DrFirst is committed to assisting its clients in meeting their HIPAA compliance obligations by providing products and services that conform, to the extent possible, with applicable HIPAA regulations by their respective mandated compliance dates. Furthermore, DrFirst extends its resources to assist member practices in preparing and filing a compliance plan and in requesting a time extension to respond to HIPAA compliance issues. DrFirst recommends that all subscription members file for the compliance extension regardless.
What is HIPAA?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA), administered by the Department of Health and Human Services (DHHS), will transform security, privacy and compatibility standards for U.S. healthcare informatics over the next several years. Specifically, HIPAA calls for:
- Standardization of electronic patient health, administrative and financial data (e.g. adoption of transaction formats developed by ANSI, and agreement on standard code sets such as ICD-9 to be used for health transactions).
- Unique health identifiers for individuals, employers, health plans and health care providers
- Security and Privacy standards protecting the confidentiality and integrity of "individually identifiable health information," past, present or future (e.g. encryption of data during transmission, and authentication and verification of the sender and receiver).
Although HIPAA consists of four segments, only two of the segments - along with their associated compliance dates - are currently in final form.
HIPAA Segments & Associated Compliance Dates (Applicable to DrFirst Clients)
- Transaction Standards: October 16, 2002
- Privacy Regulations: April 14, 2003
- Security Standards: April 21, 2005
- National Identifier: no date yet established
Who is affected by HIPAA?
HIPAA specifies the following as "covered entities":
- Health care providers
- Health plans
- Health care clearinghouses
Although DrFirst is not a "covered entity" as a provider of systems that handle patient data, HIPAA indirectly affects us through our clients' HIPAA obligations. Consequently, DrFirst's objective is to ensure that its products and services accommodate our clients' HIPAA obligations.
DrFirst and HIPAA
HIPAA Transaction Standards & Code Sets Regulation
(Applicable to DrFirst Clients)
The HIPAA Transaction Standards & Code Sets Regulation (TSCS Regulation) was adopted on October 16, 2000. It established uniform standards of compliance for the electronic exchange of administrative and financial health care transactions. The general rule regarding compliance is that if a covered entity (health care provider, health plan or health care clearinghouse) transmits a transaction defined in the TSCS Regulation electronically, the covered entity must conduct the transaction as a Standard Transaction.
According to the TSCS Regulation, all covered entities must be in compliance with the electronic transactions and code sets standards by October 16, 2002. However, a covered entity could request a one-year extension to the compliance deadline - until October 16, 2003 - by presenting a compliance plan to the Department of Health and Human Services (DHHS). The compliance plan must be submitted by October 15, 2002. The deadline extension does not change DrFirst's position on HIPAA or our strategy for HIPAA-enabling our products and preparing our customers to meet the original HIPAA transactions and code sets deadline.
Standard Transaction
The "Standard" is a very precise method of defining information to be transmitted in an electronic format. The data is formatted by the sender, then sent via any mechanical means, and then interpreted back by the receiver.
All of the standards adopted by the TSCS Regulation are from the American National Standards Institute (ANSI) Accredited Standards Committee (ASC) X12N, except the standards for retail pharmacy transactions, which are from the National Council for Prescription Drug Programs (NCPDP). The Standards specifically define the different types of transactions that are covered under HIPAA, and stipulate the exact format for each transaction record.
Standard Transactions established by HIPAA are as follows:
- The ASC X12N 837, Professional Health Care Claim or Encounter: compliance by October 16, 2002.
- The ASC X12N 835, Health Care Claim Payment and Remittance Advice: compliance by October 16, 2002.
- The ASC X12N 276/277, Health Care Claim Status Request and Response: compliance by October 16, 2002.
- The ASC X12N 278, Referral Certification and Authorization: compliance by October 16, 2002.
- The ASC X12N 270/271, Eligibility for a Health Plan: compliance by October 16, 2002.
- The ASC X12N 834, Enrollment and Disenrollment in a Health Plan: compliance by October 16, 2002.
- The ASC X12N 820, Health Plan Premium Payments: compliance by October 16, 2002.
DrFirst is committed to supporting the transaction and code set standards as mandated by HIPAA and is working with its third party software vendors, including clearinghouses, to ensure that the transaction sets utilized by these products meet the HIPAA requirements.
Code Sets
The TSCS Regulation also identifies certain code sets that must be implemented in conjunction with the use of the Standard Transactions. A code set is defined as any set of codes used to encode data elements, such as tables of terms, medical concepts, medical diagnostic codes, or medical procedure codes. Code sets captured in the TSCS Regulation are as follows: ICD-9-CM, CPT-4 and HCPCS. DrFirst is working with its third party software vendor to meet the proposed transmission guidelines by October 16, 2002.
