IO Datasphere has developed the HIPAA Privacy Accountability Tracking System
(HPATS) to help your organization comply with the HIPAA Privacy Rule. The HIPAA
Privacy Rule requires you to track the release of a patient's Protected Health
Information (PHI). It also requires you to act on requests to amend a patient's
medical record or requests to limit use and disclosure of PHI. HPATS assists
you in complying with these and other requirements of the regulation by
automating the compliance process within your organization. Key features of
HPATS allowing you to automate compliance for HIPAA Privacy include:
- Track PHI Disclosures by Date and Type of Disclosure
- Track PHI Disclosures by Location and Department
- Print the Accounting of Disclosures Report
- Monitor Deadlines for Accounting of Disclosure Requests
- Generate Letters (i.e. 30-Day Extension for Printing the Accounting of
  Disclosure Report)
- Track Authorizations
- Track Complaints Related to HIPAA Privacy
- Track Communications Related to PHI
- Automatic Notification of Special Communications Requirements
- Customize Workflows According to Policies and Procedures
- Print Standard Reports to Manage Workflow and PHI Disclosure Related
  Information
- Document Privacy Decisions
- Account for Federal and State Privacy Regulations
HPATS can significantly reduce your costs to comply with the HIPAA Privacy Rule
and provide your staff with an effective automated solution. As a web-based
enterprise system, HPATS can be configured to easily maintain and retrieve all
information required for HIPAA privacy compliance, as well as other federal and
state privacy laws. HPATS can be the key to a cost-effective HIPAA privacy
compliance solution.
IO Datasphere offers the HPATS Standard Version for a single organization
environment and the HPATS Enterprise Version for a multi-organization
environment such as a health system with multiple hospitals. Both versions
provide the same functionality for automating the tracking and reporting
required by the HIPAA Privacy Rule. However, the Enterprise Version allows
users to track and report information by selecting a single organization or by
selecting multiple organizations within the environment. All access to
information at any level (hospital, location, department, etc.) is controlled
through user logins, assigned roles and privileges.
HPATS consists of four primary components:

Communications
- maintains all PHI related communications with external entities including
patients, personal representatives, healthcare providers, government agencies,
health plans and research companies. Communications captures the basic key
information (who, what, when and where) about a PHI related request
(disclosure, authorization, complaint, confidential communications, etc.). This
ranges from simple requests for release of PHI to more complex requests such as
amending a medical record. Communications allows for grouping multiple
communications into a "Dialogue" to provide a complete history of ongoing
communications for any PHI item. Status tracking allows for easy review of
outstanding items or items approaching any deadline for processing.

Authorizations
- maintains information for authorizations of PHI disclosures. Authorizations
provides for recording the key information about an authorization of PHI
disclosure including the requested PHI data, the requestor, whether
remuneration is involved and the authorized starting and ending dates.
Authorizations also tracks verification of the requestor and the approved,
pending or denied status of the request.

Disclosures
- maintains information for PHI disclosures. Disclosures captures the details
of a PHI disclosure including a description of the PHI data, the receiving
organization's name, address and contact person, the date of disclosure and the
reason for the disclosure based on the disclosures allowed by HIPAA. Computer
generated disclosures can also be cross referenced to the actual data files
sent to external entities. An interface can be created to automatically load
these computer generated disclosures directly into HPATS.

Data Exchanges
- maintains a list of the data exchanges (typically a computer program with a
specific output media such as CD-ROM or magnetic tape) used to transmit or
receive computer generated PHI information. This includes the decisions made to
verify the data exchange complies with HIPAA requirements such as "minimum
necessary", "authorization required" and "Treatment, Payment, Operations (TPO)
related".

The following diagram depicts how HPATS interfaces with the external requests
for PHI data. Communications acts as a clearinghouse to capture key data and
link it to Authorizations or Disclosures. Users can easily enter and retrieve
information about a specific request or issue. Various reports can be generated
such as a listing of unauthorized PHI disclosures or a listing of
communications and decisions involved in a request to amend a medical record.
For tracking purposes, Disclosures can be linked to Data Exchanges. A Data
Exchange identifies the specific computer program or database query used to
create a PHI disclosure.

