The final rule took effect on April 14, 2001. As required by the HIPAA law, most covered entities have two full years - until April 14, 2003 - to comply with the final rule's provisions. The law gives HHS the authority to make appropriate changes to the rule prior to the compliance date. The following highlights key elements of Infinedi’s readiness for Privacy Standards:
We only disclose protected health care information (PHI) for the purpose of "Payment, Aggregate data, and Demographic Information.” This single policy statement simplifies greatly our compliance efforts in respect to the final rule. As a strict business practice, Infinedi does not publish or provide your personally identifiable information (PHI) to third parties, with the exception of business associates that are used for the purpose of “payment”, and have a signed and executed non-disclosure agreement with our company. These associates may have individual privacy policies, which Infinedi; LLC does not have control, and thus are not addressed by this policy. We will continue to evaluate the language of the Provider Participation Agreements to ensure HIPAA compliance of the agreement as a Business Associate Contract.
We have implemented administrative, technical, and physical safeguards to protect the privacy of PHI from any intentional or unintentional use or disclosure. We have a disaster plan in place that is continuously reviewed and expanded.
We have documented policies and procedures that reasonably limit access to and use of PHI to the minimum necessary given the job responsibilities of the workforce and the nature of our business. In the event of special functions that require PHI to be handled off-site, i.e., mailing, claims filing, we perform all data translation and dissemination functions within a secure data area of our corporate clearinghouse. We have procedures in place for regular virus checks and virus prevention procedures. All allowable methods and polices regarding handling and transmission of PHI are documented in our data security policy which is signed by all employees (including appropriate handling of both electronic and paper records.) All on-line terminals and remote access capabilities have current state-of-art security that is constantly updated. We use physical security methods to isolate access to PHI.
Our Business Associate Contracts intend to clarify that requests for access and/or amendment of PHI are the responsibility of the Provider. We have functions within our network that assist the provider in complying with a request for access and/or amendment of PHI. We provide data warehousing for the provider but we are not an "owner" of the data and therefore not authorized to handle request for access and/or amendment of PHI. Any such requests will be directed to the provider (data "owner"). Our system currently maintains records in excess of 8 years which identifies disclosure of PHI and capture the ‘Who, What, Why, and When’ of each disclosure. This is simplified in that our only disclosures fall into the "payment" category of health care operations. The data is only disclosed to Payers as directed by the health care provider.
Infinedi, LLC owns and operates our system and is the company that collects PHI. Infinedi, LLC contact information is as follows: Address:
Infinedi, LLC
1437 South Boulder Avenue
Suite 1030
Tulsa, Oklahoma 74119-3616
Attn: HIPAA Compliance Officer
(918) 249-4450