Stay tech savvy and HIPAA compliant with this checklist.
If you don’t ask the right questions when it comes to HIPAA’s transactions rule, how can you expect to receive the right answers? Fortunately, the Centers for Medicare and Medicaid Services wants to help.
Take a look below at some of the questions CMS, the agency that enforces the transactions and code sets (TCS) rule, thinks you should be asking your vendors, third party administrators and clearinghouses.
1. Are you working on developing software to meet your HIPAA needs?
• What HIPAA transactions does your product support? Claims and encounter information? Payment and remittance? Claims status inquiry? Eligibility inquiry? Referral and authorization inquiry?
• What software updates are needed for HIPAA compliance?
• Does my office need a particular release of your software to implement the HIPAA transactions or is an entire upgrade from our current version required?
• Can I upgrade to the various electronic transactions incrementally?
• What is the minimum hardware requirement for servers and workstations to run the HIPAA compliant version?
• When will the software updates be available?
• What training, support and services are available to help my office?
• Do you charge extra for training and support services?
• How do you remain current on the latest HIPAA developments? Do you belong to any of the HIPAA-related workgroups?
• Who specifically can I contact for HIPAA electronic transactions questions?
2. Will your software be able to support HIPAA transactions and code set requirements?
• Do you use the official Implementation Guides for the HIPAA transactions? Is your software using the latest version of the guides?
• Do you have the companion guides for my payers with whom I file directly?
• How does your product support collecting the required and situational claim data?
• Will your software support the required HIPAA code sets, both medical and non-medical?
• Is there a process for cross-walking from current codes to the HIPAA mandated codes?
• What new data will I need to start collecting?
• Are there any edits built into your software?
• Do you have a price list for the various upgrades, or new version of software?
• (For Clearinghouses) How can we submit transactions directly to you? Are there any changes in connectivity?
3. What are your electronic transactions and code set testing plans?
• How much lead time is required to install and test the software?
• How will current claims processing with existing formats proceed while testing new ones?
• Has your testing process included all of the seven types recommended by WEDI SNIP?
• Has the software received third-party certification that it can generate HIPAA compliant transactions?
• Will you send me a testing schedule that includes internal testing, testing with Medicare, testing with commercial payers, and testing with a clearinghouse (if applicable)?
• Have you tested successfully with any of my payers? Which ones?
• What are your contingency plans if you cannot be ready on time?
Don't scrap old computers before performing vital safety checks.
Covered entities, be forewarned: If state organizations or others are hungry for your donated computers, you’ll need to take several bytes out of your hard drive before you hand them over.
It’s happening more and more often these days. Health care organizations with outdated or obsolete personal computers are giving them away to other facilities without properly sanitizing their machines. Confidential health care data winds up in full view of those who shouldn’t have access to protected health information--and thousands of patient files are one click away from public exposure.
Remember, CEs: You’re responsible for the integrity and security of the PHI you maintain under HIPAA’s security reg. If you’re considering donating your computers to anyone, you need to ensure that PHI is no longer contained in any of those hard drives.
While the 1998 proposed security rule didn’t clearly address how to dispose appropriately of media or systems that might have electronic PHI on them, the final rule explains what your responsibilities are, notes Cynthia Smith, at PricewaterhouseCoopers. CEs must review their risk assessments regarding how they’re disposing of media, from floppy disks to CDs to hard drives, and how they’re disposing of information that’s no longer useful.
Option 1: Secure Delete. While many CEs believe deleting files will quickly and efficiently erase all PHI, “Just simply deleting data is not sufficient protection,” Smith said, adding that one should perform an overwrite to properly dispose of confidential information. “There needs to be some thought on this issue to ensure that [PHI is not turned over] to a voluntary organization like a school and can be reused,” she urges.
Others say that computers just don’t understand that deleting files means we humans want something completely erased. “Instead, when you tell your computer to delete a file, it thinks that it should merely hide that file from you,” says Rick Edvalson, business manager for IntegriNet Solutions Inc. in Boise, Idaho.
Edvalson tells Eli that when a computer “deletes” a file, the name of the file is merely altered in a way that removes the file from the directory of files.
If CEs want to ensure that “deleted” files cannot be recovered, they can obtain software that complies with the Department of Defense standard, says Edvalson. “Such ‘secure delete’ programs will be able to completely erase one file at a time,” he says, adding that some “secure delete” programs can be found at places like East Technologies, software download sites such as tucows and ZDNet Downloads, and many others.
Forget Deleting, Use A Sledgehammer
Option 2: Hard Drive Destruction. But for those who don’t want to take the chance that some of their stored PHI could get loose in public, they may want to consider physically destroying the disk. That’s what Fred Langston advises, principal consultant with Guardent in Seattle.
Langston is aware that sounds a bit overzealous, but stresses that it truly is the best way to ensure PHI doesn’t get out on the street. “Literally taking a hammer to it until it’s in little, tiny pieces--that’s probably the best way.”
Warning: Reformatting is no solution. If destroying your hard drives outright doesn’t appeal to you, you can always go with byte-for-byte overwrites, says Langston, or what are known as “triple wipes” of the disk. He says there are many “secure delete” programs out there that will perform these tasks.
Whatever you decide, Langston advises CEs to refrain from performing a simple reformatting. “A lot of people think they’ll just reformat the disks and that’ll fix it. Well, that makes it so that you can’t recover your operating system, but the data potentially can still be called off there; it’s not as good as doing a secure byte-for-byte overwrite or a triple wipe.”
Better To Deface Than Erase
Langston says many people feel that erasing PHI from their disks will solve all of their problems, when that’s just not entirely accurate. That’s not a complete solution, he says, because opening a Microsoft Word document that may contain PHI creates temp files. For example, when you open a Word document, there are potentially eight individual temp copies of that document on the disk while it’s open. So, in most cases, it’s best to wipe that disk completely from end to end, because there can be multiple copies of data on a system.
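The points made by Edvalson and Langston above (a delete only alters the directory entry, a reformat only rewrites the directory region, a per-file secure delete misses stray temp copies, and only an end-to-end byte-for-byte overwrite removes them all) can be seen at the byte level. The following is an added example, not code from the article or from any of the vendors it names. It builds a constructed disk image with a FAT-style layout (a directory table at the front, data blocks behind it), plants a constructed PHI record both as a “file” and as an orphaned temp copy, and then runs a raw byte scan, the way a recovery tool would, after each disposal step. The block size, layout and the NOTES.DOC entry format are assumptions chosen for the demonstration.

```python
"""Added example (not from the article): why delete and reformat leave PHI
on disk, and why a per-file secure delete can still miss temp copies.

A constructed disk image stands in for a real drive: a directory region at
the front, data blocks behind it.  The layout is an assumption that mimics
old FAT-style filesystems closely enough to show the effect; it is not a
real filesystem driver."""
import os
import secrets
import tempfile

BLOCK = 512
DIR_BLOCKS = 2                     # directory region at the front of the image
DATA_BLOCKS = 64
IMAGE_SIZE = (DIR_BLOCKS + DATA_BLOCKS) * BLOCK
FILE_BLOCK = 5                     # where NOTES.DOC lives
TEMP_BLOCK = 20                    # orphaned temp copy, no directory entry

# Constructed sample record; any recognizable PHI-like string works.
PHI = b"PATIENT: Jane Doe DOB 1961-04-02 DX: E11.9"


def data_offset(block_no):
    return (DIR_BLOCKS + block_no) * BLOCK


def make_image(path):
    """Write an image holding NOTES.DOC (PHI at FILE_BLOCK, with a directory
    entry) plus a stale temp copy at TEMP_BLOCK that no entry points to."""
    with open(path, "wb") as f:
        f.write(b"\x00" * IMAGE_SIZE)
    entry = (b"NOTES.DOC\x00" + FILE_BLOCK.to_bytes(4, "little")
             + len(PHI).to_bytes(4, "little"))
    with open(path, "r+b") as f:
        f.write(entry)                      # directory entry at offset 0
        f.seek(data_offset(FILE_BLOCK)); f.write(PHI)
        f.seek(data_offset(TEMP_BLOCK)); f.write(PHI)


def raw_scan(path, needle):
    """What a recovery tool does: ignore the directory, search every byte."""
    with open(path, "rb") as f:
        return needle in f.read()


def simple_delete(path):
    """Ordinary delete: only the directory entry changes; data blocks stay."""
    with open(path, "r+b") as f:
        f.write(b"\xe5")                    # FAT convention: entry marked free


def quick_reformat(path):
    """Quick reformat: rewrite the directory region, leave data blocks alone."""
    with open(path, "r+b") as f:
        f.write(b"\x00" * DIR_BLOCKS * BLOCK)


def overwrite_range(path, offset, length, passes=(b"\x00", b"\xff", None)):
    """Byte-for-byte overwrite of [offset, offset+length): a 'triple wipe'
    of zeros, ones, then random bytes.  Each pass is flushed to the device."""
    with open(path, "r+b") as f:
        for pattern in passes:
            f.seek(offset)
            f.write(secrets.token_bytes(length) if pattern is None
                    else pattern * length)
            f.flush()
            os.fsync(f.fileno())


def secure_delete_file(path, block_no, length):
    """Per-file secure delete: overwrite the file's own blocks only."""
    overwrite_range(path, data_offset(block_no), length)


def wipe_whole_image(path):
    """End-to-end wipe: directory and every data block, temp copies included."""
    overwrite_range(path, 0, IMAGE_SIZE)


def demo():
    """Return whether a raw scan still finds the PHI after each step."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "disk.img")
        make_image(img)
        results["fresh"] = raw_scan(img, PHI)
        simple_delete(img)
        results["after_delete"] = raw_scan(img, PHI)
        quick_reformat(img)
        results["after_reformat"] = raw_scan(img, PHI)
        # Directory is gone, so the block number is taken from the layout.
        secure_delete_file(img, FILE_BLOCK, len(PHI))
        results["after_file_wipe"] = raw_scan(img, PHI)   # temp copy remains
        wipe_whole_image(img)
        results["after_full_wipe"] = raw_scan(img, PHI)
    return results


if __name__ == "__main__":
    for step, found in demo().items():
        print(f"{step:16s} PHI recoverable: {found}")
```

Run as a script, it reports the PHI as recoverable after the delete, the reformat and even the per-file wipe, and gone only after the end-to-end wipe. On a real drive the same overwrite approach applies to the raw block device rather than to an image file, and the per-file shortcoming is worse than shown here: journaling and copy-on-write filesystems and SSD wear levelling can keep copies of a block that an in-place overwrite never reaches, which is why the whole-device wipe or physical destruction the article recommends is the safer end state.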