Electronic Medical Billing Software, HIPAA Compliance, and Role-Based Access Control


HIPAA compliance requires special focus and work, and failure to comply carries a significant risk of loss and penalties. In a practice with many separate systems for patient scheduling, electronic medical records and billing, HIPAA requires many separate management efforts. This paper presents an integrated approach to HIPAA compliance and describes key HIPAA concepts, principles and requirements, to help the practice owner ensure HIPAA compliance of medical billing services and software vendors.

The last decade of the previous century witnessed the rapid spread of digital technology in health care, which, along with lower costs and higher quality services, introduced new and greater risk of accidental disclosure of personal health information.

The Health Insurance Portability and Accountability Act (HIPAA) was passed by Congress in 1996 to establish national standards for the privacy and security of personal health information. The Privacy Rule, written by the US Department of Health and Human Services, entered into force on 14 April 2003.

Failure to comply with HIPAA risks loss of accreditation and reputation damage, a lawsuit by the federal government, fines ranging from $100 to $250,000, and imprisonment ranging from one year to ten years.

Protected Health Information (PHI)

The key HIPAA term is Protected Health Information (PHI), which includes everything that can be used to identify an individual and any information shared with other healthcare providers or clearinghouses in any medium (digital, verbal, recorded voice, faxed, printed or written). Information that can be used to identify a person includes:

  1. Name
  2. Dates (except year)
  3. Codes of more than three digits, telephone and fax numbers, email addresses
  4. Social Security numbers
  5. Medical record numbers
  6. Health plan numbers
  7. License numbers
  8. Photos

Information shared with other healthcare professionals or clearinghouses includes:

  1. Nurses' and doctors' notes
  2. Billing and other treatment records

HIPAA Principles

HIPAA intends to allow the smooth flow of PHI for healthcare operations concerning the patient, subject to the patient's consent, but to prohibit any unauthorized flow of PHI for other purposes. Healthcare operations include treatment, payment, care quality assurance, auditing, skills training, accreditation, insurance rating, and legal services.

HIPAA promotes fair information practices and requires those with access to PHI to protect it. Fair information practices mean that patients get

  1. Access to their PHI,
  2. Correction of errors and integrity of the record, and
  3. Knowledge of who else uses their PHI

Protection of PHI means that individuals who hold PHI

  1. Are responsible for their own use and disclosure of it
  2. Have remedies to act against violations

HIPAA Implementation Process

HIPAA implementation begins with making assumptions about the PHI threat model. Implementation includes both priority setting and back-testing, and covers processes, technology and human factors.

A threat model helps to understand the purpose of the HIPAA implementation process. It includes assumptions about

  1. The nature of the threat (accidental disclosure by an insider? access for profit?),
  2. The source of threats (external or insider?),
  3. The means of compromise (physical intrusion, computer hacking, virus?),
  4. The specific kinds of data at risk (patient identity, financial, physician?), and
  5. The scale (how many records are threatened?).

The HIPAA process must include clear policies, a training curriculum and events, clear enforcement actions, a plan for testing HIPAA compliance, and means of continuing oversight of HIPAA compliance. The stated policy usually includes a statement of least-privilege access, granting only the data needed to complete the work, the definition of PHI, and incident monitoring and reporting procedures. Educational materials can be case studies, control questions and a plan for refresher courses for employees.

Technical Requirements for HIPAA Compliance

The technology side of HIPAA implementation proceeds in stages, from the logical data definition to the physical data center to the network.

  • To ensure physical data center security, the manager will
    1. Lock the data center
    2. Maintain an access control list
    3. Track data center access with closed-circuit TV cameras that monitor both internal and external building activities
    4. Protect access to data with 24 x 7 onsite security
    5. Protect backup data
    6. Test the recovery process
  • For network security, data centers will have special facilities for
    1. Secure networking – firewall protection, encrypted data only
    2. Network access control and audit reporting
  • For data security, the manager will have
    1. Individual authentication – a unique login and password
    2. Role Based Access Control (see below)
    3. Audit trails – all access to all data fields tracked and recorded
    4. Data discipline – limited ability to download data
  • Role Based Access Control (RBAC)

    RBAC adds convenience and flexibility to access management. Greater convenience helps reduce errors of commission and omission when granting access privileges to users. Greater flexibility helps implement a policy of least privilege, where users are given only as much privilege as they need to complete their work.

    RBAC promotes economies of scale: the rate of change of role assignments for individual users is higher than the rate of change of role definitions across the entire organization. Thus, to make a sweeping change in privileges for a number of users who share the same set of privileges, the administrator only changes one role definition.

    Hierarchical RBAC promotes further economies of scale and reduces the likelihood of errors. It lets a role definition inherit the privileges assigned to roles at a higher level of the hierarchy.

    RBAC is based on establishing a set of user profiles, or roles, under the administrator's control. Each role has predefined rights. A user acquires rights by gaining membership in a role through assignment by the administrator.

    Every time the definition of a role changes, along with the set of privileges necessary to complete the work associated with the role, the administrator only needs to redefine the role's privileges. The rights of all users who hold this role are redefined automatically.

    Similarly, if one user's role changes, the only action required is reassigning the user; the user's access privileges are redefined automatically according to the new profile.
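    As an added illustration of the hierarchical RBAC described above (example code written for this page, not from the original article or from any vendor's product): a small Python model in which roles carry predefined rights, inherit from parent roles, and are assigned to users, so that redefining one role or reassigning one user changes effective rights automatically. The role names, permissions and user names are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class Role:
    # A role bundles predefined rights; parents are roles whose rights this role inherits.
    permissions: set = field(default_factory=set)
    parents: set = field(default_factory=set)

class RBAC:
    def __init__(self):
        self.roles = {}        # role name -> Role
        self.assignments = {}  # user -> role name (one role per user keeps the example small)

    def define_role(self, name, permissions, parents=()):
        # Redefining an existing role changes the rights of every user holding it.
        self.roles[name] = Role(set(permissions), set(parents))

    def assign(self, user, role):
        # Reassigning a user to another role replaces their rights with the new role's.
        if role not in self.roles:
            raise KeyError(f"unknown role: {role}")
        self.assignments[user] = role

    def effective_permissions(self, role):
        # Walk up the hierarchy so a role holds its own rights plus those of every ancestor.
        perms, seen, stack = set(), set(), [role]
        while stack:
            name = stack.pop()
            if name in seen:
                continue
            seen.add(name)
            perms |= self.roles[name].permissions
            stack.extend(self.roles[name].parents)
        return perms

    def is_allowed(self, user, permission):
        role = self.assignments.get(user)
        return role is not None and permission in self.effective_permissions(role)

def build_policy():
    # Hypothetical practice: every clinical or billing role inherits the minimal "staff" rights.
    rbac = RBAC()
    rbac.define_role("staff", {"read:demographics"})
    rbac.define_role("billing_clerk", {"read:insurance", "write:claims"}, parents={"staff"})
    rbac.define_role("nurse", {"read:clinical_notes", "write:vitals"}, parents={"staff"})
    rbac.define_role("physician", {"write:clinical_notes", "write:orders"}, parents={"nurse"})
    rbac.assign("alice", "billing_clerk")
    rbac.assign("bob", "nurse")
    rbac.assign("carol", "physician")
    return rbac
```

    A billing clerk in this policy never reaches clinical notes, while a physician reaches demographics only through the nurse and staff roles it inherits from.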


    HIPAA compliance requires special practice management attention. In a practice with many separate systems for scheduling, electronic medical records and billing, HIPAA requires many separate management efforts. An integrated system reduces the complexity of HIPAA implementation. By outsourcing technology to a HIPAA-compliant vendor such as Vericle, delivered as a technology solution on an ASP or SaaS basis, HIPAA management costs can be eliminated (see the companion article on ASP and SaaS for Medical Billing).
