©2002 First Consulting Group
FIRST CONSULTING GROUP
HIPAA Education
An Introduction to HIPAA
©2003 First Consulting Group
Presentation Agenda
• An Overview of HIPAA Administrative Simplification
• Setting the Stage
• HIPAA EDI Standards
• HIPAA Security & Privacy Standards
• Organizational Impacts and Approaches
• Final Remarks and Questions
• Resources
Presentation Objectives
At the end of this presentation, you should:
• Have a good general understanding of HIPAA
• Understand the specific EDI, security and privacy components and impacts of HIPAA
• Be able to determine your own organizational strategies and next steps for tackling HIPAA
An Overview of Administrative Simplification
HIPAA Overview
Health Insurance Portability and Accountability Act
• Signed into law during August of 1996
• Original intent: to support the portability of health insurance and to support improved fraud and abuse protections
Administrative Simplification (Title II)
• Added under pressure by the industry
• Desires to reduce paperwork
• Desires for administrative efficiencies
• Desires to ensure the confidentiality of electronic information
HIPAA Overview
HIPAA
• Title I: Health insurance access, portability and renewal
• Title II: Fraud and Abuse; Medical Liability Reform; Administrative Simplification
• Title III: Medical Savings Accounts; Tax deduction provisions
• Title IV: Group health plan provisions
• Title V: Revenue offset provisions
Administrative Simplification
• Electronic Transaction Standards (EDI): Nine payer transactions. Clinical code sets. Identifiers.
• Security Standards: PHI protection.
• Privacy Standards: Permissible PHI uses.
Evolution of HIPAA
Components proceed through the process independently
Lack of forward movement for one component does not impede the forward movement of other components
Process steps: Review existing regulations → Obtain public input → Draft proposed rule → Obtain public comment → Redraft proposed rule → Post final rule → Enforce final rule
Diagram annotations: 26 months after publication; Federal Register; 60 days; Must review ALL public comments; Prevent duplication; Is there a need?; Federal Register
Status of HIPAA
Electronic Transaction Standards (EDI)
• Transactions & Code Sets: proposed 05/1998; finalized 08/2000
• Provider ID: proposed 05/1998; finalized expected 2003
• Employer ID: proposed 06/1998; finalized expected 2003
• Health Plan ID: proposed expected 2003; finalized unknown
• Patient ID: proposed on hold; finalized on hold
• Compliance: 10/16/2002, or 10/16/2003
Privacy Standards
• Proposed 11/1999; finalized 12/2000; verified 04/2001; compliance 04/14/2003
Security Standards
• Proposed 08/1998; finalized 02/20/2003; compliance 04/20/2005
Applicability
HIPAA applies to the following entities
• Health Plans (including self-insured employers)
• Clearinghouses
• Healthcare Providers
HIPAA applies to the following circumstances
• EDI standards apply to PHI within specified transactions
• Security standards apply to all electronic PHI
• Privacy standards apply to all PHI: electronic, paper, oral
Applicability
HIPAA does NOT apply to the following:
• Aggregated, non-patient-identifiable information
• Business associates, trading partners, or third parties
HIPAA requires covered entities to:
• Ensure all software vendors are prepared to deliver applications that support EDI and security requirements
• Hold business associates using PHI accountable
• Consider partnering with clearinghouses to effectively implement EDI transaction standards
Other Implications
Working with other organizations as well as trade and professional organizations will become paramount
• States and regional demonstration projects are underway (MA, MN, OR, WA and others)
• WEDI established the Strategic National Implementation Process (SNIP) to coordinate implementation of the transaction standards
Setting the Stage
Healthcare Preparedness
August 2002 HIMSS/Phoenix HIPAA Survey
• Completion of gap assessments is taking longer than projected; however, compliance efforts have moved into planning, implementation and training
• Organizations appear to be absorbing the impact of key privacy rule modifications proposed in March (and subsequently finalized in August)
• Less than half of all payer and vendor respondents will be ready by the October 2002 transactions deadline; all reported that they will be ready by October 2003
• 85% of responding clearinghouses will be ready to transmit all HIPAA-required transactions before the April 2003 testing deadline; all will be ready by October 2003
Healthcare Preparedness
Electronic Transactions
• Organizations are now scrambling to “get smart” and get ready for EDI
• Many healthcare delivery organizations have relied on vendors and clearinghouses – and are expected to continue to rely on them for the compliance deadline – to transact their electronic business
