e-Prescribing
PocketScript Privacy Policies and Procedures
Patient Privacy
ZixCorp acts as a medical transaction clearinghouse and is therefore required to comply with federal HIPAA legislation as a “Covered Entity” and operate the PocketScript® service in compliance with this legislation. ZixCorp takes its responsibility for protecting patient information seriously. ZixCorp has policies and procedures in place that prevent unauthorized disclosure of protected health information (PHI). Each disclosure request is required to be reviewed by the Director of PocketScript Operations and the ZixCorp HIPAA Privacy Officer. Due to the nature of the PocketScript operations, a disclosure of patient information outside of the normal transmission of prescriptions to pharmacies is rare and is usually a request by a prescribing physician for his/her patients.
Under normal operations prescriptions are processed automatically: patient eligibility is checked, prescription history is recorded, and the prescription is transmitted via electronic data interchange (EDI) or via fax to the destination pharmacy. These prescriptions are not viewed or altered in any way during processing. One-half of one percent of prescriptions transmitted will require intervention by PocketScript operations staff. This is generally due to the inherent problems of working with pharmacy fax machines: a fax machine may be turned off, out of paper, or mechanically broken, its phone number may have changed, or its phone line may be shared or continually busy. In these cases, the operations staff will intercede to correct the problem and, if unable to resolve it, will contact the prescribing doctor’s office to phone the prescription in to the pharmacy.
PHI has been classified as “Restricted” ZixCorp information, requiring access on a “need-to-know” basis only. Anyone requiring access to patient information in the performance of his/her job function must first receive training covering the responsibilities of accessing, and the requirements for handling, patient information as defined by HIPAA. Key training points for those having access to PHI are:
- PHI is never printed.
- PHI must never be copied to electronic media unless authorized.
- PHI must never be altered in any way.
- Any disclosure of PHI must be approved following company policy.
- If PHI is transmitted electronically, it must be in encrypted form.
- PHI physically sent must also be encrypted.
- Never disclose or discuss PHI with fellow employees.
- Report PHI policy violations immediately to the ZixCorp HIPAA Privacy Officer.
Device Protection
Access to the PocketScript e-prescribing software is password protected, requiring all users to utilize strong passwords of eight characters consisting of a mix of alphabetic, numeric and special characters. It is important to strictly control physical access to a PocketScript Personal Digital Assistant (PDA) device from the time it is logged into the PocketScript service (activated) until that device is logged out (deactivated).
If a device has not been used for a configurable period of time, the device is suspended from sending prescriptions until it is reactivated by re-entering the user password. The PocketScript service limits the PHI data that resides on the PDA to the current patient’s information while the device is in use. After logging off the service, no PHI is kept on the device; all temporary files and temporary file caches are cleared from the device.
While in use, all transaction-related patient information is transmitted securely by PocketScript through the ZixData Center™ via the Internet using a minimum of 128-bit encryption. All PocketScript patient demographic and script history is securely stored at the ZixData Center.
Independent Audits
To maintain the best practices in operations required by HIPAA, the external audit firm Deloitte audits ZixCorp services annually for compliance in the areas of security, integrity, confidentiality, and availability through the SysTrust/WebTrust certification framework. As a result of each audit, Deloitte confirms the ZixData Center™ to be SysTrust™ certified and additionally issues a SAS 70 audit report. The best practice standards of the ZixData Center™ meet or exceed all HIPAA requirements for security, integrity, availability, and confidentiality. Please see the American Institute of Certified Public Accountants Web site at www.aicpa.org/assurance/systrust/princip.htm for details on the requirements to achieve and maintain this level of certification.