What is HIPAA?
The HIPAA Security Rule establishes national standards to protect individuals' electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information (ePHI).
Source: https://www.hhs.gov/hipaa/for-professionals/security/index.html
How do we support HIPAA compliance?
If your company requires HIPAA compliance, our goal is to help you stay compliant when using Ottimate for your AP automation needs.
Ottimate itself does not ensure HIPAA compliance. A majority of our customers use our system to manage invoices from vendors (which do not typically contain ePHI); however, we’ve outlined a few guidelines below to help our customers maintain compliance.
Please note: It is your sole responsibility to determine which HIPAA regulatory requirements apply to your company and to ensure that you comply with those applicable requirements.
Guidelines for Maintaining Compliance with Ottimate
With accounts payable (AP), you have full control over what information is submitted into our system. To remain HIPAA compliant, you should refrain from sharing information containing ePHI with Ottimate.
We’ve outlined the following guidelines for maintaining HIPAA compliance while leveraging Ottimate’s AP automation capabilities:
We have multiple invoice upload options for data ingestion. However, if you have a vendor or supplier that sends invoices containing ePHI, we advise that you avoid using our automated upload options, such as the Electronic Data Interchange (EDI) feeds or location-based email addresses. Avoiding the automated options lets you identify and remove any ePHI from the invoice before it enters our system.
To proceed with managing these invoices in Ottimate, you have two options:
Download the invoices and remove or mark out ePHI before entering them into our system
Create a manual invoice in Ottimate and leave out any ePHI from the invoice
Here’s a list of 18 identifiers that can be used to identify an individual’s health information and should be removed from invoices before uploading them to Ottimate:
Names
Geographic subdivisions smaller than a State
Dates directly related to an individual (except year)
Telephone numbers
Fax numbers
Email addresses
Social security numbers
Medical record numbers
Health plan beneficiary numbers
Account numbers
Certificate/license numbers
Vehicle identifiers and serial numbers (including license plate numbers)
Device identifiers and serial numbers
Website URLs
IP address numbers
Biometric identifiers
Full-face photographic images and comparable images
Any other unique identifiers (number, characteristic, or code)
Once ePHI is removed from the invoice, you can upload it into our system without the risk of HIPAA violation and manage the rest of the invoicing process — from automatic GL coding to scheduled payments — in Ottimate.
Common Use Cases
Patient refunds or credits: Payment would need to be associated with an original invoice/remittance slip that could contain ePHI
Medical device purchases: Digital records of medical devices, including invoices or purchase receipts, may contain ePHI
Prescriptions and pharmacy bills: Prescription records, including pharmacy bills, qualify as ePHI
More Ways Ottimate Works to Keep Your AP Data Protected
We have stringent security and accessibility measures in place to ensure the data you share with Ottimate remains secure and confidential.
SOC2 Type 1 and Type 2 compliant AP automation and industry-standard encryption and security measures
Single Sign-On options
Role-based permissions for who can view certain information
We also help with audit capabilities by providing total insight into your end-to-end AP workflow, from data ingestion to payments:
Centralized storage of invoices
Full audit trail of invoice ingestion, approvals, payees, and payment amount