How Can We Send Data to RemitDATA and Be in Compliance With HIPAA?
RemitDATA understands the critical importance of protecting sensitive patient information. Protecting the privacy of sensitive patient data is nothing new to the healthcare industry. For instance, well before the final HIPAA privacy rule was issued, CMS (formerly HCFA) released the “Internet Security Policy” to stipulate how sensitive patient information should be handled over the web. The policy states:
It is permissible to use the Internet for transmission of CMS Privacy Act-protected and/or other sensitive CMS information, as long as an acceptable method of encryption is utilized to provide for confidentiality and integrity of this data, and that authentication or identification procedures are employed to assure that both the sender and recipient of the data are known to each other and are authorized to receive and decrypt such information.
In addition, the U.S. has literally hundreds of state laws that govern an individual’s right to privacy (Florida alone has over 43 laws on the books protecting a patient’s rights!).
RemitDATA will continue to stay informed about AND WILL REMAIN IN COMPLIANCE with these important state laws, CMS policy and now, HIPAA.
Since HIPAA is the “hot topic” right now, we want to help you better understand HIPAA and how it relates to your relationship with RemitDATA. We’ve prepared the following summary for your benefit. (You can find the complete copy of the Final Rule of the HIPAA Privacy Standards at http://www.hhs.gov/ocr/hipaa/.)
The HIPAA Privacy Rule is now final, and went into effect on April 14, 2003 (some very small providers had 1 year longer).
Under HIPAA, our clients are defined as “Covered Entities,” and RemitDATA is defined as a “Business Associate” (see Privacy Rule 160.103).
As a Business Associate, we are required to safeguard your “Protected Health Information” (PHI) and to keep it confidential. We cannot do anything with your data that you do not specifically allow us to do. If we accidentally release any PHI, we must inform you immediately. We must be responsible for the data while it is in our control.
Under HIPAA, once you’ve given your patients notice of your policy, a “Covered Entity” may share PHI with a “Business Associate” for purposes of performing healthcare operations. RemitDATA fits this definition. Therefore, you do NOT need to seek a patient’s individual written consent each time you perform specific healthcare operations, including sending your ERNs to RemitDATA.
Under HIPAA, your written contracts with your Business Associates must have specific “HIPAA language.” Our agreement states simply that we will be in compliance with all state and federal laws, including HIPAA, and that these are the minimum standards we will use in safeguarding your data. In simple terms, the agreement says, “You are providing PHI to RemitDATA. RemitDATA will only use this data to help you perform certain healthcare operations and will otherwise keep this information confidential. The only exception is that RemitDATA is allowed to de-identify your data and create an aggregated ‘Limited Data Set’ for uses such as industry benchmarking reports. The data used will ONLY be produced in a form that makes it IMPOSSIBLE to identify a specific patient’s information or provider’s information.” Under HIPAA, specifically the “Limited Data Sets” section, RemitDATA is allowed to aggregate your data and create benchmarks for the industry, PROVIDED that we do not disclose any personally identifiable information.
That’s basically it. The details can be mind-numbing, but the important thing to remember is: THIS IS NOTHING NEW! We’ve been required to protect patients’ data for a long time. HIPAA just adds some stiffer federal penalties and some documentation, which will make it a more enforced rule throughout the industry. If you have questions or need more information, please let us know. We look forward to working with you.