HPATS User Interface
HPATS is an easy-to-use web-based enterprise solution for automating the tasks
required for complying with the HIPAA Privacy Rule. Below is a sample HPATS
screen used to manage and retrieve information on PHI related communications.
Using drop-down menus along with search (including partial key searches) and
sort capabilities, you can quickly find all of a patient's PHI related
communications records. The menu tabs at the top and navigation items on the
left allow users to easily move between the various components of HPATS. In
addition to the four primary components, the "Admin" component allows for
administration functions including configuration options and user security.
Pre-defined reports are also available through the "Reports" component. HPATS
also provides on-line Help screens and access to the HIPAA Privacy Rule and
related documents.

The following screen is used to enter details about a specific PHI Disclosure.
You can enter all of the information required by the HIPAA Privacy Rule (PHI
Disclosed, Disclosure Date, complete company and contact information for the
receiver of the PHI information, etc). In addition, HPATS allows you to
document additional information such as what was used to verify the identity of
the requestor, whether PHI information was archived using a document imaging
system and justification for the disclosure.

HPATS provides complete audit tracking of decisions related to
disclosures. Each workflow and approval step is tracked as shown in the
Decisions section in the lower half of the screen. This is configurable to
match the specific workflow steps and decisions utilized in your organization.
Both summary and detailed history views are available. The summary view
displays the current status while the history view displays all decisions
regarding the disclosure. Users can view the details of any decision including
the justification and decision maker.
More HPATS Functionality
All of the data needed for compliance is maintained in several integrated
components that share key information. You can maintain a list of patients
along with their personal representatives. External entities involved with PHI
disclosures are also maintained including government agencies and business
partners. Similar to the screens and functionality for tracking and reporting
PHI Disclosures, HPATS provides the capability of tracking and reporting
Authorizations and other PHI related requests (i.e. Limited Use and Disclosure,
Confidential Communications, Suspensions of Accounting of Disclosures,
Complaints, Amendment of Medical Records, etc.). Each component also has a
similar intuitive user interface, making it easy for your staff to quickly learn
and use the system. Also, all of the items in the drop-down menus are
configurable to customize the terminology, workflow and documented decisions to
meet your organization's policies and procedures.
Reporting
HPATS provides both standard reports and ad hoc reporting capabilities.
Standard reports include the Accounting of PHI Disclosures report with a date
range parameter to define the time period required along with the capability of
selecting what level(s) in the organization should be included. There are also
standard reports to list information by type of PHI related request, patient,
personal representative, or PHI disclosure recipient. You can use reporting
tools such as Crystal Reports for custom analysis. Below are samples of an
Accounting of Disclosures Report and the report selection screen.


Role Based User Security
HPATS provides configurable user security to ensure only authorized employees
can access restricted information. Each user must be assigned access to
specific Roles and each Role has access to specific screens and pre-defined
functionality. In addition, the User is assigned User Organization Rights to
access data at any level in a multi-organization environment. A User can be
granted one or more data access rights at the hospital, location and/or
department levels. As shown in the example below, User security is easily
maintained by a system administrator using a point-and-click interface.

Beyond HIPAA
HPATS allows you to configure various options to extend the functionality and
effectiveness for your organization. This allows you to comply with other
federal and state privacy laws, as well as policies and procedures specific to
your organization. Specific tasks and related decisions can be defined and
tracked to help automate workflows and ensure all required processing has been
completed.
HIPAA Compliance
The HIPAA Privacy Rule mandates that covered entities manage and/or provide the
following functions:
- PHI Access
- Access to an Accounting of Disclosures
- Notice Acknowledgement Tracking
- Amendment of PHI by patients
- Confidential Communications
- PHI Disclosure Tracking
- Authorization of PHI Disclosures
- Privacy Complaint Management
- Due Diligence for Protecting PHI
- Requests for Limited Use and Disclosure of PHI
Each item has its own parameters in terms of HIPAA compliance. For example, PHI
Access has a mandated requirement in terms of time allowed to fulfill a
request. An Accounting of Disclosures must cover a six-year time period. If a
Request for Limited Use and Disclosure of PHI is approved, it impacts all
potential use of PHI even for TPO. These and many other mandated requirements
make it imperative for a covered entity to have an efficient and effective
solution. Using outdated systems or a manual approach will put an added burden
on your staff. With an automated approach such as HPATS, your organization can
reduce the workload of your staff, while ensuring compliance by tracking and
documenting all PHI related activities covered by the Privacy Rule.