
HCS HIPAA Statement

HCS has closely followed the regulations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Many compliance aspects of the act are already mandated, while others will continue to be implemented through 2008.

HCS has created the role of HIPAA Compliance Officer to review and maintain compliance with regard to software systems and vendors. All of the HIPAA regulations have or will have some impact on HCS INTERACTANT and our users; therefore, we have focused on addressing the following items:



Security Standards

The security standards for electronic health information specify a series of administrative, technical, and physical security procedures to follow in order to assure the security and confidentiality of electronic protected health information (PHI). The security rule is similar to the privacy rule except that it is limited in scope to PHI in electronic form, whereas the privacy rule covers PHI in any form. Highlights of the security standards include:

  • Security awareness training must be provided to all members of an organization
  • Risk analyses must be performed to determine information security risks and vulnerabilities
  • Policies and procedures must be established that allow access to electronic PHI only to authorized personnel
  • Audit controls must be established that record who has logged into any information system containing PHI
  • Physical access limitations to facilities that contain electronic PHI must be established
  • Sanctions must be established for all workforce members not following the defined policies and procedures

While much of the rule pertains to training and policies, each organization must make sure that electronic PHI is protected. HCS supports that goal with multiple layers of security that are built into INTERACTANT Software. These security layers protect electronic health information in several ways. Every user must have a unique user ID and password. Users must be specifically authorized both for the patient population (in a multi-site environment) and for the function they are asking to perform (inquire patient chart). Each clinical application keeps an audit trail of each user that accesses a patient chart. This audit information can be viewed on-line from either the user or the patient perspective. End users have no authority to access the INTERACTANT database from outside the INTERACTANT Applications. Unless a user is granted specific authority, the user cannot download database files in an attempt to access patient information.


Privacy Standard

The privacy standard covers the security of PHI in any form and defines when and how PHI can be released. Areas that the privacy standard covers include:

  • Using PHI for marketing purposes
  • Consent and notice requirements
  • Disclosure of PHI
  • Authorization requirements
  • Minimum necessary standards
  • Parent and guardian rules for protecting a minor's PHI
  • Business associate contract requirements
  • Research use of PHI

The INTERACTANT security capabilities discussed under the security standard will be an important tool for our clients to ensure that PHI remains secure. The INTERACTANT Registration/Census Module enables our clients to track the privacy agreement status of each patient. The INTERACTANT Medical Records Module includes the ability to record and report upon correspondence requests for PHI.


Transaction Standards

Transaction standards mandate the use of several standard electronic transaction formats. HCS has been successfully providing electronic billing and remittance advice capabilities for our clients for many years. Prior to HIPAA, the electronic formats varied greatly among the different states, providers, and third party intermediaries. Considerable resources were required to maintain all of the different formats for the broad range of healthcare providers that HCS supports.

HCS INTERACTANT fully supports the HIPAA standard formats for electronic billing (837) and remittance (835). During the development process, we quickly learned that even though a national standard had been developed, many individual states, providers, and intermediaries had added some unique requirements that were defined in companion guides. Our ability to react quickly to the specific needs of our individual clients has made the transition to these new formats relatively easy.


Code Set Standards

The code set standards define the use of specific code sets for billing and reporting purposes. After the final rule regarding code sets was published, a modification to the final rule was made. The major provision in the modification was the repeal of using NDC codes for reporting drugs and biologics for non-retail pharmacy transactions. Had this provision not been repealed, providers would have had to switch from the use of HCPCS codes to NDC codes for reporting drugs and biologics. Retail pharmacies will continue to use NDC codes. The standard code sets include:

  • ICD-9-CM - International Classification of Diseases, 9th edition, Clinical Modification volumes 1, 2, and 3
  • NDC - National Drug Codes
  • HCPCS - Health Care Financing Administration Common Procedure Coding System
  • CPT4 - Current Procedural Terminology, 4th edition
  • CDT4 - Current Dental Terminology, 4th edition

These standard code sets are employed within INTERACTANT Software. HCS is prepared for the future adoption of the ICD-10-CM code set standard.


Identifier Standards

The final rules for the national provider and national employer identifiers have been published. Compliance with the national employer identifier is already in effect, and compliance with national provider identifiers will be mandatory in 2007. The national health plan identifier rules are still under development, and the national individual identifier has been tabled indefinitely.

In anticipation of the identifier standards, HCS expanded the INTERACTANT database to include national identifiers for providers, employers, and health plans. The typical end user will not have to be retrained since these identifiers are contained in master files. As part of the registration process, payor/plans, providers, and employers are linked to the patient record. Whenever identifier information is required, i.e., bill production, the system will retrieve the information from the appropriate master file. All master files within INTERACTANT are user maintainable.

Although the national individual identifier is currently tabled, if and when a rule is established, the patient demographic database will be expanded to include this data element. The registration process will be modified to capture the individual national identifier. This would become part of a permanent demographic record associated with the individual's medical record. With INTERACTANT, when a patient returns to your facility for another episode of care, all demographic information is retrieved to initialize the new registration.


Electronic Signature

The electronic signature standard was originally part of the security standard but was removed when the final rule for the security standard was published. The electronic signature standard may be published in a separate rule. However, a timetable has not yet been established.

None of the HIPAA regulations currently require that an electronic signature be used. However, if new regulations are published that specify an electronic signature is required, or if an entity decides to employ an electronic signature, a cryptography-based digital signature will most likely be the standard. The rules as currently defined would require public/private key technology for the transmission of digitally signed documents. HCS does not currently employ digital signature technology within the INTERACTANT Software Modules. However, if the new rules mandate that an electronic signature will be required for the transmission of transactions such as claims or remittance advice, HCS will incorporate this technology into our software.