Soft-Aid Medical Management Systems
HIPAA Resource Center

As healthcare providers face the approaching deadline for meeting the requirements described in the Health Insurance Portability and Accountability Act (HIPAA), SoftAid customers can be assured that we are prepared for the implementation of these changes.  From multi-level security to tracking access to patient information, our products provide the technical resources you need to be compliant with the HIPAA Administrative Simplification Provisions.

SoftAid is closely monitoring every stage of this important piece of legislation, and is ready to assist you in any way we can towards bringing your organization into compliance.  To learn more about what HIPAA is and what it means to you, visit our HIPAA FAQ page.

For an explanation about how medical software systems relate to HIPAA, please read our article titled Understanding The Relationship Between HIPAA & Practice Management Systems, which first appeared in print in the April 2003 edition of  M.D. News.

Countdown to HIPAA Compliancy
The deadline for compliance with the National Provider Identifier Standard is May 23, 2007.

  HIPAA Statement

All SoftAid customers are classified as being covered entities - described as any healthcare provider, insurance plan or clearinghouse - meaning they are subject to the Administrative Simplification provisions of HIPAA. SoftAid, however, is not considered to be a covered entity, but rather is classified as a business associate since there may be occasions where our staff obtains protected health information (PHI) from our customers.

Soft-Aid, Inc. has established a HIPAA readiness team to ensure that our products and customers meet the requirements of the four standards outlined in the Administrative Simplification provisions. We will continue to closely monitor the latest HIPAA developments and requirements, and will implement the necessary changes in all future product releases and upgrades.

Readiness for Electronic Transactions & Code Sets Standards
The Health Insurance Portability and Accountability Act (HIPAA) requires that electronic transactions be conducted in a published compliant format. In particular, the regulations establish a minimum and uniform standard for securely transmitting critical information such as health data and medical information.

SoftAid has completed development of claims and remittance formats using the current American National Standards Institute (ANSI) X12 standards. This transmission standard is included in the current versions of The Medical Office™, The DME Office™ and Manage.MD™. SoftAid has completed ANSI testing with many of the clearinghouses and payers across the country and is continuing to test with other payers on an as-needed basis. To assist covered entities in becoming HIPAA compliant, SoftAid is prepared to send ANSI-formatted claims to those that require that format.

All SoftAid products are in compliance with the code sets standards, as these codes have already been incorporated into our software.

Readiness for Privacy Standards
HIPAA's Privacy Rules, for the most part, do not apply to SoftAid since they are predominately focused on non-electronic issues, such as the disclosure of PHI. However, since there are occasions where SoftAid will receive PHI - for data conversions, for example - we have implemented internal policies and processes that govern how we receive and handle PHI.

Readiness for Security Standards
The Security Rule requires healthcare providers to implement administrative and technical safeguards to ensure the confidentiality, integrity and availability of electronic PHI. The technical safeguards define four action sets that must be implemented to control and monitor the access to PHI.

SoftAid software includes a multi-level security feature that allows network administrators to restrict access to PHI and system functionality on an individual user basis. This security setting enables covered entities to be in compliance with two of the required action sets: establishing unique user identifications and restricting access to PHI only to those with the proper authentication.

Presently, compliance with the remaining two action sets, securing transmissions of PHI and creating audit controls, can be handled outside of our software. The secure transmissions rule was designed to be addressed on an as-needed basis, such as when entities send PHI in e-mails. Additionally, SoftAid is in the process of establishing a more in-depth mechanism to create audit trails than is currently available; however, entities can remain compliant by implementing hardware or procedural methods for providing activity records.

  Breakdown of the HIPAA Administrative Simplification Provisions

The following is a brief explanation of the four parts of HIPAA's Administrative Simplification section.  All deadline dates are courtesy of the Centers for Medicare & Medicaid Services.

  • Electronic Healthcare Transactions and Code Sets
    Compliance deadline:  October 16, 2003. This deadline has been extended. No new deadline has been set.
    Testing deadline:  April 16, 2003 (all covered entities must have started software and systems testing)
    The Electronic Healthcare and Code Sets provision establishes ANSI ASC X12 as the national standard for electronic healthcare transactions.  HIPAA does not require healthcare providers to conduct transactions electronically, but it does require that health plans accept electronic transactions sent in a HIPAA-compliant format.  Examples of electronic healthcare transactions include insurance claims; health plan eligibility, enrollment and disenrollment; payments for healthcare; insurance premiums; claim status checks; and coordination of benefits.
     
