The Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (HIPAA) have had a significant impact on the health care industry. HIPAA applies to “covered entities” and, indirectly, to their “business associates.” As a health care clearinghouse, athenahealth® is a covered entity under HIPAA. athenahealth also acts as a business associate on behalf of its customers. athenahealth has spent a considerable amount of time and resources to develop programs and systems to ensure compliance with the key HIPAA standards and requirements.
Standards adopted under HIPAA require covered entities to transmit and receive certain electronic transactions in standard formats (the Transactions Rule). Because athenahealth submits health care claims on behalf of its customers, Transactions Rule compliance is a core part of athenahealth’s business. The information needed to generate HIPAA compliant transactions is fully integrated into athenaNet®, and the Transactions Rule requirements are embedded in the fabric of the athenaNet workflow, from patient scheduling through payment posting. Using the integrated data, claims are formatted, and then submitted and processed in HIPAA standard formats.
Privacy standards adopted under HIPAA (the Privacy Rule) require that covered entities use or disclose Protected Health Information (PHI) only as permitted or required by the Privacy Rule. athenahealth has implemented policies and procedures designed to ensure compliance with the Privacy Rule requirements by athenahealth’s workforce. In addition, athenaNet helps enable athenahealth’s clients to comply with the Privacy Rule. For instance, athenaNet functionality includes privacy notice tracking; the ability to view, log, and update disclosures of PHI; and the ability for clients to assign differing levels of user access to PHI.
Security standards adopted under HIPAA (the Security Rule) require that covered entities implement appropriate physical, administrative, and technical measures to ensure the confidentiality, integrity and availability of PHI in electronic form (ePHI).
athenahealth has performed a risk analysis under the Security Rule, and has prepared a risk management plan in which it has identified the measures in place to ensure that it maintains the confidentiality, integrity, and availability of ePHI.
Regulations adopted under HIPAA have mandated the use of a national provider identifier (NPI) in HIPAA standard electronic transactions. athenahealth has worked proactively on compliance with the NPI requirements on behalf of its customers.