Medrium's HIPAA Compliance Statement

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) outlined changes in the provision of healthcare and the management of paper and electronic records. Such changes focused primarily on defining standards in a) medical information transport, b) medical transaction set formats for transmitting or handling electronic claims, remittance, and eligibility information, and c) overall protection and confidentiality of patient-identifiable information.

Medrium intends to be fully compliant with each of HIPAA's requirements and looks forward to each of our partners also becoming compliant, since downstream transaction efficiencies will be realized from the widespread adoption of such standardized electronic interfaces.

Here is a breakdown of the current HIPAA requirements and Medrium's actions to accommodate each one:

A) In line with HIPAA's first goal to promote industry-wide use of electronic transactions and transmission of information, the Act provides a strong disincentive to those using paper claims management. After October 16, 2003, covered entities, including health plans, clearinghouses, and any providers who submit information electronically, will be prohibited from submitting paper claims to Medicare. Instead, submission of electronic, HIPAA-compliant, Medicare claims will be a precondition to payment. HIPAA will also require that such electronic transmission be secure.
To this end, Medrium attempts to send all submitted claims electronically. Medrium only sends claims on paper (through its clearinghouse partners) to payors that currently do not accept electronic submission. Over 85% of all claims that go through Medrium's practice management system are submitted to the payors electronically. Medrium has also partnered with Verisign, the leading provider of digital trust services in electronic commerce and communications. Verisign is powered by a global infrastructure that manages more than seven billion communications and transactions a day. With Verisign, Medrium's trusted transactions over the Internet are secured by Secure HTTP (HTTPS) using 128-bit encryption, the highest level of encryption, from the browser to the database and back.

B) Medrium has taken significant measures to ensure that our transaction set formats, a second major HIPAA regulation, will be compliant as well. To this end, we have secured the services of two of the health care industry's largest clearinghouses, WebMD Envoy and McKesson HBOC. These clearinghouses will be ensuring that the claims data they receive are transmitted to the payors in the specific 837 ANSI data formats required by HIPAA. In the face of state and federal medical data compliance regulations, our clearinghouses are naturally very committed to HIPAA as well. You can read about our clearinghouses' plans for HIPAA below:

http://www.mckesson.com/hipaa.html

http://www.webmd.com, and go to Search: HIPAA to see WebMD's HIPAA Statement.

C) Finally, in addition to proper information transmission and data formatting, HIPAA also enforces the overall protection and confidentiality of patient information. Security is crucial for practitioners, and patients want to know that their medical data will stay private.
Medrium understands these concerns and uses the latest Web technologies to ensure security. First, to access information, users must supply a username and password when logging into the Medrium website. The username and password are encrypted and sent to Medrium's databases for verification. Upon authentication, a secure session is started using Secure HTTP (HTTPS). If a session times out (perhaps due to interruptions at the office), the password must be supplied again to continue working. This ensures that only authorized personnel who know the password can access data via Medrium. Medrium's firewall architecture prevents unauthorized access to the network and back-end databases. Internally, Medrium's headquarters is located in a secure facility with multiple security systems that summon police immediately if compromised, and all Medrium employees must sign a nondisclosure agreement upon the start of their employment.

Please feel free to email any questions, issues or clarifications to:

ComplianceOfficer@medrium.com or call us at 1-877-MEDRIUM and ask for the Compliance Officer.