HIPAA

FirstEMR is fully compliant with the requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA)…

The Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) were established to reduce the costs of healthcare administration, protect individual privacy, and secure health care information. The virtual medical practice management system from FirstEMR™ adheres to all of the standards. Our medical practice software has endured rigorous testing and meets strict internet security requirements. The HIPAA provisions, which create uniform standards for the handling and transmission of individually identifiable healthcare information, can be broken down into four separately defined standards:

  • Electronic Transactions and Code Sets Standards

    This rule establishes a uniform format for sending and receiving electronically transmitted healthcare information, such as claims, eligibility information and payments. It mandates the adoption of a standardized set of codes used to describe injuries and illnesses, identify the cause of the problems, and define the remedies administered. This is one of the rules most obviously applicable to FirstSuite’s virtual medical office management. It is one that our development team was keenly aware of, and one whose requirements they adhere to strictly.
  • Privacy Standards

    These regulations define a patient's control of their medical records, including restrictions on the access, uses, and disclosures of their personal and medical information. They also impose stringent safeguards to protect paper-based medical records, and require that a "Notice of Information Practices" be given to patients outlining how the healthcare organization plans to use and safeguard all health information gathered. Electronic security measures and safeguards are in place in the FirstEMR™ programming to ensure that sensitive information remains private, whether paper-based or not.
  • Security Standards

    Both the security and privacy standards share a number of common themes, primarily with regard to the safety of patient information. For example, the rules require the implementation of physical and technological safeguards to protect the security of electronically stored health information. The aforementioned technological safeguards are a hallmark of our programming, and you can rest assured the utmost attention has been given to issues of security.

Medical Privacy Rule

The second part deals with the Medical Privacy Rule (OCR). The goal of OCR is to establish national standards that protect the privacy of Personal Health Information (PHI); it went into effect April 14th, 2003. This has been much more difficult to implement because of its impact on workflow patterns that are ingrained in practices. Simply considering the many areas in a practice where "casual views" of patient data are possible (sign-in sheets, computer screens, reports, schedules, etc.), and knowing that this is just one step in compliance, gives one an idea of the enormity of the task. Computers, particularly an integrated EMR system, are one of the keys to achieving this compliance, and e-MDs Solution Series is being developed with this in mind. Features that help healthcare providers comply with OCR include:

  • Automatic timeouts suspend use of the applications when there is no activity for a certain time period. The timeout protects against casual views of patient data, and also improves the accuracy of audit trails. Re-activation of each application requires an authorized username/password combination to be entered at the workstation.

  • Role and Rule-based security determines who can access the system, and which features of the system group members may use.

  • The scheduler has an option to show only initials instead of patient names. This is a view of data that is commonly left open on many terminals.

  • Audit trails constantly track user activity by type. Importantly, the audit trails are perpetual, not just the last activity on an account.

  • Consent master forms can be stored in the master documents folder for easy access. Once filled out and signed by patients, a scanned copy can be kept in the specific patient file. This is one of the rules that were relaxed slightly, so that consent would not be required for every visit. This would also apply to those covered entities that perform various marketing activities requiring an individual's consent.
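The following is an added illustration, not code from FirstEMR, FirstSuite or e-MDs, of how four of the controls listed above fit together in a single workstation session: an inactivity timeout that requires the user's credentials again before work resumes, a role matrix that decides which features a user may use, an audit trail that is appended to and never pruned, and a schedule view that shows initials instead of names. Every name, the 600-second timeout, the role matrix and the sample users and patient identifiers are assumptions constructed for the example.

```python
"""Added illustration (not FirstEMR or e-MDs code) of an inactivity timeout,
role-based access, a perpetual audit trail and an initials-only schedule view.
Every name and value here is assumed."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

IDLE_TIMEOUT_SECONDS = 600  # assumed local policy value

# Assumed role matrix: the features each role may use.
ROLE_PERMISSIONS = {
    "physician": {"view_chart", "edit_chart", "view_schedule"},
    "front_desk": {"view_schedule"},
}


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple[bytes, bytes]:
    """PBKDF2-SHA256 with a random salt; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class AuditEvent:
    ts: float
    user: str
    action: str
    outcome: str
    patient: Optional[str] = None


class Workstation:
    """One logged-in workstation. The audit list is append-only and never pruned."""

    def __init__(self, user: str, role: str, password: str, now: float):
        self.user, self.role = user, role
        self.salt, self.digest = hash_password(password)
        self.last_activity = now
        self.locked = False
        self.audit: list[AuditEvent] = []

    def _log(self, ts: float, action: str, outcome: str, patient: Optional[str] = None) -> None:
        self.audit.append(AuditEvent(ts, self.user, action, outcome, patient))

    def _check_timeout(self, now: float) -> None:
        """Lock the session if it has been idle longer than the policy allows."""
        if not self.locked and now - self.last_activity > IDLE_TIMEOUT_SECONDS:
            self.locked = True
            self._log(now, "auto_timeout", "locked")

    def unlock(self, now: float, password: str) -> bool:
        """Re-activation after a timeout requires the user's credentials again."""
        _, digest = hash_password(password, self.salt)
        ok = hmac.compare_digest(digest, self.digest)
        if ok:
            self.locked = False
            self.last_activity = now
        self._log(now, "unlock", "granted" if ok else "denied")
        return ok

    def request(self, now: float, feature: str, patient: Optional[str] = None) -> bool:
        """Authorise one action: the session must be active and the role must allow it."""
        self._check_timeout(now)
        if self.locked:
            self._log(now, feature, "denied:locked", patient)
            return False
        if feature not in ROLE_PERMISSIONS.get(self.role, set()):
            self._log(now, feature, "denied:role", patient)
            return False
        self.last_activity = now
        self._log(now, feature, "granted", patient)
        return True


def schedule_view(appointments: list[tuple[str, str]], show_initials: bool = True) -> list[str]:
    """Render a schedule; by default patient names are reduced to initials."""
    rows = []
    for slot, name in appointments:
        label = "".join(p[0].upper() + "." for p in name.split()) if show_initials else name
        rows.append(f"{slot} {label}")
    return rows


def demo() -> list[AuditEvent]:
    """Constructed walk-through with assumed users and patient ids; returns the audit trail."""
    ws = Workstation("drlee", "physician", "correct horse", now=0.0)
    ws.request(10.0, "view_chart", patient="PAT-0001")     # granted
    ws.request(1000.0, "edit_chart", patient="PAT-0001")   # idle > 600 s: locked, denied
    ws.unlock(1001.0, "wrong")                              # denied
    ws.unlock(1002.0, "correct horse")                      # granted
    ws.request(1003.0, "edit_chart", patient="PAT-0001")   # granted
    desk = Workstation("frontdesk1", "front_desk", "pw", now=0.0)
    desk.request(5.0, "view_chart", patient="PAT-0001")    # denied by role
    return ws.audit + desk.audit


if __name__ == "__main__":
    for event in demo():
        print(event)
    print(schedule_view([("09:00", "Jane Q Doe"), ("09:15", "John Smith")]))
```

Denied attempts are logged with the same detail as granted ones, which is what makes the trail useful for review: a lockout followed by a failed unlock is visible as a sequence rather than a gap.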

The Relationship between Software and HIPAA

The most important thing to remember when establishing the relationship between practice management systems and the HIPAA regulations is that not all of HIPAA's rules apply to medical software. Practice management systems were originally designed to increase productivity and reduce the chances of error. HIPAA essentially regulates some of the software's core functionality, such as sending electronic transactions and restricting access to electronically stored patient information. In this regard, First Medical Solutions is not satisfied with anything but the most secure privacy standards. However, using an electronic medical records and medical office management system does not mean that an organization will be in complete compliance with the legislation. After all, software cannot prevent a doctor from violating the privacy standards by talking about a patient without the patient's permission.

Most practice management systems by design perform two of the four tasks regulated by HIPAA: electronic transactions and security. Software that sends and receives electronic transactions should be pre-programmed to adhere to the ANSI X12 standards defined by HIPAA, as well as provide the uniform code sets for patient information that is electronically stored. To address the security issues, FirstSuite’s electronic medical records and medical office management software is able to restrict user access to records, and more importantly, track what activity took place with a patient's record.

While on the surface it seems as though there is very little our medical practice management software can do to address the privacy and unique identifiers standards, there are, in fact, features that help medical offices comply with these regulations. Since the privacy standards require that patients receive a letter advising them of how their individually identifiable information will be used, FirstEMR™ produces customized letters for each patient, and can track which patients have acknowledged receiving and signing these letters. And, just as the systems store and use the standardized code sets, we also maintain the employer, health plan, provider, and patient unique identifiers.