Your EDI Resource

What is HIPAA?  Complying and Reducing the Burden

Posted by Shandra Locken on Fri, Apr 21, 2017 @ 04:12 PM

Reprinted with permission from Liaison Technologies. Written by Hmong Vang, Chief Trust Officer for Liaison Technologies.

The Health Insurance Portability and Accountability Act (HIPAA) was an amendment to the Internal Revenue Code of 1986. And while it was enacted primarily to ensure portability and continuity of health insurance coverage and to improve the exchange of health information electronically, it also was intended to protect a patient’s protected health information (PHI), which includes health status or condition, medical history, insurance coverage, payment for health care, and other data that a healthcare provider or other covered entities collect in order to provide the proper care.

Signed into law in 1996 by President Bill Clinton, the act contains five key sections that cover: policies for health insurance coverage (Title I), compliance requirements for processing electronic healthcare transactions and implementing secure access to data (Title II), guidelines for taxation and medical care (Title III), rules for defining health insurance reforms (Title IV), and provisions for life insurance policies owned by companies (Title V).

For health care providers, insurance companies, and businesses that support health systems and providers, HIPAA compliance largely pertains to adhering to the standards and guidelines defined in Title II. This post focuses on understanding the basics of HIPAA compliance and how to reduce the burden of complying with the guidelines defined in Title II.

HIPAA Isn’t Only for Doctors and their Patients

HIPAA and the US Department of Health and Human Services (HHS) provide a clear definition of covered entities and business associates that need to comply with HIPAA rules. HIPAA defines a covered entity as one of the following:

  • A Health Care Provider including doctors, clinics, psychologists, dentists, chiropractors, nursing homes, medical laboratories or pharmacies that are transmitting patients’ PHI electronically.
  • A Health Plan Provider such as health insurance companies, health maintenance organizations (HMO), companies providing health plans, and government entities paying for health care.
  • A Health Care Clearinghouse that processes nonstandard PHI into standardized electronic formats or vice versa.

Business associates are individuals or entities that assist covered entities in carrying out healthcare functions and activities. Vendors that transmit, process and/or store PHI on behalf of a covered entity or business associate are also bound to abide by HIPAA rules.

Understanding HIPAA Rules

Title II of HIPAA includes five key rules or standards which covered entities and business associates are required to comply with:

Privacy Rule. The Privacy Rule aims to protect patients’ rights to their PHI. These rights include allowing patients to examine, obtain copies of, and request corrections of their PHI. The Privacy Rule also requires covered entities to establish safeguards to protect patients’ PHI and also sets guidelines on when PHI may be used or disclosed without the patients’ authorization. Other administrative requirements laid out by the Privacy Rule include appointing a privacy official at a covered entity, training employees on privacy policies and procedures, establishing and maintaining technical and physical safeguards to protect PHI, and creating processes that will handle patient complaints. Finally, the Privacy Rule establishes the penalties that covered entities will incur in case of a data breach.

Security Rule. The Security Rule specifies the required safeguards that need to be in place to protect patients’ electronic protected health information (ePHI). It requires covered entities and business associates to establish administrative, technical, and physical safeguards to maintain the integrity, confidentiality, and security of ePHI. Specifically, covered entities and business associates must: identify the sources of ePHI and PHI, including those that they create, receive, process, transmit, or maintain; perform regular risk assessments related to the protection of ePHI; and ensure organizational compliance through administrative safeguards. Like the Privacy Rule, the Security Rule also aims to protect patients from unauthorized, unreasonable, and impermissible use of their ePHI and PHI. While the Security Rule does not lay out specific guidelines on technical specifications, costs, and complexity of security measures, it requires covered entities and business associates to take them into consideration. Finally, the Security Rule requires covered entities and business associates to regularly review and adapt their security measures to evolving risks.

