HIPAA Compliant Medical Billing Services & Software
What is HIPAA?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was created to protect the privacy and security of certain health information. To fulfill this requirement, The U.S. Department of Health and Human Services (HHS) published the HIPAA Privacy Rule and the HIPAA Security Rule. The Privacy Rule, also known as the Standards for Privacy of Individually Identifiable Health Information, establishes national standards for the protection of certain health information. The Security Standards for the Protection of Electronic Protected Health Information (the Security Rule) establish a national set of security standards for protecting certain health information that is held or transferred in electronic form. The Security Rule operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that organizations called “covered entities” must put in place to secure individuals’ “electronic protected health information” (e-PHI). Within HHS, the Office for Civil Rights (OCR) has responsibility for enforcing the Privacy and Security Rules with voluntary compliance activities and civil money penalties.
PMG & HIPAA
According to HIPAA, PMG is considered a ‘business associate’ of your Community Health Center. The HIPAA Privacy Rule allows your Community Health Center to release protected health information to business associates such as PMG as long as there are assurances that they too will follow all HIPAA compliance rules. PMG signs and submits a HIPAA Compliant Business Associate Agreement (BAA) at the start of each new client onboarding.
Obligations and activities under the BAA include but are not limited to:
- Business Associate agrees not to use or further disclose PHI other than as permitted or required by this Agreement, as required by law or as permitted by law, provided such use or disclosure would also be permissible under the law if made by the client.
- Business Associate agrees to use appropriate safeguards to prevent use or disclosure of the PHI other than as provided for by this Agreement. Business Associate agrees to implement Administrative Safeguards, Physical Safeguards and Technical Safeguards (“Safeguards”) that reasonably and appropriately protect the confidentiality, integrity, and availability of PHI as required by the HIPAA Security Rule.
- Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of PHI by Business Associate in violation of the requirements of this Agreement, or of any Security Incident of which it becomes aware.
- Business Associate agrees to report to the client any use or disclosure for the PHI not provided for by this Agreement.
- Business Associate agrees to provide access, at the request of the client and in the time and manner designated by the client, to PHI in a Designated Record Set, to the client or, as directed by the client, to an Individual in order to meet the requirements under 45 CFR § 164.524.
- Business Associate agrees to make any amendment(s) to PHI in a Designated Record Set that the client directs or agrees to pursuant to 45 CFR §164.526 at the request of the client or an Individual, and in the time and manner designated by the client.
- Business Associate agrees to make internal practices, books, and records relating to the use and disclosure of PHI received from, created or received by Business Associate on behalf of, the client available to the client, or at the request of the client to the Secretary, in a time and manner designated by client or the Secretary, for the purposes of the Secretary determining client’s compliance with the HIPAA Privacy Rule and Security Rule.
- Business Associate agrees to document such disclosures of PHI and information related to such disclosures as would be required for the client to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR §164.528.
- Business Associate agrees to provide to the client or an Individual, in a time and manner designated by the client, information collected in accordance with this Agreement, to permit the client to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR §164.528.
- Business Associate represents that if applicable, it has policies and procedures in place designed to detect, prevent and mitigate the risk of Identity Theft to comply with the Federal Trade Commission’s Identity Theft Prevention Red Flags Rule (16 CFR § 681.2).
Permitted Uses and Disclosures under the BAA:
- Except as otherwise limited in this Agreement, Business Associate may use or disclose PHI to perform functions, activities, or services for, or on behalf of, the client as specified in the Service Arrangement, provided that such use or disclosure would not violate the HIPAA Privacy Rule if done by the client, or the minimum necessary policies and procedures of the client required by 45 CFR §164.514(d).
- Except as otherwise limited in this Agreement, Business Associate may use PHI for the proper management and administration of the Business Associate or carry out the legal responsibilities of the Business Associate.
- Except as otherwise limited in this Agreement, Business Associate may disclose PHI for the proper management and administration of the Business Associate, provided that disclosures are Required By Law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.
- Except as otherwise limited in this Agreement, Business Associate may use PHI to provide Data Aggregation services to the client as permitted by 45 CFR §164.504 (e)(2)(i)(B).
- Business Associate may use PHI to report violations of law to appropriate Federal and State authorities, consistent with 45 CFR §164.502(j)(1).
How PMG Remains Compliant With HIPAA
COMMITTED to Ethical Business Practices
The mission of PMG’s HIPAA Compliance Department is to ensure that PMG achieves its financial, operational and strategic goals while maintaining compliance with HIPAA and all associated laws and regulations.
COMMITTED to responsibility and accountability
The HIPAA Compliance Team at PMG is dedicated to ensuring the privacy of your patients.
COMMITTED to having the best team at your service.
PMG’s team understands the complexities of HIPAA Compliance. We ensure that employees receive appropriate “as needed” HIPAA compliance training.
PMG has been and will continue to be committed to the highest standards of HIPAA compliant billing practices. The Code of Business Ethics reinforces PMG’s commitment to integrity, clearly identifies PMG’s expectations for staff compliance with HIPAA laws and policies, and subscribes to the accepted standards of business practice.
This mission is directly represented in PMG’s HIPAA Compliance Plan and Code of Business Ethics. Responsibility for overseeing and continually updating these HIPAA compliance procedures rests with the Compliance Manager with support from a team of Compliance Specialists. The Compliance Manager, with input and direction from the Compliance Committee, and department managers not on the Committee, shall develop a general in-service training and education program in support of the HIPAA Compliance Program. The HIPAA training and education program will be reviewed annually and updated whenever changes in regulations, policy or guidance require revision of training materials.
Upon hire, each PMG employee will complete PMG’s HIPAA compliance training. HIPAA compliance training will be required annually and will be mandatory for all employees as a material condition of continuing employment. In addition, the Compliance Manager, Compliance Committee, and PMG managers shall ensure that employees receive appropriate “as needed” HIPAA compliance training, including specific training addressing revisions or additions to HIPAA standard code sets.