The Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) were established to reduce the costs of healthcare administration, protect individual privacy, and secure health care information. These provisions, which create uniform standards for the handling and transmission of individually identifiable healthcare information, can be broken down into four separately defined standards:

• electronic transactions and code sets
• privacy
• security
• unique identifiers

Electronic Transactions and Code Sets Standards

Among other things, this rule establishes a uniform format for sending and receiving electronically transmitted healthcare information, such as claims, eligibility information and payments. It also mandates the adoption of a standardized set of codes that would be used to describe injuries and illnesses, identifying the cause of the problems, and defining the remedies administered. This section has the most obvious correlation to a practice management system.

Privacy Standards

These regulations define a patient's control of their medical records, including restrictions on the access, uses, and disclosures of their personal and medical information. It also imposes stringent safeguards to protect paper-based medical records, and requires that a "Notice of Information Practices" be given to patients that outlines how the healthcare organization plans to use and safeguard all health information gathered.

Security Standards

Both the security and privacy standards share a number of common themes, primarily in regards to the safety of patient information. For example, the rules require the implementation of physical and technological safeguards to protect the security of electronically stored health information. The security standards also call for an administrative infrastructure similar to the privacy standards that manage these safeguards.

Unique Identifiers

The regulations specify that four identifiers be used in healthcare transactions to distinguish employers, health plans, providers, and patients. The employer identifier is slated to be the same number as the Employer Identification Number (EIN) issued by the Internal Revenue Service. The provider number would be a single code that would be used by healthcare providers with every company they do business with. The health plan identifier - while similar to provider numbers - are unique codes to identify health plans. This is meant to distinguish organizations that offer both health plans and healthcare provider services. Individual identifiers would be used to identify patients.

The Relationship Between Software and HIPAA

The most important thing to remember when establishing the relationship between practice management systems and the HIPAA regulations is that not all of HIPAA's rules apply to medical software. Practice management systems were originally designed to increase productivity and reduce the chances of error. HIPAA essentially regulates some of the software's core functionality, such as sending electronic transactions and restricting access to electronically stored patient information. However, using a practice management system does not mean that an organization will be in complete compliance with the legislation. After all, software cannot prevent a doctor from violating the privacy standards by talking about a patient without the patient's permission.

Most practice management systems by design perform two of the four tasks regulated by HIPAA: electronic transactions and security. Software that sends and receives electronic transactions should be pre-programmed to adhere to the ANSI X12 standards defined by HIPAA, as well as provide the uniform code sets for patient information that is electronically stored. To address the security issues, medical office software should also be able to restrict user access to records, and more importantly, track what activity took place with a patient's record.

While on the surface it seems as though there is very little practice management systems can do to address the privacy and unique identifiers standards, there are, in fact, features that can help medical offices comply with these regulations. Since the privacy standards require that patients receive a letter advising them of how their individually identifiable information will be used, medical software systems can produce customized letters for each patient, and can track which patients have acknowledged receiving and signing these letters. And just as the systems store and use the standardized code sets, they could also maintain the employer, health plan, provider, and patient unique identifiers.