Enforcement Rule. This rule sets out the authority of the Health and Human Services (HHS) Office for Civil Rights (OCR) to enforce the Privacy and Security rules and to impose penalties in cases of violations or noncompliance. The OCR follows a three-step Enforcement Process: investigation of complaints, conducting compliance reviews, and fostering compliance through education and outreach programs. See the HHS website, where the OCR lists the most common and frequent compliance issues investigated since 2003. They include: impermissible uses and disclosures of PHI; lack of safeguards of PHI; lack of patient access to their PHI; use or disclosure of more than the minimum necessary PHI; and lack of administrative safeguards of ePHI.

Breach Notification Rule. HIPAA requires covered entities and business associates to notify affected individuals, the HHS, and the media, in more severe cases, following a breach of unsecured PHI. A breach is defined as an impermissible use or disclosure of PHI. Under the rule, covered entities and business associates must provide notifications to individuals affected by the breach without unreasonable delay and no later than 60 days from the discovery of the breach. Individual notifications must include a description of the breach and descriptions of the medical information compromised, the suggested actions individuals should take to prevent further harm, the steps the covered entity is taking to investigate the breach, minimize adverse effects, and prevent further breaches, and how individuals can contact the covered entities. For breaches involving over 500 individuals in a jurisdiction, covered entities are also required to notify prominent media outlets in the jurisdiction.

Omnibus Rule of 2013. In 2013, the HHS created the HIPAA Omnibus Rule to implement modifications to HIPAA Privacy, Security, and Enforcement Rules under the Health Information Technology for Economic and Clinical Health (HITECH) Act. The Omnibus Rule implemented extensive changes to HIPAA, including: requirements to strengthen the privacy and security of PHI; introducing objective guidelines for a covered entity’s liability in case of a breach; defining the steps in enforcing the Security and Privacy Rules for the OCR; holding business associates to higher standards as covered entities; and increasing the penalties for violations and/or noncompliance with HIPAA, up to a maximum of $1.5 million per violation.

Reducing the Burden of HIPAA Compliance

The scope of HIPAA is extensive and compliance can be overwhelming for covered entities and business associates. Not only do covered entities face huge upfront costs to assess and meet governing compliance standards,  but business associates and vendors supporting them need to factor this into their budgets as well.

As in most budget planning efforts, upfront costs are usually anticipated and forecasted, but many organizations underestimate the cost of maintaining compliance, which can reach hundreds of thousands or even millions of dollars as enterprises struggle to keep up with ever-changing regulations and technologies that require ongoing investments.

Considering the huge cost of compliance (and non-compliance), forward-thinking organizations align as many data initiatives as possible in support of compliance. If data integration operations are managed in-house, then all the compliance costs, burdens, and liabilities mentioned above also fall squarely on the covered entity or business associate, or even their vendors. Every new application, EMR platform, or change in data configuration must be accounted for in the compliance strategy—no easy feat when both the amount of data and number of applications organizations must deal with are growing exponentially.

An alternative that can reduce some of this burden is data integration and management as a managed service through a third-party integration provider that follows a Trust Framework. Now the burdens of compliance, along with the growing integration complexities and staffing challenges, are being managed by a trusted partner. As new data sources are added and integrated, that same level of compliance and security is applied to all. Leveraging a cloud-based managed services platform offloads much of the people, processes and technology compliance to the third party.

Vendors and HIPAA Compliance

Vendors supporting covered entities and business associates must take HIPAA compliance seriously. As more applications, operations and PHI data move to cloud-based software and platforms, entities that are bound by HIPAA rules need to be sure they are entrusting their business operations and PHI to business partners that are continuously compliant. Cloud-based platforms that offer complex integration, data transformation and harmonization in a managed services model not only offer healthcare customers the ability to scale, integration expertise, and efficiency that complements their IT operations, but they also supplement compliance by ensuring the people, processes, and technologies are adhering to these requirements.

How are you managing the compliance burden?

