How is Sikka Software Corporation HIPAA Compliant? 

Regulations for protecting patient information have always existed; there are dozens of state laws designed to safeguard patient privacy. Years before HIPAA announced its final privacy ruling, CMS, then known as HCFA, released an Internet Security Policy which specified the conditions for transmitting sensitive patient information:

"It is permissible to use the Internet for transmission of CMS Privacy Act-protected and/or other sensitive CMS information, as long as an acceptable method of encryption is utilized to provide for confidentiality and integrity of this data, and that authentication or identification procedures are employed to assure that both the sender and recipient of the data are known to each other and are authorized to receive and decrypt such information."

SIKKA is committed to maintaining compliance with state laws, CMS policy, and the new HIPAA guidelines. Our on-line services were designed to provide a high level of security for confidential patient information. We ensure that our data is maintained in a safe and secure manner, include features to prevent unauthorized access, and utilize the same secure encryption format employed by banks for electronic transmissions. The following points summarize the requirements for providers regarding their obligations to The HIPAA Privacy Rule, while utilizing the services of SIKKA. Effective as of April 14, 2003:

As defined by HIPAA, our clients are "Covered Entities", and SIKKA is a Business Associate" (see Privacy Rule 160.103). As a Business Associate, we are required to safeguard your "Protected Health Information" (PHI) and ensure it remains confidential. We cannot do anything with your data that you do not specifically allow us to do. We must notify you immediately if any PHI is inadvertently released, and are held responsible for your information while it is in our control.

Covered Entities must have a written "Privacy Policy" and provide this policy to their patients. After you've given your patients notice of your policy, a "Covered Entity" may share PHI with a "Business Associate" , (i.e. SIKKA) for purposes of performing healthcare operations. You do not need to obtain each patient's written consent when you perform specific healthcare operations such as transmitting a copy of your data to SIKKA.

Written contracts with your Business Associates must include specific HIPAA terms. Our agreement maintains that SIKKA will be in compliance with all state and federal laws, including HIPAA, and that these are the minimum standards we will use in protecting your information. Simply put, our contract says that the PHI provided by your office will only be used by SIKKA to enable you to perform certain healthcare operations, and except for this use, we will keep your information confidential. The only exception is that SIKKA is allowed to create an aggregated "Limited Data Set" for uses such as industry benchmarking reports. This information is created without revealing specific patient or provider information. As per the "Limited Data Sets" section of HIPAA, SIKKA is allowed to aggregate data in order to develop industry benchmarks, as long as information that could be used to identify specific individuals is not revealed

The bottom line is that protecting patient information has been mandatory for many years. HIPAA has increased Federal penalties for non-compliance and added to the required documentation which will make it a more enforced rule throughout the industry. If you'd like more information, or have questions, please contact us. We look forward to working with you. For your reference, a complete copy of The Final Rule of the HIPAA Privacy Standards is available at : http://www.hhs.gov/ocr/hipaa/