Tip: Include access management language in clearinghouse contracts
HIPAA Weekly Advisor, April 24, 2003
Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!
Just as facilities must protect their employees' health information from being used for job-related purposes, organizations that have clearinghouses must have the appropriate mechanisms in place to prevent improper use of patient information.
The final security rule's information access standard requires organizations to isolate the health care clearinghouse function. Hospitals don't typically have a health care clearinghouse operation, but major vendors or corporations that are considered hybrid entities might include this feature, explains William Miaoulis, CISA, principal at Phoenix Health Systems, in Montgomery Village, MD. "If you have a clearinghouse, you have to make sure the information coming to that clearinghouse is not shared with the larger entity."
Develop policies and procedures to protect information from unauthorized access, he says.
Hospitals, physicians, and others who work with clearinghouses must have business associate contracts. They should indicate in the agreements that information can only be used for specified purposes, says Miaoulis.
"The clearinghouses need to be able to prove that people in the larger organization don't have access," he says. "If you run an access list, it shouldn't show that people outside the clearinghouse have access to the data."
Many large vendors have their own clearinghouses, he says. Since clearinghouses are also covered entities, they must separate information used for clearinghouse purposes from all other information. "Information should only be processed or accessed by authorized people."
Separate information by developing policies and procedures and using access controls. You may choose to use a firewall or role-based access, says Miaoulis. "Look at a list of people who have access, and make sure they need it."
Clearinghouses transmit a lot of information, he says. "[They] get data from a lot of different providers." Train employees to only access information needed to do their jobs and make sure they're sending information back to the right people.
From the upcoming May 2003 issue of Healthcare Information Security.
Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!
Related Products
Most Popular
- Articles
-
- Q/A: Volume requirement for reporting hydration services
- Featured blog post: Nurses face felony charges after reporting physician to the Texas Medical Board
- Catch up on what's new with injections and infusions
- Topic: CMS, OESS post new security compliance review information, checklist
- Capturing all necessary codes for IUD insertion and removal can be challenging
- What does case-mix index mean to you?
- HIPAA Q&A: Level of encryption needed for email
- QA:Coding multiple initial infusions
- News and briefs: Oklahoma Osteopathic Association against residency bill change
- OB services: Coding inside and outside of the package
- E-mailed
-
- Q/A: Volume requirement for reporting hydration services
- Featured blog post: Nurses face felony charges after reporting physician to the Texas Medical Board
- HIPAA Q&A: Level of encryption needed for email
- CMS has reformulated payments for some bilateral procedures
- Catch up on what's new with injections and infusions
- New conflicts of interest create new challenges
- Q/A. One injection code or two?
- What does case-mix index mean to you?
- Hospitals are not bound by InterQual criteria for determining patient status
- ED-to-inpatient transfers are flawed with safety gaps
- Searched