testing opportunities available to its provider community.

As a health care clearinghouse, Hawthorne Benefit Technologies is required to comply with government standards for electronic transactions and code sets. By the same token, HIPAA also allows us to continue providing EDI transactions to carriers and other covered entities that may still be in the process of testing the ASCX12N834 format with their trading partners. HBT is prepared to, and does, provide data to covered entities in the HIPAA-compliant 834 format whenever accepted by carriers or other business associates. At the present time we are transmitting data in the standard ASCX12N834 format as well as non-standard proprietary formats preferred by some of our employer groups' insurance carriers and third party administrators.


Security

Security Standards are to protect the confidentiality and availability of health care information. They apply to all health care organizations and their business partners that transmit or maintain electronic health information, not just those that solely transmit electronic data as with other provisions of HIPAA-AS. The proposed standards cover both organizational and technical practices. The Department of Health & Human Services (DHHS) divides security requirements into the following five areas of compliance.

Administrative Procedures - Documented practices for establishing and enforcing security policies that guard data integrity, availability and confidentiality. These also must address staff responsibilities for protecting data. Requirements such as training, information access control, security management, incident and termination procedures are covered in this section of the regulation. Chain of Trust agreements must be put in place in order to protect data exchanged between covered entities and their business partners. This section of the regulation also addresses contingency planning including data backups, alternate processing options and disaster recovery procedures. Covered entities must develop formal mechanisms for the processing of records that contain health information including receipt, manipulation, storage and transmission of those records.

Physical Safeguards - There must be documented processes to protect data integrity, availability and confidentiality. Safeguards protect physical computer systems, buildings, equipment from fire and other environmental hazards as well as intrusion. A security officer or department must be assigned the responsibility for security. Policies on workstation use and security are addressed as well as the use of physical locks, security systems, and administrative measures.

Technical Security Mechanisms - Mechanisms, including business processes, to prevent unauthorized access to data or information transmitted over a communications network (data in transit). Access controls and encryption must be deployed over an open network. In addition, alarm, audit trail, entity authentication and event reporting must be implemented.

Technical Security Services - These are services or processes to guard the integrity of data and its availability and confidentiality within a system. These include the use of passwords and other means to monitor, control and protect access. There must be audit controls that record and examine system activity related to data authentication and entity authentication.

Electronic Signature Standards - If a digital signature is employed, the following three implementation features must be implemented: (1) message integrity, (2) non-repudiation, and (3) user authentication. There are other optional features. DHHS has indicated that the final security regulations will be published without the standard for electronic signature and that this part of the regulation will be delayed for some time. The Security and Electronic Signature NPRM is available here.

April 21, 2005 is the deadline for compliance with Security standards for all covered entities except small health plans; April 21, 2006 is the deadline for Security standards compliance for small health plans. The rule requires covered entities to protect against reasonably anticipated threats to security. The government will soon post on its HIPAA Website guidance to help small providers implement the security rule. See http://www.cms.hhs.gov/hipaa/hipaa2

Hawthorne Benefit Technologies has adopted physical, electronic and managerial procedures to comply with all five areas of the HIPAA Security legislation and to safeguard and secure the information we collect to prevent unauthorized access, maintain data accuracy, and ensure confidentiality. All HBT employees must sign a Confidentiality Agreement stating that they understand the highly confidential nature of our business and committing to exercise discretion when handling client affairs. Breach of this agreement constitutes grounds for immediate termination of employment. In addition, HBT routinely executes Business Associate Agreements with trading partners in which a mutual contractual commitment to Confidentiality is required. Hawthorne Benefit Technologies is in full compliance with HIPAA Security standards as they apply to a health care clearinghouse.


Privacy

Security and privacy provisions are sometimes confused. Privacy protections protect the confidentiality of the patient's individual medical information. It is an individual right. Security relates to the protective measures put in place to enforce policy regarding confidential information. April 14, 2003 was the deadline for Privacy compliance for all covered entities except small health plans; April 14, 2004 was the deadline for Privacy compliance for small health plans.

HIPAA privacy standards apply to all forms of protected information (e.g. paper, oral, electronic) once any personal identifiable health information has been electronically stored or transmitted. This information is called "protected health information (PHI)." HIPAA defines individual information as: "Any information, including demographic information collected from an individual that:

•  is created or received by a health care provider, health plan, employer or health care clearinghouse; and
•  is related to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present or future payment for the provision of health care to an individual; and

a. Identifies the individual; or
b. With respect to which there is a reasonable basis to believe that the information can be used to identify the individual."

Individually identifiable health information includes many common identifiers (e.g. name, address, birth date, Social Security Number). There are no restrictions on the use or disclosure of de-identified health information (45 C.F.R. 164.502(d)(2); 164.514(a) and (b)).

The Privacy Rule applies to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form in connection with transactions for which the Secretary of HHS has adopted standards under HIPAA (the "covered entities"). Health care clearinghouses are entities that process nonstandard information they receive from another entity into a standard (i.e., standard format or data content), or vice versa.

In most instances, health care clearinghouses receive individually identifiable health information only when they are providing these processing services to a health plan or health care provider as a business associate. In such instances, only certain provisions of the Privacy Rule are applicable to the health care clearinghouse's uses and disclosures of protected health information (45 C.F.R. 164.500(b)).

The only protected health information HBT receives is as a business associate of another covered entity. In general, a business associate is a person or organization that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information. When a covered entity uses a business associate to perform services or activities, the Rule requires that the covered entity include certain protections for the information in a Business Associate Agreement. In this agreement, a covered entity must impose specified written safeguards on the personally identifiable health information. Covered entities that have an existing written contract or agreement with business associates prior to October 14, 2002, which was not renewed or modified prior to April 14, 2003, are permitted to continue to operate under that contract until they renew the contract or April 14, 2004, whichever is first. HBT routinely executes Business Associate Agreements with trading partners in which a contractual commitment to safekeeping of PHI is required.

Hawthorne Benefit Technologies is in full compliance with the Privacy Rule with respect to health care clearinghouses. HBT has addressed all Administrative requirements under this provision, including written privacy policies and procedures that are consistent with the Privacy Rule. HBT has designated a privacy official responsible for developing and implementing its privacy policies, and a contact person responsible for receiving complaints and providing individuals with information on our privacy practices. HBT has trained all workforce members on its privacy policies and procedures as necessary and appropriate for them to carry out their functions. In addition, HBT will apply appropriate sanctions against workforce members who violate its privacy policies and procedures or the Privacy Rule.

HBT maintains reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of protected health information in violation of the Privacy Rule and to limit its incidental use and disclosure. Safeguards such as shredding documents before discarding them and securing the IT facility with keys and access pass-codes are in place.

For Hawthorne Benefit Technologies' complete Data Privacy Policy, click here.


Resources

Centers for Medicare & Medicaid Services:
http://www.cms.hhs.gov/hipaa
The Security and Electronic Signature NPRM


US Dept. of Health & Human Services:
http://www.hhs.gov


Healthcare Technology Consulting:
http://www.hipaa4u.com/


Health Data Management:
http://www.healthdatamanagement.com/

