Privacy

ShimodaAtlantic™ actively assures ongoing compliance with all HIPAA privacy requirements both in external clinical studies and internal business operations.

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) is a far-reaching federal law that includes several key components to protect health insurance coverage for individuals when they lose or change jobs, as well as simplify the administrative burden across the healthcare delivery system. The Administrative Simplification (AS) provision of HIPAA is in the process of being implemented and is receiving much attention from providers, health plans, insurers and information clearinghouses. It is specifically designed to reduce the barriers associated with the electronic transfer of health information between organizations and more generally, to increase the efficiency and cost effectiveness of the US healthcare system. In addition, standards for the security and privacy of Protected Health Information (PHI) are included and are being implemented by all those engaged in healthcare delivery and service. This web site has been developed to share additional information on the HIPAA requirements and provide a summary of Quality Oncology’s efforts to comply with all the HIPAA standards.

There are four primary components of HIPAA's Administrative Simplification requirements:

Transaction and Code Set Standards

In order to simplify the exchange of electronic information within the healthcare system, standards have been developed for many of the most common types of transactions including claims payment/status, eligibility and benefit verification, enrollment, authorization/referrals and premium payments. There are currently several hundred different types of these transactions that are exchanged and the intent of the law is to standardize one format for these critical transaction types for use in electronic information exchanges. In addition, standard code sets have been developed to simplify the diagnostic and treatment reporting processes so that a common definition is used across the healthcare system. Reducing the number of formats and code sets utilized is anticipated to reduce the inefficiencies inherent in electronic data interfaces as well as the administrative costs associated with processing the majority of common transactions.

Privacy Standards

Privacy is defined as controlling who is authorized to access information and the right of individuals to keep information about themselves from being disclosed without their consent. The HIPAA regulations address five basic principles of privacy protections:

  • Boundaries – use of protected health information for intended purposes (treatment, payment and healthcare operations) only
  • Security – administrative, technical and physical mechanisms to keep information private
  • Consumer Control – informed consent of individuals to use their information and the right to access and amend information
  • Accountability – penalties for violations of the Privacy Regulations
  • Public Responsibility – process for disclosing information for public health, research and legal purposes

Security Standards

Security is defined as the ability to control access and protect information from accidental or intentional disclosure to unauthorized persons and from alteration, destruction or loss. The HIPAA requirements include three categories of security requirements:

  • Administrative Procedures – operating policies and procedures to ensure the security of protected health information
  • Technical Standards – information system mechanisms to ensure the security of protected health information maintained in electronic form
  • Physical Safeguards – facility controls to ensure the protection of information from unintended access, disclosure or loss.

Unique Identifiers

A key goal of the HIPAA regulations is to assign one unique identifier to each of the following groups:

  • Employers
  • Health plans
  • Providers

Currently, each of these groups may have different identification numbers within the respective systems of the other or even have multiple identifiers. For example, an individual provider may have a different provider number with each health plan that they are contracted with. HIPAA intends to simplify this so that a unique identifier for this provider would be the same no matter who the contracted health plan is.


Privacy Standard

The Final HIPAA Privacy Ruling includes provisions for the confidentiality and protection of Individually Identifiable Health Information (IIHI) and Protected Health Information (PHI). Note that the privacy requirements apply to information exchanged in any medium (electronic, written or oral). There are five key areas covered by the regulations:

Boundaries

    • Information is used for intended purposes only
    • Consumer disclosure is performed

Security

    • Administrative mechanisms (operational policies and procedures) established to keep information private
    • Technical mechanisms (information system protections) established to keep information private
    • Physical mechanisms (facility controls) established to limit access to only those staff having an operational need to view information
    • Each of the above security components is meant to be scalable to the organization that is implementing it and reflects the general operational and technical environment

Consumer Control

    • Informed consent to use information for purposes other than treatment, payment and healthcare operations
    • Right to access and amend information
    • Record of disclosures must be kept and available to members

Accountability

    • Federal penalties (civil and criminal) for violations
    • Effective compliance activities to deter, identify and punish violators

Public Responsibility

    • Process established for disclosing information for public health, research and legal purposes

Security Standard

The Draft Security Ruling includes three primary areas of focus that support the privacy and confidentiality requirements of HIPAA and establish a more consistent information system environment:

Administrative Procedures

    • Certification review of systems and security program (internal or external)
    • Chain of trust agreements with 3rd party trading partners covering the requirements for patient-sensitive information
    • Policies and procedures for all staff to ensure information, personnel and facility security
    • Access authorization controls
    • Proactive internal audits of procedures
    • Personnel authorization
    • Security management process
    • Termination process
    • Employee training

Physical Safeguards

    • Assigned responsibility (Security Officer or staff designee)
    • Media controls over hardware and software
    • Access controls
    • Workstation policies
    • Secure workstations
    • Employee training

Technical Standards

    • Access controls
    • Audit controls
    • Authorization controls
    • Data authentication
    • Entity authentication

(Note that the final security ruling is expected from HHS by 6/30/02 with compliance expected by 8/31/04.)

Unique Identifiers

To help simplify the communication of information within the healthcare industry and reduce the duplication of identifying information, HIPAA includes the use of unique identifiers to process all health encounter and claim information. The Employer Identifier has been finalized and compliance is expected by 7/31/04. The provider and health plan identifiers are expected by the end of the summer of 2002 with compliance expected during the fall of 2004:

Employer Identifier – the Federal Tax ID number currently used by the Internal Revenue Service (9 digits separated by a hyphen, e.g. 00-0000000) will be used to identify employers and employer groups.

National Provider Identifier – a proposed new eight-character alphanumeric or 10-digit numeric identifier (the numeric form carrying a check digit) will be used to identify providers.
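The 10-digit numeric form described above carries a check digit so that a mistyped or transposed NPI is caught before it reaches a claim. The following is an added example, not code from this page or from any HIPAA standard document: it assumes the check-digit method that the final NPI standard adopted, the Luhn formula computed over the nine identifier digits prefixed with the constant 80840 (that prefix and the Luhn choice are not stated on this page). The sample identifiers in the block are constructed for illustration; 123456789 with check digit 3 is the worked case.

```python
# Added example: validate the 10-digit numeric NPI format with its Luhn check digit.
# Assumption (not on the original page): the check digit is the Luhn check digit
# of the nine identifier digits prefixed by the constant "80840", so a 10-digit NPI
# is well-formed when luhn_sum("80840" + npi) is a multiple of ten.

NPI_PREFIX = "80840"  # assumed issuer prefix the NPI standard folds into the Luhn sum


def luhn_sum(digits: str) -> int:
    """Luhn sum: from the right, double every second digit (subtracting 9 if > 9)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total


def npi_check_digit(base9: str) -> int:
    """Compute the check digit for a nine-digit NPI base.

    A placeholder zero stands in for the check-digit position so that the
    doubling pattern lines up exactly as it will in the finished 10-digit NPI.
    """
    if len(base9) != 9 or not base9.isdigit():
        raise ValueError("NPI base must be exactly nine digits")
    total = luhn_sum(NPI_PREFIX + base9 + "0")
    return (10 - total % 10) % 10


def is_valid_npi(npi: str) -> bool:
    """True if npi is exactly ten digits and its check digit is consistent."""
    if len(npi) != 10 or not npi.isdigit():
        return False
    return luhn_sum(NPI_PREFIX + npi) % 10 == 0


def format_npi(base9: str) -> str:
    """Append the computed check digit to a nine-digit base."""
    return base9 + str(npi_check_digit(base9))


if __name__ == "__main__":
    # Constructed sample inputs: one good identifier, one with a wrong check
    # digit, and one with the first two digits transposed.
    for candidate in ("1234567893", "1234567890", "2134567893", "12345678AB"):
        print(candidate, "valid" if is_valid_npi(candidate) else "INVALID")
    print("check digit for 123456789 ->", npi_check_digit("123456789"))
```

Two practitioner caveats. First, a check digit detects accidental errors (single-digit typos and most adjacent transpositions), not forgery: anyone can run `format_npi` on an arbitrary base, so a syntactically valid NPI proves nothing about who submitted a transaction and must never substitute for entity authentication. Second, the eight-character alphanumeric variant mentioned on the page has no check-digit definition stated here, so this block validates only the 10-digit numeric form.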

Health Plan Identifier – a national standard plan identification number will be developed and used to identify health plans. A standard has not yet been proposed.

Last updated August 21, 2004