SUPPORTING YOUR HIPAA COMPLIANCE EFFORTS

Transcription

1 WHITE PAPER SUPPORTING YOUR HIPAA COMPLIANCE EFFORTS Quanti Solutions. Advancing HIM through Innovation HEALTHCARE

2 SUPPORTING YOUR HIPAA COMPLIANCE EFFORTS Quanti Solutions. Advancing HIM through Innovation PRODUCT DESCRIPTION The Quanti HIM product suite provides coding and copliance solutions, as well as health inforation anageent odules to support abstracting, chart copletion, chart location, and requests for copies of edical records. EDM, the electronic docuent iaging product, is also built on the Quanti platfor. Since these products contain individually identifiable inforation about patients, healthcare providers ust evaluate their use as part of their HIPAA copliance efforts. Soeties we re asked the question, Are these products HIPAA-copliant? Readers of the security regulations recognize that the regulations are ulti-faceted and coplex, requiring covered entities to assess the risks to their electronic inforation, anage those risks, train their workforces, ipleent physical and technical safeguards, develop and ipleent policies and procedures, and contract with their business associates. All of these activities contribute to the covered entity s copliance with HIPAA. Software applications, like the Quanti HIM suite, should contain appropriate security features to support the covered entity s copliance efforts, but they, in and of theselves, are not HIPAA-copliant. REGULATORY OVERVIEW The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and federal regulations proulgated under the Act outline specific protections for health inforation that identifies individuals. Covered entities, organizations that ust coply with HIPAA, include health plans, healthcare clearinghouses, and healthcare providers who transit certain transactions (such as healthcare clais) electronically. The HIPAA privacy regulations govern how protected health inforation ay be used and disclosed. The HIPAA security regulations outline specific easures that ust be ipleented to protect the security of electronic protected health inforation. To coply with the security regulations, healthcare organizations and other covered entities ust: Ensure the confidentiality, integrity, and availability of all electronic protected health inforation that they create, receive, aintain, or transit; Protect against reasonably anticipated threats to the security or integrity of the inforation; Protect against reasonably anticipated uses or disclosures that are not peritted under the regulations; and Ensure workforce copliance. 2

3 PROTECTED HEALTH INFORMATION HIPAA s protections apply to health inforation that identifies individuals. This inforation, known as protected health inforation, includes any inforation that pertains to an individual s past or current health history, treatent, or payent for healthcare services. Inforation is considered to identify an individual if the inforation contains one or ore of the following data eleents: Nae Street address City, county, or precinct Postal (zip) code (Note: It is acceptable to cobine all zip codes with the sae three initial digits, if that cobined geographic unit contains ore than 20,000 people) Dates, including birth date, adission date, discharge date, and date of death Age (if the individual is 90 years old or older) Telephone nubers Fax nubers Electronic ail addresses Social security nuber Medical record nuber License nubers (such as driver s license) Vehicle identifiers and serial nubers, including license plate nubers; Full face photographic iages Any other unique identifying nuber, characteristic, or code Although not required by the HIPAA security regulations, role-based access represents an industry best practice. It allows users to be assigned specific access privileges on a need to know basis giving users access to the inforation needed to do their jobs. Eleents of PHI contained in specific Quanti products are outlined in Exhibit A. ROLE-BASED ACCESS Although not required by the HIPAA security regulations, role-based access represents an industry best practice. It allows users to be assigned specific access privileges on a need to know basis giving users access to the inforation they need to do their jobs. Quanti Solutions support role-based access by allowing clients to establish their own user groups, defining the specific access privileges each group should have. Depending on the odule, users ay be given such privileges as viewing, editing, adding new data, aking status changes, archiving inforation, and configuring or printing reports. 3

4 MINIMUM NECESSARY When using or disclosing protected health inforation, covered entities ust ake reasonable efforts to liit the inforation to the iniu necessary to accoplish the intended purpose of the use or disclosure. Quanti Solutions support this requireent by allowing syste adinistrators to assign user privileges based on their job requireents. All Quanti Solutions allow confidentiality levels 1-5 to be assigned to further liit user access. All patients are assigned Level 1 (open access) by default, but the syste adinistrator ay define ore restrictive confidentiality levels in 2-5. Mass copying, printing, or downloading of data is restricted. Printing is assigned as a specific perission, and only one record or page ay be printed at a tie. We recognize that security solutions are not one-size-fitsall, so any of these security features are flexible, allowing clients to set the paraeters that best eet the needs of their organizations. In EDM, docuent types are hidden fro view if the user has not been given access privileges for that docuent type. EDM also allows docuents to be assigned a confidential security status. These docuents ay be accessed only by users with confidential access privileges. CONFIDENTIALITY LEVELS To assure confidentiality for high-profile patients or those who have requested restrictions, a confidentiality level of 1-5 ay be assigned to each patient. All patients are assigned Level 1 (open access) by default, but the syste adinistrator ay define ore restrictive confidentiality levels in 2-5. PRODUCT SECURITY FEATURES To support healthcare providers in coplying with the HIPAA security regulations, Quanti Solutions include a nuber of security features. We recognize that security solutions are not one-size-fits-all, so any of these security features are flexible, allowing syste adinistrators to set the paraeters that best eet the needs of their organizations. Product security features are outlined in Exhibit B. 4

