• E-mail
• Print
• RSS

Can an ASP provide a HIPAA-compliant solution?

HIPAA Weekly Advisor, October 22, 2001

Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!

Q: We are considering using an application service provider (ASP) to automate the referral and eligibility process in our medical practice. Currently we spend a lot of time phoning and faxing authorization forms to referrals. Can an ASP provide a HIPAA-compliant solution?

A: The Internet has created vast opportunities to develop ASPs and other improvements in communications between providers and consumers and other providers. Some ASPs may want to avoid health care organizations because of the complexity of the health care legacy applications, but there are a number of Internet applications that can be valuable to health care organizations if ASPs opt to provide them.

It's no wonder that health care providers trying to comply with HIPAA and reduce monumental administrative paperwork are looking to automate transactions such as referrals, authorizations, claims submission, eligibility checks, and remittance. It moves them one step closer to a paperless office, reduces the insecure faxing of protected health information, and provides cleaner claims with fewer errors for speedier reimbursement.

HIPAA requires that provider organizations record and audit their security and privacy policies and require vendors or outsourcing companies, such as ASPs, to sign business partner agreements. These agreements protect the health care organization by ensuring the vendor or subcontractor is complying with the requirements of HIPAA. Nevertheless, the provider shares responsibility when security breaches or other disasters occur.

To narrow down your choice of vendors, ask these important questions:

• Is the ASP familiar with HIPAA and does its staff understand the standards and requirements?
• Does the ASP employ or use certified security personnel (e.g., CIS, CISSP, CISA)?
• Does the ASP provide any enhanced security features to comply with HIPAA?
• What type of access controls can be enabled (by role or user)?
• What level of encryption does the ASP use?
• Does the ASP use firewalls as a perimeter defense?
• How often does the ASP apply patches to operating systems and databases to prevent hacker attacks and fix known vulnerabilities?
• How comprehensive are the ASP's disaster recovery plan and mechanisms to protect data integrity?
• Does the ASP carry technology liability insurance and their coverage?

Always have legal counsel review the language of any agreement with an ASP or other outsourcing partner.

Editor's note: The excerpt above, from the October 2001 issue of Briefings on HIPAA, was answered by Jon Bogen, president of HealthCIO Inc. in Duxbury, MA. If you have a question for him, write to BOH, P.O. Box 1168, Marblehead, MA 01945, or send an e-mail to HIPAA Weekly Advisor editor Brian Driscoll at bdriscoll@hcpro.com.

Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!

• E-mail to a Colleague
• Print
• RSS
• Archive