
Under the rules of the Act, "HIPAA compliance" is an organizational obligation; therefore, tools may be used to assist the organization in reaching compliance, but the tools themselves should not (and cannot) be looked upon as being "compliant" or "non-compliant." The only question is whether, when using any given tool, the required organizational compliance can be achieved.

The question is frequently asked of us whether our product is "HIPAA compliant." In the context in which the question is asked, the answer is yes. By that, we mean that within the 3 areas where HIPAA requirements impact our software, we provide the necessary functionality that, when correctly implemented, will allow the using organization to achieve compliance in those areas. These 3 areas are:

EDI Format: HIPAA requires all Electronic Data Interchanges between covered entities to be converted to ANSI X12 format somewhere along the path. This provides a common ground through which various systems can talk to each other. Transactions sent through CCA MEDICAL's EDI software products with Per Se Technologies are converted into the ANSI X12 format at Per Se's clearinghouse, as HIPAA mandates. Any further Business Partner relationships that CCA Medical pursues for EDI transactions will also meet this requirement.

Encryption: Any medical information being transmitted over a public network like the Internet (such as Electronic Medical Claims, Patient Notes, Patient Statements, etc.) must be protected from access or viewing by unauthorized persons. This is handled by encryption and decryption: outgoing information is encrypted prior to transmission and decrypted by the receiver. Anyone intercepting the encrypted information between these 2 points obtains only gibberish, since they do not have access to the key and are not aware of the method used to encrypt the data. Currently, only files for Patient Statements for Practice Revolution are transmitted via the Internet. These files are encrypted using public/private keys and 3DES encryption. All other file transfers are made via private, dial-up phone lines. Transmissions made via private, dial-up phone lines are considered secure and do not require encryption. Any future incorporation of automated Internet file transfers will utilize encryption in a proper manner that meets or exceeds HIPAA guidelines.
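The public/private-key plus 3DES scheme described above, as an added Go example that is not CCA Medical's code: each file gets a fresh 3DES key, the file is encrypted with 3DES-CBC, and that key is wrapped with the receiver's RSA public key so only the private-key holder can open it. The RSA-OAEP wrapping, the 2048-bit receiver key, the PKCS#7 padding and the Envelope layout are assumptions, and the statement text in the test is constructed.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Envelope is what crosses the public network: wrapped 3DES key, CBC IV, ciphertext.
type Envelope struct{ WrappedKey, IV, Ciphertext []byte }

var ReceiverKey, _ = rsa.GenerateKey(rand.Reader, 2048) // constructed; stands in for the receiver's key pair

// Seal (sender): fresh 3DES key and IV per file, PKCS#7 pad, 3DES-CBC, RSA-OAEP wrap.
func Seal(pub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	kiv := make([]byte, 24+des.BlockSize) // 24-byte 3DES key || 8-byte IV
	if _, err := rand.Read(kiv); err != nil {
		return nil, err
	}
	key, iv := kiv[:24], kiv[24:]
	block, _ := des.NewTripleDESCipher(key) // 24-byte key: cannot fail
	n := des.BlockSize - len(plaintext)%des.BlockSize
	ct := append(plaintext[:len(plaintext):len(plaintext)], bytes.Repeat([]byte{byte(n)}, n)...)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, ct) // encrypt in place
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{wrapped, iv, ct}, nil
}

// Open (receiver): unwrap the key with the private key, decrypt, strip the padding.
// Without the private key the bytes remain the "gibberish" the page describes.
func Open(priv *rsa.PrivateKey, e *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, e.WrappedKey, nil)
	if err != nil || len(key) != 24 || len(e.IV) != des.BlockSize ||
		len(e.Ciphertext) == 0 || len(e.Ciphertext)%des.BlockSize != 0 {
		return nil, errors.New("malformed envelope")
	}
	block, _ := des.NewTripleDESCipher(key)
	pt := append([]byte{}, e.Ciphertext...) // copy: do not decrypt the envelope in place
	cipher.NewCBCDecrypter(block, e.IV).CryptBlocks(pt, pt)
	if n := int(pt[len(pt)-1]); n >= 1 && n <= des.BlockSize {
		return pt[:len(pt)-n], nil
	}
	return nil, errors.New("malformed envelope")
}
```

As the page describes, this gives confidentiality only: nothing in the envelope detects modification in transit, so a current design would add a MAC or use an authenticated mode, and NIST disallowed 3DES for new use after 2023.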

Security: The organization is required to secure and protect medical information maintained within its offices. This would include patient and other medical information contained on computers as well as on paper or any other medium. CCA MEDICAL's software products provide the organization with user and system security to control access to computerized data; however, "compliance" for the organization is dependent upon the correct and effective use of these security tools. The simple fact that the product has this capability does not create compliance either for the product or for the organization. CCA Medical does not maintain control over your network. Nor does CCA Medical control access to your network. We provide tools that, when used properly, control access to the data stored by our software. It is your organization's responsibility to secure your network and ensure that access to your network is properly controlled.

While correct use of the security aspects of our software products may allow the organization to achieve compliance in that specific area, the software product should not be confused with the network or the physical computer system itself. Our software products reside on a hardware platform and an operating system, which must also be properly protected in order to achieve organizational compliance. Functional concerns include operating system security; anti-virus software; database access via reporting tools such as Microsoft Access and Crystal Reports; Virtual Private Networks or other security measures to control remote access to the system; and firewalls to prevent hacking or unauthorized access via the Internet. CCA MEDICAL can assist you in identifying the issues relevant to you in this area and make recommendations as to courses of action where appropriate.

In regard to organizational compliance questions, we strongly recommend that all clients authorize practice personnel to attend HIPAA seminars/training and that medical practice consultants knowledgeable in HIPAA be retained.

08/15/02