HIPAA Compliance
MedNautix's HIPAA Statement
April 2003 marked the compliance deadline for the HIPAA Privacy Rule. MedNautix's
suite of technology and services meets or exceeds the requirements set by this rule.
How Does MedNautix's System Comply with HIPAA?
MedNautix's executives and legal counsel have thoroughly reviewed the Department
of Health and Human Services' Transaction Standards, Security Standards, and
Privacy Standards, including the Final Privacy Rule published in August 2002.
The Transaction Standards are intended to improve the efficiency and effectiveness
of the U.S. health care system by establishing national standards for electronic
health care transactions. The standards apply only to data transmitted electronically
between healthcare providers and health plans. To the extent that these standards
may be applicable to MedNautix's business, MedNautix has been in compliance, even
prior to the HIPAA deadline. The Security Standards specify the steps that must
be taken to ensure the security of protected health information that is transmitted
electronically.
The Privacy Standards and the Final Rule, which required compliance by April 14,
2003, apply to all uses of individually identifiable health information, whether
or not it is in electronic form. MedNautix's ROI services are subject to the Rule,
as MedNautix is a "Business Associate" as defined within. MedNautix has
worked closely with its member facilities to stay abreast of changing requirements
and to help its members ensure compliance. Since MedNautix's business depends on
ensuring the confidentiality and security of the data it handles, most of what is
required under the Privacy Rule was incorporated into MedNautix's policies, procedures,
and training prior to the April 2003 deadline.
MedNautix's Legal Position Regarding Patient Fees Under HIPAA
MedNautix's compliance with the provisions of the Privacy Rule under HIPAA (the
Health Insurance Portability and Accountability Act) is as follows:
In Section 164.524(c)(4), HIPAA states that:
"If the individual requests a copy of the protected health information...the
covered entity may impose a reasonable, cost-based fee, provided that the fee includes
only the cost of: (i) Copying, including the cost of supplies for and labor of copying,
the protected health information requested by the individual; (ii) Postage, when
the individual has requested the copy...to be mailed, and (iii) Preparing an explanation
or summary of the protected health information, if agreed to by the individual as
required by paragraph (c)(2)(ii) of this section."
This reasonable, cost-based fee excludes charging individuals for such items as
the records search, retrieval of the file, administrative costs, clerical costs,
etc., although these items typically constitute a considerable percentage of MedNautix's
cost for performing these services. In regulated states, the statutory/regulatory
per-page fee is deemed to be reasonable for this "individual" fee purpose
under HIPAA.
Attorney and insurer rates did not change under HIPAA. This is due to specific direction
from the Department of Health and Human Services (HHS), the author of the HIPAA
Privacy Rule. In the August 14, 2002, Final Rule published in the Federal Register
of that date, Volume 67, No. 157, on page 53254, HHS states:
"The Department clarifies that the Rule, at Section 164.524(c)(4), limits only
the fees that may be charged to individuals, or to their personal representatives
in accordance with Section 164.502(g), when the request is to obtain a copy of protected
health information about the individual in accordance with the right of access.
The fee limitations do not apply to any other permissible disclosures by the covered
entity, including disclosures that are permitted for treatment, payment and health
care operations, disclosures that are based on an individual's authorization that
is valid under 164.508, or other disclosures permitted without the individual's
authorization as specified in 164.512...."
(Note: "personal representatives" are defined in 164.502(g) as (1) parents/guardians,
or (2) administrators/executors of the estate of a deceased person, or (3) those
who hold a healthcare power of attorney.)
This definitive statement by HHS in the Comments section of the Final Rule bolsters
the language of the regulation as published in December 2000 in 65 Fed. Reg. 250,
page 82824.
MedNautix HIPAA POLICY:
MedNautix is committed to protecting the privacy of your members' personal health
information. Part of this commitment is strict compliance with the Privacy Rule
of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which requires
us to take additional measures to protect personal information.
How has MedNautix handled HIPAA Rules and Regulations?
The Health Insurance Portability and Accountability Act (HIPAA) is legislation
that was passed in 1996. The United States Department of Health and Human Services
has been given authority to define regulations related to transactions and code
sets, identifiers, privacy and security. This legislation will accomplish many things;
one of its more notable accomplishments will be improved accountability
for the privacy of an individual's medical records and other personal health
information.