5 EXHIBIT A Eleents of Protected Health Inforation (PHI) and Clinical Inforation in Quanti Solutions Data Eleent EDM* Abstracting Chart Copletion Chart Locator Correspondence Facil. Coding IP Copliance OP Copliance Nae Address Telephone nuber Fax nuber Eail address Date of birth Date of adission or encounter Date of discharge Date of death Social security nuber Medical record nuber Health plan beneficiary nuber Account nuber Certificate or license nuber Vehicle identification nuber or license plate nuber Device identifiers and serial nubers Web universal resource locators (URLs) Internet protocol (IP) address nubers Bioetric identifiers Full face photographic iages Other unique identifying nubers, characteristics, or codes Diagnoses Procedures Diagnosis codes Procedure codes Clinical suaries Orders Test results Diagnostic iages Phys. Coding *EDM ay contain any of these eleents if they are part of the scanned record. 5

6 EXHIBIT B Security Features in Quanti Solutions This suary includes the following products: EDM (Electronic Docuent Manageent Version 3.0 or higher) Quanti Abstracting Quanti Chart Copletion Quanti Chart Locator Quanti Correspondence Manageent Quanti Facility Coding Quanti Inpatient Copliance Quanti Outpatient Copliance Quanti Physician Coding Security Feature Unique passwords Coplex passwords Passwords hidden during entry by user Prevention of password re-use Passwords encrypted when stored on the server Passwords encrypted between client and server Required change of passwords Available ACCESS CONTROLS Not Available Notes Passwords ust be at least 6 characters in length, up to a axiu of 64 characters. Passwords ust contain at least one nuber or special character. Passwords are not displayed on the screen when they are entered. Instead, the screen displays ******. Users are required to change their passwords fro those initially assigned. Syste adinistrator defines how often users ust change their passwords, up to a axiu of 9,999 days. User authentication Authentication is perfored at the server. Prevention of concurrent (double) logon of a user User lock-out after failed logon attepts Autoatic logoff after a period of inactivity Users ay be logged on to the application on ore than one coputer at the sae tie. Users are locked out of the application after three consecutive failed logon attepts. Syste adinistrator defines how long users are locked out, up to 120 inutes. Syste adinistrator defines how long the application is inactive before the user is autoatically logged off, fro 1 to 9,999 inutes. Other ethods of user authentication In EDM, bioetric identifiers ay be used. continued 6

7 EXHIBIT B (continued) Security Feature Role-based access User restrictions Audit logs Recording of user logon, logoff, and failed logon attepts Recording of add, delete, or change actions perfored by users Warning banner Restriction of ass copying, printing, or downloading ACCESS CONTROLS (continued) Available Not Available AUDIT CONTROLS MINIMUM NECESSARY Notes Passwords ust be at least 6 characters in length, up to a axiu of 64 characters. Passwords ust contain at least one nuber or special character. Passwords are not displayed on the screen when they are entered. Instead, the screen displays ******. Users are required to change their passwords fro those initially assigned. Syste adinistrator defines how often users ust change their passwords, up to a axiu of 9,999 days. Hidden fields Authentication is perfored at the server. Restricted records Restricted docuents Encryption of data stored on the server DATA ENCRYPTION Users ay be logged on to the application on ore than one coputer at the sae tie. Users are locked out of the application after three consecutive failed logon attepts. Syste adinistrator defines how long users are locked out, up to 120 inutes. Syste adinistrator defines how long the application is inactive before the user is autoatically logged off, fro 1 to 9,999 inutes. Encryption of data during transission In EDM, bioetric identifiers ay be used. Test environent for use in applying patches or perforing upgrades TEST ENVIRONMENT Use of live data is not prohibited in the test environent. Syste adinistrators deterine the type of data used. Direct changes to application QuadraMed ay ake direct changes to the application in the production environent if peritted by the client. 7

8 L /13 DTM SUMMARY Although HIPAA copliance is an organization-wide responsibility for healthcare organizations that are covered entities under the law, Nuance Healthcare, as a provider of healthcare inforation technology, recognizes the critical iportance of HIPAA copliance. Quanti Solutions have any built-in security features designed to eet HIPAA s requireents for protecting the confidentiality, availability, and integrity of electronic protected health inforation. Many of these security features are flexible, allowing syste adinistrators to set the paraeters that best eet the needs of their organizations. Role-based access is easy to assign, with custoized user groups designed to eet the specific needs of your organization. Users ay be given specific access privileges to just the inforation they need to do their jobs. ABOUT NUANCE HEALTHCARE Nuance Healthcare, a division of Nuance Counications, is the arket leader in creating clinical understanding solutions that drive sart, efficient decisions across healthcare. As the largest clinical docuentation provider in the U.S., Nuance provides solutions and services that iprove the entire clinical docuentation process fro capture of the coplete patient record to clinical docuentation iproveent, coding, copliance and appropriate reiburseent. More than 450,000 physicians and 10,000 healthcare facilities worldwide leverage Nuance s award-winning voice-enabled clinical docuentation and analytics solutions to support the physician in any clinical workflow on any device. Copyright 2013 Nuance Counications, Inc. All rights reserved. Nuance, and the Nuance logo are tradearks of Nuance Counications, Inc. are tradearks and/or registered tradearks, of Nuance Counications, Inc. or its affiliates in the United States and/or other countries. All other brand and product naes are tradearks or registered tradearks of their respective copanies. HEALTHCARE