HIPAA Privacy Regulation
(Applicable to DrFirst Clients)
The HIPAA Privacy Rule became effective on April 14, 2001. The compliance date of the Privacy Rule for most covered entities is April 14, 2003. The HIPAA Privacy Rule provides for the privacy of individually identifiable health information by providing individuals access to their information and informing them on how the information will be used as well as setting limits on its use. At the core of Privacy Regulation is the idea that protected health information, comprising the personal medical records of individuals, should be guarded against unauthorized disclosure. The Privacy Rule covers all individually identifiable health information in the possession of covered entities - in electronic format or otherwise.
HIPAA Privacy Rule Standards:
- Limit the non-consensual use and release of protected health information
- Give patients new rights to access their medical records and to know who else has accessed them
- Require patient authorization and consent prior to use or disclosure of protected health information
- Restrict most disclosure of protected health information to the minimum needed for the intended purpose
- Establish new criminal and civil sanctions for improper use or disclosure
- Establish new requirements for access to records by researchers and others
- Permit de-identified information, or information that cannot be traced to a particular individual, to be disclosed without authorization
On March 27, 2002 the Department of Health and Human Services (DHHS) released proposed modifications to the HIPAA Privacy Rule. The proposed modifications do not change the privacy rule compliance date of April 14, 2003.
The proposed modifications:
- Eliminate the requirement to obtain consent in certain circumstances
- Require acknowledgment of notice of privacy practices
- Modify authorization requirements
- Allow disclosures for treatment, payment and health care operations of another entity
- Modify the minimum necessary standard
- Clarify parental access to records of minors
- Modify rules related to research
- Seek comments on an alternative approach to de-identification of protected health information
DrFirst's Privacy Features
DrFirst assists its clients in attempting to comply with the Privacy Rule in the following fashion:
- Consent. The HIPAA Privacy Rule requires that the patient's consent and/or authorization be given for both routine and non-routine uses of their medical data. DrFirst's software will be enhanced to provide various consent indicators. The existing software will be enhanced to provide more information about consent and what consent is given for, and to make any restrictions on disclosure prominent in the user interface.
- Limiting Access. DrFirst software provides authentication of users and limits access to types of information for each user.
HIPAA Security Standards
(Applicable to DrFirst Clients)
The proposed Security and Electronic Signature Standards were announced in the Federal Register on August 12, 1998. The final version of the proposed Security and Electronic Signature Standards has not been published, so no date has yet been established for their implementation.
The proposed security standards contain general requirements for health care provider information systems. These requirements pertain to access controls, information network protection, and information authentication. According to the proposed HIPAA rules, the security standards relate to the software controls and protocols that are responsible for processing and storing protected data. These areas include:
- Entity authentication mechanisms to ensure the identification of the entity, such as passwords, biometrics, PINs, modem callbacks and automatic logoffs
- Access controls to protect against any reasonably anticipated threats or hazards to the security or integrity of the information and unauthorized uses or disclosures of the information
- Audit controls that provide for the recording and examining of system and security activities to provide a means of identifying suspicious activity
- Data authentication mechanisms to ensure that data within an organization has not been altered or destroyed in an unauthorized manner
DrFirst's Security Features
DrFirst intends to incorporate any applicable currently proposed HIPAA Security Standards throughout DrFirst's solutions. As mentioned, DrFirst compliance specialists constantly monitor and interpret the impact of published and proposed HIPAA standards, conduct periodic reviews to determine the impact of those standards on our clients and work closely with clients to facilitate compliance.
The following security features are currently incorporated, or will be incorporated, within DrFirst health care software applications:
- Individual log-in and password protection features that prevent use or disclosure of individually identifiable health information to unauthorized users.
- System-wide audit trails that automatically document the user IDs responsible for specific patient record updates.
- System administrator controls that permit access to sensitive records based on department security protocols.
HIPAA National Provider Identifier
(Applicable to DrFirst Clients)
In May 1998, the U.S. Department of Health and Human Services (DHHS) proposed standards to require hospitals, doctors, nursing homes, and other health care providers to obtain a unique identifier when filing electronic claims with public and private insurance programs. Providers would apply for an identifier once and keep it if they relocated or changed specialties. Currently, health care providers are assigned different ID numbers by each private health plan, hospital, nursing home, and public program such as Medicare and Medicaid. These multiple ID numbers result in slower payments, increased costs and a lack of coordination. Although final rules have not yet been published, it is expected that the identifier will be in a 10-digit, numeric format and will be required on all standard electronic health care transactions. DrFirst's software will be able to meet the proposed National Provider Identifier standard.
The text of specific HIPAA regulations can be downloaded from the U.S. Department of Health and Human Services (DHHS) website at http://aspe.os.dhhs.gov/admnsimp/