Tags: cloud, cloud computing, SaaS, HIPAA, data integration, data security, Managed Services

Liaison's Alloy: Cloud Services Redefined

Posted by David McAlister on Mon, Apr 17, 2017 @ 09:05 PM

Photo appears courtesy of Jason Pratt.

Like everything in life, products evolve and services continue to be improved and refined. Liaison is always on the cutting edge and their Alloy managed services is no exception. As our phones have evolved into watches, calendars, alarm clocks and many other things, Alloy has done the same for data integration. According to Ovum ICT Enterprise Insights 2016, Ovum places Liaison as one of the strongest players with state-of-the-art cloud solutions poised for growth in the near future. This Ovum survey states that only 1/4 of companies (excluding small companies) have strategic long term investments in their B2B integrations. Liaison’s efforts with Alloy have served to provide a white glove, top-notch service to support Cloud computing with a unified platform and end-to-end compliance.

Alloy is an integration and data managed service (or SaaS) platform able to satisfy any Cloud or on-premise solution regardless of being legacy. According to Ovum’s estimates, “resource-related costs can account for up to 60% of the total cost of ownership (TCO) for a legacy EDI solution.” Alloy not only provides a communication hub, but can accept and send any format such as XML, JSON, SOAP, REST or EDI. Furthermore, Alloy is a more cost effective solution over SAP’s PI and Tibco. Companies like IBM or MuleSoft typically don’t know the other side when it comes to integrating and each solution has their own proprietary technology. In plain English, no one is speaking the same language. Liaison, with their outstanding resources, are able to provide technical expertise in all these areas. Alloy provides secure and compliant connectivity from one system to the next using a technology agnostic solution that is data centric. Security within Alloy is bar none in the industry to support tedious HIPAA and PII (personally identifiable information) requirements. With all that on top of Liaison’s white-glove support service, you will find Alloy to be your solution of choice.

For many of us it is time to send that old alarm clock or calculator to Goodwill and make the move to Alloy. Don’t take my word for it. Do your own research by reviewing Ovum's Market Landscape: B2B Integration Managed Services Providers, 2016-2017. Liaison’s Alloy is the only provider in the survey that met 100 percent of the criteria in all categories of review: Core Integration and Associated Capabilities, Trading Partner Community Management, Monitoring and Analytics, Service Delivery and Management, and Deployment Flexibility and Security Capabilities.

Take a few moments and review Alloy at these links:

And reach out to us as Authorized Solutions Integrators (ASIs) to guide you through the process of coming into the new age of technology using Alloy.

Tags: cloud, cloud computing, data integration, ERP integration, SaaS, Managed Services

Cloud or On-Premise EDI Integration? A Unique Approach to Selection

Posted by Shandra Locken on Thu, Jul 18, 2013 @ 05:50 PM

Guest blogging for the Aurora EDI Alliance today is Nathan Camp of Liaison Technologies.  Photo courtesy of Mikhail Koninin.

Organizations of every size are evaluating every piece of technology to determine whether they retain or expand solutions with on-premise software and hardware, or move the functionality up to the “Cloud.”

A major tile and masonry products supplier based in Los Angeles, CA, with dozens of stores across the US, had such a decision as they looked at their EDI operations.

This company was using Oracle JD Edwards for their ERP system, and they had decided to keep this system in house running on Oracle servers. While they had an enterprise-class ERP system, their revenues and therefore budgets were also still directly tied to a very tight home improvement market. Cost, delivery capability, control, and growth were constant considerations as they looked at IT resources. In order to stay in business, this company knew they had to expand their markets in big home improvement chains. And that made one choice an absolute must: find a new EDI integration system. Since JD Edwards typically uses staging tables for data integration, both on-premise and Cloud delivery models were options.

Many IT directors are faced with that conundrum today: “To Cloud or not to Cloud, that is only one of my 1,400 decision e-mails sitting in my inbox.”

While Cloud and mobile continue to be the darlings of media, the software industry is providing signals that on-premise is not dead nor quietly drifting off into obsolescence. In a recent post by Pete Barlas of Investors Business Daily, he cites Gartner’s research that says, “By 2016, global revenue from public cloud software services is expected to reach $210 billion, up 60% from the $131 billion expected this year, says Gartner. The research firm expects total software revenue of $369 billion in 2016, so public cloud software would be nearly 57% of the total vs. 43% this year.” And Barlas correctly summarizes, “That, of course, still leaves a lot outside the cloud.”

Turning back to the tile distributor in Los Angeles, they had the following critical factors as their main considerations:

  1. They absolutely needed to satisfy the EDI needs for Home Depot, Lowes, and other home improvement giants.
  2. They needed a flexible solution that could work with JD Edwards via database connectivity.
  3. They demanded that their new EDI solution must perform complicated pricing and unit measure look-ups and conversions to transform internal costs and product units into the appropriate values required by each retailer.
  4. Large product catalogs also needed to be compiled from the JD Edwards database on a regular basis, and posted on a secure FTP server for immediate pickup by customers using the Retail Flooring Trade Association RFMS system.

With this list of requirements, the tile distributor began the search for solution providers. They knew that they needed to evaluate solutions covering a broad spectrum of delivery methods. In the end, they whittled the list down to a Cloud integration service provider and an on-premise solution. And here is where this company did something that most others haven’t considered. They decided to have a live competition between the two solution options. The Home Depot integration project was given to one solution provider, while Lowes was given to the other solution provider.

This unique solution to choosing a new vendor provided the tile distributor with four practical takeaways:

  1. Could the solution provider easily connect to the JD Edwards staging tables without disrupting too many internal systems or compromising security?
  2. Could the solution provider actually deliver what the sales person had promised?
  3. Were budgetary objectives met?
  4. Was the system adaptable to be managed by either internal or external resources on an as-needed basis?

While the results might surprise you (on-premise software won the day), what should impress you is the creative approach to the solution process. This tile distributor recognized the absolute strategic importance of this decision, and they systematically determined the best course for their business. This required duplication of work efforts across two competing solution providers, cash outlay for the professional services provided in the proofs of concept, and the critical analysis that this exercise needed to quantify the cost-to-benefits of both products.

While this customer ended up evaluating on-premise systems compared to Cloud delivery, I argue that the same approach can be taken in on-premise versus on-premise or Cloud versus Cloud. This approach does not have to be taken for every decision because many IT purchasing decisions can be more obvious.

But when faced with a more difficult capital investment decision which could lead to substantial hidden costs, a little upfront sacrifice is worth it. Without the exercise of the proof-of-concept trial, the supplier would not have uncovered the new costs of working with this particular Cloud provider that demanded the client adhere to its canonical file structure, which then made it necessary to add a second data translation map between the “converted” EDI file and JD Edwards. Yes, this is a common, hidden pain point that is highlighted as point 1 in this blog article.

On the positive side, because this tile distributor was able to find success and a strong working relationship with the Aurora EDI Alliance, both this company and the solution experts continue to look for new opportunities to expand the ways to use the middleware solutions beyond just client EDI. In fact, the tile distributor is now looking to work with the solution provider to run a supplier enablement program and offer a multi-lingual Web EDI product to tie their internationally based suppliers directly into their EDI system.

Tags: EDI integration, data integration, cloud, enterprise resource planning, cloud computing, electronic data interchange, supplier enablement, JD Edwards, Web EDI

Web EDI in a Mobile World

Posted by Shandra Locken on Fri, Sep 21, 2012 @ 11:59 AM

Can you manage your EDI solution with your iPhone from the Starbucks patio? Mobile device EDI? Absolutely. Web EDI, managed services, EDI in the cloud, SaaS (software as a service) and other EDI outsourcing solutions are still increasing in popularity. And we have seen a push with these types of services coming from the major EDI providers. The question is why? Could it be because we are operating our companies and conducting our jobs from mobile devices? Everywhere you look, someone is using their smartphone or their iPad, at happy hour, at the gym and at the local coffee house. Web EDI, or really any EDI solution that can be managed via the Internet, offers flexibility that traditional EDI software currently cannot compete with.

I've always said that one of the biggest benefits of Web EDI is that it can be accessed from any computer with an Internet connection.  In our increasingly mobile world and the popularity of tablets, this is actually a huge benefit.  Other than being able to send a ship notice from the Starbucks patio, this opens up the EDI world to others in your organization who traditionally never get involved in EDI.  How about the sales rep who is on the road?  He or she can now log in and see if the big account they landed has submitted a PO.  How about the ability to pull up a POS report while renegotiating pricing with your customer?  This is the most exciting aspect of this trend because it makes my job of selling the value-add of EDI that much easier.  And now with the addition of 4G technology, you don't even have to have a wi-fi signal to gain access!

Handheld device usage in the supply chain is not a new thing. When I was in the beer industry, our sales reps used handheld computers to take orders at the store level. Those computers were then synced with our AS400 later at the office. Then there's the relatively new DEX system used to electronically send an invoice at the time of delivery. Lastly, who hasn't heard of Square by now? Square is the hugely popular device and application that allows you to accept credit cards with your cell phone or tablet. It's only a matter of time before traditional EDI software will offer mobile apps so that those solutions can also be managed from that Starbucks patio. I predict that someday, mobile device EDI will be commonplace in many industries. I may be the last person on earth who does not have an iPad and all this talk of mobile devices and apps is making me want to go out and get one! Black Friday is right around the corner...

Tags: EDI Technology, benefits of EDI, cloud computing

Making the Switch to Cloud Computing Services

Posted by Shandra Locken on Wed, May 16, 2012 @ 12:13 PM

Guest blogging for the Aurora EDI Alliance is Yehuda Cagen from Xvand Technology Corporation, a Houston cloud computing company.

Cloud computing's value varies by the size and makeup of the client organization. The cloud provides Fortune 500-level IT capabilities to the small and midsize sector minus the key capital expenditures.

On the surface it would seem that cloud computing services best serve organizations that are firmly established with a less-than-robust IT system already in place.  However, we’ve recently engaged with a small law firm who had recently disbanded from a larger firm simply because the managing partner refused to put a "dollar sign" on the security of his clients' confidential data.

The bottom line is that like EDI, each cloud computing benefit should always be tied to a specific business benefit. If it meets those specified criteria, the cloud should be viewed as a viable alternative to on-premise IT.

There are many variations of cloud computing services.  Let’s explore two models at different ends of the “cloud spectrum”:

The business world is most familiar with a cloud-based data backup model that replicates your data to their offsite servers.  So, imagine a scenario in which your on-premise systems crash and cannot be restored.  The first step is to replace the systems that crashed.  Next, the data must be retrieved from the cloud computing provider and restored to your new on-premise systems.  Also remember that the data must be compatible with your new systems.  

So the key question is, “How long will the entire data restoration process take?”

Conversely, the more comprehensive cloud computing solutions use a different model in which ALL data, files and software applications are stored offsite, including EDI software and other applications or data that pertain to EDI. In this model, there are no on-premise systems. Most cloud vendors have redundant (duplicate or triplicate) system components in place in the event one component fails. Contrary to what some cloud providers might allege, there’s no such thing as “100% uptime.”

However, let’s say that even with all the safeguards in place, the cloud system experiences a 20-minute outage.  While the client company may lose access to data, there’s no need for the client to retrieve or restore data to new systems.  In this instance, the cloud vendor will find and resolve the issue and the client can continue operations as usual.

