HIPAA Law



             


Sunday, December 30, 2007

5 Facts About NPI For HIPAA Compliant Electronic Medical Billing Software And Service

The 1996 Health Insurance Portability and Accountability Act (HIPAA) established national privacy and security standards for electronic health care transactions, including a national identifier for providers, health plans and employers. Accordingly, by May 23, 2007, healthcare providers and all health plans and clearinghouses must change both their processes and information systems to implement HIPAA’s National Provider Identifier (NPI) regulations.

Background on the NPI regulation

  • HIPAA mandated regulation
  • Effective nationwide on May 23, 2007
  • The compliance date for health care payers with less than $5 million in annual revenue is May 23, 2008

 

What is the NPI?

  • A unique 10-digit identification number
  • Assigned for life to a provider and de-activated only upon death, retirement, or identity theft
  • Replaces multiple legacy provider identification numbers, including Medicare UPINs, commercial payer IDs and state Medicaid IDs
  • Contains no identifying information related to the provider - randomly generated
  • Independent of key provider information changes, such as practice location or specialty
  • Providers have 30 days to update their NPI record

 

Who is affected by the NPI mandate?

  • Payers
    • Health plans
  • Clearinghouses
  • Providers
    • Organizational providers
    • Individual providers

 

Why is the NPI necessary?

  • NPI delivers two-fold benefits for payers and providers:
    • Simplifies communication and administration
    • Facilitates efficient electronic transmission of certain health information
  • Streamlines detection of billing fraud and abuse
  • Improves debt collection efforts

 

What are the challenges of NPI implementation for payers and providers?

  • Providers and payers must exchange information
  • Technological implementation cost within organizations

 

What should payers and providers do now to prepare for the NPI?


Thursday, December 27, 2007

7 Steps To NPI For HIPAA-Compliant Electronic Medical Billing Software And Service

The Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) mandated the adoption of standard unique identifiers for health care providers, as well as the adoption of standard unique identifiers for health plans. They become mandatory on May 23, 2007.

The purpose of these provisions is to improve the efficiency and effectiveness of the electronic transmission of health information. The Centers for Medicare & Medicaid Services (CMS) has developed the National Plan and Provider Enumeration System (NPPES) to assign these unique identifiers.

CMS has contracted with Fox Systems, Inc. to serve as the NPI Enumerator. The NPI Enumerator is responsible for dealing with health plans and providers on issues relating to unique identification.

HCFA Timetable

Changes in the HCFA 1500 form to accommodate the NPI number took place January 1, 2007. Until March 30, 2007, using NPI number on the HCFA form is optional but as of April 2, 2007, using NPI becomes mandatory.

Getting an NPI is free - Not Having One Can Be Costly: If you delay applying for your NPI, you risk your cash flow.

 

  1. Enumerate: Enumeration is mandatory for both individual providers and organizations and subparts. When applying for your NPI, CMS urges you to include your legacy identifiers, not only for Medicare but for all payors. If reporting a Medicaid number, include the associated State name. This information is critical for payors in the development of crosswalks to aid in the transition to the NPI.
  2. Update: Make sure to upgrade your software, HIPAA Transactions, CMS1500, UB04, and/or Dental claim form changes.
  3. Communicate: Notify your payers once you have obtained your NPI number. As outlined in the Federal Regulation (The Health Insurance Portability and Accountability Act of 1996 (HIPAA)) you must also share your NPI with other providers, health plans, clearinghouses, and any entity that may need it for billing purposes -- including designation of ordering or referring physician.
  4. Collaborate: Check the readiness of your payment partners (such as health plans, TPAs, clearinghouses, etc.). Not all payers are ready to accept the NPI number at this time. Use both your existing (legacy) number and the NPI number when submitting electronic claims.
  5. Test: Test transactions well before the deadline. Make sure to test HIPAA Transactions, e.g., 837 Claims, 835 Remittance Advice, and, if you submit paper claims, verify that the data is printed in the correct fields. The new HCFA form has new fields for identifier numbers on lines 17b, 32a and 33a.
  6. Educate: Focus on staff working on insurance verification of eligibility and claim denial or underpayment follow up.
  7. Implement: Once you obtain your NPI, it might take about 120 days to do the remaining work to use it. This includes working on your internal billing systems, coordinating with billing services, vendors, and clearinghouses, and testing with payers.

Yuval Lirov, PhD, author of Practicing Profitability - Network Effect for Revenue Cycle Control in Healthcare Clinic and Chiropractic Office: Scheduling, SOAP Notes, Care Plans, Coding, Billing, Collections, and Audit Risk (Affinity Billing) and Mission Critical Systems Management (Prentice Hall), inventor of patents in Artificial Intelligence and Computer Security, and CEO of Vericle.net - Distributed Billing and Practice Management Technologies. Yuval invites you to register to the next webinar on audit risk at BillingPrecision.com


Wednesday, December 26, 2007

The Modern Medical Office: Balancing Success, Technology, and HIPAA

The medical field has always depended on technology to improve patient care. Thanks to advances in technology, the administrative functions of healthcare offices have greatly increased their efficiency and improved customer relations. For example, there is technology that allows doctors to share information with offices across the street or across the nation instantly with just a few clicks of the mouse. These advances not only free up hours of paperwork, but also quickly provide information vital to a patient’s care.

The Electronic Medical Office & HIPAA

A clinic can in the end be more profitable by offering these innovative services. Nearly half of the people interviewed in a Forrester Research study said they would be willing to pay more for online features, such as email access to their doctors. (1)

While technology can be tremendously beneficial, there are serious cautions that must be heeded. In 2003, the privacy rule of HIPAA was enacted and the rules governing protected health information (PHI) of patients became far more stringent. The rule governs the way in which information is handled. It requires every level of communication and storage of PHI to be secure and private. (2) Examples of the ways violations occur are:

  • Computer screens visible from the waiting room
  • Files left out around the office
  • PHI not disposed of properly, e.g., not securely shredded
  • Records sent to the wrong home or email address

Since the inclusion of the privacy rule, all modes of communication carry a heavier burden of responsibility, but none more than electronic transmissions. Keeping the information protected when sending emails, which can be intercepted, can in itself be a daunting task.

HIPAA’s Penalties

If an action taken by any employee, whether intentional, unintentional, or simply neglectful, causes PHI to reach an improper recipient, the practice involved could face serious consequences.

  • The civil penalties range from "$100 per incident, up to $25,000 per person, per year, per standard that is violated."(3)
  • The criminal penalties fall into three tiers. The first is up to $50,000 and 1 year in prison, moving up to $100,000 and 5 years, or $250,000 and 10 years in prison.

Each tier of the criminal penalties has different qualifications, culminating in knowingly disclosing PHI with the intent to cause malicious harm. (3)

Keeping Your Practice HIPAA Compliant

It’s important for today’s electronic medical office to have several layers of digital protection. This ensures PHI or any other private information cannot go outside the confines of the practice’s systems without the proper digital rights. These rights can be controlled by moderators or even the sender and dictate what permissions the receiver has.

One large step is to protect your practice from accidentally sending information into the wrong hands. This can be done through email anti-theft solutions, which encrypt the data sent via email. By using these types of programs, the sender may control not only the security of the file but also the subsequent actions that may be carried out by the file’s recipient(s).

Email anti-theft programs allow the user to establish who can view, edit, print and forward these important health records. Permissions set with email anti-theft software stay with the documents once they’ve left the clinic’s computer.

What Happens if My Practice’s Computer is Stolen?

Email anti-theft software can also protect the data on the computer if the machine is ever misplaced or stolen. This can be done through remote laptop security: the victim of the theft logs into the program and remotely blocks access to all protected files on the missing laptop. Without improvement in the means of securing and transmitting their files, many practices will continue to commit violations of HIPAA, losing money and patients along the way.

HIPAA Compliance & Patient Trust

It is obvious that one must comply with HIPAA because of the financial penalties that go with noncompliance. There are however, far better reasons for compliance than avoiding punishment.

HIPAA violations can break the trust between doctors and patients, but compliance along with new technology can strengthen relationships. When patients have new services, such as the ability to ask their doctors questions via email, trust in the doctor is enhanced. This is especially important for small practices, as interpersonal relationships play key roles in the retention of patients.

The advantages of technology will continue to provide new ways of serving patients. As the digital age advances, the computer will increasingly become the focus of record keeping. With industries like medical and healthcare so dependent on keeping detailed yet secure records, it is going to be ever more important to stay current with strong security programs to encrypt and protect files.

 

  1. Bradford J. Holmes, Eric G. Brown, Elizabeth W. Boehm, Lynne Bishop, "Trends In Healthcare Consumer Technology Adoption", Forrester Research, 15 July 2004.
  2. Title 45 Code of Federal Regulations, Pt 164.
  3. United States Department of Health and Human Services, "Protecting the Privacy of Patients' Health Information: Summary of the Final Regulation", 2005. http://aspe.hhs.gov/admnsimp/final/pvcfact1.htm

Michael L. David is a member of the marketing team at Essential Security Software (ESS), the leading provider of email anti-theft software for small business. He is a regular contributor to http://www.Iwantmyess.com


Friday, December 21, 2007

Electronic Medical Billing Software, HIPAA Compliance, and Role Based Access Control

HIPAA compliance requires special focus and effort, as failure to comply carries significant risk of damage and penalties. A practice with multiple separate systems for patient scheduling, electronic medical records, and billing requires multiple separate HIPAA management efforts. This article presents an integrated approach to HIPAA compliance and outlines key HIPAA terminology, principles, and requirements to help the practice owner ensure HIPAA compliance by medical billing service and software vendors.

The last decade of the previous century witnessed the accelerating proliferation of digital technology in health care, which, along with reduced costs and greater service quality, introduced new and greater risks of accidental disclosure of personal health information.

The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 by Congress to establish national standards for the privacy and security of personal health data. The Privacy Rule, written by the US Department of Health and Human Services, took effect on April 14, 2003.

Failure to comply with HIPAA risks accreditation and reputation damage, lawsuits by the federal government, financial penalties ranging from $100 to $250,000, and imprisonment ranging from one year to ten years.

Protected Health Information (PHI)

The key term of HIPAA is Protected Health Information (PHI), which includes anything that can be used to identify an individual and any information shared with other health care providers or clearinghouses in any media (digital, verbal, recorded voice, faxed, printed, or written). Information that can be used to identify an individual includes:

  1. Name
  2. Dates (except year)
  3. Zip code of more than 3 digits, telephone and fax numbers, email
  4. Social security numbers
  5. Medical record numbers
  6. Health plan numbers
  7. License numbers
  8. Photographs

Information shared with other healthcare providers or clearinghouses

  1. Nursing and physician notes
  2. Billing and other treatment records

Principles of HIPAA

HIPAA intends to allow the smooth flow of PHI for healthcare operations, subject to the patient's consent, but prohibits any flow of unauthorized PHI for any other purpose. Healthcare operations include treatment, payment, care quality assessment, competence review and training, accreditation, insurance rating, auditing, and legal procedures.

HIPAA promotes fair information practices and requires those with access to PHI to safeguard it. Fair information practices mean that a subject must be allowed

  1. Access to PHI,
  2. Correction for errors and completeness, and
  3. Knowledge of others who use PHI

Safeguarding of PHI means that the persons who hold PHI must

  1. Be accountable for their own use and disclosure
  2. Have legal recourse to combat violations

HIPAA Implementation Process

HIPAA implementation begins with assumptions about the PHI disclosure threat model. The implementation includes both pre-emptive and retroactive controls and involves process, technology, and personnel aspects.

A threat model helps in understanding the purpose of the HIPAA implementation process. It includes assumptions about

  1. Threat nature (accidental disclosure by insiders? access for profit?),
  2. Source of threat (outsider or insider?),
  3. Means of potential threat (break-in, physical intrusion, computer hack, virus?),
  4. Specific kind of data at risk (patient identification, financials, medical?), and
  5. Scale (how many patient records are threatened?).

The HIPAA process must include a clearly stated policy, educational materials and events, clear enforcement means, a schedule for testing HIPAA compliance, and means for continued transparency about HIPAA compliance. The stated policy typically includes a statement of least-privilege data access (only what is needed to complete the job), a definition of PHI, and incident monitoring and reporting procedures. Educational materials may include case studies, control questions, and a schedule of review seminars for personnel.

Technology Requirements for HIPAA Compliance

Technology implementation of HIPAA proceeds in stages from logical data definition to physical data center to network.


  1. To assure physical data center security, the manager must
    1. Lock the data center
    2. Manage the access list
    3. Track data center access with closed circuit TV cameras to monitor both internal and external building activities
    4. Protect access to the data center with 24 x 7 onsite security
    5. Protect backup data
    6. Test the recovery procedure
  2. For network security, the data center must have special facilities for
    1. Secure networking - firewall protection, encrypted data transfer only
    2. Network access monitoring and report auditing
  3. For data security, the manager must have
    1. Individual authentication - individual logins and passwords
    2. Role Based Access Control (see below)
    3. Audit trails - all access to all data fields tracked and recorded
    4. Data discipline - limited ability to download data

Role Based Access Control (RBAC)

RBAC improves the convenience and flexibility of systems management. Greater convenience helps reduce errors of commission and omission in granting access privileges to users. Greater flexibility helps implement the policy of least privilege, where users are granted only as many privileges as required to complete their job.

RBAC promotes economies of scale, because the frequency of role changes for a single user is higher than the frequency of changes to role definitions across the entire organization. Thus, to make a massive change of privileges for a large number of users with the same set of privileges, the administrator only changes the role definition.

Hierarchical RBAC further promotes economies of scale and reduces the likelihood of errors. It allows redefining roles by inheriting privileges assigned to roles in the higher hierarchical level.

RBAC is based on establishing a set of user profiles or roles according to responsibilities. Each role has a predefined set of privileges. The user acquires privileges by receiving membership in the role or assignment of a profile by the administrator.

Whenever the definition of a role changes, along with the set of privileges required to complete the job associated with that role, the administrator needs only to redefine the privileges of the role. The privileges of all users who hold this role are redefined automatically.

Similarly, if the role of a single user changes, the only operation that needs to be performed is the reassignment of the user profile, which automatically redefines the user's access privileges according to the new profile.
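The data security controls listed earlier (individual authentication, Role Based Access Control, audit trails) and the RBAC mechanics just described can be seen together in a small model. The following is an added example, not code from the original article or from any product it mentions: roles inherit privileges from roles higher in the hierarchy, redefining a role changes the privileges of every user who holds it, reassigning one user's profile changes only that user, and every access decision, allowed or denied, is written to an audit trail. The role, permission and user names are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Set, Tuple

Permission = Tuple[str, str]  # (action, data category), e.g. ("read", "clinical")


@dataclass
class Role:
    name: str
    permissions: Set[Permission]
    inherits: List[str] = field(default_factory=list)  # parent roles higher in the hierarchy


class RBAC:
    """Role-based access control with role inheritance and an append-only audit trail."""

    def __init__(self) -> None:
        self.roles: Dict[str, Role] = {}
        self.user_role: Dict[str, str] = {}  # each user holds exactly one role (profile)
        self.audit: List[dict] = []

    def define_role(self, name: str, permissions, inherits=()) -> None:
        # Defining an existing name again is how an administrator redefines a role;
        # every user holding it picks up the new privileges on the next access check.
        self.roles[name] = Role(name, set(permissions), list(inherits))

    def assign(self, user: str, role: str) -> None:
        """Reassigning one user's profile changes only that user's privileges."""
        if role not in self.roles:
            raise KeyError(f"unknown role {role!r}")
        self.user_role[user] = role

    def effective_permissions(self, role_name: str) -> Set[Permission]:
        """Union of the role's own permissions and those inherited from parent roles."""
        perms: Set[Permission] = set()
        seen: Set[str] = set()
        stack = [role_name]
        while stack:
            name = stack.pop()
            if name in seen:  # guards against a mis-configured cycle in the hierarchy
                continue
            seen.add(name)
            role = self.roles[name]
            perms |= role.permissions
            stack.extend(role.inherits)
        return perms

    def check(self, user: str, action: str, category: str, record_id: str) -> bool:
        """Decide one access request and record it, allowed or denied, in the audit trail."""
        role = self.user_role.get(user)  # an unknown user has no role and is always denied
        allowed = role is not None and (action, category) in self.effective_permissions(role)
        self.audit.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user, "role": role, "action": action,
            "category": category, "record": record_id, "allowed": allowed,
        })
        return allowed

    def denied_events(self, user: str) -> List[dict]:
        """Denied attempts are what a compliance review looks at first."""
        return [e for e in self.audit if e["user"] == user and not e["allowed"]]


def build_demo() -> RBAC:
    """Constructed practice roles (hypothetical names, not from any real product)."""
    rbac = RBAC()
    rbac.define_role("front_desk", {("read", "demographics"), ("write", "scheduling")})
    rbac.define_role("nurse", {("read", "clinical")}, inherits=["front_desk"])
    rbac.define_role("physician", {("write", "clinical")}, inherits=["nurse"])
    rbac.define_role("biller", {("read", "billing"), ("write", "billing")}, inherits=["front_desk"])
    rbac.assign("alice", "front_desk")
    rbac.assign("bob", "nurse")
    rbac.assign("carol", "physician")
    rbac.assign("dave", "biller")
    return rbac


if __name__ == "__main__":
    r = build_demo()
    print(r.check("carol", "read", "demographics", "MRN-0001"))  # inherited via nurse -> front_desk
    print(r.check("dave", "read", "clinical", "MRN-0001"))       # billers never see clinical data
    r.define_role("biller", {("read", "billing")}, inherits=["front_desk"])  # role redefined once ...
    print(r.check("dave", "write", "billing", "INV-0042"))       # ... and every biller loses write
    r.assign("alice", "biller")                                  # one user's profile reassigned
    print(r.check("alice", "read", "billing", "INV-0042"))
    print(len(r.denied_events("dave")))
```

The audit entry is written before the result is returned, so a denied request leaves the same trace as an allowed one; the "all access to all data fields tracked and recorded" requirement is only met if denials are logged too.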

Summary

HIPAA compliance requires special practice management attention. A practice with multiple separate systems for scheduling, electronic medical records, and billing requires multiple separate HIPAA management efforts. An integrated system reduces the complexity of HIPAA implementation. By outsourcing technology to a HIPAA-compliant vendor of a Vericle-like technology solution on an ASP or SaaS basis, HIPAA management overhead can be eliminated (see companion papers on ASP and SaaS for medical billing).

Yuval Lirov, PhD, author of Practicing Profitability - Network Effect for Revenue Cycle Control in Healthcare Clinic and Chiropractic Office: Scheduling, SOAP Notes, Care Plans, Coding, Billing, Collections, and Audit Risk (Affinity Billing) and Mission Critical Systems Management (Prentice Hall), inventor of patents in Artificial Intelligence and Computer Security, and CEO of Vericle.net - Distributed Billing and Practice Management Technologies. Yuval invites you to register to the next webinar on audit risk at BillingPrecision.com


Wednesday, December 19, 2007

HIPAA Products Guide

HIPAA has led to sweeping changes in health care administration and information systems as health care organizations struggle to achieve cost-effective compliance by 2003. All health care entities that process health-related data are required to comply with the U.S. Department of Health and Human Services' (HHS) Health Insurance Portability and Accountability Act of 1996 (HIPAA).

The U.S. Congress designed the Health Insurance Portability and Accountability Act (HIPAA) in 1996. Title I of HIPAA safeguards health insurance coverage for workers and their families when they lose or change their jobs. Title II of HIPAA, the Administrative Simplification (AS) provisions, requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers. The AS provisions also address the security and privacy of health data. The purpose of all these standards is to improve the efficiency and effectiveness of the nation's health care system by encouraging the extensive use of electronic data transactions in health care.

HIPAA is designed to regulate the way all health care organizations electronically exchange sensitive patient data and to protect patients from illegal disclosure of their medical records (whether paper or electronic). It means that if personal information is stored on computer databases, tapes, disks, or transmitted with the assistance of faxes or the Internet, in addition to anything written down or talked about, steps must be taken to ensure a patient’s privacy.

Today a number of HIPAA products and services are being offered both online and offline, such as, online HIPAA training, privacy manuals and template policies, security manuals and template policies, security products, disclosure tracking systems, compliance consulting services, etc. All these products are designed basically to guide you through the formidable transition of HIPAA compliance and help you navigate the complex and tedious regulatory environment created by HIPAA.

The online HIPAA training is a very convenient tool to learn about HIPAA. Moreover, it is available whenever and wherever you have internet access. The privacy manuals and template policies are the workbooks that will lead you through a careful assessment of your company’s Privacy compliance plan. The security manuals and template policies are those workbooks that will guide you through a careful assessment of your company’s Security compliance plan. The security products include network security scanning and automated online backup. The network security scanning or the HIPAA e-probe beats hackers to the punch by vigilantly probing your Internet-connected systems for vulnerabilities before the hackers can find and exploit them.

The automated online backup or the e-backup lets you control the configuration and operation of your entire organization’s backup system from a single location. Monitoring and administration of all backup and recovery tasks are controlled from a single workstation. The disclosure tracking systems are those software programs that are designed and developed to address the requirement of covered entities (health care providers, payers, and clearinghouses) to record the required elements for the patient's right to an accounting of disclosures. The compliance consulting services include onsite consulting services and the business associate certification.

Mansi Aggarwal recommends that you visit HIPAA products for more information

Monday, December 17, 2007

HIPAA and the Internet: Requirements for Intranet Collaboration Software

Sharing private health information over the internet can be a risky business. Unfortunately, as people become accustomed to doing most if not all of their personal business online, the demand for accessing this information online will grow to the point that health care providers will have no choice but to either provide access to this private health information or lose their customers.

The Health Insurance Portability and Accountability Act (HIPAA) was enacted to assure the confidentiality of patient information. This requires that health care providers employ stringent measures to assure that information shared on the internet is protected from unauthorized access.

The HIPAA Act requires health-providing entities to:

  • Assign responsibility for security to a person or organization.
  • Assess security risks and determine the major threats to the security and privacy of protected health information.
  • Establish a program to address physical security, personnel security, technical security controls, and security incident response and disaster recovery.
  • Certify the effectiveness of security controls.
  • Develop policies, procedures and guidelines for use of personal computing devices (workstations, laptops, hand-held devices), and for ensuring mechanisms are in place that allow, restrict and terminate access (access control lists, user accounts, etc.) appropriate to an individual's status, change of status or termination.
  • Implement access controls that may include encryption, context-based access, role-based access, or user-based access; audit control mechanisms, data authentication, and entity authentication.

This law has serious implications for organizations that allow unauthorized access resulting in a breach in confidentiality.

Security is the key

Since the HIPAA law provides for both civil and criminal penalties for violations, data and access security is of the utmost importance. To assure HIPAA compliance, online document management must include a number of security features:

  • Secure web server – a server running Secure Sockets Layer (SSL) is the minimum needed.
  • Encrypted database – all data must be encrypted. Software is available that will encrypt all data sent between two computers over the internet.
  • Secure access control – in addition to a traditional user id and password, it may be a good idea to use a strong password or smart card as additional security.
  • Session timeout – this assures that confidential data is not left on an unattended screen.
  • Server monitoring – the secure web server needs to be strictly monitored to detect break-in attempts.
  • Regular security audits – regular audits are required to make sure all security precautions are working properly.
  • Personnel – system maintenance should be in the hands of qualified personnel familiar with HIPAA requirements.

Rick Mosenkis is the President and CEO of Trichys, the creators of WorkZone hosted intranet and extranet software, including a higher-security version for HIPAA compliance. With customers around the world, among large and small companies, Trichys develops easy-to-use web-based software that allows non-technical business professionals to leverage the power of the Internet without IT support.


Friday, December 14, 2007

HIPAA in a "Nutshell" - Guidelines for EMR and Paper Medical Records Compliance

HIPAA in a “nutshell”

There are two HIPAA rule requirements: privacy (2003) and security (2005). Both rules require:

-Identifying possible threats,
-Assessing specific vulnerabilities,
-Determining appropriate and reasonable safeguards and
-Implementing the necessary defense mechanisms and policies.

Using an EMR (electronic medical record) involves no absolute rights and wrongs in either computer equipment or software for HIPAA compliance. Usually there are four areas to examine:

-Physical Security – can your computers with patient data be stolen?
-User Security - can anybody log on to the patient database?
-System Security – what happens on a hard drive crash?
-Network Security – can unauthorized persons outside your facility access patient data?

Using paper medical records raises similar questions:

-Physical Security – how secure are the files from fire and theft?
-User Security - what access controls and logging is there?
-System Security – what happens in a fire or flood?
-Storage Access – are the files in a locked, secure area?

There are HIPAA penalties

The civil monetary penalty is up to $100 per person record per violation and up to $25,000 per year total for the same type of violation. There are 30 days to correct the problem if it is not due to willful neglect.

The criminal penalties are for “misuse” and for obtaining or using health information by “false pretenses” or with the intent to sell, transfer or use it for commercial advantage, personal gain or malicious harm. These penalties are up to $250,000 and five years in jail.

Currently there is no real effective enforcement body.

HIPAA compliance "thumb rules"

With an EMR most of the requirements are common sense and providers do not need to be overly concerned but do require some basic steps like:

-Put your computer server in a secure room, locked,
-Use an EMR with user management and permissions,
-Make regular back-ups and store them in a secure place and
-Employ a computer specialist.

Most medical practices and clinics using paper records need to make physical changes to be HIPAA compliant. If you continue to use paper, there are a myriad of physical complexities to consider:

-How to monitor staff access,
-Fire and flood protection (insurance is not enough)
-A disaster plan (that has been documented and practiced.)

Finally, if a legal case is brought forward, a provider, to protect themselves, should have a trail of how the patient's individual information was accessed. For paper records this means at a minimum a monitored sign-out sheet, and for an EMR, user logging of patient file access.

Michael Milne is the CEO of BrunMed, Inc. (http://www.brunmed.com), the developer of Medscribbler, the first handwriting embedded EMR for the Tablet PC. Visit http://www.medscribbler.com for more information on a handwriting enabled EMR.


Wednesday, December 12, 2007

Deriving Due Care Practices from HIPAA and GLBA

Recent years have shown a trend in corporations being held responsible for information security negligence. In particular, the Federal Trade Commission (FTC) and the Attorney General of New York have been actively pursuing companies that fail to follow effective security practices. Many high-visibility cases illustrate how companies are being required to implement stronger security controls, the Guess case being a good example.

In June 2003, Guess, Incorporated agreed to settle FTC charges that it exposed consumers' personal information to commonly known attacks by hackers, contrary to the company's claims. "Consumers have every right to expect that a business that says it's keeping personal information secure is doing exactly that," said Howard Beales, Director of the FTC's Bureau of Consumer Protection. The settlement required that Guess implement a comprehensive information security program that would be certified as meeting or exceeding the standards in the consent order by an independent professional within a year.

The Problem

A key reason why corporations demonstrate poor or inconsistent information security controls is the lack of a widely accepted and comprehensive set of good security practices. Standards bodies such as the U.S. National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO) publish security standards with varying degrees of corporate acceptance and use. The Information Systems Security Association (ISSA) has identified the need for a universally agreed-upon collection of essential security practices and is currently developing the Generally Accepted Information Security Principles (GAISP)--although how well accepted these principles will be upon publication remains to be seen.

The Health Insurance Portability and Accountability Act (HIPAA) Final Security Rule and the Gramm Leach Bliley Act (GLBA) Interagency Guidelines are customer privacy laws specifying the security rules that must be followed by the healthcare and financial services industries respectively. If entities covered by these laws fail to follow the required security practices they may not only be exposing their customers' private information but may also be subject to regulatory penalties and fines. These laws, in essence, define information security due care standards--the security practices that must be followed to avoid liability--for the healthcare and financial services industries. The entities covered by these laws, however, only represent approximately 25% of the U.S. Gross Domestic Product. Other industries must rely upon their best judgment to protect customer information--clearly not an effective approach as the cases mentioned earlier demonstrate.

Most companies certainly want to do the right thing and protect their customers' information, but avoiding legal liability and harm to their reputation are also factors that motivate them to implement appropriate information security controls. While most corporate information security professionals probably think they understand how to protect customer information, many wouldn't be comfortable attesting that their practices would protect their employer from liability. Lacking a commonly accepted set of security practices, many corporate information security professionals are uncertain how to secure customer information in a way that also limits their company's liability.

Proposed Solution

The best approach for companies that wish to protect their customers' information and potentially avoid liability is to implement the security practices required by both HIPAA and GLBA. There are 12 security practices in common between these two customer privacy laws. By following these 12 practices, companies will be practicing information security due care and can potentially avoid liability. Indeed, all of the security requirements mandated in the settlements of the cases mentioned earlier are among the 12 practices in common between HIPAA and GLBA.

What is Due Care?

Companies that handle the personal information of their customers may be breaking the law and not know it, as evidenced by the Guess case. This ignorance may partly stem from the substantial gaps in the computer crimes that can be prosecuted under the federal criminal code and individual state criminal statutes. Federal and state criminal statutes are slow to evolve to adequately prosecute crimes based on the fast-changing technology of information systems. Companies and information security professionals may find little direction in criminal codes and statutes to help them avoid inadvertently breaking the law when it comes to protecting their customers' personal information.

Since there is little guidance for companies to follow when it comes to avoiding criminal or civil liability or harsh settlements from the FTC, they need to consider how legal standards are created in the first place. Legal standards are developed based on the concept of due care, which is the care that an ordinarily prudent person would have exercised under the same or similar circumstances. Failure to practice due care is equivalent to demonstrating negligence. Companies that demonstrate negligence relative to their information security practices are susceptible to lawsuits, fines, and other sanctions, whereas companies that practice due care should be largely protected from such punishments.

Where to Find Due Care Information Security Practices

Companies that wish to find due care information security practices need look no further than two major federal laws that regulate the protection of customer information: HIPAA and GLBA. While both HIPAA and GLBA enacted a lot more than just customer privacy requirements, they have both spawned substantial regulatory guidance on security controls for protecting customer information. The regulations for HIPAA are called the Final Security Rule and those for GLBA are referred to as the Interagency Guidelines.

While some of the requirements in these regulations are industry-specific, there is a lot of commonality between the two. In particular, 12 security practices were found in both the HIPAA Final Security Rule and the GLBA Interagency Guidelines. The fact that these two sets of regulations intersect in 12 places is no coincidence. This is a clear signal from the federal government of the level of due care it expects the country's health care providers and financial institutions to practice. If these are the standards of due care that must be practiced by industries that represent about a quarter of the country's GDP, it stands to reason that other industries will be expected to follow these same practices.

HIPAA & GLBA Security Due Care Practices in Common

The 12 security practices in common between HIPAA and GLBA are all "high-level" practices. There are no specific technology controls. Some practices are required while others are required only if a risk assessment conducted by the entity determines that the practice is appropriate.

The HIPAA Final Security Rule and the GLBA Interagency Guidelines were designed to provide guidance to senior management. How the practices are implemented is left largely up to the companies to determine.

Following is the list of the 12 security practices in common between HIPAA and GLBA (please refer to the HIPAA/GLBA Due Care Practice Matrix in the Laws and Regulations section of the OpenCSOProject for detailed analysis and references):


  1. Assess and Control Risk
  2. Assign Security Responsibility
  3. Appropriate Access and Authorization
  4. Security Awareness and Training
  5. Incident Response and Reporting
  6. Disaster Recovery
  7. Security Evaluation
  8. Vendor Contracts
  9. Facility Access Controls
  10. Data Integrity Controls
  11. Encryption
  12. Security Monitoring Procedures


Validation from Recent Enforcement Actions

If the companies in the FTC settlement cases mentioned earlier had faithfully implemented these 12 practices, they would not have suffered any penalties and their customers’ information would have been protected. For instance, in the Guess case, the FTC ordered Guess to:


  • Designate an employee or employees to coordinate and be accountable for the information security program (HIPAA/GLBA Due Care Practice #2: Assign Security Responsibility);
  • Identify material internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks. At a minimum, this risk assessment must include consideration of risks in each area of relevant operation. (HIPAA/GLBA Due Care Practice #1: Assess and Control Risk);
  • Design and implement reasonable safeguards to control the risks identified through risk assessment, and regularly test or monitor the effectiveness of the safeguards' key controls, systems, and procedures. (HIPAA/GLBA Due Care Practice #7: Security Evaluation);
  • Evaluate and adjust its information security program in light of the results of testing and monitoring, any material changes to its operations or business arrangements, or any other circumstances that Guess knows or has reason to know may have a material impact on its information security program. (HIPAA/GLBA Due Care Practice #7: Security Evaluation)


These four requirements would have been fulfilled by following just three of the 12 HIPAA/GLBA Due Care Practices: Assess and Control Risk, Assign Security Responsibility, and Security Evaluation. The other settlement cases had similar requirements, also covered by the HIPAA/GLBA Due Care Practices. It is clear that the security practices required by both HIPAA and GLBA establish a basis of due care.

Conclusion

Companies are finding that they will pay the price for not maintaining strong security controls and protecting their customers' information. They must proactively implement and maintain prudent security processes to demonstrate that they are practicing due care. Until a universally accepted set of information security practices is produced, the best approach for companies is to implement the security practices required by both HIPAA and GLBA.

Marc R. Menninger is a Certified Information Systems Security Professional (CISSP) and is the founder and site administrator for the OpenCSOProject, a knowledge base for security professionals. To download security policies, articles and presentations, click here: Security Officer Forums.


Sunday, December 9, 2007

The Need for HIPAA Compliant Medical Billing Software

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) includes seven sets of rules that will affect your practice. The Department of Health and Human Services, or DHHS, issues these in the form of a "Notice of Proposed Rule Making" or NPRM. Every practice, regardless of size, must comply with HIPAA privacy, security and transactional regulations. Moreover, adherence to all subsequent regulations is also required. This covers almost everything in your practice, including your medical billing software.

When you are shopping for medical billing software, ask how and for whom the system was designed, and whether the data will be safe and secure on backed-up, protected, HIPAA-compliant servers accessible only to authorized persons. Look for companies that provide free updates to ensure continued efficiency and HIPAA compliance. The new HIPAA standards require huge changes to how healthcare organizations deal with their patient information, including coding, security, patient record management, reimbursement and care management. HIPAA's provisions include stringent standards for the uniform transfer of electronic data, including routine changes and billing.

Clearly your approach to HIPAA medical billing software must include a serious investigation of software security. Most computer experts will agree that there is no such thing as absolute computer or software security, so working closely with your HIPAA software providers to help determine data deficiencies is a good idea. HIPAA compliant medical billing software can be easily expanded to meet future needs, and can be targeted directly to the size and complexity of your practice. Options for new HIPAA compliant software have never been better, as there is unlimited scalability, a wide range of customization choices, and a large selection of useful features that will prevent the patients' privacy from being compromised.

Innovations in the technology of medical billing software have created a new criterion for digital precision. Make certain that the HIPAA compliant medical software package you choose includes all finalized aspects of HIPAA to guarantee full compliance with HIPAA standards as they relate to the electronic transfer of protected health information. The regulations themselves took effect in February 2003, and affect every medical practice in the United States. Effective April 2005, HIPAA mandates security measures to physically and electronically secure electronic protected health information (PHI) against unauthorized retrieval, reliably store the electronic data, and provide for emergency access to the data.

Since most medical billing software packages are now designed to be HIPAA compliant, it is just a matter of choosing the right software for your practice, and your medical billing software will run as smoothly and efficiently as ever.

Medical Billing Software Info provides comprehensive information about medical insurance billing software, HIPAA compliant medical billing software, easy and free medical billing software, and medical billing software prices and reviews. Medical Billing Software Info is the sister site of Medical Billing Web.


Thursday, December 6, 2007

Alert: New HIPAA Rules Could Affect Your Organization's Email System

On April 21, 2005, a new Health Insurance Portability and Accountability Act (HIPAA) security rule went into effect. The requirements of this rule, which are basically information security best practices, focus on the three cornerstones of a solid information security infrastructure: confidentiality, integrity and availability of information.

The HIPAA regulatory requirements encompass transmission, storage and discoverability of Protected Health Information (PHI). Given the widespread use and mission-critical nature of email, enforcement of HIPAA encryption policies and the growing demand for secure email solutions, email security has never been more important to the healthcare industry than it is right now.

Although many assume it applies only to health care providers, HIPAA affects nearly all companies that regularly transmit or store employee health insurance information. HIPAA was signed into law in 1996 by former President Bill Clinton, with the intent of protecting employee health and insurance information when workers changed or lost their jobs. As Internet use became more widespread in the mid-to-late 1990s, HIPAA requirements overlapped with the digital revolution and offered direction to organizations needing to exchange healthcare information.

HIPAA in the Workplace
Collaboration between employers and healthcare professionals has grown increasingly digital, and email has played an ever-increasing role in this communication. However, email's increased importance can lead to severe consequences unless proper security and privacy measures are implemented.

In addition to the usual concerns about privacy and security of email correspondence, even organizations that are not in the healthcare industry must now consider the regulatory compliance requirements associated with HIPAA. The Administrative Simplification section of HIPAA, which, among other things, mandates privacy and security of Protected Health Information (PHI), has sparked concern about how email containing PHI should be treated in the corporate setting. HIPAA, as it relates to email security, is an enforcement of otherwise well-known best practices that include:

* Ensuring that email messages containing PHI are kept secure when transmitted over an unprotected link

* Ensuring that email systems and users are properly authenticated so that PHI does not get into the wrong hands

* Protecting email servers and message stores where PHI may exist

Organizations regulated by HIPAA must comply and put these practices in place. However, the need to comply with regulations puts particular pressure on the healthcare industry to enhance its use of technology and "catch up" with other industries of similar size and scope.

Privacy and Email Security
The privacy protection provisions in HIPAA pose a major compliance challenge for the healthcare industry. These provisions are intended to protect patients from disclosure of any of their individually identifiable health information. Organizations that fail to protect this information face fines ranging from $10,000 to $25,000 for each instance of unauthorized disclosure. If the disclosure is found to be intentional, HIPAA provides for fines ranging from $100,000 to $250,000 and possible jail time for individuals involved in the violations.

The clock is ticking – it’s time to get started
Bringing an enterprise into compliance with the rules set by HIPAA can seem like a very daunting task to even the most experienced executives. Nonetheless, the growing dependence on email as a mission-critical application requires that your organization implement comprehensive security and privacy policies – and soon. A solid combination of security policies and the technologies to enforce those policies can ensure improved security as well as HIPAA readiness and ongoing adherence.

Dr. Paul Judge is a noted scholar and entrepreneur. He is Chief Technology Officer at CipherTrust, the industry's largest provider of enterprise email security solutions. Learn how to make your email system comply with HIPAA regulations by visiting http://www.ciphertrust.com.


Monday, December 3, 2007

Health Insurance; COBRA; OBRA; HIPAA; Medicare; Definitions, Relationships

Health Insurance; COBRA; OBRA; HIPAA; Medicare. If asked, could you state that you knew that all 5 of these topics had the same thing in common: medical insurance coverage for you and, perhaps, your family? Would you know the qualifications for each? Well, in this article, we will discuss them. For a timeline that depicts, graphically, the time relationship between them, please see the timeline in www.disabilitykey.com.

HEALTH INSURANCE Coverage from Work

If we are lucky, we, and/or our spouse, work for a company that provides, as a benefit, health insurance coverage for us and our family. If so, we are very lucky. Even if that is true, there are some key things that you might want to look at to see if you have ENOUGH coverage.

1) From your Human Resources Department (or wherever else you would go to get information about your health insurance) get what is called a "Summary Plan Description" (SPD). This document should be kept where you can always find it, as it contains all the information you will need about what your insurance covers and what it doesn't.

2) Look up "Coverage" and "non-coverage" in your SPD.

These will tell you what your plan covers and doesn't cover. You need to see if, perhaps, you or one of the covered members of your family has a condition or circumstance that might not be covered, where you need additional coverage. For example, let's say that your family has a history of cancer; perhaps your plan restricts the number of hospitalization days for care; or, restricts the days per condition. In this case, (like my children) you might want to get additional "cancer insurance" (I think that AFLAC might provide this type of coverage).

It would be a good idea to contact a Health Insurance benefit Broker and ask him/her to read your SPD and see if you have any gaps in coverage. They then can help you supplement coverage BEFORE YOU NEED IT!

NO HEALTH INSURANCE COVERAGE

You might be one of the growing number of members of our society that, through one circumstance or another, does NOT have health insurance coverage for your family. In this case, I strongly encourage you to contact a Health Insurance Broker and get immediate coverage of what is called "catastrophic" (not sure if I spelled this correctly) coverage. In this type of coverage, you will generally have large deductibles, but will have coverage if, say, one of you has to go into the hospital.

CONTACTING A BENEFITS INSURANCE BROKER

Whenever you call or email a Health Insurance Broker, it is very important to prepare ahead of time. WHAT, specifically, are you looking for? How much can you afford to pay every month? What circumstances do you want to make sure that your family is covered for? In this way, you can make sure to focus on your critical needs.

COBRA

COBRA is an acronym (how can I spell acronym correctly, yet not be sure that I spelled catastrophic correctly?) that stands for: Consolidated Omnibus Budget Reconciliation Act. Basically, it is a federal law that allows you, if you no longer work for a company, to keep paying for that company's health insurance as an active member for, generally, 18 additional months.

1) COBRA is "triggered" (that is, you, or a covered member of your family, become eligible for COBRA) by events such as the following: resignation from the company; termination (FOR ANY REASON) from the company; divorce of a spouse; a covered child's birthday makes them ineligible for coverage. These are the main "triggering" events for COBRA.

2) Now, when eligible for COBRA, you will be asked to pay for 100% to 105% of the company's employee/employee and family coverage amount. You should get a letter from your company explaining what that amount will be. BEFORE YOU DECIDE TO TAKE COBRA, there are some important things for you to consider.

What will be your cost, and what will be the coverage for that cost? Sometimes the cost is too much for the coverage. In these cases, you might want to select HIPAA coverage, instead (see HIPAA below).

Or, you might just want to get catastrophic coverage as was mentioned earlier, and wait for full coverage under your next job.

Part of this decision should be whether or not you or a member of your family has what is called a "pre-existing condition."

Here again, before automatically taking COBRA, it would be wise to contact a Benefits Insurance Broker and give him/her all of your options, and get their input. I have worked extensively with a Benefits Insurance Broker, and he is absolutely fantastic!

OBRA

What, you ask, is OBRA? I've never heard of it, you say, and no one I know has heard of it either! Well, that's because, 99% of Human Resource or Benefit folks that I know have never heard of it! OBRA is a federal law that was passed that extends COBRA for an additional 11 months FOR DISABILITY PURPOSES ONLY!! Why, you ask, is this important? Thanks for asking, let's see if I can explain.

If you are as naive (did I spell this wrong too? sorry!) as I was when I first started looking to bridge my health insurance from working to Medicare, I assumed that when I got through all of the hoops to qualify for SSDI (Social Security Disability Insurance) I'd IMMEDIATELY be eligible for Medicare, RIGHT??? WRONG!!!!

When you FINALLY qualify for SSDI, you have to wait for 5 months before you get your first check. AND, the rules state that, you are eligible for Medicare 2 years (24 months) FROM THE DATE OF YOUR FIRST SSDI PAYMENT. Well, if you add 24 + 5 you get, 29 months between qualifying for SSDI, and Medicare coverage.

OK, I said earlier that COBRA is for 18 months of coverage. Well guess what 18 months of COBRA + 11 months of OBRA equal - 29 months!

BUT, there are two catches to OBRA; first of all, you have a small window of 30 - 60 days to apply ( this window opens the date of your SSDI approval); and, it can cost up to 150% of your plan coverage amount. BUT, if you have a "previously existing condition" this might be the best way for you to proceed.

Again, it is important to contact a Health Insurance Broker to help you with the risk/cost ratio of all of these situations.

It is also important to know all of these deadlines as you plan to ensure that you and your family have important health insurance coverage.

HIPAA

HIPAA is a federal law that is called, briefly, the "portability" law for health insurance. What that means is that when you leave a group (read company-paid plan), the carrier that provided that plan, must offer to you, another plan, different from COBRA, when you leave the group coverage. Generally this will be what is called a "bare bones" plan. Again, the best thing for you to do is to call/email a Health Insurance/Benefits Broker with all of your information: SPD, COBRA info, HIPAA info, needs, cost limits, and let him/her help you find the optimum plan coverage for you.

MEDICARE

OK, now, finally, we've reached Medicare! BUT (you really didn't think it would be that easy, did you?) if you have qualified for Medicare because of disability, there are RESTRICTIONS (of COURSE there are!).

First of all, if you are qualifying for Medicare because of disability, you are probably under the age of 65 - normal retirement age.

Medicare coverage does NOT cover prescription drugs, which those of us with disabilities probably need, and which cost a lot.

But, Congress prescribed that states (all but 11) offer what is called "Medicare supplement" plans, some of which do offer prescription coverage. BUT, these plans ARE NOT REQUIRED TO, and do not, offer the Medicare supplement plans that include prescription coverage to folks who qualify under age 65! So, if you are qualifying because of disability, your medical insurance plan doesn't cover one of your primary cost expenditures!

Here again is where you need to contact a health insurance/benefit broker. Again, he/she can work with you, and your specific circumstances, to get you the coverage you need.

Hope that this information was helpful to you. If you have any questions, please feel free to ask them by commenting on this blog, and I'll be happy to get you an answer.

About Disabilitykey.com & Carolyn Magura:

Disabilitykey.com is a website designed to assist each person in his/her own unique quest to navigate through the difficult and often conflicting and misleading information about coping with disabilities.

Carolyn Magura, noted disability / ADA expert, has written an e-Book documenting the process that allowed her to:

a) continue to work and receive her “full salary” while on Long Term Disability; and

b) become the first person in her State to qualify for Social Security Disability the FIRST TIME, in UNDER 30 DAYS.

Click here to receive Carolyn's easy-to-read, easy-to-follow direct guide through this difficult, trying process. If you are disabled, don't let this disabling process disable you. Read Carolyn's Disability Key Blog.

