Privacy, Security and Compliance
Experian Health is highly sensitive to the many privacy issues surrounding consumer information. Among other things, Experian Health does the following:
- All data is transmitted via encrypted Web servers
- All users are required to have a business need (permissible purpose) to access the services
- All clients are screened to ensure appropriate use practices and are granted access only to the appropriate level of information
Experian Health has established procedures to comply with the following regulations:
- Gramm-Leach-Bliley Act (GLBA)
- Fair Credit Reporting Act (FCRA)
- Health Insurance Portability and Accountability Act (HIPAA)
Experian Health has a commitment to provide secure and reliable services to clients and is diligent about compliance to the HIPAA Privacy and Security regulations. The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is a broad federal law enacted by Congress, in part to help protect patient privacy. The part of the law that deals with privacy is intended to do the following:
- Set limits on the use and disclosure of health information
- Establish safeguards that hospitals, physicians, health plans and clearing-houses (“covered entities”) and their business associates must have in place to protect the privacy of health information
- Hold violators accountable with civil and criminal penalties if they violate a patient’s privacy rights
As a trusted business associate with a variety of covered entities, Experian Health has implemented many safeguards, including a corporate HIPAA Security Program to effectively communicate and administer the HIPAA Privacy and Security regulations internally to associates and with business processes throughout the organization.
The HIPAA Security Program is designed to:
- Adapt and implement HIPAA Privacy and Security regulations to all areas of the organization
- Protect the confidentiality, integrity and availability of electronic PHI
- Use administrative, physical and technical safeguards to address reasonably anticipated threats and hazards to PHI
Final Omnibus Rule - Deadline September 23, 2014
The final omnibus rule greatly enhances a patient’s privacy protections, provides individuals new rights to their health information, and strengthens the government’s ability to enforce the law.
The changes in the final rulemaking provide the public with increased protection and control of personal health information. The HIPAA Privacy and Security Rules have focused on health care providers, health plans and other entities that process health insurance claims. The changes announced today expand many of the requirements to business associates of these entities that receive protected health information, such as contractors and subcontractors.
What to Expect: Experian Health has implemented the requirements of this ruling in the form of Risk Assessments, updated breach notification policies and process, Business Associate responsibilities and requirements and regular HIPAA training. If you have any questions related to these changes or how Experian Health can assist you in this regard, please reach out to firstname.lastname@example.org, Compliance and Privacy Officer.
To learn more about this regulation, please visit: http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html and http://www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html
There are many forms of compliance. In addition to privacy and security, Experian Health’s products and consultative services are required to meet and accept many industry compliance guidelines as set forth by CMS, HHS and HIPAA. These compliance guidelines often require changes to Experian Health’s products, and these changes can depend on the compliance of other healthcare trading partners and entities with which data is managed, exchanged and stored. By working in coordination with clients, vendors and trading partners, Experian Health is continually preparing to meet compliance mandates and to work within expected time frames to ensure successful outcomes. With an internal compliance task force to watch industry news, monitor proposed changes, prepare products and services, and communicate with clients as necessary, Experian Health maintains a year-round focus on compliance initiatives and industry changes.
A list of current compliance projects will be available here for reference, and any questions related to upcoming industry changes should be directed to our compliance task force at email@example.com.
Upcoming Compliance Mandates
ICD-10 — Deadline October 1, 2014
What is ICD-10?
The Department of Health and Human Services (HHS) announced in 2008 a proposed regulation that would replace the ICD-9 diagnosis code sets with the greatly expanded ICD-10-CM (diagnosis) and ICD-10-PCS (hospital procedure) code sets.
What to Expect: Experian Health implemented the acceptance of ICD-10 within applications that contain diagnosis coding in mid-2011 and will continue working to incorporate additional ICD-10 enhancements where applicable through 2014. Although ICD-10 conversion coding is based upon the client hospital information system or practice management system, plans related to assisting clients with the ICD-10 transition will be ongoing. Clients should make Experian aware of any changes to HIS or PMS systems related to ICD-10 data elements, as we will want to work with your vendor changes to ensure connections or transfers of data are not interrupted. Please contact support if you have any questions about these changes.
To learn more about this regulation, please visit CMS at www.cms.gov/home/regsguidance.asp.
All ICD-10 vendor surveys can be submitted to firstname.lastname@example.org.
For additional questions regarding our commitment to privacy, security and compliance, please contact email@example.com.
Meaningful Use – Stage 2
Expected compliance by 2014
In July 2010, the Centers of Medicare & Medicaid Services (CMS) published a final rule which established three phases of the EHR Incentive Program. The three stages of Meaningful Use are designed to support eligible professionals and hospitals with implementing and using EHRs in a meaningful way to help improve the quality and safety of the nation’s healthcare system. Stage 1 of the EHR Incentive program began in 2011. On September 4 2012, CMS published a final rule that specifies the Stage 2 criteria that eligible professionals (EPs), eligible hospitals, and critical access hospitals (CAHs) must meet in order to continue to participate in the Medicare and Medicaid Electronic Health Record (EHR) Incentive Programs. All providers must achieve meaningful use under the Stage 1 criteria before moving to Stage 2.
What to Expect: Experian Health offers products and services to support the guidelines expected under Meaningful Use. To Learn more about the regulations, please visit CMS at http://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Stage_2.html.
X12 5010 EDI Transaction Standards - Effective as of June 30, 2012
What is HIPAA 5010?
In January 2009, HHS announced a final rule that replaces the current version of the electronic transaction standards (4010) with version 5010 for all electronic claim, remittance and eligibility transactions. All transactions must be transmitted in compliance with standards set forth by HIPAA by the final compliance date of Jan. 1, 2012.
What to Expect: Experian Health uses the 5010 transaction standard as applicable to all transaction-based products and services. To learn more about this regulation, please visit CMS at www.cms.gov/home/regsguidance.asp.