Orbograph HIPAA/HITECH Compliance, Resiliency and Security

Orbograph HIPAA/HITECH Compliance, Resiliency and Security Version 1.0 August 2013

Legal Notice

This document is delivered subject to the following conditions and restrictions: The document contains proprietary information belonging to Orbograph, Ltd. Such information is supplied solely for explicitly and properly assisting authorized users of Orbograph products. No part of the document contents may be used for any other purpose, disclosed to any person or firm, or reproduced by any means, electronic or mechanical, without the express prior written permission of Orbograph Ltd. The text and graphics are for the purpose of illustration and reference only. The specifications on which they are based are subject to change without notice. Corporate and individual names and data used in examples herein are fictitious unless otherwise noted. The software described in this document is furnished under license. The software may be used or copied only in accordance with the terms of the license agreement specified in this document. This document is provided for informational purposes only and is subject to change without notice. Copyright 2013 Orbograph Ltd. All rights reserved. All trademarks used herein are the property of their respective owners.

Table of Contents

Chapter 1. Introduction
Chapter 2. HIPAA/HITECH Considerations
    HIPAA
    HITECH
Chapter 3. Resiliency and Security
    Administrative Safeguards
    Physical Safeguards
    Logical Safeguards
    Resiliency
    Conclusion

Chapter 1. Introduction

Regulatory compliance is a critical consideration for solution vendors in the healthcare and dental payments space. Regulations set the compliance standards the industry must meet. Chapter 2 of this document will first address the compliance requirements behind HIPAA and HITECH. After these regulations are described, Chapter 3 will provide an overview of how Orbograph's healthcare payments solutions meet these requirements.

Although processing healthcare payments in today's environment may not require real-time processing in all areas, it does require a strong resiliency plan for the system to eliminate processing disruptions. This document will also address how the Orbograph solution is configured on a software and hardware platform that assures high system availability for end-to-end payment processing.

Orbograph's Healthcare and Dental Revenue Cycle Management solutions consist of two offerings for processing explanation of benefits (EOB) forms and electronic remittance advices (ERAs):

- Orbograph P2Post converts scanned images of paper EOBs into EDI 835 files. Both the original image of the EOB and the output are stored in the HRCM Portal. Additionally, X.12 EDI 837 claim files are often used to improve the EDI 835 output; these claim files are typically stored in the portal as well.
- Orbograph E2Post provides matching and reconciliation of electronic claim files (837) with remittance advices (835) at the service line level. These files are stored in the portal.

All of these Orbograph components are hosted in a secure cloud-based environment, with the HRCM Portal serving as the user interface that displays the workflow status of all processing. Files generated during this process are archived as well. The HRCM Portal also offers a wide range of search options to support the revenue cycle management process of a biller, healthcare provider or medical lockbox.

Chapter 2. HIPAA/HITECH Considerations

This chapter will examine key industry events and legislation which drove the requirements around HIPAA and HITECH.

HIPAA

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the Secretary of the U.S. Department of Health and Human Services (HHS) to develop regulations protecting the privacy and security of certain health information. To fulfill this requirement, HHS published what are commonly known as the HIPAA Privacy Rule and the HIPAA Security Rule. The Privacy Rule, or Standards for Privacy of Individually Identifiable Health Information, establishes national standards for the protection of certain health information.

Privacy Rule

A major goal of the Privacy Rule is to assure that individuals' health information is properly protected while allowing the flow of health information needed to provide and promote high-quality health care and to protect the public's health and well-being. The Rule strikes a balance that permits important uses of information while protecting the privacy of people who seek care and healing. Given that the health care marketplace is diverse, the Rule is designed to be flexible and comprehensive to cover the variety of uses and disclosures that need to be addressed.

In addition, the HIPAA Privacy Rule establishes national standards to protect individuals' medical records and other personal health information. This rule applies to health plans, clearinghouses and those healthcare providers that conduct certain healthcare transactions electronically. The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.

Security Rule

The HIPAA Security Rule establishes national standards to protect individuals' electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.

The Security Rule operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that organizations, called covered entities, must put in place to secure individuals' electronic protected health information (e-PHI).

Protected Health Information (PHI) is health information about a patient created or received by healthcare providers and health plans. PHI includes information sent or stored in any form (written, verbal, electronic):
- That identifies the patient or can be used to identify the patient
- That generally is about a patient's past, present and/or future treatment and payment of services
- Individually identifiable health information
- Transmitted or maintained in any form or medium by a Covered Entity, Clearinghouse or its Business Associate

PHI includes all of the following patient-specific details:
- Patient names or initials
- Patient date of birth
- Home addresses, including ZIP codes
- Telephone and fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan numbers

When creating test sets of data for pre-system processing or for sharing examples between vendor and healthcare provider, the following precautions must be taken:
- Removal of certain identifiers so that the individual who is the subject of the PHI can no longer be identified

- Stripping of listed identifiers such as patient names, geographic subdivisions, all elements of dates and SSNs

Vendors processing healthcare payments should pay close attention to the following guidelines:
- Do not use or disclose PHI, other than as permitted by the agreement or required by law
- Use appropriate safeguards to protect the confidentiality of the information
- Report to the Covered Entity any use or disclosure not permitted by the agreement
- Ensure that any of its agents or subcontractors agree to the same restrictions and conditions as the Business Associate

Enforcement

Within HHS, the Office for Civil Rights (OCR) has responsibility for enforcing the Privacy and Security Rules through voluntary compliance activities and civil money penalties. Vendors must be aware of the penalties associated with violating HIPAA. They include:
- $100 fine per day for each standard violation (up to $25,000 per person, per year, per standard)
- $50,000 fine plus up to one year in prison for improperly obtaining or disclosing health information
- $100,000 fine plus up to five years in prison for obtaining or disclosing health information under false pretenses
- $250,000 fine plus up to ten years in prison for obtaining health information with the intent to sell, transfer or use it for commercial advantage, personal gain or harm

With this infrastructure in place, it is important to note that there is no HIPAA certification. Each company must create its own policies and procedures and demonstrate compliance to manage its own liability. Audits must also be completed to ensure that the policies and procedures are in place and enforced to meet HIPAA requirements. Orbograph has implemented a strong set of policies and procedures in its software development, infrastructure and operations management processes. These policies can be provided upon request.
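The test-data precaution described above, stripping the listed identifiers before sample EOB data is shared between vendor and provider, can be applied mechanically and then checked. The following Python is an added example written for this page, not Orbograph code. The field names, the record layout and the sample EOB record are constructed assumptions, and the set of identifiers follows this document's own list (every element of a date is removed) rather than the full HIPAA Safe Harbor list.

```python
import re

# Structured fields this document lists as PHI identifiers that must be stripped
# from test data. Field names are assumptions for this example; map them to your
# own record schema.
DIRECT_IDENTIFIER_FIELDS = {
    "patient_name", "patient_initials", "date_of_birth", "home_address",
    "zip_code", "telephone", "fax", "email", "ssn",
    "medical_record_number", "health_plan_number",
}
# The document strips all elements of dates, so any field whose name contains
# "date" is treated as an identifier as well.
DATE_FIELD_HINT = "date"

# Identifier shapes that tend to leak into free-text fields (notes, memos).
# Constructed for this example; extend to match your own data.
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"(?:\(\d{3}\)\s?|\b\d{3}[-. ])\d{3}[-. ]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
}
REDACTED = "[REMOVED]"


def is_identifier_field(key):
    lower = key.lower()
    return lower in DIRECT_IDENTIFIER_FIELDS or DATE_FIELD_HINT in lower


def collect_identifier_values(record, acc=None):
    # Gather structured identifier values so the same strings can be removed
    # wherever they were echoed into free text (names cannot be regex-matched).
    acc = [] if acc is None else acc
    for key, value in record.items():
        if isinstance(value, dict):
            collect_identifier_values(value, acc)
        elif is_identifier_field(key) and isinstance(value, str) and len(value) >= 3:
            acc.append(value)
    return acc


def scrub_text(text, known_values):
    # Longest values first so a partial value never shadows a longer one.
    for value in sorted(known_values, key=len, reverse=True):
        text = text.replace(value, REDACTED)
    for pattern in RESIDUAL_PATTERNS.values():
        text = pattern.sub(REDACTED, text)
    return text


def deidentify_record(record, known_values=None):
    # Returns a copy: identifier fields are replaced, free text is scrubbed,
    # and non-identifier fields (amounts, procedure codes) are kept intact.
    if known_values is None:
        known_values = collect_identifier_values(record)
    out = {}
    for key, value in record.items():
        if is_identifier_field(key):
            out[key] = REDACTED
        elif isinstance(value, dict):
            out[key] = deidentify_record(value, known_values)
        elif isinstance(value, str):
            out[key] = scrub_text(value, known_values)
        else:
            out[key] = value
    return out


def residual_identifiers(record, path=""):
    # Audit check: (field path, identifier kind) for every string value that
    # still matches an identifier pattern. Empty list means the check passed.
    findings = []
    for key, value in record.items():
        here = f"{path}.{key}" if path else key
        if isinstance(value, dict):
            findings.extend(residual_identifiers(value, here))
        elif isinstance(value, str):
            for kind, pattern in RESIDUAL_PATTERNS.items():
                if pattern.search(value):
                    findings.append((here, kind))
    return findings


# Constructed sample EOB record; every identifying value is fictitious.
SAMPLE_EOB = {
    "patient_name": "Jane Q. Sample",
    "date_of_birth": "03/14/1970",
    "home_address": "12 Example St, Anytown, MA",
    "zip_code": "02101",
    "telephone": "(555) 123-4567",
    "email": "jane.sample@example.com",
    "ssn": "123-45-6789",
    "medical_record_number": "MRN-000123",
    "health_plan_number": "HP-998877",
    "service_date": "05/01/2013",
    "claim": {
        "claim_id": "CLM-42",
        "procedure_code": "99213",
        "billed_amount": 150.00,
        "paid_amount": 120.00,
        "adjustment_note": "Per call with Jane Q. Sample on 05/03/2013 "
                           "at 555-123-4567, see jane.sample@example.com",
    },
}

if __name__ == "__main__":
    print("before:", residual_identifiers(SAMPLE_EOB))
    clean = deidentify_record(SAMPLE_EOB)
    print("after:", residual_identifiers(clean), clean["claim"]["adjustment_note"])
```

Two design points matter for payment data. ZIP codes and names are removed by field name and by echo-matching of known values rather than by pattern, because a five-digit ZIP regex would also wipe five-digit procedure codes, and a name has no reliable shape; a human review of free-text fields is still needed for names that appear only in notes. The residual check is the part to keep in a release pipeline: a test set leaves the vendor only when `residual_identifiers` returns an empty list.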
HITECH

The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, was signed into law on February 17, 2009. It is designed to promote the adoption and meaningful use of health information technology. Subtitle D of the HITECH Act addresses the privacy and security concerns associated with the electronic transmission of health information, in part through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules.

Section 13410(d) of the HITECH Act, which became effective on February 18, 2009, revised section 1176(a) of the Social Security Act (the Act) by establishing:
- Four categories of violations that reflect increasing levels of culpability;
- Four corresponding tiers of penalty amounts that significantly increase the minimum penalty amount for each violation; and
- A maximum penalty amount of $1.5 million for all violations of an identical provision.

It also amended section 1176(b) of the Act by:
- Striking the previous bar on the imposition of penalties if the covered entity did not know, and with the exercise of reasonable diligence would not have known, of the violation (such violations are now punishable under the lowest tier of penalties); and
- Providing a prohibition on the imposition of penalties for any violation that is corrected within a 30-day time period, as long as the violation was not due to willful neglect.

The HHS interim final rule on enforcement reconciles HIPAA's enforcement regulations to these statutory revisions that are currently effective under section 13410(d) of the HITECH Act. This interim final rule does not make amendments with respect to those enforcement provisions of the HITECH Act that are not yet effective under the applicable statutory provisions.

Chapter 3. Resiliency and Security

The three critical areas of HIPAA/HITECH which will be covered in this chapter are:
- Administrative Safeguards
- Physical Safeguards
- Logical Safeguards

In addition to these security considerations, the resiliency and reliability factors of the Orbograph solution will be presented.

Administrative Safeguards

What are Administrative Safeguards? The Security Rule defines administrative safeguards as "administrative actions, and policies and procedures, to manage the selection, development, implementation and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity's workforce in relation to the protection of that information."

Administrative security covers a wide range of considerations for an organization. Orbograph has addressed these topics very directly, as summarized below:
- Risk Assessment: Orbograph management and IT teams have built a software platform which is currently deployed on the Amazon Web Services (AWS) platform. In both the software development model and the hardware hosting the solution, a strong plan is in place to ensure reliability and uptime and to provide security for any system data, including PHI.
- Minimal Exposure Practice: Orbograph has implemented policies to minimize the amount of PHI that is necessary for specific tasks and functions. This is important in the operational aspects of the system.
- Departmental Procedures: These procedures are documented for end-user client review as well as for auditing purposes.
- Annual Training: Training is completed on HIPAA topics throughout the year via both on-premise training and web training.

- Annual Testing: Testing of system components is completed as part of a comprehensive technical audit process. Examples within the Orbograph Portal application include the Daily Files Summary and File Monitoring Audit (see the Orbograph HRCM Portal User Guide).

Physical Safeguards

What are physical safeguards? The Security Rule defines physical safeguards as "physical measures, policies and procedures to protect a covered entity's electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion."

Physical security addresses the location of the servers and IT infrastructure. Orbograph has two locations which are considerations for physical security: Amazon Web Services and the Orbograph development facility. Physical security is addressed at both locations with the following processes:
- Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems and other electronic means.
- Authorized staff must pass two-factor authentication a minimum of two times to access datacenter floors.
- All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.

Logical Safeguards

What are Logical Safeguards? Logical security consists of software safeguards for an organization's systems, including user identification and password access, authentication, access rights and authority levels. These measures ensure that only authorized users are able to perform actions or access information on a network or a workstation. It is a subset of computer security. The Security Rule defines technical safeguards in 164.304 as "the technology and the policy and procedures for its use that protect electronic protected health information and control access to it."

Several key components of the Orbograph logical security considerations include:
- Intrusion detection
- Multiple firewalls
- Data is not directly accessible and is multiple layers deep

The comprehensive approach deployed by Orbograph to address these considerations includes:
- AWS Trusted Advisor, covering security and system health
- NagVis layered on top of Nagios for system health (CPU, disk space, utilization, etc.) monitoring and alerting
- Snorby for intrusion detection and prevention
- Graylog2, which collects all logs from the system
- NOD32 for monitoring virus attacks
- DuoSecurity and OpenVPN

Resiliency

The Orbograph HRCM solution is built to be highly resilient to minimize any downtime. Considerations for resiliency include:
- AWS (Amazon) and Orbograph double-layered redundancy
- Mirrored server farms
- Geographically diverse facility locations, all within the USA
- Outstanding monitoring
- Proactive actions

The AWS platform is an impressive hosting solution. Orbograph has built its policies and procedures to leverage and complement the outstanding AWS monitoring tools. For a more detailed summary of the AWS risk, compliance, security and monitoring solutions, see http://aws.amazon.com/about-aws/whats-new/2008/09/05/amazon-web-services-securitywhitepaper/.

Conclusion

Because Orbograph is part of a 400M publicly traded company, we approach our solution set as a data center entity. We have the resources to ensure our services and software solutions are designed to meet and exceed HIPAA/HITECH requirements. As each module of our system is developed and enhanced, the administrative, physical and logical safeguards are incorporated into the deliverable. The result is a secure and resilient system which can be relied upon not only to be fault-tolerant, but to meet service level agreements in system performance. Ultimately, our deliverable will reduce the risk of non-compliance and downtime for a healthcare provider, financial institution or biller. For a technical review of system details, please contact your Orbograph representative or email info@orbograph.com.