• Savvy organizations have either taken transactions “in house” or have formed regional partnerships to implement and test transactions
Privacy & Security
• Most healthcare organizations have traditionally expounded on the importance of patient privacy; however, their policies, procedures, training, and funding have not historically been adequate
• Recent events affecting online privacy and disaster recovery have forced organizations to pay increased attention to privacy and security
• Savvy organizations are seeking technologies that can increase security while decreasing burdens on clinical staff (single sign-on, biometrics)
Costs of not Complying
Civil and criminal penalties will likely apply:
• Providing PHI knowingly: $50,000 and/or up to 1 year imprisonment
• Providing PHI under false pretenses: $100,000 and/or up to 5 years imprisonment
• Providing PHI for malicious intent or financial gain: $250,000 and/or up to 10 years imprisonment
No enforcement body has been indicated
JCAHO and NCQA are incorporating HIPAA compliance elements into their accreditation requirements
Courts are beginning to rule in favor of patients harmed by breaches of privacy
Potential Savings
$400 billion annually is spent on healthcare administrative costs [1]
• In 2002, standardizing electronic processing will result in savings of $3.1 billion, roughly split between payers and providers [2]
Paper claims cost $7 - $12 each in direct expenses [3]
Electronic claims cost $1.50 - $3.00 each [4]
A typical practice generating 30 – 40 referrals per day spends $28.50 per referral [5]
Automated referral process costs $0.93 per referral [5]
Customer service inquiry costs typically range from $5 - $7 per inquiry [6]
Costs for electronic inquiry can be 5¢ - 25¢
Sources: [1] BancBoston Robertson Stephens; [2] HHS; [3] AMA; [4] American Medical Billing Association; [5] Health Data Management; [6] FCG client experience
Case Examples:
• A Northeast BCBS plan realized 200% ROI by automating transactions. 97% of referral submission and eligibility and 70% of claims status checks are now done electronically
• A New England Medicaid HMO was able to reduce the time it takes to generate a referral by more than 50% by using an Extranet for automated web authorization
• A Texas-based clinic processing 400-500 claims/week reduced reimbursement lag time 50% by using the Internet to submit its claims
Case Examples:
• 1995 – Daughter of a hospital employee uses her mother’s password to look up medical records then call patients with falsely positive HIV results
• 1995 – Newton, MA hospital employee and convicted child rapist accesses records to make obscene phone calls
• 1996 – Tampa health department worker mails HIV list to press
• 2000 – Dutch hackers steal 5,000 patient record files from an academic medical center in Seattle
• 2001 – Drug maker inadvertently divulges e-mail addresses of 600 patients with depression, bulimia or obsessive-compulsive disorder
• 2001 – Detailed psychological records for more than 60 children accidentally posted on university website; removed 8 days later
Privacy & Security Risks
Primary sources of data loss or destruction:
• Computer viruses
• Physical disaster
• Poor organizational practices
• Internal breaches
Associated risks to the organization:
• Loss or destruction of data
• Loss of productivity and revenue
• Inability to provide care and/or inappropriate care rendered
• Public embarrassment and legal risk
Transactions, Code Sets, and Identifiers
HIPAA: The EDI Standards
Transaction standards:
• Claims: ASC X12N 837 (pharmacy: NCPDP Batch Standard V1.1)
• Claim status: ASC X12N 276/277
• Enrollment/disenrollment: ASC X12N 834
• Eligibility: ASC X12N 270/271 (pharmacy: NCPDP Batch Standard V1.1)
• Payment/remittance advice: ASC X12N 835
• Health plan premium payment: ASC X12N 820
• Coordination of benefits: ASC X12N 837 (pharmacy: NCPDP Batch Standard V1.1)
• Referral and authorization: ASC X12N 278 (pharmacy: NCPDP Batch Standard V1.1)
A standard for Claims Attachments has not yet been officially released; it is expected to be ASC X12N 275 + HL7
HIPAA: The EDI Standards
Clinical data code sets standards:
• ICD-9 for diseases
• CPT-4 for services and procedures
• HCPCS for medical equipment, injectable drugs, and transportation services
• CDT-2 for dental services
• Prescription drugs and biologics – not officially designated; can be NDC or HCPCS
These standards apply only to the administrative and financial electronic transactions – though feeder systems may also be impacted by migration to these standards
HIPAA: The EDI Standards
Standards for unique national identifiers:
• Health Care Providers (NPI - National Provider Identifier): Originally proposed to be an 8-digit alphanumeric identifier; expected to be finalized as a 10-digit numeric.
• Employers (EIN - Employer Identification Number): The IRS Employer Identification Number (currently 9 digits: 00-0000000).
• Health Plans (HealthPlanID): Identifier yet to be announced. Likely to be a 9-digit number assigned to all health plans, including TPAs, IPAs, PPOs, etc.
• Individuals (UHID): Currently on hold.
Use of these identifiers technically applies only to the administrative and financial electronic transactions
HIPAA: The EDI Standards
HIPAA does not mandate the electronic exchange of health care data for provider-based organizations
• Provider-based organizations that choose to conduct these transactions electronically, either directly or through a clearinghouse, must comply.
Transmissions within a corporate entity are not required to comply with the standards (except where the entity is acting as both a payer and a provider and those transactions are among the 9 that are covered).
Simply storing electronic patient identifiable information or externally transmitting that information for purposes other than one of the 9 covered transactions doesn’t alone dictate that an organization is covered under HIPAA.
Providers and payers may submit non-standard transactions to a health care clearinghouse for the sole purpose of translating them into standard transactions for electronic submission.
HIPAA: The EDI Standards
Under HIPAA legislation, if a provider chooses to conduct a standard electronic transaction with a health plan:
• The health plan may not refuse to conduct such transactions as standard transactions.
• The plan may not delay such transactions or adversely affect the submitter or transaction (though some state laws now require prompt payment).
• The information transmitted and received in connection with the transaction must be in the form of standard data elements.
If a Health Plan is currently engaged in a business function today that is one of the HIPAA-specified transactions – even if the Plan is not currently conducting that transaction electronically – it must be able to support that function electronically using the standard.
Privacy and Security Introduction
Privacy and Security Intentions
In drafting the privacy and security rules, HHS has intended for organizations to maintain reasonable and appropriate operational, technical, and physical safeguards
Prevent unauthorized use or disclosure
• Protect against external threats and physical hazards
• Limit/eliminate improper internal uses
Key considerations:
• Reasonable and appropriate are not explicitly defined
• Standards are intended to protect against both external and internal threats
• Standards include both technical and operational measures
• Organizations must determine the risks and their associated response or approach in order to make the rules “real”
Privacy vs. Security
Privacy: Rules governing access and use of data
• Who gets access and who doesn’t
Security: Mechanisms for protecting electronic data
• Preventing unauthorized individuals from gaining access
Privacy
The Privacy Debate
Key issues:
• Privacy issues are receiving increased attention: the FTC has been focused on Internet privacy; the EU has accused the US of lax privacy protections; consumer reports of privacy breaches appear to be on the rise
• In healthcare, several camps of dissatisfied constituents exist: patient privacy advocates who want patient consent reinstated; researchers who seek improvements to make research easier
• By and large, payers, hospitals and their lobbying organizations have supported the latest version of the final privacy rule
• Congress continues to debate Internet privacy in general; while action does not appear to be imminent, future legislation could affect HIPAA rules
Key Elements of Privacy Rule
The Privacy Rule:
• Covers electronic, paper-based and oral information
• Allows information to be used with few restrictions for treatment, payment and health care operations
• Supports routine disclosure with patient permission under defined circumstances for certain national priority purposes such as research, public health, law enforcement and oversight
• Requires patient authorization for the use and disclosure of health information for other purposes
• Gives patients greater access to and control over their health information
• Requires that organizations maintain safeguards for protecting patients’ health information and preventing unauthorized access (includes policies, procedures and training)
More Specifics on Privacy Rule
Covered entities are obligated to use only the “minimum necessary” information for payment and healthcare operations
A covered entity’s business associates are required to sign a contract ensuring that they, too, will protect patient information
• Organizations will likely get an additional year to convert business associate contracts already in place
Use of patient information for marketing purposes is specifically addressed
• Disease management, marketing of nominal products/services and other organization-sponsored initiatives that benefit the patient are permitted, though patients can opt out
• Selling or otherwise turning over patient information to external entities for their own marketing is not permitted
Use of patient information for fundraising is also specifically allowed under certain circumstances
Patient Impacts of the Privacy Rule
Provider organizations must give patients a notice of privacy practices outlining the general uses, disclosures and protections of patient information by the organization
• Organizations must make a “good faith effort” to obtain written acknowledgement from patients that they’ve received the notice
Patients can:
• Request restrictions to the use or disclosure of their health information – though the covered entity is not obligated to comply
• Amend – but not correct – their records
• Request an accounting of the disclosures of their health information to outside entities
• File a complaint if they believe their privacy rights have been violated
Security
Key Points
Security is a business issue and a technical issue
It is applicable to all electronic protected health information (PHI) regardless of format
It is a FLOOR not a CEILING. Value-added or more stringent standards should be applied as appropriate
Its standards are technology and vendor neutral as well as scalable and flexible
It is the national security standard for data in transit and at rest
It requires the healthcare community to adopt security processes, procedures and technological solutions that balance availability and costs with size and risks of the covered entity
Its standards seek to safeguard and provide appropriate availability of PHI
Structure
Safeguards for electronic PHI within the following basic categories:
• Administrative Safeguards – Formal practices to manage workforce security business processes
• Physical Safeguards – Formal practices for managing facilities housing information systems or electronically stored media
• Technical Safeguards – Formal practices for managing information systems and networks
• Organizational Requirements – Formal practices for establishing and managing contracts and relationships with electronic PHI
• Documentation Requirements – Formal practices for managing policies, procedures, and documentation
Key Specifics
Organizations must document their assurances of the safeguarding of all electronic PHI
Security is an extension of privacy with guidelines that enhance privacy measures
Coherent organizational security management practices are required
Assignment of a security official is required
Organizations must implement several written contingency plans
Organizations must educate the entire workforce
Implementation of encryption, decryption, or other technical solutions is required
Security
This section is helpful for HD clients.
Context
This is a starter list of operational impacts and should not be considered exhaustive
Specific impacts and corresponding responses will vary depending on an organization’s:
• Specific information systems
• Size, complexity and operations
• HIPAA compliance approach
Registration & Scheduling
Area/Function Key Impact(s) Consideration(s)
Eligibility Verification
If accomplished electronically, must use HIPAA standard
Good opportunity for administrative savings if function is integrated with HIS
Patient Registration Logical place for distributing patient privacy notice, getting patient acknowledgement and addressing any questions; could lengthen the registration process
Most patients are not aware of or concerned with privacy issues – and staff will need training on how to best discuss the topic with them
Must make “reasonable attempt” to get patient’s acknowledgement of receipt of the privacy notice
Patient Scheduling Patient schedules may contain personal health information
May need to segregate or secure sensitive information
Care Delivery
Area/Function Key Impact(s) Consideration(s)
Direct Care All caregivers and their support staff are governed under the privacy rules
All caregivers and their support staff must undergo training and adhere to same privacy policies and procedures
Access to varying levels of patient information will – and should – vary by role and their need to access information
Patients are permitted to ask to restrict the use or sharing of their information
Significant effort would be required to track who is authorized to hear/see patient information if the organization agrees to the restriction
Indirect Care Secondary caregivers (pathologists, radiologists) are covered under the patient consent for primary caregiver
Treatment is covered rather broadly; a separate patient consent is not required
Support Services
Area/Function Key Impact(s) Consideration(s)
Laboratory, Radiology, Pharmacy
Sensitive patient data reside on key ancillary systems
Ancillary systems must have mechanisms to restrict access to patient information
Laboratory and pharmacy data may reflect sensitive diseases (AIDS, mental health)
Ancillary staff must directly receive requests for release-of-information
HIM/Medical Records
HIM is typically the department most affected by release of information and patient privacy issues
HIM staff are often thrust into expanded roles managing privacy across the organization
One of the primary contact points for patients regarding privacy policies, release of information, accounting of disclosures and complaints is HIM
Transcriptionists qualify as business associates
Business associate contract and privacy protections must be in place
Financial Services
Area/Function Key Impact(s) Consideration(s)
Authorization & Referral Billing
If accomplished electronically, must use HIPAA standard
Huge area of potential cost savings
Most payers and vendors cannot accomplish electronic authorizations
Must adhere to “minimum necessary use” requirements
Staff typically don’t need full access to patient clinical information
Claims Submission If accomplished electronically, must use HIPAA standard
Claims submission is the biggest volume HIPAA transaction at present
Requires payer collaboration
Must adhere to “minimum necessary use” requirements
Payers must seek only minimum necessary information to pay claims
Billing Billing agencies qualify as business associates
Business associate contract and privacy protections must be in place
Clinical and ancillary need to use HIPAA-standard codes (i.e., ICD-9)
Information Systems
Area/Function Key Impact(s) Consideration(s)
EDI Information systems play major role in EDI compliance efforts
EDI systems strategy, approach and design need to be articulated
Additional costs may be incurred, especially related to clearinghouses
Security Additional security technologies and approaches will be required
Different security technologies (biometrics, tokens, passwords) might be appropriate for different systems or in different situations
Some clinical systems have minimal user authentication, data segregation and audit tracking mechanisms
Staff IS staff play significant role in security protections
The skill set and reporting relationship/visibility for the security officer are important
Appropriate internal IS controls must be in place
Other Healthcare Operations
Area/Function Key Impact(s) Consideration(s)
Patient Information Desk
Need to confirm with patients how their status information can be shared
Uses must be disclosed in patient privacy notice
Special requirements for clergy, law enforcement officials
Clinical Research Must use IRB or similar structure
Aggregated patient information or IRB waiver doesn’t require authorization
Decentralized research databases and data downloads create significant impacts for patient authorization and audit tracking
Audit, Legal, Risk Management, Compliance & Quality Improvement
Functions are covered under “healthcare operations” for privacy purposes
Uses must be disclosed in patient privacy notice
Uses must adhere to minimum necessary use requirement
Audit, Risk Management and Compliance may be most effective functions for overseeing compliance
Other Healthcare Operations
Area/Function Key Impact(s) Consideration(s)
Accreditation External accreditation organizations are covered as business associates
Uses must be disclosed in patient privacy notice
Uses must adhere to minimum necessary use requirement
Must maintain business associate contract
Marketing & Fundraising
Only internal marketing (i.e., for disease management purposes) is allowed
Uses must be disclosed in patient privacy notice
Organizational fundraising is permitted under certain circumstances
Sale of patient identifiable information or marketing by external entities for their own purposes must be authorized by patient
Organizational Approaches
Customize for client.
