HIPAA and the HITECH Act

The Health Insurance Portability and Accountability Act (HIPAA) is a US healthcare law that establishes requirements for the use, disclosure, and safeguarding of individually identifiable health information. It applies to covered entities—pharmacies, doctors’ offices, hospitals, health insurers, and other healthcare companies—with access to patients’ protected health information (PHI), as well as to business associates, such as software service and IT providers, that may access PHI on their behalf. The law regulates the use and dissemination of PHI in four general areas:

1. Privacy, which covers patient confidentiality.

2. Security, which deals with the protection of information, including physical, technological, and administrative safeguards.

3. Identifiers, which are the types of information that cannot be released if collected for research purposes.

4. Codes for electronic transmission of data in healthcare-related transactions, including eligibility and insurance claims and payments.

The scope of HIPAA was extended with the enactment of the Health Information Technology for Economic and Clinical Health (HITECH) Act. Together, HIPAA and HITECH Act rules include:

The HIPAA Privacy Rule, which focuses on the right of individuals to control the use of their personal information, and covers the confidentiality of PHI, limiting its use and disclosure.

The HIPAA Security Rule, which sets the standards for administrative, technical, and physical safeguards to protect electronic PHI from unauthorized access, use, and disclosure. It also includes such organizational requirements as Business Associate Agreements (BAAs).

The HITECH Breach Notification Final Rule, which requires giving notice to individuals and the government when a breach of unsecured PHI occurs.

HIPAA regulations require that covered entities and their business associates—in this case, Abacus when it provides services to covered entities—enter into contracts to ensure that those business associates will adequately protect PHI. These contracts, or BAAs, clarify and limit how the business associate can handle PHI, and set forth each party’s adherence to the security and privacy provisions set forth in HIPAA and the HITECH Act. Once a BAA is in place, Abacus customers—covered entities—can use its services. Currently there is no official certification for HIPAA or HITECH Act compliance. However, those Abacus services covered under the BAA are undergoing audits conducted by accredited independent auditors.

HIPAA History

The Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule”) establishes, for the first time, a set of national standards for the protection of certain health information. The U.S. Department of Health and Human Services (HHS) issued the Privacy Rule to implement the requirement of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Privacy Rule standards address the use and disclosure of individuals’ health information—called “protected health information” by organizations subject to the Privacy Rule — called “covered entities,” as well as standards for individuals’ privacy rights to understand and control how their health information is used. Within HHS, the Office for Civil Rights (OCR) has responsibility for implementing and enforcing the Privacy Rule with respect to voluntary compliance activities and civil money penalties.

Privacy and Security

Abacus is firmly committed to providing the best products and services available, while protecting the privacy and security of our customer’s information. We realize the confidentiality within the services that we provides and Abacus has established an information security policy in an effort to protect the security, confidentiality, integrity, and availability personally identifiable information, corporate trade secrets, intellectual property, and takes all reasonable and appropriate administrative, technical and physical safeguards to protect the security of this information. Our corporate values revolve around the commitment to service, excellence, integrity, privacy and security. We work closely with each of our customers to address individual needs and concerns and deliver a solution that meets their specific business requirements.

Abacus has received full accredited from EHNAC, see https://www.ehnac.org/accredited-organizations/, and has completed the HIPAA EPCS certification and has been approved for electronic prescribing of controlled substances (EPCS) via our pharmacy software applications. To earn certification, the company’s software application for EPCS functionality was audited as well as our process, facility, staff, procedures and operation to ensure that it complied with the requirements delineated in the Drug Enforcement Administration’s (DEA) EPCS Final Rule, 21 CFR Part 1300, 1304, 1306, and 1311. The certification audit is a requirement before prescribers or pharmacies can begin to exchange e-prescriptions with controlled substances and to be activated by SureScripts to send or receive EPCS through its prescription exchange network. Furthermore, it will allow Abacus to provide pharmacies’ solutions that will meet mandate for paperless EPCS e-prescriptions as required in some States.

The software is also certified or meets regulatory standards set by the National Council for Prescription Drug Programs (NCPDP), United States Pharmacopeia (USP), the U.S. Department of Health and Human Services (HHS), the Health Insurance Portability and Accountability Act (HIPAA), American Society for Automation in Pharmacy (ASAP) and the Food and Drug Administration’s (FDA) Title 21 CFR Part 11 rules.

If you have more questions call us at (305) 220-0400 or