So exactly what is HIPAA?
Simply put, HIPAA Administrative Simplification is a government mandate for Electronic Data Interchange (EDI), with detailed requirements for privacy and security in healthcare. Just so we won't waste your time, we need to say up front that CTA Solutions is involved in the compliance effort regarding HIPAA's privacy and security regulations. We're all for privacy and security in the broad sense of those concepts, but our business is about HIPAA EDI compliance testing and certification as well.
So, from that perspective, here are the HIPAA Highlights:
First, HIPAA is law, appropriately passed by Congress and signed by the President of the United States. From the earliest days of electronic data interchange there have been people within the healthcare industry who recognized that the countless number of electronic formats contributed to a system that is very difficult to interface.
In fact, by the time you add up all the proprietary data formats used by payers, providers, clearinghouses and the government, you get over 400 distinct flavors of EDI. If you are a clearinghouse that wants to file a customer's claim with one payer, you have to get the two systems talking to each other. But just because you have passed that particular configuration and testing hurdle doesn't mean you will be able to communicate with another payer. Each time, it's back to square one. If you are a provider, especially a small provider, the job can be overwhelming. All in all, health care EDI had become a bit of a nightmare.
Somebody had to find a solution. In fact, pretty much everyone in the industry recognized the need for a standard. So industry trade groups took the lead and began the process of developing and promoting standards that everyone could use: standards that, when fully implemented, would enable people in the health care industry to get back to doing health care.
An Industry Consensus
Enter the industry trade groups and government affiliates: WEDI, ASC X12N, AFEHCT, NUBC, NUCC, ADA, NCPDP, CHIM, CHIME, EHNAC, HEDIC, HFMA, HIMSS, JHITA, NCHICA, UHIN, MCHEC, AHIMA and MHDC to name a few. It seems like you could randomly select any set of four or five letters and you would find some health care related organization that, at one time or another, has had input on HIPAA. We don't say that to be clever; what this shows is how widespread and diverse the interest has been in the development of sensible standards for health care EDI.
So from the early eighties through the mid-nineties, enormous amounts of blood, sweat and tears were shed over the development of standards. The Workgroup for Electronic Data Interchange (WEDI) indicated in 1993 that federal legislation was one way to move the industry forward. From the early 1990s, every health care bill in Congress contained provisions to do just that. Then in August of 1996 Congress passed the legislation we now call HIPAA. It stands for the Health Insurance Portability and Accountability Act of 1996. A big part of it enables individuals to qualify immediately for insurance when they change jobs -- that's the portability part.
But there is much, much more to HIPAA. Title II gave the Department of Health and Human Services the job of mandating standards for health care EDI. This aspect of HIPAA is known as Administrative Simplification. The Secretary of HHS, in consultation with the National Committee on Vital Health Statistics (NCVHS), was given the task of working with several private-sector organizations, including the National Uniform Billing Committee (NUBC), the National Uniform Claim Committee (NUCC), the Workgroup for Electronic Data Interchange (WEDI), and the American Dental Association (ADA) to adopt standards and implementation specifications. The NCVHS took public testimony and then advised the Secretary of HHS of the results of these groups' efforts. Out of all of that came the "Final Rule" on administrative simplification, which was published in the Federal Register on August 17, 2001.
HIPAA EDI Requirements
Sounds complicated, right? It's not as bad as you might think. Administrative simplification establishes requirements for the following: transactions and code sets, identifiers, security, privacy, timeframes and penalties.
- Transactions: ASC X12N
- Code Sets: Diagnoses and inpatient hospital services: International Classification of Diseases, ninth edition, Clinical Modification (ICD-9-CM)
CTA Solutions' business is built around testing for the first two requirements, and around developing policies for people and technology for the security and privacy aspects.
The following sections address each of these minimum security and privacy aspects and indicate how CTA Solutions addresses these requirements.
Requirement 1: Contingency Plan
Organizations must have adequate safeguards for protecting electronic health information in the event of an emergency. CTA Consulting Group offers complete backup and recovery for all workstations in your organization. To ensure that the backup solution becomes part of the organization's overall security policy, CTA Consulting Group will also include a recommended backup schedule for your organization to minimize data loss during downtime. This schedule can be integrated into your operational procedures for incident handling and escalation.
Requirement 2: Information Access Control, Media Controls
Our Business Partners all feature, at a minimum, firewall technology to lock down access to your data, systems, and networks. Firewalls give you multiple ways to allow or prevent access. To restrict access to sensitive patient records to authorized parties only, CTA Consulting offers a variety of access control products from vendors like Intel and 3Com as options for our Business Partners. This allows you to migrate from password security for your applications to stronger authentication techniques that are user-friendly. Also, with CTA Consulting's own password manager system, employees can securely store their passwords with the added confidence that these passwords meet standards for high quality (sufficient length and randomness).
Requirement 3: Security Configuration Management
Rigorous control and documentation of how patient information may be modified or accessed is an essential component of safeguarding patient information. Healthcare organizations must document all modifications and updates made to patient records. Our Business Partners are built from commercial products, with specified version numbers and application keys, that form a "security baseline" for your organization which can be rebuilt and documented under configuration control. CTA Consulting's integrity protection products, a valuable option to our Business Partners, ensure that any data or technology modifications occur in a controlled, approved manner, and that inadvertent or malicious tampering with your baseline is detected and halted.
Requirements 4, 5, 6: Security Incident Procedures, Security Management Process, and Termination
As noted under Requirement 1, organizations should implement any security technology solution within an overall corporate security policy framework, building appropriate security measures into their existing workflow processes. CTA Consulting's experienced security engineers will assist customers purchasing Business Partners in developing a formal corporate security policy, including incident handling and thorough password revocation processes for terminated employees. Refer to CTA Solutions' Web page for more on these services.
Requirement 7: Security Training
One of the largest security weaknesses in any organization is an ill-informed employee. Lack of thorough, dedicated security training for the workforce will render even expensive security technologies useless in an instant. Our Business Partners are accompanied by up-to-date documentation explaining the proper usage of security products. Additional consulting support may be acquired for your IT administration staff. CTA Consulting offers rigorous training programs as part of its suite of IT security programs.
If you are a healthcare provider in search of HIPAA-compliant solutions, let CTA Consulting Group provide a solid security foundation for your business.