What do we mean when someone mentions medical billing HIPAA compliant software? What features must a HIPAA software program have to comply with the security, privacy, and data interchange requirements of the law?
HIPAA legislation introduced several initiatives that affect practice management software, such as privacy and security of patient data and transaction rules for how information is exchanged between parties. A good example was the requirement for providers to use only NPI numbers on claims. The NPI (National Provider Identifier) is a unique 10-digit provider identification number intended to replace all the legacy numbers assigned by the different insurance companies.
You may see the terms “HIPAA Compliant Software” or “HIPAA Software Program” used a lot. What do they mean? HIPAA doesn’t give you a cut and dried list of criteria that health insurance claim software must meet to be declared HIPAA compliant. Instead, there are features that medical billing HIPAA compliant software should have that enable the user(s) to comply with the HIPAA requirements for the protection of patient information and the interchange of data.
There is really no such thing as a formal HIPAA compliant software approval or certification. There are consultants who will audit your processes and operations and give an assessment of where you stand with regard to HIPAA compliance, including your software and data systems.
How Does HIPAA Apply to Software
Anybody who sends billing information electronically to a clearinghouse, health insurance payer, or government insurer such as Medicaid or Medicare has to follow the HIPAA rules; in HIPAA terms, a provider who transmits health information electronically in a standard transaction is a covered entity.
When this requirement was mandated a few years ago, some billing claim medical software did not have a field for the NPI number. This is where the impact of HIPAA really hit home for me, the owner of a small medical billing business.
Our software did not have the capability to accommodate the NPI number. This required a software upgrade to a version which would accept the longer number and be able to transmit it in electronic files to the clearinghouse or insurer. This was an expensive and disruptive process that took a while to recover from. But we did end up with a practice management system which had improved privacy and security capabilities as well as the ability to accommodate the 7 digits of the ICD-10 codes to be implemented in 2013.
A software program is not in itself HIPAA compliant, although it may have features that enable compliance. These are features like audit logs that record who logged on and what they did (a log that nobody retains or reviews does not help you), and the ability to restrict each user’s access to the minimum necessary, so that those who work with patient data see only what their tasks require. All practice management programs should have the ability to set password protection.
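As an added illustration (this is not code from the article or from any billing product), the following shows what the “minimum necessary” access and audit-log features above look like when enforced in code: every read of a patient record goes through one function that projects the record down to the fields the caller’s role is granted, refuses anything outside that set, and writes an audit entry for allowed and denied attempts alike. The role names, the field assignments and the patient record are assumptions constructed for the example.

```python
from datetime import datetime, timezone

# Constructed sample record (not from the article); every value is fictitious.
PATIENT = {
    "patient_id": "P-1001",
    "name": "Jane Doe",
    "dob": "1980-04-12",
    "ssn": "000-00-0000",
    "diagnosis_codes": ["E119"],
    "insurance_member_id": "ABC123456",
    "balance_due": 125.00,
}

# Minimum necessary: each role is granted only the fields its work needs.
# The role names and field assignments are assumptions for this example;
# note that no role here needs "ssn", so no role can read it.
ROLE_FIELDS = {
    "front_desk": {"patient_id", "name", "dob", "insurance_member_id"},
    "biller": {"patient_id", "name", "dob", "insurance_member_id",
               "diagnosis_codes", "balance_due"},
    "clinician": {"patient_id", "name", "dob", "diagnosis_codes"},
}


class AccessDenied(PermissionError):
    pass


class PatientStore:
    """Record access goes through read(); every attempt, allowed or denied,
    lands in the audit log. The log is in memory here; a real system writes
    it somewhere the users it records cannot edit."""

    def __init__(self, records):
        self._records = {r["patient_id"]: r for r in records}
        self.audit_log = []

    def _audit(self, user, role, patient_id, fields, outcome):
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "user": user,
            "role": role,
            "action": "read",
            "patient_id": patient_id,
            "fields": sorted(fields),
            "outcome": outcome,
        })

    def read(self, user, role, patient_id, fields):
        """Return only the requested fields, and only if the role may see
        all of them; a partially allowed request is denied outright."""
        requested = set(fields)
        allowed = ROLE_FIELDS.get(role, set())     # unknown role: nothing
        denied = requested - allowed
        if role not in ROLE_FIELDS or denied:
            self._audit(user, role, patient_id, requested, "denied")
            raise AccessDenied(f"role {role!r} may not read {sorted(denied)}")
        record = self._records[patient_id]
        self._audit(user, role, patient_id, requested, "allowed")
        return {f: record[f] for f in requested}


if __name__ == "__main__":
    store = PatientStore([PATIENT])
    print(store.read("alice", "biller", "P-1001", ["name", "balance_due"]))
    try:
        store.read("bob", "front_desk", "P-1001", ["name", "diagnosis_codes"])
    except AccessDenied as exc:
        print("denied:", exc)
    for entry in store.audit_log:
        print(entry)
```

The deny-by-default shape matters more than the particular roles: a request that mixes permitted and forbidden fields is refused rather than silently trimmed, so a misconfigured screen or report fails loudly and leaves a trace in the log.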
Medical billing HIPAA compliant software should be able to accommodate the data fields HIPAA introduced, such as the 10-digit provider NPI number and ICD-10 diagnosis codes of up to 7 characters, and support the other transaction and code set rules introduced by the HIPAA legislation.
HIPAA Compliant Medical Billing Software Backup
HIPAA requires organizations to ensure that patient data is available to those who need to access it, including the patients themselves. This availability requirement implies that medical billing HIPAA compliant software must be able to back up data on a regular basis.
This backup should be kept “offsite”, in a location other than the machine or server that runs the health insurance claim software, so that in the event of fire or natural disaster the data can be retrieved from the offsite copy. The offsite copy is itself patient data, so it should be encrypted and access to it controlled just as for the live database. Even if this weren’t a HIPAA requirement, it’s still good practice to back up your data files to a secure offsite location.
If you own the host server or PC on which the software runs, it’s important to understand how and when the data is protected, and how to recover it in the event of a loss; a backup you have never restored has not been tested, so rehearse the recovery. If you use billing claim medical software or practice management software provided by a vendor, such as an online medical billing service, ask what they are doing to back up your data and what their emergency plans are.
Consultants and vendors who have access to your medical claims billing software or practice management system are considered business associates and should sign a business associate agreement. This agreement obligates them to adhere to the same policies and standards that your own office follows to protect the privacy and security of the database.
HIPAA Electronic Data Formats
HIPAA legislation introduced many changes in the definition of code sets and transaction specifications. The purpose of these changes is to standardize the transmission of billing information. If you’re looking for medical billing HIPAA compliant software, make sure it supports these HIPAA standards. In practice just about every software offering does, since claims that do not conform are rejected by clearinghouses and payers, and a vendor that cannot get claims paid won’t be in business very long.
Transactions and Code Sets Rule
The HIPAA/EDI provision was scheduled to take effect on October 16, 2003, with a one-year extension for certain “small plans”. However, due to widespread confusion and difficulty in implementing the rule, CMS granted a one-year extension to all parties. After July 1, 2005, most medical providers that file electronically had to submit their electronic claims using the HIPAA standards in order to be paid. Some of these changes were transparent to users of a clearinghouse, which would take the claim data submitted to it and reformat it to comply with the HIPAA standards before transmitting to insurance payers. On January 1, 2012 a new version, 5010, became effective, replacing version 4010. One of the biggest changes in the 5010 transaction standards is the use of larger diagnosis fields, with new qualifiers, for ICD-10-CM diagnosis codes.
The EDI (Electronic Data Interchange) transactions that medical billing HIPAA compliant software must support define how claim data is sent from the provider (or clearinghouse) to the insurance payer (the 837 claim) and how the Explanation of Benefits or remittance advice comes back (the 835). They also cover the formats for electronically checking eligibility (270/271), enrollment (834), and claim status (276/277): all of the electronic communications that a provider or billing service relies on and uses on a regular basis.
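As an added example, not code from the article or from any billing product, here is what “accommodating” the NPI and ICD-10 fields discussed above and the 5010 transaction format comes down to in practice: a small X12 reader that takes its delimiters from the ISA envelope, splits the file into segments, pulls NPIs out of NM1 segments (qualifier XX in NM108), verifies each NPI’s check digit with the CMS Luhn algorithm (Luhn over the constant prefix 80840 plus the 10 digits), and checks that HI diagnosis elements use the 5010 ICD-10-CM qualifiers (ABK/ABF rather than the 4010-era BK/BF) and have the 3 to 7 character ICD-10-CM shape. The interchange below is constructed for the example; the sender and receiver IDs, clinic, patient and codes are fictitious, and the file is trimmed to the segments the checks look at rather than a complete 837P.

```python
import re

# Constructed sample (not from the article): a trimmed 837P-style interchange
# with hypothetical sender/receiver IDs, patient and codes. It carries a
# billing provider NM1 with a valid NPI, a subscriber NM1 with a member ID
# (not an NPI), a rendering provider NM1 with an NPI whose check digit is
# wrong, and a 5010 HI segment with ICD-10-CM diagnoses.
SAMPLE_837 = (
    f"ISA*00*{'':10}*00*{'':10}*ZZ*{'SENDERID':15}*ZZ*{'RECEIVERID':15}"
    "*240101*1200*^*00501*000000001*0*P*:~"
    "GS*HC*SENDERID*RECEIVERID*20240101*1200*1*X*005010X222A1~"
    "ST*837*0001*005010X222A1~"
    "NM1*85*2*GOOD CLINIC*****XX*1234567893~"
    "NM1*IL*1*SMITH*JOHN****MI*ABC123456~"
    "NM1*82*1*DOE*JANE****XX*1234567890~"
    "HI*ABK:J0190*ABF:E119~"
    "SE*6*0001~"
    "GE*1*1~"
    "IEA*1*000000001~"
)


def isa_delimiters(data):
    """ISA is fixed width (106 chars): element separator at offset 3,
    component separator at 104, segment terminator at 105."""
    if not data.startswith("ISA") or len(data) < 106:
        raise ValueError("missing or truncated ISA header")
    return data[3], data[104], data[105]


def split_segments(data):
    """Return (segments as lists of elements, component separator)."""
    elem, comp, term = isa_delimiters(data)
    segments = [s.strip().split(elem) for s in data.split(term) if s.strip()]
    return segments, comp


def npi_check_digit_ok(npi):
    """NPI check digit: Luhn over the constant prefix 80840 plus the
    10-digit NPI (the CMS "add 24" shortcut is the same computation)."""
    if not re.fullmatch(r"[0-9]{10}", npi):
        return False
    total = 0
    for i, ch in enumerate(reversed("80840" + npi)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def extract_npis(segments):
    """NM1 segments whose NM108 qualifier is XX carry an NPI in NM109.
    Returns (entity code NM101, NPI, check digit ok)."""
    found = []
    for seg in segments:
        if seg[0] == "NM1" and len(seg) > 9 and seg[8] == "XX":
            found.append((seg[1], seg[9], npi_check_digit_ok(seg[9])))
    return found


# 5010 qualifiers for ICD-10-CM principal (ABK) and other (ABF) diagnoses;
# 4010 files used BK/BF for ICD-9-CM, which a 5010 check must reject.
ICD10_QUALIFIERS = {"ABK", "ABF"}
# ICD-10-CM shape: letter, digit, then 1 to 5 alphanumerics (3 to 7 chars);
# the decimal point is not transmitted. Shape only, not a code-set lookup.
ICD10_SHAPE = re.compile(r"[A-Z][0-9][0-9A-Z]{1,5}")


def extract_diagnoses(segments, comp):
    """HI elements are qualifier:code pairs. Returns (qualifier, code, ok)."""
    out = []
    for seg in segments:
        if seg[0] != "HI":
            continue
        for element in seg[1:]:
            qualifier, _, code = element.partition(comp)
            ok = qualifier in ICD10_QUALIFIERS and ICD10_SHAPE.fullmatch(code) is not None
            out.append((qualifier, code, ok))
    return out


def claim_file_problems(data):
    """Problems a billing system should catch before a claim leaves the office."""
    segments, comp = split_segments(data)
    problems = []
    for entity, npi, ok in extract_npis(segments):
        if not ok:
            problems.append(f"NM1 {entity}: NPI {npi} fails check digit")
    for qualifier, code, ok in extract_diagnoses(segments, comp):
        if not ok:
            problems.append(f"HI {qualifier}:{code}: not a 5010 ICD-10-CM diagnosis")
    return problems


if __name__ == "__main__":
    for problem in claim_file_problems(SAMPLE_837):
        print(problem)
```

Reading the delimiters from the ISA rather than hard-coding `*` and `~` is what lets the same reader handle files from different trading partners; the check-digit test catches the transposed or mistyped NPI that a payer would otherwise reject days later, and the qualifier test is the concrete difference between a 4010 and a 5010 claim file that the text above alludes to.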
Microsoft Based Systems and HIPAA
HIPAA Security Rule section 164.308(a)(5)(ii)(B) says that you must implement “procedures for guarding against, detecting, and reporting malicious software.”
So what does this mean to the typical practice or billing service?
Many practices are still using Windows XP desktop workstations in their offices. Although Microsoft stopped selling XP long ago, as of April 8, 2014 it no longer supports the operating system. What does that mean? It means Microsoft no longer releases security updates for it, so every vulnerability found after that date stays unpatched and XP machines become steadily easier targets for viruses, malware, Trojans, and the like.
It’s not just desktops that are at risk. Windows Server 2003, which was widely deployed and is still used in many smaller practices, reaches the end of support on July 14, 2015 and will no longer receive patches or updates after that date.
So if your operating system can no longer receive security updates, you cannot meet the requirement to guard against malicious software, and you won’t be HIPAA compliant. That’s why it’s important for providers and their vendors (such as billing services) to inventory their technology and schedule upgrades before the end-of-support date arrives rather than after.
The HITECH Act (Health Information Technology for Economic and Clinical Health Act), Subtitle D, was enacted as part of the American Recovery and Reinvestment Act of 2009. Subtitle D addresses the privacy and security concerns associated with the electronic transmission of health information and introduces new rules for the accounting of disclosures of a patient’s health information.
Subtitle D also extends the security and privacy requirements of HIPAA to business associates of covered entities, including the extension of criminal and civil penalties to business associates, which must be reflected in business associate agreements. These provisions took effect November 30, 2009.
In summary, medical billing HIPAA compliant software is software whose features enable your organization to comply with the provisions of HIPAA to protect patient information. It is also important that the software comply with the data interchange (EDI) requirements of HIPAA, otherwise you may not be able to send electronic data to a clearinghouse or insurance payer at all. Finally, medical billing HIPAA compliant software must be able to accommodate the HIPAA changes such as the provider NPI number and ICD-10 codes.