HIPAA

Health Insurance Portability and Accountability Act (HIPAA)

Availity specifically agrees to adhere to the Standards of Privacy and Security of Individually Identifiable Health Information published by the U.S. Department of Health and Human Services Office for Civil Rights (45 CFR Parts 160 and 164).

In compliance with HIPAA Security regulations, Availity completed, using an independent security consultant, a risk assessment and gap analysis of each of the Implementation Specifications of the Security Standards at Subpart C of Part 164 of the HIPAA regulations.

Policies, procedures, and technical and business standards have been implemented to ensure complete compliance with each of the Implementation Specifications, including:

  • Developing a Security Program documenting decisions and the compliance approach to each Required and Addressable Implementation Specification, including:
    • Documenting data flow of protected health information (PHI) and electronic PHI in information systems
    • Inventory of all hardware, in-house developed software, and vendor applications
    • Policies and Procedures that set standards of expected conduct, define sanctions, and provide for ongoing security training, education, and awareness
    • Incident Response Process for reporting of violations
    • On-going auditing, evaluations, and risk management
  • Updating existing Business Associate Trading Partner Agreements, where needed
  • Implementing extensive technical security safeguards, including:
    • Contingency/Disaster Recovery Plan
    • Intrusion prevention/detection
    • Malware protection
    • Log-on authentication and password protection, limiting access to only authorized entities
  • Maintaining complete audit trails and logs for all transactions that access patient-level data on all internet-based services

At Availity, PHI shall be used solely under the Treatment, Payment, or Healthcare Operations provisions, as defined by the U.S. Department of Health and Human Services.

Availity is committed to continued compliance with the HIPAA Privacy regulations, which became effective on April 14, 2003; with the HIPAA Transactions and Code Sets Rule, which became effective October 16, 2003; and with the Security regulations, which became effective April 21, 2005.

Availity transaction standards

The current versions of Availity applications support the transaction standards promulgated under HIPAA regulations and applicable to clearinghouses. As part of our commitment to fully meet industry standards, Availity voluntarily sought and received CLAREDI certification of HIPAA compliance for the acceptance of the following transactions:

  • X12N 270/271—Eligibility Inquiry and Response
  • X12N 276/277—Claims Status Inquiry and Response
  • X12N 278—Authorizations and Referrals
  • X12N 837P—Professional Claim
  • X12N 837I—Institutional Claim
  • X12N 835—Remittance Advice

Standards for other systems

Further, to protect customer investments in software applications that have been in use, Availity offers a number of clearinghouse and data transformation solutions to assist customers in their transition to HIPAA-mandated standard transactions, where applicable. Please keep in mind that entities that use the Availity Health Information Network applications, or that request transformation to or from the HIPAA standard transactions, and that are defined as "Covered Entities" under HIPAA regulations, are required to sign the Availity "Business Associate Trading Partner Agreement" (BAA).

Availity requires those customers with electronic access to an individual's identifiable health information held by Availity to sign a BAA. This agreement specifies that all data provided by Availity, or to which Availity grants access, will be secured as required by the current HIPAA standards. Users identified within each customer's organization as having the authority to gain access to Availity's systems will be required to acknowledge and agree to abide by the terms of use and other confidentiality requirements of Availity. The customer will be responsible for its own plan for security measures used to protect the data accessed, as well as for any suspected breaches of the security measures. The customer will additionally be expected to maintain disciplinary procedures regarding breaches of computer security and confidentiality.

Availity will audit the customer's account for "entity access" but will rely upon the client to monitor the appropriateness of the access. Availity is not accountable for auditing the customer site in accordance with the Accountability of Disclosures Privacy requirement because all interactions will be for the purpose of treatment, payment, or health care operations. Any customer use of information beyond these purposes must fall within the scope of the organization's disclosure policies.