Human Arc HIPAA Compliance Statement

  • To protect informational privacy.
  • To ensure ethical business conduct.

As a leader in the industry of healthcare reimbursements and revenue enhancements, Human Arc provides technical knowledge to our customers regarding its compliance with the requirements for handling and exchange of patient information as defined in the Health Insurance Portability and Accountability Act (HIPAA).

Since Congress enacted HIPAA in 1996, the United States Department of Health and Human Services (HHS) has been developing standards and requirements for maintenance and transmission of health information that identifies individual patients. HIPAA is intended to:

  • Improve the efficiency and effectiveness of the healthcare system by standardizing the interchange of electronic data for specified administrative and financial transactions; and
  • Protect the security and confidentiality of electronic health information.

Key Questions and Answers

Q. How does HIPAA apply to the services Human Arc provides to its customers?

A. Legal Perspective - Human Arc's customers are covered entities under HIPAA. Covered entities must comply with HIPAA requirements to protect the security and privacy of confidential health information, and they must enter into agreements with business associates who perform services on their behalf requiring the business associates to protect confidential health information of the covered entity. In most cases, Human Arc's services make it a business associate of its customers.

Human Arc Intent - We aggressively work to ensure that we meet our obligations as a business associate of HIPAA covered entities, our customers.

Q. What standards and security requirements must be in place when my hospital system exchanges data electronically with Human Arc?

A. Legal Perspective - The exchange of information between Human Arc and a customer to prepare a claim or the appeal of a claim denial typically is not a healthcare transaction covered by HIPAA Transaction and Code Set Standards and is therefore not required to be standardized.

Further, a Business Associate agrees to establish security policies, processes and procedures to ensure the integrity and confidentiality of health information transmitted in electronic form in accordance with the requirements of the final Federal Security and Electronic Signature Standards as may be adopted by the Department of Health and Human Services on or before the compliance date of such Security Standards.

Human Arc Intent - We treat the matter of electronic data exchange - including fax server transmissions - with great importance and consequence. Protected Health Information (PHI) is transferred to and from our clients through the use of controlled access lines, secured network sessions or insecure network sessions that are sufficiently encrypted (including e-mail encrypted with PGP and FTP transfer of encrypted files). Such transfer methods ensure the security of our clients' PHI during transfer. PHI is transferred on a private network, protected by a firewall and a buffer network (DMZ).

Q. If my hospital exchanges "protected health information" (PHI) with Human Arc and Human Arc misuses the data, is my hospital liable?

A. Legal Perspective - No. The Office for Civil Rights, responsible for enforcing the privacy rules, has stated that a healthcare provider, health plan or other covered entity is not liable for privacy violations of a business associate. The covered entity is not required to actively monitor or oversee how the business associate carries out safeguards or follows contract requirements, but the covered entity must require the business associate to advise it if a violation occurs. If the hospital becomes aware of a pattern or practice that is a violation under its contract, the hospital must take reasonable steps to cure the breach or to end the violation. Only if a covered entity failed to take steps could it be liable for privacy violations of a business associate.

Human Arc Intent - While the legal interpretation protects you, Human Arc is serious about ensuring that your PHI is managed carefully and that no violations of privacy occur. Our plans can be reviewed in our Human Arc Corporate Compliance Policy document, a required written information privacy and security program. It maps out our steps to safeguard your data and PHI and has been developed in accordance with the HIPAA Privacy and Security Regulations.

Human Arc HIPAA Compliance

Human Arc’s Corporate Compliance Officer meets with fellow company leaders and legal counsel, monitors key web sites and printed materials, and attends conferences to remain a knowledgeable and credible resource of the latest HIPAA information. As a result of continual research, necessary recommendations are made for accommodations within our systems, software and processes as appropriate to ensure Human Arc meets or exceeds federal and state HIPAA compliance mandates for safeguarding and protecting PHI.

Human Arc and Privacy

Because Human Arc guards your private information as you would, we have incorporated HIPAA language into our contracts with our customers or subcontractors. We have signed Business Associate Agreements for all new and existing clients.

Human Arc and Security

User Authentication

Human Arc's strong password technology incorporates a combination of characters that are changed periodically. In addition, explicit policy prohibits password sharing to help ensure that accessing individuals are fully authorized.

Authorization Control

Human Arc employs both individual and job or role-based authorization mechanisms in all operational software that uses Personal Health Information.

Access Control

Human Arc employs network and application security mechanisms to ensure only authentic, authorized users may access protected data.

Data Authentication

Human Arc uses various methods to ensure appropriate updates and deletes of protected data for integrity control. These include pattern matching, double-typing and checksums.

Audit Controls

Human Arc proprietary applications provide an audit trail of users viewing protected data. Human Arc still utilizes some residual legacy applications which do not have integral audit controls, but is actively in the process of phasing these out of use.

Please contact Human Arc with questions you may have.

Jenny Roman
Corporate Compliance Officer
Human Arc

1457 East 40th Street
Cleveland, Ohio 44103
216.431.5200 | 800.828.6453 | Fax 216.431.5201