Overview(DHCTK)

HIPAA and SOAPware:

DOCS’s HIPAA Compliance Tool Kit (DHCTK) is now available to assist SOAPware users in the process of dealing with compliance issues for privacy and security. Click Here to Download the tool kit. As issues related to Security and Privacy evolve, notices will be posted at this same location.

SOAPware, Inc. has done a lot of work and preparation for you. If you have version 4.75 (or later) SOAPware and a support agreement, you will be able to take advantage of these tools. If you are not using an EMR and considering SOAPware, this is likely be the answer to your HIPAA fears. Without an EMR, HIPAA compliance will be very costly. SOAPware makes compliance much simpler. Once you have basic SOAPware, and the Security Module, you are ready for the DHCTK and its step-by-step outline to compliance! Adding the ChartPortal module will be well worth your consideration as well.

Our DHCTK explains how to develop, implement and document HIPAA compliance in Clinics Using SOAPware. It builds upon the power of SOAPware’s Security Module and the ChartPortal Module:

SOAPware’s Security Module

SOAPware Audit Trail Policy and Procedures

This explains how to take advantage of SOAPware’s audit trail function. When this is activated, anyone accessing a patient’s record will leave an audit trail for review. You will be able to see who did what, when and where in your medical records. SOAPware does this automatically. This task is nearly impossible with paper charts.

SOAPware Security Functions Assigned by Groups of Users 

Different members of your staff can be assigned varying levels of ability to access and edit your medical records. For example, clinicians can be given greater access than clerks.

SOAPware Passwords

Authentication and verification of the identity of clinicians and employees can be provided through the use of user passwords and identifications.

SOAPware ChartPortal

SOAPware ChartPortal to give patient access to their Protected Health Information.

The ChartPortal module provides an efficient means to give patients access to their medical record. Within seconds, the record can either be printed or placed on a floppy disk to be viewed on their home PC. You are able to give patient’s immediate, low cost access to their records without disruption of your practice and without risk to the original information.

Do you need a HIPAA Business Associate Agreement with SOAPware, Inc.?

   Rarely would SOAPware, Inc. need to access any of your patient records. Therefore, there is no need for a HIPAA Business Associate Agreement with SOAPware, Inc. In the rare event that you encountered a technical problem (e.g. corrupted database), requiring you to send any patient information to us, we would agree to a Business Associate Agreement at that time and enforce a Chain of Trust to protect any information sent to SOAPware, Inc. Keith Caselman serves as the Privacy Officer for SOAPware, Inc. and can be contacted if there is a need or to answer any related questions.

HIPAA Tasks and Sample Documents List

(actual documents found in the tool kit)

The DHCTK Includes an Outline of HIPAA Tasks and Sample Documents which can be edited and then used to create your HIPAA Compliance Manual. (CUS = Clinics Using SOAPware; PHI = Protected Health Information)

• Develop Log - Actions Taken to Develop HIPAA Awareness and Understanding
  • Have key employees study HIPAA materials and start implementation plans. For example, Obtain Field Guide to HIPAA Implementation from the AMA. http://www.ama-assn.org/ama/pub/category/7519.html OP#319402. Price: $79.95. AMA Member Price: $64.95.  

• Develop List - HIPAA Contacts for CUS
  •  Designate the “Privacy Official” and other key employees. Get Legal Counsel guidance for the Practice HIPAA Compliance Plan.

• Develop Risk Analysis of the practice (how attacks could happen and consequences of each)

• Complete Form – Application Inventory

• Develop Policy - Procedures and Methodologies for Release of Information
  • Develop List - Employees Allowed to Release PHI
  • Develop Form - Patient’s Notice-Of-Privacy Policy (Good faith effort to get patient’s awareness)

• Develop Mechanism - (Log) - To Document Efforts Made to Inform Patients of the Privacy Policy

• Develop Form - Patient Authorization - Routine Disclosure

• Develop Mechanism - Patient Requests Regarding Their Preferences or Restrictions Regarding Release of Information

• Develop Mechanism - Patient Requests Regarding Their Preferences for Communication of Information

• Develop Mechanism Mechanism - Patient SPECIAL Requests Regarding Release of Information

• Develop Form - Patient Authorization - Protected Disclosure

• Develop Form - Patient Requests Regarding Their Preferences for Communication of Information

• Develop Mechanism - Document CUS Releases of Information.
  • Develop Log - Disclosure-Release of PHI (Routine, Non-sensitive)
  • Develop Log - Disclosure-Release of Sensitive or Non-Routine Information
  • Develop Mechanism - Patient Requests for Access to their Medical Records

• Develop Form - Patient Request for Access to their Medical Records

• Develop Log - Patient Requests for Medical Records.
  • Develop Form - Employee Confidentiality Assessment
  • Develop Mechanism – Patient’s Amendments to Medical Records
  • Develop Form - Patients Amendments to Medical Records

• Develop Mechanism - Patient Complaints of Privacy Violations.
  • Develop Form- Patient Complaints of Privacy Violations

• Develop Mechanism – Security Documentation
  • Written policies of actions taken to safeguard PHI. For example, what is software mechanism to detect intrusions and how is this documented?

• Develop Log - Security Actions.

• Develop List - Employees and Staff and check off when the following is accomplished.
  • Develop Policy - Employee Education
  • Distribute Policy - Employee-CUS Regarding Confidentiality of Clinical Information
  • Distribute Policy - Employee Disciplinary Process for Breach of Patient Confidentiality Procedures
  • Distribute Form - Employee Verification of Understanding of Policies Regarding Patient Confidentiality and Privacy
  • Distribute Form - Employee Confidentiality Assessment
  • Collect and file the completed Confidentiality Assessments.

• Develop Policy - Employee Reinforcement
  • Develop Log - Employee Corrective and Punitive Actions When Privacy Policy is Violated
  • Develop List - Business Associates
  • Develop Log - Business Associate Contracts

• Reference - Example - SOAPware Security Functions Assigned by Groups of Users

• Reference - Example- SOAPware Initial Passwords: (sample list)

• Reference - HIPAA Information Sources

• Reference - SOAPware, Inc. (Vendor) Nondisclosure Agreement with CUS-Clinic Using SOAPware. Reference – HIPAA Glossary .

• Form – Application Inventory    

• By April 2003, your Privacy Officer must document all of the above in your Security/Privacy Manual.  

• By April 2003, all employees must receive:
  • List - HIPAA Contacts for CUS Policy - Procedures and Methodologies for Release of Information
  • Policy - Employee-CUS Regarding Confidentiality of Clinical Information
  • Policy - Employee Disciplinary Process for Breach of Patient Confidentiality Procedures
  • Form - Employee Verification of Understanding of Policies Regarding Patient Confidentiality and Privacy
  • Form - Employee Confidentiality Assessment

• By April 2003, all patients will need to be given:
  • Form - Patient’s Notice-Of-Privacy Policy
  • Form - Patient Authorization - Routine Disclosure 

• By April 2003, UPON REQUEST, any patient must be given:
  • Form - Patient Requests Regarding Their Preferences for Communication of Information
  • Form - Patient Authorization - Protected Disclosure
  • Form - Patient Request for Access to their Medical Records
  • Form - Patients Amendments to Medical Records
  • Form- Patient Complaints of Privacy Violations Reports: