GBA Health Network Systems: HIPAA Statement

GBA Health Network Systems, as one of the most successful privately held medical software companies in the United States, was early to recognize both the benefits and the impact of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) on the healthcare marketplace and, in particular, on its software customers.

GBA has taken the following steps as part of its Compliance Plan to prepare for the HIPAA requirements:

Customer Information

• In mid-2001, a GBA staff member was assigned to monitor HIPAA news and to prepare our customers for their future challenges as the regulations moved towards enforceable law. The text of the act (well over 1,000 pages) was reviewed and summarized into a 39-page whitepaper document that included information specific to GBA’s customer base. The document was distributed via the mail and the GBA website. The GBA employee was available to answer HIPAA questions when customers called the company.
• The GBA customer newsletter devoted much of its news space in numerous issues to HIPAA updates and guidance.
• Software customers received a HIPAA action letter advising them of the steps needed to reach HIPAA readiness. The letter and the GBA Business Associate Agreement document were provided for the customer’s compliance records.
• In April of 2004, PMS Gold software customers were sent the first letter about the HIPAA 2005 Security Rule with an April 21, 2005 deadline.
• In March of 2005, GBA customers were sent letters about the approaching deadline and an 18-page document describing the major phases of HIPAA in general and the April 2005 Security Rule in particular.

Privacy and Security

• All GBA employees are required to take HIPAA training on patient privacy, confidentiality, and medical office conduct and to sign statements that they understand and agree to abide by the guidelines.
• Shredding policies were created and machines have been placed throughout the building.
• Policies have been developed regarding system safeguards, equipment use and maintenance, and media control.
• A Clean Desk policy has been established whereby no paperwork with Protected Health Information (PHI) would be left visible to others.
• Continuous reviews of services to insure proper privacy and security measures are taken and followed by all employees.
• As a designated Business Associate, GBA has contract assurances in place with its Covered Entities.
• A privacy officer has been appointed to develop policies and procedures designed to protect PHI, handle all complaints related to the proper use and disclosure of PHI, and for training the workforce in all matters relative to HIPAA.
• A security official has been appointed to develop policies and procedures designed to protect the security of PHI within the organization and for providing staff with information concerning security protection.

Software and Service Applications

GBA’s software product called PMS Gold was updated to a HIPAA-ready version (v8.30) including the ANSIx12 4010A for electronic data interchange (EDI) transactions.

ANSIx12 implementation guides are being used for the development of GBA’s new practice management software. The product – called MEDfx – was built with HIPAA regulations in mind – not retrofitted to accommodate the federally mandated changes.

[Return to top]