Privacy, HIPAA & ICD-10 Status


Introduction

HIPAA (the Health Insurance Portability and Accountability Act of 1996) is a federal law whose implementing regulations are issued by the U.S. Department of Health and Human Services (HHS) with input from members of the healthcare industry.  It is designed to protect patient rights and to simplify the complicated web of communication systems the industry uses to pass information from one entity to another.  AOD Software's relationship to HIPAA covered entities (providers and clients) is that of a Business Associate and software vendor.

HIPAA contains a set of standards that all covered entities and Business Associates in the healthcare industry must follow with regard to how information is transferred and protected.  Three main provisions of HIPAA affect AOD Software as a Business Associate and software vendor: the Privacy Regulations, the Security Regulations, and the Transaction Standards.

The Health Information Technology for Economic and Clinical Health Act (HITECH), part of the American Recovery and Reinvestment Act of 2009 (ARRA), widened the scope of Business Associates' responsibility for HIPAA privacy and security protections, making Business Associates directly subject to the Security Rule rather than bound only by contract.  AOD Software revamped and updated its Business Associate Agreement with its clients in 2010 to reflect these changes.


Privacy Regulations

The Privacy Regulations mandate standards for keeping individually identifiable patient data that relates to a person's health, health care, or payment for health care private.  In practice this means that patient data should be visible only on a need-to-know basis.  For AOD Software, the Privacy Regulations dictate how information in our application is secured in order to keep personal patient data private.  AOD Software builds hierarchical levels of security into its applications that allow client system administrators to grant access only to the parts of the system a particular person or staff position needs to use; the person who enters demographic information, for example, may or may not have access to the diagnostic or medical record parts of the system.  Throughout the AOD software, Social Security numbers, insurance information, birth dates and similar identifiers can be masked from individuals who are not authorized to view them.  These application-level controls are only one safeguard: the client remains responsible for assigning each staff member the narrowest role that fits the job, consistent with HIPAA's minimum necessary standard.


Transaction Standards 

The Transaction Standards are a critical focus for AOD Software's current and future software development.  These standards dictate how various forms of EDI (Electronic Data Interchange) are designed and implemented; specifically, they require a standard data format (the ASC X12 transaction sets, of which version 5010 is the currently mandated format) for all covered EDI transactions.  From a business view, EDI is a system for exchanging business documents and information with external entities and integrating them into the company's internal systems.  AOD Software takes into account the effect externally generated information has on client internal systems, and validates the business and clinical information it receives with the appropriate checks and balances before it is integrated, as required under HIPAA and HITECH.


Security Regulations  

The Security Regulations require the adoption of administrative, physical and technical safeguards to protect electronic PHI (Protected Health Information), and mandate specific details as to how electronic information used by the healthcare industry should be stored, transferred and used so as to ensure the confidentiality of individually identifiable data related to a patient's health care.  ARRA (the American Recovery and Reinvestment Act of 2009) and HITECH (the Health Information Technology for Economic and Clinical Health Act, enacted in February 2009) strengthened Business Associates' responsibilities under HIPAA and require them to make comprehensive and sustainable improvements in the day-to-day handling of PHI and PII (Personally Identifiable Information).

In accordance with the HIPAA Security Regulations, AOD Software conducted a risk analysis to determine potential risks to the confidentiality, integrity and availability of electronic PHI created, received, maintained or transmitted with the use of the Answers™ software application.  As a result of the findings from that analysis, changes specifically designed to protect patient data began in the summer 2003 release of the Answers software product and continue with each subsequent version release.


Administrative Safeguards

AOD Software has policies and procedures in place for sanctioning staff members who violate AOD's security policies and procedures.  Additional administrative safeguards are in place at the AOD corporate and remote office locations for data backup, disaster recovery and emergency mode operation plans.

Breach Notification

AOD Software has breach notification procedures under which AOD employees must report a suspected breach immediately, 24 hours a day, 365 days a year.  Should a breach occur, the AOD Security Officer will contact the affected organization/client and work with them to meet the regulatory breach notification reporting schedule.  AOD employees are discouraged from retaining any client PHI; however, it is possible for client PHI to be handled by AOD as part of our business relationship with clients during software application training, implementation and support.  Steps are in place to keep shared PHI secure, including encryption of remote employees' laptops and of the USB flash drives (jump drives) used at client sites.  No breaches of PHI have occurred, and every effort is made by AOD Software to prevent any breach of patient data.


HIPAA Security Officer

Your questions may be addressed to the AOD Software HIPAA Security Officer.

Contact: David Burr, VP of Operations
AOD Software
8100 N. University Drive
Fort Lauderdale, FL 33321


Protecting patient data is a joint responsibility between AOD Software and its clients.  

HIPAA Administrative Simplification Compliance Deadlines

Completed   Date                Deadline
    ✓       April 14, 2003      Privacy Rule - all covered entities except small health plans
    ✓       October 16, 2003    Electronic Health Care Transactions and Code Sets
    ✓       April 14, 2004      Privacy Rule - small health plans
    ✓       July 30, 2004       Employer Identifier Standard - all covered entities except small health plans
    ✓       April 20, 2005      Security Standards
    ✓       August 1, 2005      Employer Identifier Standard - small health plans
    ✓       April 20, 2006      Security Standards - small health plans
    ✓       May 23, 2007        National Provider Identifier
    ✓       May 23, 2008        National Provider Identifier - small health plans
    ✓       January 1, 2012     Version 5010 Transaction format
            October 1, 2013     ICD-10 Code Sets - AOD's ICD-10 progress is well underway.  As with all regulatory changes, AOD is committed to being ICD-10 operational in advance of the regulatory deadline.

Note: the October 1, 2013 ICD-10 date shown above was the compliance date in force when this page was written; HHS subsequently moved it to October 1, 2014 and then to October 1, 2015.