Net Health HIPAA Statement
Summary
The impact of the Health Insurance Portability and Accountability Act of 1996 on Net Health's clients is enormous. To support our clients in confronting the tasks of compliance, we at Net Health have committed ourselves to adopting the "best practices" established for the health care software application industry. Strictly speaking, there is no such thing as "HIPAA compliant" software. Software vendors are not covered entities and are not regulated by HIPAA. However, certain requirements of the Act will come to be expected of all software products that perform certain functions in the health care industry. Net Health is firmly committed to these "best practices" and has already taken appropriate steps to include them in our software.
Specific aspects of each of the HIPAA regulations affect all health care software products, including those of Net Health. The standards relevant to our product, and Net Health's implementation of those standards in the software, are detailed in the following sections.
The HIPAA Transaction and Code Sets Standard
The transactions, code sets and identifiers mandated by the HIPAA Transaction and Code Sets Standard are well defined, and virtually every software vendor will be updating their applications to comply with these regulations.
Standard Transactions
Provider clients who license the software to submit their claims electronically are required either to submit their claims to a clearinghouse, who in turn is required to submit the HIPAA standard transaction to the payer, or to submit the claims using the HIPAA standard transaction format. A notable exception is workers’ compensation claims, which fall outside the purview of the regulation. The HIPAA standard transaction for electronic claims is the ANSI X.12 (837) transaction format for institutional claims or professional claims.
Any clients who have licensed the Electronic Claims add-on module can use the Billing Module to submit claims electronically, either using the HIPAA standard transaction format or through a clearinghouse. If you intend to continue using a clearinghouse, you should contact your clearinghouse to ensure HIPAA compliance. In addition, the Billing Module has the bonus capability of transmitting workers' compensation claims using the standard transaction, for those workers' compensation carriers willing and able to accept them.
In the future, covered entities may be required to submit the First Report of Injury (used for Workers' Compensation Notification) using a HIPAA standard transaction format. However, at this time the proposed format, ANSI X.12 (148), is under debate by DHHS and has not been finalized. If and when such a format is determined and finalized, Net Health will take the proper steps to provide that HIPAA standard transaction for clients who elect to license our EDI add-on component.
Standard Code Sets
The software has provided the capability to use all of the relevant standard code sets required by HIPAA since its initial release. These include:
- ICD-10-CM codes for diagnosis;
- CPT-4 codes for all procedures (these must be licensed from the AMA); and
- Level 2 HCPCS codes for certain procedures, supplies and drugs.
The initial iteration of the regulation called for the use of NDC codes for drugs. However, on May 31, 2002, DHHS officially proposed a retraction to the use of NDC codes as a HIPAA standard code set. Regardless of the outcome of this debate, our software supports the use of NDC codes if needed.
The current version of the software also supports the use of ICD-10 codes and CPT-5 codes once they are adopted in the future.
Standard Unique National Identifiers
Net Health now provides the capability to use all of the proposed standard unique national identifiers. These include:
- The Federal Employer Identification Number (EIN) for all employers;
- The National Provider Identifier (NPI) for providers; and
- The National Health Plan Identifier (NHPI) for health plans.
While the health plan identifiers remain in the proposal stage, their ultimate acceptance is expected.
The HIPAA Security Standard
The HIPAA Security Standard greatly impacts the policies and procedures of covered entities. The Final Rule, passed on February 20, 2003, outlines a few relatively well-defined features that are expected of all software applications. Some of these features fall into the category of specific technical requirements of the regulation, while others belong in the category of "best practices". Some are required, while others are "addressable". Net Health Employee Health and Occupational Medicine address all of the required areas and many of the addressable ones.
The three most important security services that should be provided by health care software are authentication, authorization and audit. The software supports these security services in the following manner:
Authentication
Net Health Employee Health and Occupational Medicine provide the following:
- Unique user code with required password authentication for system login, with a password that requires at least 6 characters;
- The user is required to change his/her password upon logging into the software for the first time;
- The user is prevented from logging into the software after three unsuccessful attempts;
- Encrypted passwords;
- User authentication to access the database, for open systems databases such as the Oracle or SQL-Server version;
- Encrypted data files requiring password authentication to be accessed, for the standard, proprietary database version;
- Single user sign-on for accessing the database;
- The ability for a user to lock the workstation, requiring a password for program re-entry;
- All passwords must contain at least one alphabetic and one numeric character;
- Automatic password expiration, based upon system administration policy;
- The user may not re-use the same password if it has been used in the past five changes;
- Automatic user account suspension after an administrator-designated number of unsuccessful login attempts; and
- Automatic logoff after a (system administrator-designated) time period of inactivity.
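The password and lockout controls listed above (minimum length, alphabetic and numeric characters, no re-use within the last five changes, forced change on first login, suspension after a configurable number of failures) are a compact policy that is easy to get subtly wrong. The following is an added illustration of how such a policy can be enforced in code; it is not Net Health's implementation, and the `Policy`, `Account` and helper names are hypothetical. Passwords are stored only as salted PBKDF2 hashes, so the history check compares hashes rather than plaintext, and the failure counter resets only on a successful login.

```python
"""Added example (not Net Health's code): password policy + lockout enforcement.

Implements the controls described in the Authentication list:
  * at least 6 characters, with one alphabetic and one numeric character
  * no re-use of any of the last 5 passwords
  * forced password change on first login
  * account suspension after N consecutive failed attempts (default 3)
Passwords are never stored in clear; only salted PBKDF2-HMAC-SHA256 hashes are kept.
"""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field


@dataclass
class Policy:
    """Administrator-settable parameters (hypothetical names)."""
    min_length: int = 6
    history_depth: int = 5
    max_failed_attempts: int = 3


@dataclass
class Account:
    username: str
    salt: bytes = b""
    pw_hash: bytes = b""
    history: list = field(default_factory=list)   # previous (salt, hash) pairs
    failed_attempts: int = 0
    suspended: bool = False
    must_change: bool = True                       # true until first user-chosen password


def _hash(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so a stolen credential store cannot be trivially reversed.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def validate_password(policy: Policy, account: Account, candidate: str) -> list:
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(candidate) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if not re.search(r"[A-Za-z]", candidate):
        problems.append("missing an alphabetic character")
    if not re.search(r"[0-9]", candidate):
        problems.append("missing a numeric character")
    # Re-use check covers the current password plus the retained history.
    previous = [(account.salt, account.pw_hash)] if account.pw_hash else []
    previous += account.history[-policy.history_depth:]
    if any(hmac.compare_digest(_hash(candidate, s), h) for s, h in previous):
        problems.append(f"reused within the last {policy.history_depth} changes")
    return problems


def set_password(policy: Policy, account: Account, candidate: str) -> bool:
    """Apply a new password if it satisfies the policy; rotates the history window."""
    if validate_password(policy, account, candidate):
        return False
    if account.pw_hash:
        account.history.append((account.salt, account.pw_hash))
        account.history = account.history[-policy.history_depth:]
    account.salt = os.urandom(16)
    account.pw_hash = _hash(candidate, account.salt)
    account.must_change = False
    return True


def create_account(policy: Policy, username: str, initial_password: str) -> Account:
    """Administrator creates the account with a temporary password the user must replace."""
    account = Account(username=username)
    if not set_password(policy, account, initial_password):
        raise ValueError("initial password violates policy")
    account.must_change = True
    return account


def authenticate(policy: Policy, account: Account, candidate: str) -> str:
    """Return 'ok', 'must_change', 'denied' or 'suspended'."""
    if account.suspended:
        return "suspended"
    if hmac.compare_digest(_hash(candidate, account.salt), account.pw_hash):
        account.failed_attempts = 0
        return "must_change" if account.must_change else "ok"
    account.failed_attempts += 1
    if account.failed_attempts >= policy.max_failed_attempts:
        account.suspended = True          # requires administrator action to clear
        return "suspended"
    return "denied"


if __name__ == "__main__":
    pol = Policy()
    acct = create_account(pol, "jdoe", "temp123")   # constructed sample account
    print(authenticate(pol, acct, "temp123"))        # must_change
    print(set_password(pol, acct, "temp123"))        # False: re-used
    print(set_password(pol, acct, "abc123"))         # True
```

The suspension flag is deliberately sticky: the counter resets on success, but once the account is suspended only an administrator path (not shown) should clear it, which mirrors the "administrator-designated" wording above.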
Authorization and Encryption
Net Health Employee Health and Occupational Medicine provide:
- User role-based authorization to various levels of secured and confidential information;
- User role-based authorization for various levels of program functionality;
- The ability to encrypt all reports and other attachments in emails generated by the system, using an Adobe PDF encryption technology; and
- If purchased as a separate add-on function, support for a third-party tool, PGP, which uses the RSA algorithm, a technology accepted by HIPAA, for clients who wish to encrypt all text in emails. However, PGP is expensive and requires separate licensing by the user organization, and all sensitive health information transmitted via email is already contained in encrypted attachments.
Audit
Net Health Employee Health and Occupational Medicine provide:
- A historical audit of all individually identifiable protected information that will show who added any record, changed any record, deleted any record or imported any record. The extent and longevity of the audit trail will be governed by the system administrator.
- A record of all user accesses to the software, including successful and unsuccessful logins, as well as system logouts.
- A record of changes made to user access rights.
The HIPAA Privacy Standard
The HIPAA Privacy Standard primarily impacts the policies and procedures of covered entities. This regulation, to which significant changes were made in August, 2002, governs the uses and disclosures of individually identifiable health information. It requires all Covered Entities to document a wide range of disclosures, obtain authorizations for certain uses and disclosures, provide every individual with a Notice of Privacy Practices and obtain a signed acknowledgment of receipt of notice. The Standard also requires Covered Entities to adhere to patient rights, including the right to an accounting of disclosures, the right of access to personal protected health information, the right to request amendment to personal protected health information, and the right to request a confidential communication channel and restrictions on the use and disclosure of information.
These issues reside outside of the domain of functionality of the Net Health Employee Health and Occupational Medicine programs. However, to meet these special needs, Net Health has created a new product, HIPAA GUARD™, which integrates with the Net Health Employee Health and Occupational Medicine database to provide all the burdensome documentation capabilities required by the Privacy Standard. Visit Net Health's web site www.nhsinc.com for more information about HIPAA GUARD™.
Net Health, Inc., Your HIPAA Business Associate
Net Health has committed to honor and respect the needs of all our clients for maintaining the confidentiality, integrity and security of your patient records. To that end, we have established internal policies for maintaining the confidentiality of all client information to which we might become privy in the course of business. Furthermore, we are continually training our staff in the intricacies of the HIPAA standards, to ensure quality control. We consider ourselves your business partner, and are willing to enter into Business Associate agreements as needed for the purpose of doing our part to have your organization be successful as a HIPAA covered entity.