HIPAA & DATA SECURITY
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was passed by Congress in 1996. The primary purpose of the law was to provide better access to health insurance and to discourage healthcare billing fraud through strict adherence to its rules. Many sections of the law, relating to administrative simplification and the privacy of protected health information, have far-reaching effects for the entire healthcare sector.
The Administrative Simplification rules of HIPAA are intended to improve efficiency in healthcare delivery through standardized, electronic transmission of many administrative and financial transactions, as well as protection of confidential health information.
AIMS billing services fall under the definition of a Business Associate (BA) under the HIPAA Privacy Rule. A Business Associate (BA) is any person or entity that performs a function or activity on behalf of a Covered Entity (CE) which involves the use or disclosure of Protected Health Information (PHI).
Under the security standards, we ensure proper implementation of Administrative, Physical and Technical safeguards. By following these standards we protect the confidentiality, integrity and availability of electronic protected health information.
- A full-time Data Security Officer monitors policy implementation.
- Necessary policies and procedures are in place to prevent, contain and correct security violations.
- An extensive background check is conducted by the HR department on all new employees prior to the "employee confirmation process."
- Every employee enters into a Confidentiality Agreement that prohibits the employee from using, publishing, disclosing or divulging, or permitting others to use, publish, disclose or divulge, any confidential information obtained by them. This Agreement is enforceable under the IT Amendment Act 2008, Data Security and Customer Privacy Act, with punishment that may extend up to seven years of imprisonment.
We take compliance-related concerns seriously and address them as a matter of policy. We are equipped with the most technologically advanced infrastructure to handle data security issues.
Salient features are:
- The facility is locked down, with access only for authorized individuals in client-specific areas. Entrance to the production area is restricted by fingerprint-based access control, as per HIPAA privacy requirements.
- CDs, DVDs, pen drives, disk drives or any other storage devices are not allowed on individual PCs or on the office premises without prior permission from authorized management team members. Most workstations do not have external USB ports or CD drives.
- Entry of mobile phones into the production area is strictly prohibited. The appointment letter of each employee specifies this condition.
- A mostly paperless process environment is maintained, with timely destruction of any hard copies that are used.
- Only need-based, limited access to the network is allowed in the production area, controlled through login IDs and password protection.
- Our firewall system restricts users from surfing or accessing unauthorized sites on the internet.
- The teams have need-based, restricted remote access to the client's software applications. Client networks are physically isolated and have dedicated firewalls into the client's network for additional security.
- We use the best hardware firewall solutions available in the market. A HIPAA-compliant, VPN-enabled FortiGate 60D firewall is installed at our secure server and continuously restricts unwanted use of the internet. It allows secure login from remote offices to our secure server through a Remote Access VPN client login.
- The AIMS website, www.aimsbillingandcoding.com, is also SSL protected, encrypting all files that pass through it. Only need-based, limited access is provided to employees, with use restricted by passwords.
- AIMS uses professional HIPAA-compliant e-mail services from Microsoft 365 for completely secure data exchange with the client's back office, using 128-bit encryption of mail and uploaded files.
CERTAIN FACTS ON HIPAA
- The Privacy Rule permits hospitals to continue the practice of providing directory information to the public unless the patient has specifically chosen to opt out.
- The Regulation specifically provides that hospitals may continue the practice of disclosing directory information "to members of the clergy," unless the patient has objected to such disclosure.
- Under the Privacy Rule, a health care provider may "disclose to a family member, other relative, or a close personal friend of the individual, or any other person identified by the individual," the medical information directly relevant to such person's involvement with the patient's care or payment related to the patient's care.
- Under the Regulation, a family member or other individual may act on the patient's behalf "to pick up filled prescriptions, medical supplies, X-rays, or other similar forms of protected health information."
- Disclosure is mandated in only two situations: to the individual patient upon request, or to the Secretary of the Department of Health and Human Services for use in oversight investigations.
- The HIPAA Privacy Regulation does not give people the right to sue.
Here are a few important issues involving HIPAA-compliant secure e-mails carrying PHI.
Not all email service providers have secure servers.
Free service providers like Gmail, AOL and Yahoo are not secure email services, and every bit of correspondence that needs to be HIPAA compliant must be encrypted. This includes any attachments to the email, whether images or documents. These providers also do not offer encryption services.
It is not necessary to encrypt any and all emails.
If you are sending emails from one co-worker to another on a secure server, you don't have to encrypt the email, provided that the server is secure enough that it cannot be penetrated by an outside source. Even though HIPAA does not require encryption of inter-agency communication, it is not a bad habit to get into when dealing with confidential information.
Which documents must be encrypted for HIPAA compliance.
Anything that is stored electronically should be encrypted. When you scan a document or image, you can send it directly to an email. You can do the same with faxes, and telephone correspondence may also be transcribed to email. All of these have to be encrypted. Skype, under the Omnibus Rule, is also included. So everything that can be encrypted must be encrypted.
Encrypt information stored on any electronic device.
To safeguard data against theft of devices and hacked servers, it is advisable to keep all patient PHI stored in encrypted form.
Use HIPAA-compliant email.
Health care providers use a third party (like Gmail, Microsoft, or their IT company) for email. HIPAA refers to these firms as "Business Associates." These Business Associates are required to sign an agreement stating that they will protect a patient's confidential information with the same high standards required of the health care provider.
AIMS uses professional HIPAA-compliant e-mail services to make mutual data transfer with the client's back office completely secure, using encryption of mail and uploaded files.
email@example.com and firstname.lastname@example.org are HIPAA-compliant mail addresses.