HIPAA Compliance

Modified on Wed, 24 Apr 2024 at 10:33 AM

What is HIPAA?


The HIPAA Security Rule establishes national standards to protect individuals' electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information (ePHI).


Source: https://www.hhs.gov/hipaa/for-professionals/security/index.html


How do we support HIPAA compliance?


If your company requires HIPAA compliance, our goal is to help you stay compliant when using Ottimate for your AP automation needs. 


Ottimate itself does not ensure HIPAA compliance. A majority of our customers use our system to manage invoices from vendors (which do not typically contain ePHI); however, we’ve outlined a few guidelines below to help our customers maintain compliance. 


Please note: It is your sole responsibility to determine which HIPAA regulatory requirements apply to your company and to ensure that you comply with those applicable requirements.


Guidelines for Maintaining Compliance with Ottimate


With accounts payable (AP), you have full control over what information is submitted into our system. To remain HIPAA compliant, you should refrain from sharing information containing ePHI with Ottimate.


We’ve outlined the following guidelines for maintaining HIPAA compliance while leveraging Ottimate’s AP automation capabilities:


We have multiple invoice upload options for data ingestion. However, if you have a vendor or supplier that sends invoices containing ePHI, we advise that you avoid using our automated upload options, such as the Electronic Data Interchange (EDI) feeds or location-based email addresses. Avoiding the automated options gives you the chance to identify and remove any ePHI from the invoice before it enters our system.


To proceed with managing these invoices in Ottimate, you have two options: 


  • Download the invoices and remove or mark out ePHI before entering them into our system

  • Create a manual invoice in Ottimate and leave out any ePHI from the invoice


Here’s a list of 18 identifiers that can be used to identify an individual’s health information and should be removed from invoices before uploading them to Ottimate:


  • Names

  • Geographic subdivisions smaller than a State

  • Dates directly related to an individual (except year)

  • Telephone numbers

  • Fax numbers

  • Email addresses

  • Social security numbers

  • Medical record numbers

  • Health plan beneficiary numbers

  • Account numbers

  • Certificate/license numbers

  • Vehicle identifiers and serial numbers (including license plate numbers)

  • Device identifiers and serial numbers

  • Website URLs

  • IP address numbers

  • Biometric identifiers

  • Full-face photographic images and comparable images

  • Any other unique identifiers (number, characteristic, or code)



Once ePHI is removed from the invoice, you can upload it into our system without the risk of HIPAA violation and manage the rest of the invoicing process — from automatic GL coding to scheduled payments — in Ottimate.


Common Use Cases


  • Patient refunds or credits: Payment would need to be associated with an original invoice/remittance slip that could contain ePHI

  • Medical device purchases: Digital records of medical devices, including invoices or purchase receipts, may contain ePHI

  • Prescriptions and pharmacy bills: Prescription records, including pharmacy bills, qualify as ePHI


More Ways Ottimate Works to Keep Your AP Data Protected


We have stringent security and accessibility measures in place to ensure the data you share with Ottimate remains secure and confidential.


  • SOC2 Type 1 and Type 2 compliant AP automation and industry-standard encryption and security measures

  • Single Sign-On options

  • Role-based permissions for who can view certain information


We also help with audit capabilities by providing total insight into your end-to-end AP workflow, from data ingestion to payments:


  • Centralized storage of invoices

  • Full audit trail of invoice ingestion, approvals, payees, and payment amount