    This provision also mandates the adoption of a standard set of codes for diagnoses and services involved in healthcare transactions.  Code sets would be used to describe injuries and illnesses, identify the cause of the problems, and define the remedies administered.
     
    CMS has enacted its contingency plan; however, they have not issued a new compliance date.  Healthcare professionals will be given a 60-day notice prior to the final deadline.  In the meantime, CMS has amended its Electronic Transactions contingency plan.
     
    Effective July 1, 2004, Medicare is modifying its Health Insurance Portability and Accountability Act contingency plan. Providers will still be able to submit non-compliant electronic claims, but payment for those claims will take an additional 13 days.  This means HIPAA-compliant claims received on July 1, 2004 can be paid as early as July 15th, while claims received July 1 that are not HIPAA-compliant can be paid no earlier than July 28th.
     
  • Privacy and Confidentiality Standards
    Compliance deadline:  April 14, 2003 (all covered entities except small health plans)
    Compliance deadline:  April 14, 2004 (small health plans)
    The privacy provisions establish a national standard for the collection, use and disclosure of individually identifiable health information.  This rule defines a patient's control of their medical records; places restrictions on the uses and disclosures of patient information; establishes sanctions for violations of patient confidentiality; and requires an administrative infrastructure to implement and manage these standards.
     
  • Unique Identifiers
    HIPAA regulations specify that four identifiers be used in healthcare transactions to identify employers, health plans, providers, and patients.  The identifiers will be unique for each healthcare organization, and will be assigned and administered using a centralized system.
     
    Employer Identifier - The nine-digit employer identifier will be the same number that is assigned by the Internal Revenue Service.
    Compliance deadline:  July 30, 2004 (all covered entities except small health plans)
    Compliance deadline:  August 1, 2005 (small health plans)
     
    Provider Identifier - Ten-digit numeric identifiers with the tenth digit acting as a check digit.  Healthcare providers can begin applying for IDs starting on May 23, 2005.  The national provider identifier (NPI) number will replace the use of all legacy provider identifiers, including UPIN, and the Medicare, Medicaid and Blue Cross/Blue Shield provider numbers.  The official NPI announcement letter can be viewed at the CMS Web site.
    Compliance deadline:  May 23, 2007 (all covered entities except small health plans)
    Compliance deadline:  May 23, 2008 (small health plans)
     
    Health Plan Identifier - Health plan identifiers have not been issued.
    Compliance deadline:  No date has been announced
     
    Patient Identifier - Codes to identify an individual patient have not been determined.
    Compliance deadline:  No date has been announced
     
  • Security and Electronic Signature Standards
    Compliance deadline: April 21, 2005 (covered providers, claims clearinghouses and most payers)
    Compliance deadline: April 21, 2006 (small payers with annual receipts below $5 million)

    The security regulations define the technical, physical and administrative safeguards required to protect all electronic health information. However, the security standards are extremely broad and allow healthcare professionals to take "addressable" approaches to meet specific rules, an acknowledgement from the government that not everyone runs their office the same way.  This provision is broken down into two parts: administrative procedures and technical procedures.
     
    Organizational Policies, Practices and Procedures - To become compliant you can create a set of policies that detail what your office will do to protect electronic data. Administratively, the policies should be designed to prevent, detect, contain, and correct security violations. The standard does contain four required implementation specifications: risk analysis, risk management, sanction policy, and information system activity review.
     
    Technical Policies, Practices and Procedures - On the technical side, there are four sets of actions that must be implemented to control and monitor the access to information.
    1. All systems must allow for unique user identification and include an emergency access procedure for obtaining electronic data during an emergency.
    2. Two forms of transmission security must be in place, including (a) integrity controls that ensure that electronically-transmitted health information is not improperly modified without detection; and (b) data encryption, particularly over the Internet.
    3. There needs to be some method in place to provide for audit controls.
    4. Procedures should be established to protect patient health information from being altered or destroyed, and must include a mechanism to prove that the data has not been tainted.

  Additional HIPAA Information

The deadline for filing an extension expired on October 15, 2002.  In December 2001, the Administrative Simplification Compliance Act (ASCA) had extended the deadline for compliance from October 16, 2002 to October 16, 2003 for all covered entities – described as any healthcare provider, insurance plan or clearinghouse.

Copyright © 2008 Soft-Aid, Inc.