Organizational Approaches
Two important points:
• Recall that HIPAA originally began as an industry-led effort to increase levels of electronic processing and reduce associated administrative complexity
Our beliefs:
• Organizations that set out to merely achieve HIPAA compliance will have missed opportunities to streamline their business, eliminate complex processes, save money and achieve a competitive advantage
• Establishing a privacy-conscious organization requires a strong leadership commitment and a culture that reinforces doing the right thing
Key Steps to Achieving HIPAA Compliance
For starters, we recommend conducting the following key steps:
• Educate senior management on key issues and discuss overall strategy
• Assign responsibility and accountability
• Educate key staff on details of HIPAA requirements
• Conduct baseline readiness assessment
• Integrate requirements into organization’s overall plans, assign resources and plan budget
First up: compliance with HIPAA privacy requirements (required by April 14, 2003)
HIPAA Assessment: Goals and Objectives
There are a number of key objectives organizations should seek in undertaking a HIPAA assessment:
• Understand key organizational strategies and specific initiatives
• Identify the impact HIPAA will have on the organization’s: corporate strategies; key projects; information systems; business processes; trading partners/business associates
• Outline strategies to comply with HIPAA and provide recommendations for a governance and project structure to support ongoing HIPAA compliance
• Develop an approach, tactical plans and cost estimates to shape next steps
Note: use this slide only for Assessment engagements
HIPAA Assessment: Key Steps
These are the high-level steps we associate with a typical HIPAA assessment:
1. Project Initiation: Project Kickoff
2. HIPAA Education and Strategy: Conduct HIPAA Education; Validate HIPAA Strategy
3. HIPAA Baseline Assessment: Assess Current Environment; Review Corporate Strategies and Initiatives; Document Results
4. HIPAA Approach & Recommendations: Review Findings; Present Recommendations
HIPAA Assessment: Key Activities
Key Activities
Project Kick-off & Organization
• Develop workplan & communication plan
• Confirm approach and structure
• Identify workgroup participants
• Define framework for final deliverable
• Schedule workgroup sessions
• Conduct Kickoff
HIPAA Education & Strategy
• Modify Interview and knowledge capture tools
• Schedule interviews
• Conduct information gathering
• Finalize workgroup structure
• Conduct Education Sessions
Undertake HIPAA Assessment
• Revise & finalize assessment tools
• Conduct workshop sessions
• Workgroups complete assessment
• Document assessment findings
HIPAA Approach and Plan
• Compile findings
• Review findings with team
• Formulate recommendations
• Develop Approach and Cost Model
Final Recommendations
• Develop final deliverable
• Present final recommendations
• Outline next steps
Final Remarks
Contact Information
1. Vice President, CSE, or DSE <Email> <Vmail>
2. Project Manager <Email> <Vmail>
3. Consultant <Email> <Vmail>
Questions and Discussion
Resources
AFEHCT (Association for Electronic Health Care Transactions): www.afehct.org
AHIMA (American Health Information Management Association): www.ahima.org/hipaa
ASTM (American Society for Testing and Materials): www.astm.org
CHIM (Center for Healthcare Information Management): www.chim.org
CPRI (Computer-based Patient Record Institute): www.cpri-host.org
DHHS (Department of Health and Human Services): aspe.hhs.gov/admnsimp/index
EHNAC (Electronic Healthcare Network Accreditation Commission): www.ehnac.org
Email Subscriptions: www.hcfa.gov/medicare/edi/admnlist
“For the Record, Protecting Electronic Health Information”: www.nap.edu
Greely Education: (800) 650-6787
Health Privacy Forum: www.healthprivacy.org
“Protecting the Security and Confidentiality of Healthcare Information” (V.12, No.1, Spring 1998): www.himss.org
JHITA (Joint Healthcare Information Technology Alliance): www.jhita.org
Medicare EDI: www.hcfa.gov.medicare/edi/edi
National Uniform Billing Committee: www.nubc.org
National Uniform Claims Committee: www.nucc.org
Transaction Implementation Guides: www.wpc-edi.com
WEDI (Workgroup for Electronic Data Interchange): www.wedi.org
Miscellaneous Link: www.va.gov/meetings/hhs980720/noiwp1.htm
Miscellaneous Link: www.naic.org/1news/testimonies/4-23grte.htm
Miscellaneous Link: www.hcfa.gov/hipaa/hipaahm.htm
Miscellaneous Link: www.wedi.org/htdocs/securitymatrix.htm
Miscellaneous Link: www.jhita.org/hipaarule.htm
Miscellaneous Link: www.mahealthdata.org