Here are ten reasons to move to a cloud computing provider:

  1. Speed to Market.  Starting with a pre-built, enterprise-level IT foundation allows clients to accelerate launch times of projects and businesses. 
  2. Lower Financial Risk.  Reduce the risks of on-premise solutions that require upfront capital expenses with an uncertain payoff. 
  3. Greater Financial Visibility.  A cloud-based managed service provider helps executives more accurately forecast the costs of adding new users or locations. 
  4. Improved Cash Flow.  Avoid assuming debt and keep cash in the company longer.
  5. Free-up Internal Resources.  Internal IT talent can focus on software applications and the associated innovations that drive business rather than engage in daily rounds of infrastructure troubleshooting.
  6. Better IT Budget Forecasting.  Unexpected server crashes, security threats and upgrades only increase budget uncertainty.  Since in most cases, the cloud computing provider assumes all capital IT and personnel costs, firm management only needs to forecast for a consistent, monthly per-user fee.  This simplifies the task of budgeting for potential growth, particularly with complex expansion or merging projects, when headcount is increased or reduced.
  7. Adaptability to Evolving Market Conditions.  In the cloud, firms can leverage the provider’s enterprise-level IT resources and deploy them as-needed.  This helps break the cycle of recurrent IT expenditures and positions the organization to adapt to evolving market conditions.
  8. Improved Risk Management.  Simply put, the more IT investments, the greater the risk.  Cloud providers reduce the organization’s dependence on onsite systems by assuming the costs and risks of the entire IT lifecycle: hardware, backups, security and support.  The firm can pursue growth opportunities without incurring the risk of significant capital outlays.
  9. Disaster recovery.  Rather than having to constantly back up files (and retrieve and restore them after a disaster) clients rely on the cloud computing provider’s data backup and protection procedures.  The key question to ask any provider, especially with disaster recovery, is, “What’s the recovery interval?”  In other words, how long will it take to restore normal business operations after a disaster?
  10. Greater Employee Morale.  Downtime reduces employee productivity and firm output.  Cloud solutions enable employees to work from home using the same familiar desktop interface, thus drastically reducing commute time and improving employee morale.  Remote users have ubiquitous access to the provider’s support team.  Most providers have executive-focused management consoles that enable managers to monitor employee activity remotely.

Tags: EDI considerations, EDI software, cloud computing

Cloud Based EDI: What Does "In the Cloud" Really Mean?

Posted by Shandra Locken on Fri, Feb 10, 2012 @ 12:51 PM

One of the biggest topics of conversation in technology these days is "in the cloud."  What does it really mean?  Just typing this term into Google gets you 1.7 billion hits.  Essentially, "in the cloud" means service rather than product, whether you are talking about ERP, accounting or EDI.  And usually the data is passed back and forth over the Internet.      

Where EDI is concerned, if you are using EDI SAAS (software as a service) or EDI hosting...then you are using cloud based EDI. One could even argue that Web-based EDI is a cloud EDI solution. What you should be aware of is that there is software sitting on some machine; it's just not on your property. And that someone is pushing the buttons.

There are several advantages to having a cloud EDI solution.  One of the biggest advantages of cloud based EDI is that you do not need a technical staff because someone else is acting on your behalf - they are your staff.  Also, another benefit is that most EDI SAAS solutions offer tiers of service.  You can go big or you can go small, depending on your needs AND later you can upgrade.  This is especially important to companies who start out with limited EDI but anticipate rapid growth.  With software in-house, it's often all or nothing.  And in-house software usually requires a larger up front investment. 

Cloud based services are growing by leaps and bounds!  According to IDC, cloud computing sales brought in a revenue of more than $21.5 billion in 2010.  That number will grow to $72.9 billion by 2015.  As more and more companies see the benefits of SaaS, my guess is that EDI providers will up the ante in terms of their cloud offerings.  And in this competitive climate, what sort of bells and whistles will we see being offered?  I can't wait to find out...

Tags: cloud computing, hosted EDI