The privacy standards of HIPAA provide a framework for health privacy protection
which serves to enhance and ensure the protection of patient medical and health
information. These standards have changed the manner in which information is handled
and delivered. The Privacy Rule applies only to health plans, health care clearinghouses
and certain covered health care providers, known as "covered entities"
under the legislation. Since most health care providers rely on contractors and
other "business associates" to assist them in providing quality care to
their patients, the issue of privacy has become more complicated. MedNautix is considered
a business associate.
A business associate is typically defined as, “a person or entity that provides
certain functions, activities or services for or to a covered entity, involving
the use and/or disclosure of protected health information.”
The business associate provisions within HIPAA were included due to a concern that
covered entities disclose protected health information to a wide range of third
parties. The business associate rule places restrictions on third parties who perform
certain covered functions on behalf of a covered entity and receive protected health
information. Without restrictions on these disclosures, the protections intended
by HIPAA would not cover a significant portion of the protected health information that
is disclosed to business associates.
The privacy law requires covered entities to have written agreements and satisfactory
assurances that the information they disclose to their business associates will:
remain confidential, only be used for the stated purpose, be safeguarded from misuses,
and assist the covered entity in complying with their responsibilities under the
law. Information is only provided to a business associate to help the covered entity
carry out their health care function – never for independent use by the business
associate.
A Business Associate Agreement with our office requires that we will:
Use the information disclosed only for the permitted purpose.
Restrict the disclosure of all protected health information to those authorized to receive it.
Use any and all available and appropriate protections to prevent the use or disclosure of information other than as provided by the agreement.
Ensure that subcontractors or agents to whom protected health information is provided agree to the same restrictions and conditions.
Make available our internal practices, books, and records relating to the use and disclosure of protected health information to the Secretary of the Department of Health and Human Services, if requested.
Return or destroy all protected health information received from the covered entity at termination of the agreement.
Authorize termination of the agreement by the covered entity upon determination that the business associate has violated a material term of the agreement.
How do MedNautix's systems and processes comply with HIPAA?
MedNautix's operations executives and its legal counsel have reviewed the Department
of Health and Human Services' Transaction Standards, Security Standards, and
Privacy Standards, including the Final Privacy Rule published in August 2002.
The Transaction Standards are intended to improve the efficiency and effectiveness
of the U.S. health care system by establishing national standards for electronic
health care transactions. The standards apply only to data transmitted electronically
between healthcare providers and health plans. The Security Standards specify the
steps that must be taken to ensure the security of protected health information
that is transmitted electronically. As a business associate, MedNautix has been
in compliance with all rules, even prior to the HIPAA deadline.
The Privacy Standards and the Final Rule apply to all uses of individually identifiable
health information, whether or not it is in electronic form. Since MedNautix’s business
depends on ensuring the confidentiality and security of the data it handles, any
policies required under the Privacy Rule were incorporated into our policies, procedures,
and training prior to the April 2003 deadline.
We have also taken various measures to protect our systems and the information contained
therein. We follow the HIPAA Security Rule, which applies to health information
maintained or transmitted by a Covered Entity in electronic form. This information
requires administrative, physical and technical protection.
Administrative protections:
Security management – policies to prevent, detect, contain and
correct security violations; risk analysis, risk management, and sanction/security
policies.
Assigned responsibility – a single individual must have responsibility,
assigned in writing, for the overall security of a covered entity's information.
Workforce security – only authorized staff may have access to information.
Information access – policies for authorizing, establishing and
modifying access to information.
Security awareness/training – a program for the entire staff is developed
and maintained.
Security incident procedures – policies are in place to report,
respond to and manage security incidents.
Business continuation plan – for response to a disaster/emergency
that damages information systems containing information.
Evaluation – periodically determine the extent to which our security
policies meet the ongoing requirements.
Business Associate Agreement – states that we will adequately safeguard
the information.
Physical protections:
Facility access – limit physical access to information.
Workstation use – policy specifies the use of workstations and
the characteristics of the physical environment of workstations that can access
information.
Workstation security – limited only to authorized users.
Equipment controls – for the receipt and removal of hardware
and electronic media containing information.
Technical protections:
Access control – only authorized personnel have access.
Audit controls – to record and examine activity within systems.
Integrity – to protect information from improper modification or
destruction.
Person/entity authentication – to verify that persons seeking access
to information are who they claim to be.
Transmission security – to prevent unauthorized access to information
that is transmitted over an electronic network (e.g., the Internet or an intranet).