HIPAA 2nd Edition HIPAA2E/0810

HIPAA 2nd edition Student Manual - s3.amazonaws.com
s3.amazonaws.com/Careertec/Career Technical Institute/Student...




Table of Contents

Introduction ..........................................................v

HIPAA Privacy Rules............................................ 1

Overview of HIPAA...................................................................3

Lesson 1 ................................................................................................... 5

Coverage .................................................................................................. 5

Introduction ..................................................................................... 5
What are the misconceptions about HIPAA? ................................. 6
Who is affected by the Administrative Simplification provision? .... 8

Lesson 2 ................................................................................................... 9

Covered Entities .................................................................................... 9

What is a Health Plan? ................................................................... 9
What is a Health Care Provider? .................................................... 9
What is a Health Care Clearinghouse? ........................................ 10
Health Plans.................................................................................. 10
Covered entity or not?................................................................... 11

Lesson 1 ................................................................................................. 17

HIPAA Privacy Rule ............................................................................ 17

Privacy Rule .................................................................................. 17
Benefits to Individuals ................................................................... 19

Lesson 2 ................................................................................................. 21

Protected Health Information......................................................... 21

Protected Health Information ........................................................ 21
The Privacy Rule: PHI.................................................................. 21

Lesson 3 ................................................................................................. 26

Privacy Notification Requirement................................................. 26

Privacy Notification Requirement.................................................. 26

Lesson 4 ................................................................................................. 33

Penalties, Enforcement and Complaints .................................... 33

Penalties ....................................................................................... 33
Fines ............................................................................................. 33
The Impact of Noncompliance ...................................................... 34
Compliance ................................................................................... 35


Electronic Health Data Transactions............... 41

Electronic Data Interchange ............................................ 43

Lesson 1 ................................................................................................. 45

Shared Data Across Organizations............................................... 45

Lesson 2 ................................................................................................. 47

Standardized Data .............................................................................. 47

Health Information Transaction Data ............................. 51

Lesson 1 ................................................................................................. 53

Transaction Standards...................................................................... 53

Lesson 2 ................................................................................................. 59

Transaction Code Sets...................................................................... 59

What are transaction code sets? .................................................. 59

Lesson 3 ................................................................................................. 63

Unique Identifiers ............................................................................... 63

What are unique identifiers? ......................................................... 63

Evaluating the Impact of the Privacy Rules..... 65

Privacy Rule Applicability................................................... 67

Lesson 1 ................................................................................................. 69

Access to Healthcare Information and Privacy Obligations ........... 69

Lesson 2 ................................................................................................. 72

Business Associates and Privacy ................................................. 72

Assessing Compliance with Privacy Rule Requirements ............... 75

Lesson 1 ................................................................................................. 77

Areas of Vulnerability ........................................................................ 77

Lesson 2 ................................................................................................. 79

Privacy Gap Analysis ......................................................................... 79

Lesson 3 ................................................................................................. 84

Privacy Compliance ........................................................................... 84

Preparing Your Staff and Associates............................ 101

Lesson 1 ............................................................................................... 103

Privacy Training................................................................................. 103


Lesson 2 ............................................................................................... 105

Complying with Business Associate Provisions .................... 105

Changing Processes and Procedures ............................109

Lesson 1 ............................................................................................... 111

HIPAA Privacy Rule Documentation Requirements.............. 111

Resolving PHI Access Issues and Complaints ....................... 122

Disciplinary Policies under HIPAA .............................................. 126

Skill Guide Sample Policy Regarding Violations of Privacy .......... 129

Securing Protected Health Information .......... 133

Administrative Safeguards for Data Security .............135

Lesson 1 ............................................................................................... 137

Data Security Policies..................................................................... 137

Security in the Workforce .............................................................. 141

Lesson 3 ............................................................................................... 143

Business Associate Contract Security ..................................... 143

Lesson 1 ............................................................................................... 149

Physical Safeguards ........................................................................ 149

Technical Safeguards...................................................................... 154


Introduction

The HIPAA course consists of 5 parts: HIPAA Privacy Rules, HIPAA Electronic Health Data Transactions, HIPAA: Evaluating the Impact of the Privacy Rule, HIPAA: Implementing Privacy Rules and HIPAA: Securing Protected Health Information.

In the first part, students will examine the privacy provisions under HIPAA for patients and employees involved with covered entities. Under HIPAA, covered entities are now expected to provide notification to individuals before the routine use of health information. HIPAA offers patients the right to a copy of their medical records, to request amendments to them if necessary, and to know the history of disclosures. This course helps covered entities recognize the key provisions of HIPAA, how their organizations are affected by HIPAA, and how the privacy rules impact upon them.

The second part of this course is designed to help you comprehend the implications of implementing HIPAA data transaction rules. The course presents basic concepts of electronic data interchange (EDI) and how EDI principles will be applied to health-related business transactions. It also describes the structure of technical transaction standards used in HIPAA administrative simplification rules. This course is designed to provide a managerial perspective on transaction standards.

In the third part, this course helps employers evaluate the impact of HIPAA privacy requirements upon their organizations. It teaches them which practices they will need to change and whether they may qualify for certain exceptions. In addition, this course will help employers develop strategies to meet requirements by assessing the gap between what is required by the privacy rule and their organizations' current practices. The course will advise them what is involved in adopting new procedures and fulfilling administrative responsibilities.

In the fourth part, this course offers a practical guide to implementing and complying with the HIPAA privacy rules. The course helps healthcare professionals, managers, and staff personnel understand HIPAA regulations and how to implement the changes required for compliance.


In the fifth part, this course describes precautions employers should take when complying with HIPAA Administrative Simplification rules. The course explores specific standards set within HIPAA rules and legally mandated implementation standards, as well as areas where the law allows flexibility in adopting the new rules.

This manual covers the content presented in the media-based courseware for each of the five parts as follows:

HIPAA: Privacy Rules
HIPAA: Electronic Health Data Transactions
HIPAA: Evaluating the Impact of the Privacy Rule
HIPAA: Implementing Privacy Rules
HIPAA: Securing Protected Health Information

You may use this manual to review and highlight important concepts as you progress through the media based course.

Enjoy your course!


PART 1

HIPAA Privacy Rules

Personal privacy is now a major issue to people, particularly where medical information is concerned. This course presents an overview of HIPAA (the Health Insurance Portability and Accountability Act), outlining the main components and identifying who is covered by the act. The course examines the privacy provisions under HIPAA for patients and employees involved with covered entities. Under HIPAA, covered entities are now expected to provide notification to individuals before the routine use of health information. HIPAA offers patients the right to a copy of their medical records, to request amendments to them if necessary, and to know the history of disclosures. This course helps covered entities recognize the key provisions of HIPAA, how their organizations are affected by HIPAA, and how the privacy rules impact upon them.

This course was developed with subject matter support provided by the Labor & Employment Law Group of the law firm of Baker, Donelson, Bearman, Caldwell & Berkowitz, PC. Please note, however, that the course materials and content are for informational purposes only and do not constitute legal advice. Nothing herein, or in the course materials, shall be construed as professional advice as to any particular situation or constitute a legal opinion with respect to compliance with any federal, state, or local laws. Transmission of the information is not intended to create, and receipt does not constitute, an attorney-client relationship. Readers should not act upon this information without seeking professional counsel. The information contained herein is provided only as general information that may or may not reflect the most current legal developments. This information is not provided in the course of an attorney-client relationship and is not intended to constitute legal advice or to substitute for obtaining legal advice from an attorney licensed in your state.

UNIT 1

Overview of HIPAA

This unit is comprised of 2 Lessons that cover:

Lesson 1: Coverage

• Coverage • Covered Entities

Lesson 2: Privacy Rule

• HIPAA Privacy Rule • Protected Health Information • Privacy Notification Requirement • Penalties, Enforcement and Complaints

Lesson Post-test

At the end of the unit, you will complete a Lesson Post-test.

Lesson 1

Coverage

Introduction

The Health Insurance Portability and Accountability Act (HIPAA) was introduced by Congress in 1996 to protect those with health insurance who were experiencing employment changes that could affect their coverage. HIPAA aims to prevent discrimination against those with changing health or job status. HIPAA also regulates the privacy, security and electronic transfer of Protected Health Information (PHI).

HIPAA consists of two main provisions: the Health Care Insurance Access, Renewal, and Portability Provisions and the Administrative Simplification Provisions. The Administrative Simplification provision aims to improve the efficiency, protection and security of health care information.

• Defines National Standards for the Transmission of Health Care Data and Transactions
HIPAA defines transaction standards for the transmission of health care data and health care transactions. Standards were introduced to reduce human error and paper-handling costs by focusing specifically upon electronic orders.

• Defines Privacy Rules for Protected Health Information
HIPAA defines a Privacy Rule that governs how covered entities may use and disclose Protected Health Information. The Rule gives individuals rights over their own health information and requires covered entities to issue a Notice of Privacy Practices describing how that information may be used or disclosed.

• Gives people more control over their information

HIPAA allows individuals more rights to control their own health information, making it easier for people to request updates and corrections, and to gain access to their records.

• Requires the use of National Provider Identifiers (NPIs)
HIPAA requires the use of National Provider Identifiers (NPIs), which are used to identify health care providers and are required for all electronic transactions and data exchanges.

• Defines security rules
HIPAA establishes requirements for the security of electronic health care information and, combined with the privacy rules, it controls access to private information.

What are the misconceptions about HIPAA?

HIPAA does not:

• Guarantee health care coverage for all individuals
• Replace the federal government as the primary health care regulator
• Require health plans to offer specific benefits

The Administrative Simplification provision under HIPAA outlines the national standards for health care providers relative to security and privacy of information. The Administrative Simplification provision also sets standards for the electronic transfer of information and transactions by health plans, health care providers and health care clearinghouses.

• Standard Transactions – Electronic Data Interchange (EDI)
Electronic health care transactions should follow specific EDI standardized formats known as Transactions and Code Sets. These sets require that every covered entity uses the same format.

• National Provider Identifiers (NPIs)

NPIs are unique ten-digit identifiers used to identify health care providers. They are required for all electronic transactions and data exchanges.

• Security of electronic health care transactions

Security under HIPAA involves the protection of information from destruction, alteration, misuse, or loss, and aims to prevent access to protected health information by unauthorized persons.


• Privacy of health information
Privacy of personal health information is covered by the Privacy Rule under Administrative Simplification, and includes the right of individuals to prevent the disclosure of their information. The Rule requires a notice of privacy practices regarding how personal information could be used or disclosed.
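The manual states that an NPI is a ten-digit identifier required on every electronic transaction, but it does not say how a receiving system can tell a well-formed NPI from a mistyped one. The following is an added example, not code from this manual or from any CMS or clearinghouse software. It validates an NPI before the identifier is accepted into a transaction, using the check-digit rule from the CMS NPI specification: the Luhn formula applied to the NPI prefixed with the constant 80840. That rule is not described in the manual. The claim records it screens are constructed sample data, and the function names are this example's own.

```python
"""Validate National Provider Identifiers (NPIs) before accepting them
into an electronic health care transaction.

Added example; not code from the manual. The check-digit rule (Luhn
formula over the NPI prefixed with 80840) comes from the CMS NPI
check-digit specification and is not discussed in the manual.
"""
from typing import List, Optional, Tuple

NPI_LENGTH = 10
# Card-issuer prefix that CMS specifies for the check-digit calculation.
NPI_PREFIX = "80840"


def _luhn_sum(digits: str) -> int:
    """Luhn weighted sum: walking from the right, double every second
    digit, subtract 9 from any doubled value above 9, and add it all up."""
    total = 0
    for position, ch in enumerate(reversed(digits)):
        d = int(ch)
        if position % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total


def npi_check_digit(base: str) -> int:
    """Compute the tenth (check) digit for a nine-digit NPI base."""
    if len(base) != NPI_LENGTH - 1 or not (base.isascii() and base.isdigit()):
        raise ValueError("NPI base must be exactly nine ASCII digits")
    # Appending a placeholder 0 puts every base digit in the position it
    # will occupy once the real check digit is attached.
    partial = _luhn_sum(NPI_PREFIX + base + "0")
    return (10 - partial % 10) % 10


def npi_problem(npi: str) -> Optional[str]:
    """Return a short reason the NPI must be rejected, or None if it passes."""
    if len(npi) != NPI_LENGTH:
        return f"length {len(npi)} != {NPI_LENGTH}"
    if not (npi.isascii() and npi.isdigit()):
        return "non-numeric characters"
    # A valid NPI makes the Luhn sum over 80840 + NPI a multiple of ten.
    if _luhn_sum(NPI_PREFIX + npi) % 10 != 0:
        return "check digit mismatch"
    return None


def is_valid_npi(npi: str) -> bool:
    return npi_problem(npi) is None


# Constructed sample claim records (claim id, billing-provider NPI).
# The two valid NPIs were generated with npi_check_digit(); the others
# model a transposed digit, a truncated identifier and a corrupted field.
SAMPLE_CLAIMS: List[Tuple[str, str]] = [
    ("CLM-0001", "1234567893"),
    ("CLM-0002", "1234567890"),
    ("CLM-0003", "123456789"),
    ("CLM-0004", "1245319599"),
    ("CLM-0005", "12453195O9"),
]


def screen_transaction_npis(
    claims: List[Tuple[str, str]]
) -> List[Tuple[str, str, str]]:
    """Return (claim id, npi, reason) for every claim whose NPI fails,
    so the batch can be rejected or quarantined before transmission."""
    rejects = []
    for claim_id, npi in claims:
        reason = npi_problem(npi)
        if reason is not None:
            rejects.append((claim_id, npi, reason))
    return rejects


if __name__ == "__main__":
    for claim_id, npi, reason in screen_transaction_npis(SAMPLE_CLAIMS):
        print(f"{claim_id}: rejected NPI {npi!r} ({reason})")
```

Run the screen at the point where a claim or other transaction is assembled, before it is handed to a clearinghouse or payer; a check-digit failure caught there is far cheaper than a rejected batch. Passing the check only proves that the number is well-formed. It does not prove that the NPI is assigned to the provider named in the transaction, which requires a lookup against the NPI registry.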

Standards

These national standards introduced by Administrative Simplification are intended to have several advantages. They reduce:

• The burden of complex administrative procedures
• The cost of paper handling
• The risk of error and loss of secure data

Who is affected by the Administrative Simplification provision?

Those who must adhere to the rules include:

• Health care providers, health plans and clearinghouses
• Payers
• Administrators
• Billing agents

The Health Insurance Portability and Accountability Act protects individuals from discrimination relative to health care coverage, and defines rules that govern the behavior and standards of health care providers, insurers and health plans, healthcare clearinghouses, and their business associates who transmit and use protected health information.


The Administrative Simplification provision of HIPAA sets standards for security and privacy of personal health information and standardizes electronic health care transactions.

Lesson 2

Covered Entities

The Health Insurance Portability and Accountability Act (HIPAA) governs the actions of covered entities. HIPAA identifies covered entities as health plans, health care providers, and health care clearinghouses.

What is a Health Plan?

A health plan is a plan that provides or pays for medical care. This includes public and private health insurers, Medicare and Medicaid, and any other program whose main purpose is to provide or pay for a health service.

What is a Health Care Provider?

A health care provider is any person or organization that furnishes, bills, or is paid for health care. The health care provider offers a medical or health service in its normal course of business.


What is a Health Care Clearinghouse?

A health care clearinghouse is a public or private entity that deals with the processing of Protected Health Information (information that identifies the individual). For example, these could include billing companies and community health information systems.

Health Plans

Health plans include group plans sponsored by employers, churches, and the government. A group health plan is an employer-sponsored plan with 50 or more participants or one that is administered and maintained by a third-party administrator. Group health plans with fewer than 50 participants administered solely by the employer would not be classed as a covered entity by HIPAA.

Under HIPAA rules, covered entities must meet requirements for handling patients' protected health information.

• Provide information to patients about their privacy rights
Covered entities must provide information to patients about their privacy rights, with limited exemptions from this requirement. If a covered entity is to use or disclose patient information, it must provide the patient with a Notice of Privacy Practices outlining its policies.


• Adopt privacy policies
Covered entities must adopt clear policies to inform staff how health care information should be used and disclosed. A policy should include details of the acceptable uses and disclosures of health information, who is entitled to use the information, and the penalties in place for noncompliance.

• Train staff and designate a privacy officer

Covered entities must train their staff in privacy procedures relative to the policy and the Privacy Rule under HIPAA. Covered entities must also designate one member of staff to act as a privacy officer to monitor and regulate the privacy procedures in place.

Covered entity or not?

Individuals or companies involved in the health care business must determine whether they are covered entities under HIPAA rules. Not everyone will be.

A good method of determining who is a covered entity under HIPAA rules is to use a decision test. The individuals or companies answer a series of questions to determine whether or not they are covered by HIPAA rules. There are specific criteria health plans must meet in order to be classed as covered entities. A health plan must answer yes to the following questions:

• Does the plan provide or pay for medical care?
• If it is a group health plan, does it have 50 or more participants or a third-party administrator?


• Is the plan a health insurance or Medicare issuer, Health Maintenance Organization, or multiemployer benefit plan?

Health care providers should ask the following questions to determine whether the organization or individual is a covered entity. If the answer to any of the following questions is no, the entity is likely not covered under HIPAA rules.

1. Are you a health care provider as defined by law?
A health care provider can include physicians, dentists, laboratories, nursing homes, hospitals, and pharmacies, among others. If an organization or individual answers yes to this question, they may be a covered entity. If so, they should answer the second question.

2. Do you perform provider functions described in the law?
Provider functions are those involving the billing or receipt of payment for health care services, as part of a normal business transaction. If the answer to this is yes, the organization or individual may be a covered entity depending on the answer to question three.

3. Do you perform at least some of these functions electronically?
To be a covered entity under HIPAA, a health care provider must perform at least some of its functions and transactions electronically.

Health Care Clearinghouse

A health care clearinghouse requires only one question to determine whether it is a covered entity under HIPAA rules.


• Are you a covered entity?
Does the business convert health information, either from a nonstandard format (not accepted by HIPAA) to a standard format (accepted by HIPAA), or vice versa? If the answer is yes, the clearinghouse is a covered entity.

• Information used
To be a covered entity, a clearinghouse must be dealing specifically with information that is either in a standard or nonstandard electronic format and must facilitate the processing of such information.

Business Associate

HIPAA also takes the business associates of covered entities into account. Does the business associate perform the function of processing health information for the covered entity? If the answer is yes, HIPAA is likely to consider the business an associate of the covered entity. Activities performed by business associates could include claims processing, quality assurance, data analysis, billing, legal or accreditation services, among others.

Covered entities are defined by HIPAA and can be health plans, health care providers, or health care clearinghouses. HIPAA identifies covered entities according to their involvement with health care information, transactions, and data transmission.


All covered entities have obligations to HIPAA concerning the treatment and privacy of health care information.

UNIT 2

Privacy Rule

This unit is comprised of 4 Lessons that cover:

Lesson 1: HIPAA Privacy Rule

• Identify a health plan’s responsibilities regarding the Privacy Rule under HIPAA

• Recognize the benefits to individuals provided by the Privacy Rule

Lesson 2: Protected Health Information

• Identify how the Privacy Rule safeguards Protected Health Information

• Identify the elements of health information that must be protected in a given scenario

Lesson 3: Privacy Notification Requirement

• Identify the main requirements for a Notice of Privacy Practices document

Lesson 4: Penalties, Enforcement and Complaints

• Identify the penalties a company faces if it fails to comply with its obligations under the Privacy Rule

• Recognize the impact of HIPAA penalties upon covered entities who do not comply

• Identify how to file a health information complaint with the Office for Civil Rights

Lesson Post-test

At the end of the unit, you will complete a Lesson Post-test.


Lesson 1

HIPAA Privacy Rule

Privacy Rule

There is a Privacy Rule that health plans (including those sponsored by employers) must adhere to under the Health Insurance Portability and Accountability Act (HIPAA). The rule is in place to protect sensitive personal health care information. Health plans that are covered entities have a number of responsibilities under the Privacy Rule.

1. Access
2. Notice
3. Limits
4. Confidence
5. Procedures
6. Training

1. Access
Individuals are entitled to access their Designated Record Set from covered entities within 30 days of request. There are limited exceptions to this requirement. Individuals are entitled to request changes and corrections if they identify mistakes.

2. Notice
Unless they fit within limited defined exceptions, covered entities must provide a Notice of Privacy Practices regarding the use of personal information. The Notice is a legal document that outlines individuals' rights under the privacy regulations.

3. Limits
Covered entities must adhere to the limits stated under the HIPAA Privacy Rule regarding the use of personal information. They must prohibit the use of records for marketing purposes unless the patient has consented.

4. Confidence
Covered entities have a responsibility to maintain individuals' privacy. Patient information must be treated with confidentiality: any use or disclosure of health care information must be permitted by law or subject to the patient's permission.

5. Procedures
Covered entities must have written privacy procedures that should be available on request and should designate which employees have access to protected health information, and for what purposes. They must also note how and when information can be disclosed.

6. Training
Covered entities must train employees in the correct privacy procedures and designate a privacy officer to assist with enforcement. Covered entities must ensure that appropriate disciplinary action is taken if an employee fails to follow privacy rules.

The Privacy Rule must be followed by all covered entities identified under HIPAA (unless they fall under a defined exception), and failure to do so can result in harsh civil or criminal penalties.

Some organizations are not covered entities because they do not pay for health care services, do not convert data between standard and nonstandard formats, or do not conduct health care transactions electronically. Three examples:

• Business associates
• Researchers
• Public health data collection systems

Business associates. A business associate performs services on behalf of a covered entity that involve access to Protected Health Information. It is not itself a covered entity, so originally it was bound only by its contract (the business associate agreement) with the covered entity; since the HITECH Act of 2009 it is also directly liable to the government under some provisions of the law.

Researchers. Researchers are not covered entities because they do not directly pay for or provide health care, or act as a clearinghouse. However, researchers must go through certain steps (for example, obtaining the individual’s authorization or an Institutional Review Board waiver) to obtain health information from covered entities complying with HIPAA.

Public health data collection systems. Public health authorities that collect medical information and data sets are not covered entities as defined by HIPAA, although the Privacy Rule permits covered entities to disclose PHI to them for public health purposes.

Benefits to Individuals

The Privacy Rule under HIPAA is beneficial to individuals who previously had no access to, or control over, their personal health information.

Thanks to HIPAA’s Privacy Rule, individuals can:

• Obtain a copy of their Designated Record Set
• Request the correction of errors
• Receive a notice explaining how their protected health information (PHI) is used in most circumstances
• Give or refuse permission for PHI to be shared
• Request confidential communications, that is, how and where they are contacted about their information
• File complaints

Other benefits include:

• Control over how PHI is used
• Reassurance that unauthorized people will not see their PHI
• Knowledge of what PHI exists in the Designated Record Set

Under HIPAA, health plans have a responsibility to adhere to the Privacy Rule and treat PHI with care. Records must be treated with confidentiality, and employees who administer a health plan must be correctly trained to handle the information in accordance with the rule. Individuals benefit from the Privacy Rule with more access to their information, and more freedom to determine how their information is used. They are more informed, and have more control over who sees their PHI.

Lesson 2

Protected Health Information

Protected Health Information

Protected health information (PHI) is individually identifiable health information, transmitted or maintained in any form, that relates to an individual’s health, health care, or payment for health care (past, present, or future) and is created or received by a health care provider, health plan, group health plan, insurer, employer, school, public agency, or clearinghouse. PHI can be written, electronic, or oral. For example, PHI can be present in health care invoices, medical files, research databases, and even conversation.

The Privacy Rule: PHI

The Privacy Rule under the Health Insurance Portability and Accountability Act (HIPAA) states that: “A covered entity must reasonably safeguard protected health information from any intentional or unintentional use or disclosure that is in violation of the standards, implementation specifications, or other requirements of this subpart.”

Safeguards

The Privacy Rule safeguards PHI by requiring covered entities to implement basic administrative procedures. The rule dictates that a covered entity:

• Designates a privacy official and trains staff on privacy policies
• Documents those involved in the handling, use, and disclosure of PHI
• Retains previous policies, complaints and documentation
• Reviews existing policies

The Privacy Rule also safeguards PHI in the following ways:

• Sets limitations on the use and release of health records
• Places restrictions on covered entities’ requests for information (the “minimum necessary” standard)
• Holds those in noncompliance responsible

Safeguards are there to prevent wrongful intentional or unintentional use of PHI. Covered entities should have sanctions in place for the misuse of PHI by employees or business associates and act promptly in response to noncompliance. Certain information within PHI must be protected to prevent individuals from being identified and targeted by companies or the public. This information must also be protected so that medical information can be used for research and public health matters without disclosing personal information. “Deidentified” information is data that has had identifiable details removed so that it cannot be matched with an individual. Under the Privacy Rule’s Safe Harbor method, 18 “identifiers” of the individual (and of the individual’s relatives, employers, and household members) must be removed before the information can be classed as deidentified. These are:

1. Names
2. Geographic subdivisions smaller than a state
3. All elements of dates except year (and all ages over 89)
4. Electronic mail addresses
5. Web Universal Resource Locators (URLs)
6. IP address numbers
7. Biometric identifiers
8. Full-face photographs and comparable images
9. Any other unique identifying number, characteristic, or code
10. Telephone numbers
11. Fax numbers
12. Social Security numbers
13. Medical record numbers
14. Health plan beneficiary numbers
15. Account numbers
16. Certificate or license numbers
17. Vehicle identifiers and serial numbers, including license plates
18. Device identifiers and serial numbers

It should be noted that under special circumstances, protected health information can be used for research purposes without deidentification. To deidentify information, you can use a “deidentification list.” A deidentification list is a checklist of the identifiers that enables you to check that deidentification is complete. Safe Harbor can only apply if you have removed all 18 identifiers and the covered entity has no actual knowledge that the remaining information could be used to identify the individual. Safe Harbor is one of the two deidentification methods the Privacy Rule recognizes; the other is a documented determination by a qualified statistical expert that the risk of re-identification is very small. HIPAA’s Privacy Rule governs the protection of Protected Health Information, applying safeguards and requiring compliance from covered entities. Where PHI is to be used for purposes the Rule does not otherwise permit, deidentifying it first prevents identification of the individual involved, thus protecting the person’s privacy and preventing intentional or unintentional misuse.

SkillGuide

Deidentification List

Instructions: Use this SkillGuide to check that you have correctly deidentified information.

Go through the list of attributes in the table and compare it to your deidentified information. If the information is not present, mark the True box; if the information is present, mark the False box. You must be able to answer True to all statements for Safe Harbor to apply.

Sourced from Getting Started with HIPAA, Uday O. Ali Pabrai, Premier Press, 2003.

Attributes (mark True if the identifier has been removed or is not present, False if it is present)

The following identifiers of the individual or of relatives, employers, or household members of the individual have been removed or are not present:

• Names
• All geographic subdivisions smaller than a state, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census, the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people are changed to 000
• All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death
• All ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
• Telephone numbers
• Fax numbers
• Electronic mail addresses
• Social Security numbers
• Medical record numbers
• Health plan beneficiary numbers
• Account numbers
• Certificate/license numbers
• Vehicle identifiers and serial numbers, including license plate numbers
• Device identifiers and serial numbers
• Web Universal Resource Locators (URLs)
• IP address numbers
• Biometric identifiers, including fingerprints and voiceprints
• Full face photographic images and any comparable images
• Any other unique identifying number, characteristic, or code
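As an added example (it is not part of the manual, and not a tool from OCR or any vendor), the following Python script applies the Safe Harbor rules from Lesson 2 and the checklist above to a single record: it truncates ZIP codes to three digits (or 000 for sparsely populated prefixes), keeps only the year of dates, collapses ages over 89 into “90 or older”, drops the direct identifier fields, scans free-text notes for e-mail addresses, phone numbers, Social Security numbers, IP addresses, URLs and dates, and then re-runs the checklist to confirm nothing remains. The field names, the regular expressions, the SPARSE_ZIP3 set, the AS_OF reference date and the sample patient are all constructed for the example; the real list of three-digit ZIP areas with 20,000 or fewer people comes from Census data.

```python
"""Safe Harbor deidentification check for a single patient record.

Added example: field names, regexes, SPARSE_ZIP3, AS_OF and the sample record
are all constructed for illustration; nothing here is from the manual or OCR.
"""
import re
from datetime import date

# Free-text identifier patterns (constructed, deliberately simple; a real
# scrubber needs far broader coverage plus name detection).
PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\(?\b\d{3}\)?[-.\s]\d{3}[-.\s]\d{4}\b"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\b(?:https?://|www\.)\S+", re.IGNORECASE),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
}

# Record fields holding identifiers that Safe Harbor removes outright
# (names, sub-state geography, contact details, assigned numbers, etc.).
DIRECT_IDENTIFIERS = {
    "name", "street", "city", "county", "phone", "fax", "email", "ssn",
    "mrn", "beneficiary_id", "account", "license", "vehicle", "device_id",
    "url", "ip", "biometric", "photo",
}

# Three-digit ZIP prefixes whose combined population is 20,000 or fewer
# must become 000. Constructed stand-in; the real list comes from Census data.
SPARSE_ZIP3 = {"036", "059", "102"}

# Reference date for age calculation (constructed).
AS_OF = date(2010, 8, 1)


def generalize_zip(zip_code):
    """Keep only the first three digits, or 000 for a sparse prefix."""
    zip3 = str(zip_code)[:3]
    return "000" if zip3 in SPARSE_ZIP3 else zip3


def generalize_age(dob, as_of):
    """Ages over 89 collapse into the single category '90 or older'."""
    age = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
    return "90 or older" if age > 89 else age


def scrub_text(text):
    """Redact identifier patterns in free text; return (clean_text, kinds_found)."""
    found = []
    for kind, pattern in PATTERNS.items():
        if pattern.search(text):
            found.append(kind)
            text = pattern.sub(f"[{kind.upper()} REMOVED]", text)
    return text, found


def deidentify(record, as_of=AS_OF):
    """Return a new record transformed under the Safe Harbor rules."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    if "zip" in out:
        out["zip3"] = generalize_zip(out.pop("zip"))
    if "dob" in out:
        dob = out.pop("dob")
        out["birth_year"] = dob.year          # every other date element removed
        out["age"] = generalize_age(dob, as_of)
    for key in ("admission", "discharge", "death"):
        if key in out:
            out[key + "_year"] = out.pop(key).year
    if "notes" in out:
        out["notes"], _ = scrub_text(out["notes"])
    return out


def safe_harbor_violations(record):
    """Checklist pass: name every identifier class still present in a record."""
    problems = set(DIRECT_IDENTIFIERS & set(record))
    if any(k in record for k in ("dob", "admission", "discharge", "death")):
        problems.add("full_date")
    if isinstance(record.get("age"), int) and record["age"] > 89:
        problems.add("age_over_89")
    if "zip" in record:
        problems.add("zip")
    for key, value in record.items():
        if isinstance(value, str):
            problems.update(f"{key}:{kind}" for kind in scrub_text(value)[1])
    return sorted(problems)


# Constructed sample record: a fictional patient, not real data.
SAMPLE = {
    "name": "Jane Q. Example",
    "street": "12 Elm St", "city": "Anytown", "zip": "03601",
    "dob": date(1919, 5, 4), "admission": date(2010, 3, 2),
    "mrn": "MRN-0042",
    "diagnosis": "hypertension",
    "notes": "Call 555-123-4567 or jane@example.org re visit 03/02/2010.",
}

if __name__ == "__main__":
    print("raw record fails on:", safe_harbor_violations(SAMPLE))
    clean = deidentify(SAMPLE)
    print("deidentified record:", clean)
    print("remaining violations:", safe_harbor_violations(clean))
```

Run it and the first checklist pass lists the identifiers present in the raw record, while the pass over the transformed record returns an empty list. Two caveats the checklist cannot automate: Safe Harbor also requires that you have no actual knowledge that the remaining data could identify the individual, and regex scanning of free text catches only the patterns you anticipated (names in narrative notes, for example, need a different approach), so a clean result from this script is evidence of deidentification, not proof.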

Lesson 3

Privacy Notification Requirement

Privacy Notification Requirement

Under the Health Insurance Portability and Accountability Act (HIPAA), covered entities must provide individuals with a document that summarizes their privacy practices. The document should explain the intended uses and disclosures of Protected Health Information (PHI). This document is called a Notice of Privacy Practices. A Notice of Privacy Practices has eight mandatory requirements that covered entities must include:

1. Plain language
2. Specific header
3. Uses and disclosures
4. Rights of individuals
5. Covered entities’ duties
6. Complaints procedures
7. Point of contact
8. Effective date

1. Plain language. The notice must be written in plain, understandable language.

2. Specific header. All notices must include a specific header that reads as follows: “This Notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully.”

3. Uses and disclosures. The Notice must outline how the covered entity will use and disclose information. If the covered entity wants to use the information for specific activities, it must list them. Examples include recommending alternative treatments, providing appointment reminders, or soliciting funds.

4. Rights of individuals. The Notice must outline the individual’s rights under the Privacy Rule, which include the right to obtain a copy of their PHI, the right to request an amendment to the PHI, the right to obtain an accounting of disclosures, and the right to request restrictions on certain uses and disclosures.

5. Covered entities’ duties. The Notice must outline the covered entity’s duties under the Privacy Rule, including maintaining the privacy of PHI, providing the Notice, and abiding by its terms.

6. Complaints procedures. The Notice must specify how to register complaints about suspected privacy violations by the covered entity.

7. Point of contact. The Notice must specify a point of contact for all further information, complaints, and inquiries about PHI, the covered entity, and the notice.

8. Effective date. The Notice must state an effective date.

A revised Notice must be issued if privacy practices change, and must be given before the changes are implemented unless they are required by law. Uses or disclosures that the Notice does not describe, and that the Privacy Rule does not otherwise permit or require, need the individual’s written authorization before any PHI is used or disclosed. The Guidelines for the Implementation of a Privacy Notice that follow will assist you when implementing a privacy notice. A Notice of Privacy Practices is important for a covered entity to ensure that it correctly advises individuals of details relating to the handling of PHI. The Notice is required to abide by HIPAA’s Privacy Rule.

SkillGuide

Guidelines for the Implementation of a Privacy Notice

Instructions: Use this SkillGuide to assist you when implementing a Privacy Notice.

All information sourced from www.oahhs.org

Overview

The Privacy Notice forms the backbone of your privacy practices. It gives the patient written notice of all the possible uses and disclosures of protected health information (PHI) that you might make, and explains the patient’s rights and the provider’s duties with respect to the PHI. Although the Privacy Rule as first issued required patient consent for treatment, payment and health care operations, the 2002 revision made that consent optional; instead, a provider with a direct treatment relationship must make a good-faith effort to obtain the patient’s written acknowledgment of receipt of the Privacy Notice.

Requirements for the Notice

A prominent header reading "THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY."

• A separate description of each of the uses and disclosures that you are permitted to make for treatment, payment and health care operations. The notice must include at least one example of the types of uses and disclosures you are permitted to make.

• A separate description of each of the other uses and disclosures that the covered entity is permitted or required to make without the individual’s authorization, including at least one example.

• Statements that other uses and disclosures would be made only with the individual’s written authorization and that the individual may revoke the authorization.

• If you expect to contact individuals for any of the following activities, a list of the activities: providing appointment reminders, describing or recommending treatment alternatives, providing information about health-related benefits and services, or soliciting funds for the covered entity’s own benefit. If you do not list these activities in your Privacy Notice, you are prohibited from doing them.

• A description of the individual's rights under the privacy regulations and how the individual may exercise those rights.

• A statement that you are required by law to maintain the privacy of PHI, to provide notice of your legal duties and privacy practices and adhere to the notice.

• A statement that your privacy practices may be changed and how the individual would be informed of these changes.

• Instructions on how to make a complaint with you or the Department of Health and Human Services if they believe their privacy rights have been violated.

• If the Privacy Notice was provided electronically, how the individual may receive a paper copy.

• The name and telephone number of a contact person or office.

• The date the notice went into effect.

• Written in plain, understandable language.

Things to remember


• The most important feature of the Privacy Notice is that it is understood by the individual and provides actual notice of your privacy practices. Accordingly, you must make the Privacy Notice available in languages other than English as appropriate for your community and provide necessary interpreter services or alternative means of communication. Remember that any covered entity that is a recipient of federal financial assistance generally is required under Title VI to provide material in the primary language of persons with limited English proficiency.

• You must promptly revise your Privacy Notice if you materially change any of your uses or disclosures, the individual's rights, your legal duties or other privacy practices described in the notice.

• You may not implement a material change prior to the effective date of the revised notice unless you have reserved the right to do so in your notice (unless the change is required by law).

Frequently asked questions

1. Must the patient be given an actual copy of the Privacy Notice or merely access to the notice? If you maintain a physical service delivery site, you may prominently post the notice where it is reasonable to expect individuals seeking service to be able to read it. The notice must also be available on site for individuals to take on request. Revisions to the notice must be posted promptly and also available on site.

2. How must a healthcare provider with a direct treatment relationship with the patient notify the patient of revisions to the Privacy Notice?


Revisions to the notice must be posted promptly in a place where the patient is likely to see it. You must also have a copy of the revised notice available on site for the patient to take on request.

3. Must the patient sign the Privacy Notice? No, but a provider with a direct treatment relationship must make a good-faith effort to obtain the patient’s written acknowledgment that the notice was received, and it is a good idea to document that the patient was given a copy of the notice and an opportunity to review and understand it, including any interpreter services that may be necessary. One way to do this is to include a statement to that effect on the acknowledgment form and require a signature and date. If the acknowledgment cannot be obtained, document the good-faith effort and the reason it was not obtained.

Lesson 4

Penalties, Enforcement and Complaints

Penalties

The Health Insurance Portability and Accountability Act (HIPAA) sets severe civil and criminal penalties for noncompliance with its Privacy Rule. These can involve fines and sometimes imprisonment. Noncompliance with HIPAA could include any or all of the following:

• Willful misuse of information
• Use of identifiers in violation of HIPAA requirements
• Obtaining or disclosing information to parties not permitted by HIPAA rules or without patient authorization

Fines

Civil penalties apply when a covered entity violates any of HIPAA’s Administrative Simplification provisions, including the Privacy Rule and the transaction standards. As originally enacted, the penalties were:

• A fine of $100 for each violation of a provision
• A maximum of $25,000 for multiple violations of a single provision during a calendar year

The HITECH Act of 2009 replaced this schedule with tiered penalties that scale with the level of culpability, from $100 to $50,000 per violation, up to a maximum of $1.5 million per calendar year for violations of an identical provision. Federal criminal penalties can be particularly harsh, and apply to health plans, clearinghouses, and health care providers that knowingly obtain or disclose individually identifiable health information in violation of the Act; HITECH clarified that employees and other individuals who obtain or disclose such information held by a covered entity without authorization are covered as well.

Offense: Knowingly obtaining or disclosing PHI in violation of the Act
Penalty: Up to $50,000 fine and up to one year imprisonment

Offense: Wrongful disclosure of PHI committed under false pretenses
Penalty: Up to $100,000 fine and up to five years imprisonment

Offense: Wrongful disclosure of PHI with intent to sell, transfer, or use for commercial advantage, personal gain, or malicious harm
Penalty: Up to $250,000 fine and up to ten years imprisonment

HIPAA’s penalties apply to covered entities. Covered entities are liable for violations by members of their workforce, including employees who administer health plans. They may also be held liable for violations by their business associates. In addition to HIPAA penalties, most states have their own laws against the misuse and/or disclosure of personal information and can enforce further penalties.

The Impact of Noncompliance

Noncompliance with the Privacy Rule can have a significant, negative impact on all involved. It can affect the employees and business associates of covered entities, the individuals whose information has been violated, and the covered entity itself. Whether a covered entity is a health plan, a health care clearinghouse, or a health care provider, noncompliance can have a detrimental effect on the running of a business.

• Bad publicity. Bad publicity for a covered entity could drive away business. It could also affect the public’s trust, and result in serious consequences for the health system as a whole.

• Audits and investigations. A complaint can trigger an OCR investigation or compliance review. These could prove disruptive to the running of the business, as well as uncomfortable, embarrassing, and potentially damaging to a covered entity’s reputation.

• Monetary loss. Covered entities could suffer huge monetary losses as a result of noncompliance, paying large penalties if the violation is serious.

Compliance

HIPAA’s main focus is on compliance. Compliance is important for everyone concerned in the use and disclosure of health information in order to protect individuals and ensure those covered by HIPAA rules meet defined standards and treat information with respect. If an individual believes that a covered entity has violated the Privacy Rule under HIPAA in some way, she is entitled to file a complaint.

Complaints. The individual can file an internal complaint with the covered entity’s privacy officer, or an external complaint with the Office for Civil Rights (OCR) of the Department of Health and Human Services. Consider these questions about filing an external complaint following a HIPAA violation.

• Who can complain? A complainant can be any person who believes that a covered entity has violated the Privacy Rule under HIPAA and has misused or wrongfully disclosed Protected Health Information.

• Who is impacted? Covered entities and their employees, business associates and senior management may be impacted following a complaint.

• What are the time constraints? A complaint must be filed within 180 days of the time the complainant knew or should have known of the violation’s occurrence; OCR may extend this period for good cause.

• To whom does the individual complain? An individual can complain to the privacy officer of the covered entity, or contact the OCR if an external complaint process is selected.

• What happens next? The OCR receives and investigates complaints and is responsible for enforcing the Privacy Rule and its penalties. HIPAA prohibits the accused party from retaliating against complainants. If a complainant wishes to file a complaint with the OCR, he must do so in the correct manner and provide all necessary information:

• Complaint format
• Complainant details
• Violator details
• Violation report

Complaint format. The complaint should be in writing. It can be in a letter or sent electronically by e-mail. Alternatively, an OCR complaint form can be used. The complaint should be sent to the OCR regional office for the region in which the alleged violation took place.

Complainant details. The complainant should provide complete contact information including full name, address, phone numbers and email address. If he is filing a complaint on behalf of someone else, he must give that person’s details, too.

Violator details. The complainant must include the full name, address, and contact details of the individual, agency, or organization that has committed the alleged violation of the Privacy Rule.

Violation report. The complainant must describe how and when the Privacy Rule was violated, and why he believes it happened. The complainant should be concise, honest and accurate.

The Health Information Privacy Complaint Form that follows can be used as a guide for how to file a complaint with the Office for Civil Rights. HIPAA’s Privacy Rule prevents the wrongful use and disclosure of protected health information. The OCR enforces HIPAA and ensures that the penalties for violation are applied. If individuals think that a violation of HIPAA has taken place, they can file a complaint with the OCR, who will investigate any unlawful behavior.

SkillGuide

Health Information Privacy Complaint Form

Instructions: Use this SkillGuide when you need to file a complaint with the Office for Civil Rights relative to a violation of HIPAA's Privacy Rule.

Print off a copy of the form when you need to make a complaint, and complete the fields accordingly.

Information

Please complete this section in BLOCK CAPITALS as accurately and precisely as possible

Your name

Your street address

Your city and state

Your zip code

Are you making this complaint for someone else?

YES NO

If Yes, provide full name

If Yes, provide full address


When do you believe that the violation of health information privacy rights occurred?

Describe briefly what happened. How and why do you believe your (or someone else's) health information privacy rights were violated, or the Privacy Rule otherwise violated? Please be specific (use additional pages if necessary).

Your Signature

Date

Job Aid

Compliance Considerations under HIPAA

Job aid purpose: check your levels of compliance under the Health Insurance Portability and Accountability Act.

If you are a covered entity under HIPAA, consider taking these steps to assist your success in compliance.

• Furnish yourself with a copy of the HIPAA statute and, more usefully for day-to-day compliance, of the implementing regulations (45 CFR Parts 160, 162 and 164), available from U.S. government web sites such as that of the Department of Health and Human Services.

• Read through the act and ensure that you are complying with the terms set. Pay particular attention to the Administrative Simplification subtitle if you are a covered entity dealing with sensitive health information.

• Use the Deidentification Safe Harbor List provided with this course to ensure that Protected Health Information is deidentified correctly before you use or disclose it for any purpose the Privacy Rule does not otherwise permit.

• If you use a Notice of Privacy Practices, use the Guidelines for the Implementation of a Privacy Notice provided with this course to ensure that your Notice contains the correct information.

PART 2

Electronic Health Data Transactions

Congress designed the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Administrative Simplification Rules to create shared data standards for health care providers, health plans, and information clearinghouses. These common standards make it easier to provide adequate care for patients, process insurance claims, and send and receive payments for health services. By using a single set of standards for exchanging electronic data, health care organizations can share health information more quickly and at a lower cost. This course is designed to help the learner comprehend the implications of implementing HIPAA data transaction rules. The course includes a lesson which presents basic concepts of electronic data interchange (EDI) and how EDI principles will be applied to health related business transactions. Another lesson describes the structure of technical transaction standards used in HIPAA administrative simplification rules. This course is designed to provide a managerial perspective on transaction standards. However, the course includes links to documents programmers or systems analysts will need to create or alter software to comply with HIPAA regulations.

UNIT 3

Electronic Data Interchange

This unit consists of two lessons that cover:

Lesson 1: Shared Data Across Organizations

• Identify examples of the primary characteristics of an electronic data interchange environment

Lesson 2: Standardized Data

• Match transaction types that must be transmitted in standard format with the category to which each belongs

Lesson Post-test
At the end of the unit, you will complete a Lesson Post-test.

Lesson 1
Shared Data Across Organizations

For many years, every business kept its own records, and kept them secret from the rest of the world. Electronic Data Interchange (EDI) requires business managers to change their thinking.

In an Electronic Data Interchange (EDI) environment, businesses share information. An EDI environment is a standardized and structured way of recording and transmitting data. EDI has three distinguishing characteristics:

1. Frequently repeated transactions
2. Standardized data sharing among trading partners
3. The use of electronic media to communicate

Frequently repeated transactions
Businesses share information about these transactions with trading partners. Each transaction records a specific action or event, like purchasing a part, selling a menu item, or performing a medical procedure. There must be a defined number of choices for each action. Each transaction must record the part purchased, the menu item sold, or the procedure performed.

Standardized data sharing among trading partners
Organizations creating EDI transactions must describe those transactions in a way their trading partners will understand.



All of the participants in an EDI trading environment must agree how each transaction will be coded. In addition, all of the participants must agree on a sequence for all of the data elements in a transaction.

There are many organizations that set standards for EDI transactions for different industries. The Accredited Standards Committee X12 (ASC X12) defines transaction standards used in many industries, including healthcare; the HIPAA transaction standards are its X12N health care transaction sets.

For example, physicians and hospitals immunize patients against many different diseases. Each type of immunization is identified with a specific code. Any health insurer can determine which immunizations a doctor has performed by interpreting the codes.

The use of electronic media to communicate
EDI transactions can be in the form of files transmitted across networks, or shipped on magnetic tapes, disks, or any other computer-based medium.

The process of providing—and paying for—healthcare provides many different types of repeated transactions. Medical professionals already have a standardized vocabulary to describe interactions with patients. HIPAA (Health Insurance Portability and Accountability Act) transaction rules add the final piece of the EDI environment — the use of standardized electronic transactions to share the data among many business partners.

The implementation of HIPAA rules will allow organizations that participate in the treatment of patients to record, transmit, and receive information about patients in a standardized format.

Lesson 2
Standardized Data

HIPAA transaction rules specify how to standardize the most frequently performed transactions—not every possible transaction.

HIPAA transaction rules standardize the content and format of eight types of transactions. These eight types can be grouped into three categories: coverage transactions, financial transactions, and inquiry transactions.

Coverage transactions
Coverage transactions are the HIPAA-regulated transactions most likely to be performed by employers or other sponsors of health plans. There are four types of transactions related to health plan coverage.

• Enrollment and disenrollment —These transactions add people to or remove people from health plan coverage. Employers, unions, or other organizations that sponsor health plans use this transaction to provide coverage to plan participants.

• Eligibility —These transactions allow communication about which treatments and services are covered under a health plan. Healthcare providers and insurers use this transaction to confirm that specific treatments are covered.


• Health plan payment —These transactions allow health plan sponsors to submit premium payments. The payment transaction may include bank routing information for transferring funds to an insurer.

• Referral certification and authorization —Referral certification and authorization transactions are used to authorize sending a patient to another physician or treatment facility. This transaction will be most frequently used for healthcare providers to communicate with insurers or health plans.

Financial transactions
These three transactions are used to authorize and pay for specific procedures and treatments.

• Health care claim transactions —These are used primarily by healthcare providers. The provider reports the treatment it provided to a patient to the patient's health plan or insurer in order to seek payment.

• Health care payment transactions —These are used by health plans or insurers to reimburse healthcare providers for treating patients, or providing medicine or other medical supplies.

• Coordination of benefits transactions —These allow health plans to communicate with each other about benefits provided for a patient. It also allows health plans to provide information about billing or payment practices to government agencies.


Inquiry transactions
This category includes just one transaction type.

• Health claim inquiry transactions —These provide a way for health plans, insurers, and healthcare providers to inquire about the status of a health care claim. Healthcare providers can use this transaction type to verify that claims have been received and check to learn whether they've been approved and paid.

HIPAA electronic transaction rules apply to "covered entities": health plans, healthcare providers, and healthcare clearinghouses. If a covered entity carries out any of these eight transaction types electronically with another covered entity, or is asked to do so, it must comply with the transaction standards. Health plans (insured or self-insured) are required by law to accept standard transactions. They can't demand additional information not included in the standards, and they can't refuse transactions that include more data than they need.

Employers are not directly covered by HIPAA transaction rules. However, employer-sponsored health plans are "covered entities" that must comply with these rules. Employers that provide medical treatment to employees function as healthcare providers, and for those purposes must comply with these rules.

The current version of HIPAA transaction rules covers only these eight types of transactions. However, the HIPAA legislation allows the Department of Health and Human Services to add additional covered transactions in the future.

UNIT 4
Health Information Transaction Data

This unit is comprised of 3 Lessons that cover:

Lesson 1: Transaction Standards

• Match standard transaction components to their descriptions.

• Match examples to the components of the detail segment of a standard transaction

Lesson 2: Transaction Code Sets

• Match data code sets with definitions of their uses in standardized transactions

Lesson 3: Unique Identifiers

• Match unique identifiers used or proposed to be used in standard transactions to their definitions

Lesson Post-test
At the end of the unit, you will complete a Lesson Post-test.

Lesson 1
Transaction Standards

HIPAA transaction standards apply a set of rules to sending electronic health data. The rules require every transaction set to be divided into three major components:

1. Header
2. Detail
3. Trailer

Header
The header portion of a transaction is like an envelope that contains a letter. It includes the physical and electronic addresses of the sender and receiver. It also includes summary information about the transaction, for example, the total dollar value of the transaction and the dates covered by the transaction.

Detail
The detail portion of a transaction is like the letter enclosed in an envelope. It may include information about just one patient, or it may accumulate information about many patients. The structure of the transaction is flexible to allow a company to group information about many patients into a single batch.

Trailer
The trailer of a transaction is very short. It summarizes the number of data segments included in the transaction. That allows the receiver to check whether all of the information was received. The final code in the trailer lets the receiver know the transaction has ended.


Arranging data elements
HIPAA transaction standards require the sender to carefully arrange data elements in the proper sequence. That tells the receiver where to look for each type of information.

The "message" contained inside the detail portion of a standard transaction is made up of specific parts, the same way a letter is made up of words or a purchase order is made up of product numbers and quantities.

The smallest element of the detail portion of a transaction is the data element. A data element is a single, specific piece of information, like an employee ID number, a payment amount, a date, or a quantity. HIPAA standards specify an identifying number for each type of data element.

HIPAA standards specify whether each data element is mandatory or optional, or if the use of a data element is dependent upon the use of another element.

Data segments
Data elements are grouped together to form data segments. A data segment can include all of the data elements needed to communicate information about one line of a large group of transactions. HIPAA standards also assign an identifier to each type of data segment.

Transaction sets
The data segments that together describe one business transaction (a claim, a premium payment, an enrollment) are transmitted together as a transaction set. HIPAA standards specify which segments are mandatory, the order of the segments, and the number of times each segment can be repeated.


HIPAA transaction rules serve the same purpose as rules for sending a letter through the mail. With the right elements in the right places, the message gets through.

SkillGuide

Sample HIPAA Electronic Transaction Layout

Instructions: Use this SkillGuide as an aid to help visualize how transaction data is organized in an electronic health data transaction that conforms with HIPAA standards. This diagram illustrates an example of a Premium Payment transaction (ASC X12 820).

Header:

ST*820*99555~ Indicates the beginning of a transaction set using ASC X12 transaction set 820 (Payroll Deducted and Other Group Premium Payment). A control number, 99555, identifies this transaction set; the same number is repeated in the SE trailer.

BPR*C*9550.00*C*ACH*CTX*01*987654321*DA*12345678*1030555222**01*199666777*DA*545545*20040517~

Indicates a premium payment of $9,550.00 by Automated Clearing House (ACH) transfer. The premium payer's bank transit routing number is 987654321 and its bank account number is 12345678; the payer's company identifier, based on its Tax ID, is 1030555222. The receiver's bank transit routing number is 199666777 and its bank account number is 545545. The effective date of the payment is May 17, 2004.


TRN*1*12345*1030449999~ Reassociation Key

A reassociation key combines a trace number and the sender's tax ID number to provide a unique, traceable transaction code.

REF*18*12345678~ The group plan number is 12345678.

DTM*009*20040515~ The premium payer processed the payment on May 15, 2004.

DTM*035*20040516~ The premium payer delivered payment instructions to its Originating Depository Financial Institution on May 16, 2004.

N1*PE*ZIZKA HEALTH CARE ASSOCIATES*FI*017777777~ The premium receiver's name (ZIZKA HEALTH CARE ASSOCIATES) and Tax ID number (017777777).

N1*PR*JOMO BIOMETRICS*1*153456788~ The payer's name (JOMO BIOMETRICS) and DUNS number (153456788).

Detail:

ENT*1*2J*34*035441959~ Start of the detail loop for the first individual, identified by Social Security Number 035441959 (the qualifier 34 marks the identifier as an SSN).

NM1*EY*1*BRYER*JOHN****EI*7777117~ The individual's name, JOHN BRYER, and employee identification number - 7777117.

RMR*IG*9555111*PI*230.00~ The first policy being paid - 9555111 for JOHN BRYER. The amount being paid to this invoice is $230.00.

RMR*IG*9555222*PI*135.00~ The second policy being paid, 9555222, for JOHN BRYER. The amount being paid to this invoice is $135.00.

ADDITIONAL TRANSACTIONS
As many detail loops as are required for additional individuals may follow.


Trailer:

SE*212*99555~ Transaction set trailer. The first element is the count of segments in the transaction set, including the ST and SE segments themselves; the second is the control number (99555), which must match the control number in the ST segment. The receiver compares the declared count with the segments it actually received to detect a truncated or corrupted transmission. Note what this sample carries: a Social Security Number, an employee ID, and two sets of bank routing and account numbers. A real 820 file is sensitive data that must be protected in transit and at rest, and identifiers like these should be masked in any logs.
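To make the header, detail and trailer structure concrete, here is an added Python example; it is not code from this manual or from any EDI vendor. It parses a transaction set into segments (split on the `~` terminator) and elements (split on the `*` separator), verifies that the SE trailer's segment count and control number agree with what was actually received, reconciles the RMR line amounts against the BPR total, and masks the SSN and bank account numbers before the segments are written to a log. The interchange text is constructed for this example: it reuses the SkillGuide's segments, but the BPR amount and the SE count are set so that the two-line excerpt balances, the default `*` and `~` delimiters are assumed, and the ISA/GS interchange envelopes that wrap a real file are omitted.

```python
"""Parse an ASC X12 820 premium-payment transaction set and check its envelope.

Added example (not the manual's own code): what a receiving system should
verify before trusting the payment data in a transaction set.
"""
from __future__ import annotations

from decimal import Decimal

ELEMENT_SEP = "*"    # assumed default X12 element separator
SEGMENT_TERM = "~"   # assumed default X12 segment terminator

# Constructed sample for this example (not a real trading-partner file).
# It reuses the SkillGuide's segments, but BPR02 and SE01 are set so that
# this excerpt balances: 12 segments including ST and SE, 230.00 + 135.00.
SAMPLE_820 = (
    "ST*820*99555~"
    "BPR*C*365.00*C*ACH*CTX*01*987654321*DA*12345678*1030555222**01*199666777*DA*545545*20040517~"
    "TRN*1*12345*1030449999~"
    "REF*18*12345678~"
    "DTM*009*20040515~"
    "N1*PE*ZIZKA HEALTH CARE ASSOCIATES*FI*017777777~"
    "N1*PR*JOMO BIOMETRICS*1*153456788~"
    "ENT*1*2J*34*035441959~"
    "NM1*EY*1*BRYER*JOHN****EI*7777117~"
    "RMR*IG*9555111*PI*230.00~"
    "RMR*IG*9555222*PI*135.00~"
    "SE*12*99555~"
)

# The same file with one RMR line lost in transit. The SE trailer still
# claims 12 segments, which is how the receiver notices the loss.
TRUNCATED_820 = SAMPLE_820.replace("RMR*IG*9555222*PI*135.00~", "")


def parse_segments(data: str) -> list[list[str]]:
    """Split raw X12 text into segments (on '~') and elements (on '*').

    Element 0 of each segment is the segment ID; the rest are numbered as
    in the standard, so BPR02 is seg[2], RMR04 is seg[4], and so on.
    """
    segments = []
    for raw in data.split(SEGMENT_TERM):
        raw = raw.strip()
        if raw:
            segments.append(raw.split(ELEMENT_SEP))
    return segments


def check_envelope(segments: list[list[str]]) -> list[str]:
    """Verify the ST/SE envelope of one transaction set.

    Checks: ST first, SE last, transaction set ID is 820, SE01 equals the
    number of segments received (ST and SE included), SE02 equals ST02.
    Returns a list of problems; an empty list means the envelope is intact.
    """
    problems = []
    if not segments or segments[0][0] != "ST":
        return ["transaction set does not begin with ST"]
    st, se = segments[0], segments[-1]
    if se[0] != "SE":
        return ["transaction set does not end with SE"]
    if st[1] != "820":
        problems.append(f"unexpected transaction set ID {st[1]}, wanted 820")
    declared = int(se[1])
    if declared != len(segments):
        problems.append(f"SE01 declares {declared} segments but {len(segments)} were received")
    if se[2] != st[2]:
        problems.append(f"SE02 control number {se[2]} does not match ST02 {st[2]}")
    return problems


def reconcile_payment(segments: list[list[str]]) -> tuple[Decimal | None, Decimal, bool]:
    """Sum the RMR line amounts (RMR04) and compare them with the BPR total (BPR02).

    Returns (bpr_total, rmr_total, balanced). Decimal is used so currency
    amounts are not subject to binary floating-point rounding.
    """
    bpr_total = None
    rmr_total = Decimal("0")
    for seg in segments:
        if seg[0] == "BPR":
            bpr_total = Decimal(seg[2])
        elif seg[0] == "RMR":
            rmr_total += Decimal(seg[4])
    return bpr_total, rmr_total, bpr_total is not None and bpr_total == rmr_total


# Elements that identify people or bank accounts and must not reach log
# files or support tickets unmasked: (segment ID, element index).
SENSITIVE = {
    ("ENT", 4),   # ENT04: subject identifier (an SSN when ENT03 is 34)
    ("BPR", 9),   # BPR09: originating bank account number
    ("BPR", 15),  # BPR15: receiving bank account number
}


def redact(segments: list[list[str]]) -> list[list[str]]:
    """Return a copy of the segments with sensitive elements masked to their
    last four characters ('X' is used so the mask is not confused with '*')."""
    out = []
    for seg in segments:
        seg = list(seg)
        for idx in range(1, len(seg)):
            if (seg[0], idx) in SENSITIVE and len(seg[idx]) > 4:
                seg[idx] = "X" * (len(seg[idx]) - 4) + seg[idx][-4:]
        out.append(seg)
    return out


if __name__ == "__main__":
    for label, text in (("intact", SAMPLE_820), ("truncated", TRUNCATED_820)):
        segs = parse_segments(text)
        print(label, "envelope problems:", check_envelope(segs) or "none")
        print(label, "BPR total / RMR sum / balanced:", reconcile_payment(segs))
        print(label, "ENT segment as logged:", ELEMENT_SEP.join(redact(segs)[7]))
```

The truncated copy shows why the trailer check matters: the lost RMR line leaves the file syntactically valid, and only the mismatch between SE01 and the received segment count, together with the RMR sum no longer matching BPR02, reveals that money is unaccounted for. A production receiver would run the same two checks on every transaction set and reject, not silently post, anything that fails them.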

Lesson 2
Transaction Code Sets

What are transaction code sets?

The sender and receiver of a message must agree on how to communicate important information. When people communicate medical information, accuracy and clarity can save time, money, and even lives.

HIPAA transaction standards rely on existing professional references to define how specific activities will be described. Under the current version of HIPAA transaction rules, four familiar sources will be used to describe most medical activities:

1. International Classification of Diseases, 9th edition, Clinical Modification (ICD-9-CM)
The National Center for Health Statistics maintains a classification system to describe diseases, injuries, or other health problems. The International Classification of Diseases, 9th edition, Clinical Modification (ICD-9-CM) is used by hospitals and other health facilities to create transactions that comply with HIPAA standards. The codes in volumes 1 and 2 of the ICD-9-CM describe health conditions and diagnoses. Procedures performed to treat patients in hospitals are described by codes in volume 3 of the ICD-9-CM.

2. National Drug Codes
Transactions that describe prescriptions or payments for pharmaceutical drugs and biologics are described using the National Drug Codes (NDC), maintained by the Food and Drug Administration.

Under current HIPAA regulations, only retail pharmacies are required to use the NDC; the requirement for non-retail pharmacies to use the NDC was repealed before the HIPAA transaction standards took effect. Many societies of healthcare professionals developed code sets for transactions long before Congress enacted HIPAA transaction rules, and the HIPAA rules adopt these existing code sets for many types of transactions.

3. Physicians' Current Procedural Terminology
Physicians and other health professionals use codes in the Current Procedural Terminology (CPT) to describe services they perform for patients. The codes in the CPT are updated regularly by the American Medical Association.

4. Code on Dental Procedures and Nomenclature
Dental services are coded using the Code on Dental Procedures and Nomenclature (CDPN). The CDPN is maintained by the American Dental Association.

HIPAA transaction rules ensure that healthcare providers, health plans and insurers have adequate tools to communicate with each other. By deferring to professional references that hospitals, physicians, and other healthcare entities already use, transactions become easier to create and share.

HIPAA regulations allow the organizations that maintain code sets to continue to make additions or changes. HIPAA transaction rules automatically stay up to date without changes in the law.

SkillGuide

HIPAA Transaction Code Sets

Instructions: Use this SkillGuide to identify the sources of medical data code sets used for HIPAA electronic health data transactions.

Diseases, injuries, and other health-related problems and their causes: International Classification of Diseases, 9th edition, Clinical Modification (ICD-9-CM), Volumes 1 and 2

Procedures or other treatment to prevent, diagnose, or treat injuries and impairments: ICD-9-CM, Volume 3

Health-related services provided by physicians or other health professionals: Current Procedural Terminology, 4th edition (CPT-4; Level I of HCPCS), maintained by the American Medical Association

Drugs: National Drug Codes (NDC), maintained by the Food and Drug Administration

Dental services: Code on Dental Procedures and Nomenclature, maintained by the American Dental Association

SkillGuide

Sources for HIPAA Transaction Standards

Instructions: Use this SkillGuide to locate sources for detailed descriptions and standards for each type of transaction covered by HIPAA transaction rules.

Available from:

Washington Publishing Co. - www.wpc-edi.com

Health Care Claims - Dental, Professional, and Institutional - Accredited Standards Committee X12N 837

Coordination of Benefits - Dental, Professional, and Institutional - Accredited Standards Committee X12N 837

Health Care Claim Payment and Remittance Advice - Accredited Standards Committee X12N 835

Health Care Claim Status - Accredited Standards Committee X12N 276/277

Enrollment and Disenrollment - Accredited Standards Committee X12N 834

Health Care Eligibility Benefit Inquiry and Response - Dental, Professional, and Institutional - Accredited Standards Committee X12N 270/271

Payroll Deduction and Group Premium Payment -Accredited Standards Committee X12N 820

Referral Certification and Authorization - Dental, Professional, and Institutional - Accredited Standards Committee X12N 278


Available from:

National Council for Prescription Drug Programs - www.ncpdp.org

Health Care Claim - Retail Drug - NCPDP Batch Standard, v. 1.1 or NCPDP Telecommunication Claim, v 5.1

Coordination of Benefits/Eligibility/Referral - Retail Drug - NCPDP Batch Standard, v. 1.1 or NCPDP Telecommunication Standard Format, v 5.1

Lesson 3
Unique Identifiers

What are unique identifiers?


When you send urgent and confidential information, you should know who's receiving it. When you receive that kind of information, you want to be sure you know who sent it. HIPAA unique identifier rules provide a way to know exactly who is involved in a transaction. The rules describe unique identifiers for all participants in a transaction, although the identifiers have not been fully implemented yet.

Employers
HIPAA transaction rules call for employers to use the same identifier already used for reporting tax information: the Employer Identification Number (EIN). In many cases, employers are not covered by HIPAA transaction rules. However, the EIN is a required data element in any transaction initiated by an employer.

Healthcare providers
HIPAA rules mandate a unique identifier for healthcare providers (the National Provider Identifier, NPI). Providers are obligated to have and use unique identifiers by May 23, 2007. Large health plans are obligated to use provider unique identifiers as of that date, and small health plans as of a year later.

Health plans
Health plans will also receive unique identifiers when HIPAA transaction rules are fully implemented. However, no guidelines have been developed to issue health plan identifiers, and a deadline has not been set. Employers who sponsor health plans may still be identified by their EIN. Health plans may eventually receive the same ten-digit identifier as healthcare providers.

When they are fully implemented, unique identifiers will allow participants in electronic health data transactions to verify the identity of everyone involved in giving, receiving, or paying for treatment.

PART
Evaluating the Impact of the Privacy Rules

Employers and managers need to become more aware of the information they disclose about employees and who receives it. HIPAA applies to health information in all formats, including electronic transfers, documents, and spoken communications. Managers and staff will need to use new forms to track the way they use and disclose confidential information, and they'll need to implement changes at the workplace.

This course helps employers evaluate the impact of HIPAA privacy requirements on their organizations. It teaches them which practices they will need to change and whether they may qualify for certain exceptions. In addition, this course will help employers develop strategies to meet requirements by assessing the gap between what the privacy rule requires and their organizations' current practices. The course will advise them what is involved in adopting new procedures and fulfilling administrative responsibilities.

UNIT 5
Privacy Rule Applicability

This unit is comprised of 2 Lessons that cover:

Lesson 1: Access to Healthcare Information and Privacy Obligations

• Match the employer’s role as plan sponsor with the resulting HIPAA privacy rule obligations

• Evaluate factors to determine an organization’s obligations under the privacy rule

Lesson 2: Business Associates and Privacy

• Identify examples of business associates that are bound by privacy rules

Lesson Post-test
At the end of the unit, you will complete a Lesson Post-test.

Lesson 1
Access to Healthcare Information and Privacy Obligations

Any employer who sponsors a group health plan should consider how the privacy rule affects the organization, and implement the documentation and procedures required to comply with the new regulations.

A group health plan is one that has 50 or more participants, or is administered by someone other than the employer.

HIPAA applies to group plans that provide or pay for healthcare, and that are sponsored by an employer. Obligations under the privacy rule largely depend on whether a plan is insured or self-insured, and whether an organization creates or receives protected health information (PHI) or only uses summary health information.

That’s why it’s important to understand each of the following defining factors:

• Protected health information (PHI) —This means health information that is explicitly linked to a particular individual or that contains data that reasonably could be expected to allow individual identification.

• Summary health information —This summarizes data about participants in a group health plan regarding claims history, expenses, or type of claims. The information must be de-identified, except that it may be sorted by zip code.

• Self-insured health plan —Health plans are self-insured if the employer assumes the financial risk for providing healthcare benefits to its employees. The more involved an employer is, the more likely its health plan will be considered self-insured.

A group health plan administered by an employer is covered by the new privacy standards set forth under HIPAA, and the employer is responsible for compliance. If the employer otherwise uses or discloses PHI, the same privacy rule requirements may apply.

A plan can limit the extent to which it must comply with the privacy rule requirements by limiting its receipt of information to summary health information or enrollment information. HIPAA ushers in a new era of regulatory challenges for employers and group health plans that handle PHI.

Specific obligations are affected by several key factors as follows:

• Sponsoring a self-insured group health plan —If your group health plan is self-insured, you must comply with all of the privacy rule requirements.

• Sponsoring a fully insured group health plan —If your organization's plan is fully insured, and your organization receives PHI only for enrollment or disenrollment purposes, or in summary form for use in obtaining premium bids and modifying, amending, or terminating the plan, the organization is subject to only limited requirements.


• Handling summary health information —A plan that doesn't receive, use, or disclose PHI other than summary health information or enrollment information is subject to only limited procedural requirements.

• Receiving PHI in connection with managing a group health plan —If your employer receives PHI in connection with managing a group health plan, it will either have to obtain signed medical releases from the individuals or amend plan documents, or comply with the privacy rule with respect to use and disclosure of PHI.

Are Individual Authorizations Practical?
If an employer needs to access PHI, one way to comply with the privacy rule is to obtain individual authorizations for specific disclosures. This might be practical in situations where the employer only needs to access PHI on an occasional basis.

However, if there is frequent flow of PHI from the plan to the employer, authorizations probably aren't an adequate solution, and the employer should amend plan documents to describe permitted and required uses and disclosures.

Determining Privacy Rule Obligations An organization’s group health plans and access to health information affect its obligations under the privacy rule. So it’s important to understand if the group health plan is self-insured, or if the plan or employer needs to receive protected health information other than just summary health information.

Different Requirements for Different Plans If your group health plan is self-insured, it must comply with all of the privacy rule requirements. (However, keep in mind that a plan that is self-administered by the employer and has fewer than 50 participants is not considered a "group health plan" and is not subject to the privacy rule.) Your organization faces fewer compliance burdens under the privacy rule if your plan is fully insured and your organization doesn't create or receive PHI other than summary health information.

Employer-sponsored group health plans, with limited exceptions, are covered entities under the privacy rule, which means that the privacy rule governs the plan's use and disclosure of health information about any plan participant.

An employer may need to train staff, create policies and procedures, and change its office culture to meet new federal standards of confidentiality. Understanding and applying the standards that define privacy rule obligations is a critical first step toward compliance.

Lesson 2

Business Associates and Privacy

There are significant obligations under the privacy rule that sponsors of group health plans must impose upon certain third-party contractors, known as business associates.

Plan sponsors that contract with outside vendors for services need to be aware of the privacy rule requirements regarding business associates.

Privacy and security The privacy rule permits employers to make disclosures to business associates of the plan—so long as the business associates provide satisfactory assurances in written agreements that they will appropriately safeguard the information.

Business associates Business associates are any people or organizations that perform or help perform services involving the use or disclosure of PHI, or create or receive PHI on behalf of a covered entity.

Business associates may also perform such services as claims processing or administration; data analysis, processing or administration; and quality assurance. Business associates are individuals or organizations that help in the performance of any activity or function that involves PHI.

Business associates do not include members of your workforce or service providers who may have incidental contact with PHI, such as security guards or food services companies.

Organizations that use the services of business associates are responsible for ensuring that the business associate observes certain privacy protections. Business associates are not covered entities, but they use or disclose PHI on behalf of the covered entity, so they must contractually comply with most privacy rule requirements.

Basically, any outside vendors that need access to PHI to perform their duties on behalf of your employer or group health plan are business associates, and the plan should have a written agreement with such associates spelling out their obligations regarding protection of PHI.

UNIT 6

Assessing Compliance with Privacy Rule Requirements

This unit is comprised of 3 Lessons that cover:

Lesson 1: Areas of Vulnerability

• Match examples of privacy forms, policies, and procedures with the relevant issues under the privacy rule

Lesson 2: Privacy Gap Analysis

• Sequence examples of the proper steps to assess the gap between what will be required by the privacy rule and the organization’s current practices.

Lesson 3: Privacy Compliance

• Select examples of the components required in a privacy rule compliance plan

Lesson Post-test At the end of the unit, you will complete a Lesson Post-test.


Lesson 1

Areas of Vulnerability

Although HIPAA doesn't regulate employers directly, they are regulated indirectly under the privacy rule. If an employer sponsors a self-insured health plan, it will be required to comply with the rule.

To comply with the privacy rule employers need to develop and implement the following:

• Participant rights forms and policies —HIPAA compliance for participant rights means that participants in group health plans must have control over their medical information.

Self-insured group health plans have to provide participants with notice of privacy practices, access to PHI, an accounting of how PHI has been disclosed, and the right to request amendments to PHI.

• Communication policies and procedures —To comply with HIPAA communication regulations, employers acting as group health plan sponsors must accommodate requests for confidential communications of PHI.

The HIPAA privacy rule requires that participants be allowed to request that the plan communicate PHI by an alternative means or at an alternative location other than their home address or telephone number.


• Guidelines and contracts that support administrative requirements —In terms of administration, organizations must provide procedural safeguards, training, and accountability.

The privacy rule requires plan sponsors to implement administrative safeguards to prevent use or disclosure of PHI in violation of HIPAA, name a privacy officer, set up a complaint mechanism, and begin a privacy training program.

The U.S. Department of Health & Human Services (HHS) Office for Civil Rights (OCR) enforces the HIPAA privacy standards. As part of its administrative obligations, any covered entity is obligated to cooperate in connection with audits and inspections on the part of HHS, or in response to law enforcement requests or other legal processes.

Complying with the HIPAA privacy rule is an ongoing process. The only way to ensure compliance is to develop forms, policies, and procedures that address each of these three issues:

• Participant rights —Not only will you have to revise practices and procedures to allow participants to inspect, obtain copies of, and amend PHI, but you will also have to establish policies for providing individuals with a written accounting of disclosures.

• Communication —In addition, the policy could accommodate requests for alternative contacts by telephone, answering machine, leaving messages with other people, e-mail, or fax.

• Administration —Also, plan sponsors must get business associates to sign contracts agreeing to use PHI consistent with HIPAA, begin a privacy training program, implement safeguards to protect PHI, and limit the data transmitted or received to the minimum necessary for the functions being performed.

As you can see, the privacy rule imposes additional administrative burdens on employers. Most organizations have to make adjustments to comply with the regulations in terms of participant rights, communication, and administration.

Lesson 2

Privacy Gap Analysis

Considering the costs and effort of compliance with HIPAA privacy rules, it would be a mistake for any organization to implement HIPAA solutions without first understanding its HIPAA problems.

Concerns about health information privacy aren't new, and many organizations already have policies and procedures in place that adequately address at least some HIPAA privacy rule requirements.

A privacy gap analysis is a good procedure to assess the organization's ability to comply with HIPAA privacy rules. This analysis entails taking a look at existing systems, policies, procedures, and practices.

When you know what you've already got, it will be much easier for the organization to develop its HIPAA compliance and implementation plan. There are four steps to perform a privacy gap analysis. These steps will allow you to assess any policies, procedures, and forms associated with privacy issues, and then to look at the gap between the organization's current state and where it needs to be in order to comply with the HIPAA privacy rules.

The four steps to perform a privacy gap analysis are as follows:

1. Policies —Determine the extent to which the organization has policies. Identify existing policies that address the use of healthcare data, health information privacy, and the security of healthcare data.

2. Procedures —Identify current operating procedures. Do a comprehensive review of procedures throughout the organization to identify all that are related to information access, disclosure, and integrity.

3. Forms —Review any forms used. Identify all internal forms and documents that cover release of PHI or authorizations to release or disclose data to third parties.

4. Gaps—Compare privacy rule requirements with the results of your analysis. Review existing forms, policies, and procedures and determine what changes are required to comply with the privacy rule.

Gap analysis looks at the gaps between the current processes and procedures and the HIPAA privacy rule. It will help the organization develop the options and tasks needed for achieving compliance with the rule. HIPAA compliance is a process you must apply to your business.


This process can be simplified by following the four steps of gap analysis.

Information gathered from the gap analysis will provide a detailed list of the contracts, policies and procedures, computer systems, and computer applications that do not meet the HIPAA privacy rule standards.

It’s important to identify disparities between existing procedures, practices and/or culture, and HIPAA privacy rule requirements. Employers need to develop privacy documents, including participant rights, authorizations to release, content controls, and consent forms.

Gap analysis helps an organization develop a HIPAA privacy rule implementation plan by determining the extent to which it already has policies, identifying current operating procedures, reviewing any forms used, and comparing privacy rule requirements with the results of your analysis.


Skill Guide

HIPAA Forms

Instructions: Use this SkillGuide to help your organization develop the forms needed to achieve HIPAA privacy rule compliance.

• Business Associate Contract --The privacy rule requires contracts with business associates, providing written assurances that they will appropriately safeguard protected health information.

• Notice of Privacy Practices --You'll need to give plan participants a notice informing them of your organization's uses and disclosures of PHI, and of their rights with respect to that information.

• Acknowledgement of Privacy Practices --Develop a form to obtain written acknowledgment that participants received notice of your organization's privacy practices.

• Workforce Confidentiality Agreement --This form lists employees' responsibilities relating to the confidentiality of PHI within the organization.

• Informational HIPAA Brochure for Plan Participants --A form like this can provide an excellent introduction to HIPAA and its effects on participants in your organization's group health plan.

• Authorization Form for Using and Disclosing PHI --Your employer must obtain a signed "authorization" to use or disclose information for purposes other than treatment, payment, and health care operations (except as permitted or required by law).

• Request Form for Health Record Amendment --Plan participants can use this form to ask for amendments to their PHI.

• Request Form for Accounting of Disclosures --Plan participants can request an accounting of all disclosures of PHI. Use a form like this to document such requests.

• Request Form for Inspecting PHI --Your organization will need to develop a form for documenting participants’ requests to inspect their health information.

• Request Form for Restricting Uses of PHI --Your organization needs a form that will allow plan participants to ask for restrictions upon uses or disclosures of PHI.

• Form for Filing Complaints --Complaints are a necessary, though unwelcome, part of HIPAA compliance. You'll need a form for participants who think that your organization has violated their HIPAA privacy rights, or who want to complain about a privacy-related decision.

• Form for Accounting of PHI Disclosures --You'll also want a special form for recording and documenting disclosures, which can be kept with employees' records.

• Model Fax Cover Sheet --When you send PHI via fax, you should include a cover sheet with a detailed privacy disclosure regarding the confidentiality of health information.


Lesson 3

Privacy Compliance

By taking proactive steps to comply with the HIPAA privacy rule, an employer can minimize risk, and protect the privacy of employees and participants in a group health plan.

To become HIPAA compliant as quickly as possible, most organizations create an overall project plan identifying individual solutions and timelines. The plan should address four areas: policy, information, training, and sanctions. The organization will need to develop a privacy policy to safeguard PHI, provide individual access to PHI, amend PHI, and restrict PHI.

Informing employees of their rights The HIPAA legislation created several new legal rights for employees and other plan participants to exercise control over the release of their medical information.

An employee privacy rights notice should explain every worker’s rights, including their right to inspect, read and copy their health records. It should also tell how to file a complaint if privacy rights are ever violated.

Management and staff training Consider management and staff training to provide those responsible for implementation with the tools necessary to effectively manage the process of moving the organization toward compliance. Provide training for all employees, then ongoing and timely training for new employees to ensure that all employees understand the new privacy protection procedures.

Consider a grievance policy Covered entities under the privacy rules also must provide recourse if privacy is violated. So you may need to establish a grievance process so that participants can make inquiries or complaints regarding the privacy of their records.

Covered entities will likely need to upgrade operations to handle HIPAA's privacy requirements. Employers that sponsor self-insured group health plans would be smart to come up with a privacy-rule compliance plan to make sure they apply effective policies and procedures to control the access and use of PHI.

Four basic components will be required to achieve compliance:

1. Establishing privacy policies —To achieve privacy rule compliance, an employer must establish a policy for handling PHI. The policy identifies the circumstances in which the employer will use PHI, the limitations on its use, and procedures and protections involving its use.

2. Providing Information —An employer must notify plan participants and beneficiaries about its policy to protect the confidentiality of their health information.

3. Training —One of the administrative requirements is for employers to provide workforce training on privacy policies and procedures for all employees—particularly those who are directly involved with PHI.


4. Establishing sanctions —The employer must establish and apply appropriate sanctions against plan workforce members who violate privacy policies and procedures or the HIPAA privacy standards.

To achieve compliance with the HIPAA privacy rules, a covered entity must establish privacy policies, provide information and training, and establish sanctions for breaches of confidentiality.

Organizations must take reasonable steps to protect the privacy and confidentiality of health information, in whatever form, whether written, oral, or electronic; and meet or exceed the standards for protecting health information set forth under the HIPAA privacy rules. To accomplish this, an organization should establish privacy policies, provide information, train employees, and establish sanctions.


Skill Guide

Sample HIPAA Privacy Policy

Instructions: Use this SkillGuide as a model to help develop an appropriate, comprehensive HIPAA privacy policy for your organization.

Purpose

This policy is established to comply with the regulatory provisions promulgated under the Health Insurance Portability and Accountability Act of 1996, and other implementing regulations that may be promulgated by the Secretary of the Department of Health and Human Services, and to provide guidance for this organization with respect to HIPAA.

Policy

It is the policy of this organization to take reasonable steps to safeguard protected health information subject to the regulations, standards, implementation specifications or other requirements of the Standard Transactions Rules, Privacy Rules and Security Rules promulgated by the Secretary of the Department of Health and Human Services (HHS) pursuant to the Health Insurance Portability and Accountability Act of 1996.

1. Privacy. The organization shall take reasonable steps to (1) protect health information in its possession, so as to assure the privacy and confidentiality of the information, in whatever form, whether written, oral or electronic; and (2) meet or exceed the standards for protecting health information set forth by the HIPAA privacy rule. The organization shall comply with HIPAA regulations with respect to safeguarding the privacy and confidentiality of health information in its possession.

2. Individual Rights and Notice. Consistent with the provisions of the Privacy Rule, the organization shall assure the rights of individuals to:

• have access to their health information

• have written, meaningful notice regarding the ways in which their health information is used and disclosed

• have an opportunity to request restrictions to the use and disclosure of their health information, and to have reasonable requests honored

• have an opportunity to request corrections or amendments to their health information

• receive, upon written request, an accounting of the disclosures made of their health information

• file complaints regarding the organization's use or disclosure of health information, and to be free from retaliation for having filed such a complaint or complaints.

3. Minimum Necessary. The organization shall restrict its uses of, disclosures of, and requests for protected health information to the minimum necessary to accomplish the purpose that prompted the use, disclosure or request for information. Access to information shall be position or task-based so that employees have access only to the minimum information necessary for them to perform their jobs. All access levels, including full access, shall be properly documented and, if required by HIPAA, justified.


4. Training. Employees shall receive training enabling them to understand and fulfill their duties and obligations with respect to privacy and confidentiality of health information in their possession. Employees shall receive appropriate training as soon as possible after hire, but in no event later than 30 days after the date the employee begins working. All training shall be documented in each employee's personnel file.

5. Reporting Violations; Compliance. Employees shall report violations of HIPAA regulations or the organization's HIPAA policies to their direct supervisor, department manager, or to the privacy official. No retaliation shall be taken against any employee who reports a violation. Employees who violate HIPAA or organizational policy shall be subject to disciplinary action.

6. Privacy Official. The organization shall designate an individual to serve as privacy official for the organization. The privacy official will be responsible for the development and implementation of the organization's privacy policies and procedures.

7. Business Associates. A business associate is an entity that performs functions for or provides services to, or on behalf of, the organization, where the function or service involves the use or disclosure of individually identifiable health information. Business associates must agree via contract that they will comply with the HIPAA regulations.

Effective Date
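The following is an added example, not part of the manual or its Skill Guides, showing what items 2 and 3 of the sample policy above look like when enforced in code: position-based access profiles that release only the fields a role needs, a signed authorization required for any purpose outside treatment, payment and health care operations, and an event log from which an individual's accounting of disclosures and a report of denied attempts for the privacy official can both be produced. The role names, field categories, member record and authorization id are assumptions constructed for illustration.

```python
"""Minimum-necessary PHI access with an accounting-of-disclosures log.
Added example for the sample policy's items 2 and 3, not the manual's own
material; roles, fields, member record and authorization id are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Optional, Sequence, Tuple

# Purposes the privacy rule permits without a signed authorization:
# treatment, payment and health care operations (TPO).
TPO_PURPOSES: FrozenSet[str] = frozenset({"treatment", "payment", "operations"})

# Position-based access profiles (assumed for this example). Each role may
# receive only the PHI categories its task needs; keeping this table under
# change control is the "access levels shall be documented" step.
ROLE_FIELDS: Dict[str, FrozenSet[str]] = {
    "enrollment_clerk": frozenset({"name", "member_id", "plan_option"}),
    "claims_processor": frozenset({"name", "member_id", "claim_codes", "claim_amount"}),
    "case_manager": frozenset({"name", "member_id", "diagnosis", "claim_codes"}),
    "wellness_vendor": frozenset({"name", "member_id", "diagnosis"}),
}

class PhiAccessDenied(Exception):
    """Raised when a request falls outside the requester's minimum necessary."""

@dataclass(frozen=True)
class AccessEvent:
    when: str                     # ISO-8601 UTC timestamp
    member_id: str
    requester: str                # workforce member or business associate id
    role: str
    purpose: str
    fields: Tuple[str, ...]       # fields actually released; empty if denied
    granted: bool
    reason: str                   # denial reason, "" when granted
    authorization_id: Optional[str] = None

@dataclass
class PhiGateway:
    records: Dict[str, Dict[str, object]]
    events: List[AccessEvent] = field(default_factory=list)

    def request(self, member_id: str, requester: str, role: str, purpose: str,
                fields: Sequence[str], authorization_id: Optional[str] = None,
                now: Optional[datetime] = None) -> Dict[str, object]:
        """Release the requested fields or raise PhiAccessDenied; log either way."""
        stamp = (now or datetime.now(timezone.utc)).isoformat()
        wanted = tuple(dict.fromkeys(fields))  # de-duplicate, keep request order

        def deny(reason: str) -> None:
            self.events.append(AccessEvent(stamp, member_id, requester, role, purpose,
                                           (), False, reason, authorization_id))
            raise PhiAccessDenied(reason)

        if role not in ROLE_FIELDS:
            deny(f"unknown role {role!r}")
        if purpose not in TPO_PURPOSES and not authorization_id:
            deny(f"purpose {purpose!r} requires a signed authorization")
        extra = sorted(set(wanted) - ROLE_FIELDS[role])
        if extra:
            # Refuse rather than silently trim, so over-broad requests show up in the report.
            deny(f"fields outside role's minimum necessary: {extra}")
        if member_id not in self.records:
            deny("no such member")
        record = self.records[member_id]
        released = {f: record[f] for f in wanted if f in record}
        self.events.append(AccessEvent(stamp, member_id, requester, role, purpose,
                                       tuple(released), True, "", authorization_id))
        return released

    def accounting_of_disclosures(self, member_id: str) -> List[AccessEvent]:
        """Every release of this member's PHI, for the written-request accounting."""
        return [e for e in self.events if e.member_id == member_id and e.granted]

    def denied_report(self) -> List[AccessEvent]:
        """Denied attempts, for the privacy official's periodic review."""
        return [e for e in self.events if not e.granted]

# Constructed sample record (not real PHI).
SAMPLE_RECORDS: Dict[str, Dict[str, object]] = {
    "M-1001": {"name": "A. Example", "member_id": "M-1001", "plan_option": "PPO",
               "diagnosis": "J45.20", "claim_codes": ["99213"], "claim_amount": 120.0},
}

def demo() -> PhiGateway:
    """Two permitted releases and two refusals against the sample record."""
    gw = PhiGateway(records=dict(SAMPLE_RECORDS))
    gw.request("M-1001", "clerk01", "enrollment_clerk", "operations", ["name", "plan_option"])
    for args in (("M-1001", "clerk01", "enrollment_clerk", "operations", ["name", "diagnosis"]),
                 ("M-1001", "ba-wellness", "wellness_vendor", "marketing", ["name"])):
        try:
            gw.request(*args)
        except PhiAccessDenied:
            pass
    gw.request("M-1001", "ba-wellness", "wellness_vendor", "marketing",
               ["name", "diagnosis"], authorization_id="AUTH-0001")
    return gw
```

Refusing an over-broad request rather than trimming it is a deliberate choice: a request that is quietly narrowed never reaches the denied report, so nobody learns that a role is routinely asking for more than its job needs. Which disclosures an accounting must list, and for how long the log must be kept, is set by the rule itself; the log here simply keeps every release so the plan can answer a written request.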


Skill Guide

HIPAA Compliance Checklist

Instructions: Use this SkillGuide as an assessment tool to help your organization gauge where it is in the overall picture of HIPAA privacy rule compliance.

Checklist columns: Task Description, Responsible Person, Comments/Completion Date

PROJECT PLANNING

Create a HIPAA taskforce or appoint employees to spearhead HIPAA implementation

Establish executive and board level responsibility for HIPAA compliance

Establish HIPAA compliance objectives

Estimate resources required to implement HIPAA

Determine if compliance can be achieved with current staff or whether consultant assistance will be needed

Discuss HIPAA with outside vendors

Discuss HIPAA with legal counsel

Adopt or develop a set of Privacy Principles

Draft a Privacy Officer job description


Assign a Privacy Officer

Establish a Privacy Oversight Committee

Undertake a detailed regulatory review

Conduct surveys and departmental interviews

Conduct a policy/procedure assessment

Draft necessary policies and procedures or modify current policies and procedures to comply with HIPAA

Conduct a plan participant rights assessment

Draft needed consents, authorizations, and other required documents

Conduct a gap analysis/risk assessment

Develop a work plan to address identified risks

Monitor legal developments regarding HIPAA compliance dates and modifications

Develop a training plan and conduct workforce trainings

Develop and conduct trainings for upper level management

Determine business associates

Develop business associate agreements or addenda to current agreements

Develop chain of trust agreements for sharing of electronic information

Review web site to determine whether it is HIPAA compliant

PHI INVENTORY

Undertake a comprehensive inventory of the PHI your organization maintains


Determine workforce job descriptions, who in workforce will have access to PHI and categories of PHI that will be accessible

Determine what business associates or other external sources will have access to PHI

Evaluate internal and external information access, disclosure, and release of information practices against the “minimum necessary” requirements

Assess vulnerabilities that expose PHI

Establish a mechanism to track access to PHI and allow designated staff to review or receive a report on such activity

Establish a common standard for handling PHI and a mechanism for communicating when those standards are not met

Develop a procedure that identifies information that will be subject to protection

Develop methods for disclosing only the minimum amount of PHI necessary to accomplish any intended purpose

Develop a mechanism for accounting for all disclosures of PHI

Create a system to track and archive all disclosures of PHI

Develop guidelines for use and disclosure of PHI

Create a system for correcting patient records

CONSENTS/AUTHORIZATION

Conduct an inventory of existing consent and authorization forms

Evaluate health claims processing forms

Review existing forms for compliance with HIPAA requirements

Review existing forms for compliance with 42 CFR Part 2 requirements (confidentiality of substance use disorder patient records)


Review existing forms for compliance with applicable state laws that are more stringent than HIPAA and therefore are not preempted by it

Evaluate need to update or develop consents, authorizations and notice of privacy practices

Check for readability

Conduct trainings regarding use and applicability of forms

Develop a policy/procedure concerning when PHI may be disclosed without a consent or authorization

Develop a policy/procedure concerning when a consent or authorization is incomplete or invalid

Develop a policy/procedure regarding the need to retain signed consents and authorizations for six years

Develop a plan for dissemination

PATIENT RIGHTS

Design communications mechanisms that provide explanations about the PHI typically maintained

Develop a Notice of Privacy Practices

Develop a policy and practice concerning dissemination of notice in the event material changes are made to the organization’s privacy practices

Draft consents

Draft authorizations

Draft disclosure to business associates

Develop a form and a policy/procedure concerning amendments or corrections of PHI


Develop a form for individual to request restriction on use or disclosure of PHI

Develop a form for required accounting of disclosures

Provide a mechanism for inspection and to obtain a copy of individual’s own PHI

Develop a policy for formal process to file complaints about privacy issues

Revise current notices and policies to comply with HIPAA

Check for readability

Conduct trainings concerning workforce responsibility and implementation of patient Rights

Develop a plan for dissemination of forms

BUSINESS ASSOCIATES

Identify business associates and/or qualified service organizations

Conduct an inventory of existing agreements

Review existing agreements for compliance with Privacy Rule requirements

Review existing agreements for compliance with 42 CFR Part 2 requirements

Review existing agreements for compliance with state laws that are more stringent than HIPAA and therefore are not preempted by it

Develop a confidentiality statement

Develop business associate agreements or addenda to current agreements

Conduct trainings to ensure staff and business associates understand the importance of privacy practices


Ensure ongoing compliance monitoring of all business associate agreements to ensure privacy issues are addressed and business associates are compliant with privacy standards

POLICY & PROCEDURES

Review existing policies and practices

Check for compliance with Privacy Rule requirements

Check for compliance with 42 CFR 2 requirements

Check for compliance with other state laws that are stricter than HIPAA

Develop a policy/procedure concerning uses and disclosures with authorization

Develop a policy/procedure concerning uses and disclosures without authorization

Develop a policy/procedure for disclosures to business associates

Develop a policy/procedure to comply with minimum necessary standard

Develop a policy/procedure concerning right of an individual to request restrictions on use or disclosure of the individual’s PHI

Develop a policy/procedure concerning creation of de-identified information

Develop a policy/procedure concerning dissemination of required notices

Develop a policy/procedure concerning records to which access will be granted

Develop a policy/procedure concerning grounds for denying requests for access to PHI

Develop a policy/procedure concerning copying fees


Develop a policy/procedure concerning providing required accounting of disclosures

Develop a policy/procedure concerning accepting or denying requests for amendment or corrections of PHI, and how other entities will be notified of any amendments or corrections

Develop a policy/procedure concerning identification of persons responsible for making decisions under the organization’s policies and procedures

Develop policies/procedures concerning training of the organization’s workforce

Develop a policy/procedure concerning identification of the person(s) (or offices) serving as the privacy official and contact person

Develop a policy/procedure concerning regulating access to PHI, including safeguards

Develop a policy/procedure concerning the mechanism for lodging complaints and the procedure for receiving and resolving complaints

Develop a policy/procedure concerning workforce and business associate sanctions for violations of HIPAA

Develop a policy/procedure for mitigating violations of HIPAA

Develop a policy/procedure concerning sending communications to an individual via alternative means or to an alternative location

Evaluate practices/policies related to marketing and fundraising

Develop a policy/procedure concerning psychotherapy notes (if applicable)

Evaluate practices/policies relating to research

Perform a gap analysis to determine where requirements are not being addressed through current policies and practices


Develop additional policies/procedures depending on the organization’s operations (the above list is brief and additional policies/procedures will be necessary)

Check for readability

Conduct trainings

Plan for dissemination

TRAINING

Review privacy training and enforcement practices

Develop or update privacy training and orientation for all employees, volunteers, medical and professional staff, contractors, alliances, business associates and other appropriate third parties

Implement mandatory attendance of entire workforce at privacy trainings

Develop a statement attesting to staff comprehension and agreement to comply with policies and practices

Develop a statement to document that staff reattest to statement every three years

Develop a mechanism for ongoing privacy awareness reminders and updates within organization

Develop a plan for additional training when organization materially changes privacy practices or procedures

Develop a training plan for persons joining the workforce after the initial organization trainings

Train staff concerning accountability in regards to their responsibilities for protecting patient privacy and sanctions for noncompliance


OTHER HIPAA CONSIDERATIONS

Assess and document compliance levels, gaps and vulnerabilities against HIPAA, 42 CFR 2, and state law requirements

Assess ongoing program effectiveness and compliance

Conduct ongoing and comprehensive audits

Design a monitoring and enforcement program

Track implementation issues

Assure continuing review of policies and practices for modification or improvement

Begin testing of computer and other systems for compliance with HIPAA requirements

Maintain appropriate administrative, technical and physical safeguards to protect PHI and reasonably safeguard PHI from any use or disclosure

PART

Implementing Privacy Rules

The Health Insurance Portability and Accountability Act (HIPAA) mandates how healthcare plans, providers, and clearinghouses store and transmit individuals' health information. Implementation of and compliance with the HIPAA privacy rules is mandatory. These rules present significant challenges to the day-to-day operations of organizations involved in the healthcare industry. Organizations that don't change internal procedures to comply with HIPAA regulations risk significant fines. This course offers a practical guide to implementing and complying with the HIPAA privacy rules. The course helps healthcare professionals, managers, and staff personnel understand HIPAA regulations and how to implement the changes required for compliance.

UNIT 7

Preparing Your Staff and Associates

This unit is comprised of 2 Lessons that cover:

Lesson 1: Privacy Training

• Choose correct examples of how privacy training topics might be presented to employees

Lesson 2: Complying with Business Associate Provisions

• Select examples of procedures required to achieve compliance with business associate provisions.

Lesson Post-test

At the end of the unit, you will complete a Lesson Post-test.

Lesson 1

Privacy Training

The Health Insurance Portability and Accountability Act's (HIPAA) privacy rule requires formal training and documentation to ensure accountability for privacy of protected health information (PHI). Evidence of compliance must be documented and retained for at least six years.

However, the privacy rule simply provides that a group health plan must train its entire work force on policies and procedures necessary for compliance with the regulations. So organizations do have considerable flexibility in terms of implementation.

Employers that sponsor group health plans are required to present a training program to educate the workforce of the covered entity—the group health plan—on the legal requirements of the privacy rule and the privacy procedures adopted by the plan.

Privacy training should include the following topics:

• Privacy rights —These are the written policies and procedures implementing all of the HIPAA privacy rule’s requirements for your organization.

• Uses and disclosures —These are standards based on who, when, and under what circumstances PHI can and cannot be used.

• Enforcement —This includes disciplinary action against the employee, and fines and criminal penalties against the employer for violation of organizational privacy policies and the HIPAA privacy rule.

• Resources —Resources make up the organizational privacy structure—for example, privacy officer, privacy manual, legal, human resources, and quality assurance.

These topics should be addressed in your training program, but you have many options in terms of how the information will be presented and precisely what information needs to be conveyed. Obviously, the content of a training program will depend to a large extent upon how the organization revises operations to comply with the rule and the trainees' positions within the organization.

The various training topics—privacy rights, uses and disclosures, enforcement, and resources—can be presented in various ways such as:

• Workshops —Workshops or seminars can combine traditional classroom lectures—including role-playing, case studies, and discussions—with technology to train staff on privacy issues.

• Videos —Video training courses are a low-cost, easy-to-implement privacy training option that can be a good choice for independent study or new employee orientation.

• Web-based training —Web-based training programs allow employers to deliver convenient, flexible privacy training. Coursework can be completed entirely online via video presentations, monitored sessions, and online workbook instruction.


• Interactive software —Interactive training software dynamically reacts to the trainee's actions. It provides opportunities for practicing acquired skills, which is critical for retention and transfer of learning from training to the workplace.

• Books —Simply giving your employees a book to read about the HIPAA privacy regulations probably won't be enough. However, books should be provided as needed for reference or as teaching aids.

Often, a multimedia program, utilizing several types of presentation, will provide the most effective training. No matter what methods and materials you use, make sure you cover the key topics that will be most useful to help your workforce achieve compliance with your company policy and HIPAA privacy rule requirements.

Understanding what needs to be covered in a training program—privacy rights, uses and disclosures, enforcement, and resources—is the one essential element that will help make privacy rule compliance a reality.

Lesson 2

Complying with Business Associate Provisions

Most health plans use contractors and service providers to assist with a variety of functions. But a plan can't give protected health information (PHI) to business associates unless they promise to comply with the privacy rule.

Business associates include any agent, contractor, or other person outside of your workforce who receives PHI from your group health plan in order to perform some Health Insurance Portability and Accountability Act (HIPAA) covered function for it. (Covered entities, such as health care providers, are not business associates when they receive PHI for purposes of treatment, payment, or health care operations.)

To achieve compliance with the privacy rule's business associate provisions, your organization needs to follow these procedures:

• Identify business associates —Review existing contracts—and all other instances where PHI is disclosed or transferred—to determine whether the other parties qualify as business associates. Basically, a business associate is any person or organization—other than an employee or covered entity—who performs a service or function that involves the use or disclosure of PHI.

• Enter into written contracts —Group health plans and employers must negotiate agreements with business associates and obtain authorized signatures of business associates. These contracts must include assurances that business associates will safeguard PHI and use or disclose it only as permitted by the contracts and regulations.

• Act upon violations —The privacy rule doesn't obligate you to monitor the day-to-day activities of your business associates. But if your group health plan learns of some activity or practice that violates the agreement, it must take reasonable steps to correct the problem, terminate the contract, or report the violation.

You need to identify those persons or organizations that constitute business associate relationships, so your organization knows when contracts containing specific HIPAA privacy rule language are required.

The written contracts your organization enters into with business associates will protect the privacy of individual PHI. Covered entities must have formal agreements in place to meet compliance guidelines under the privacy rule.

If a person who is not an employee for a covered group health plan provides a service and PHI is exchanged, this indicates a business associate relationship. You must develop a business associate agreement or contract with the external contractor or vendor. Then, if you discover the business associate has violated the contract, you must take reasonable steps to fix the problem or end the violation.

UNIT 8

Changing Processes and Procedures

This unit is comprised of 3 Lessons that cover:

Lesson 1: Documentation

• Identify examples of privacy rule documentation requirements for covered group health plans

Lesson 2: Resolving Access Issues and Complaints

• Identify the stages for resolving access issues and complaints.

• Match the stages (receiving, evaluation, and responding) for resolving access issues and complaints with examples.

Lesson 3: Disciplinary Policies under HIPAA

• Identify the progressive disciplinary actions for violations of privacy policies

Lesson Post-test

At the end of the unit, you will complete a Lesson Post-test.

Lesson 1

HIPAA Privacy Rule Documentation Requirements

The Health Insurance Portability and Accountability Act's (HIPAA) privacy rule will require some employers and group health plans to change their current practices related to documenting protected health information (PHI) uses and disclosures.

The privacy regulations contain extensive documentation requirements for covered group health plans that may also impact the employers that sponsor those plans.

A covered group health plan must document the following items in written or electronic form:

• Policies and procedures —Group health plans are required to adopt clear, written privacy procedures to protect PHI and track disclosures.

• Communications regarding the individual privacy rights of health plan participants —Covered entities must communicate with plan participants regarding authorization to use and disclose PHI, access PHI, requests for amendments, requests for an accounting, and PHI communications. The privacy rule requires that these communications be documented.

• Actions required to be documented by the rule —The privacy rule specifies certain actions that must be documented. A covered entity must document disposition of complaints, disciplinary actions or sanctions that are applied; and other actions, activities, and designations that the privacy rule requires to be documented.

Documentation requirements must be complied with, but the rule does allow flexibility in terms of approach. So you can proactively define your documentation process to meet the needs of your organization.

Documentation of all HIPAA policies and procedures facilitates workforce training, enhances the covered entity’s accountability, and assures compliance.

An organization really has little latitude in terms of what information must be documented. The rule requires written policies and procedures. These can be set forth in a privacy manual or on a web page. Communications may be documented easily by using special forms for HIPAA correspondence. Other actions must be documented by the plan to demonstrate compliance or record PHI-related activities.

The rule requiring that any action, activity, or designation that must be documented be maintained in a written or electronic record covers the following:

• privacy official and contact person

• that training has been provided

• complaints received and their disposition

• sanctions that are applied

• changes to policies and procedures.

Once your organization issues consent forms, authorization forms, Notices of Privacy Practices, policies and procedures, and the like, your team will be less likely to misuse PHI. These documents help ensure that employees adhere to HIPAA privacy rule documentation requirements. Compliance will become a routine matter of following established procedures.

Skill Guide

Required Amendments

Instructions: Use this Skill Guide to help your organization amend group health plan documents to achieve HIPAA privacy rule compliance.

Employer's Amendment to Plan Documents

THIS PROVISION DESCRIBES HOW PROTECTED HEALTH INFORMATION ABOUT COVERED PERSONS MAY BE USED AND DISCLOSED AND HOW COVERED PERSONS MAY ACCESS THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

Protected Health Information (PHI)

Under the privacy provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Protected Health Information, or PHI, is health information, including demographic information collected from an individual that:

1. Is created or received by a health care provider, health plan, employer, or healthcare clearinghouse; and

2. Relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and:

A. That identifies the individual; or

B. With respect to which there is a reasonable basis to believe the information can be used to identify the individual.

This information cannot be used or disclosed without the Covered Person’s written permission except in certain specified circumstances stated in the HIPAA privacy regulations. The Plan is required by law to maintain the privacy of PHI and maintains a privacy policy and safeguards for carrying out its legal duties concerning PHI. The Plan is required to provide timely notice of any changes to its privacy policy to all affected individuals. Individuals have the right to file a complaint with the Plan and/or the Secretary of the Department of Health and Human Services if they believe their privacy rights have been violated. Any complaint filed with the Plan must be in writing and directed to the Plan Administrator. The regulations provide that no individual will be retaliated against for filing a complaint.

Rights of a Covered Person Regarding Access to or Amendment of PHI

Upon written request to the Plan, an individual has a right of access to inspect and obtain a copy of PHI about himself/herself in a designated record set for as long as the PHI is maintained in the designated record set except for:

1. Psychotherapy notes;

2. Information compiled in reasonable anticipation of, or for use in, a civil, criminal or administrative action or proceeding; and

3. Subject to the Clinical Laboratory Improvement Amendments of 1988, 42 U.S.C. 263a, to the extent the provision of access to the individual would be prohibited by law, or exempt from the Clinical Laboratory Improvement Amendments of 1988, pursuant to 42 CFR 493.3(a)(2).

All requests to the Plan for access to PHI must be in writing. The Plan must act on a request for access no later than thirty (30) days after receipt by granting and providing access or providing a written determination as to why access will not be provided. If the PHI requested is not maintained or accessible to the Plan on-site, the Plan may have sixty (60) days to provide the requested access. If the Plan is unable to provide access within these time frames, the Plan may have an additional thirty (30) days to provide the requested access so long as written notice of the delay and the reasons for it is provided to the requesting individual prior to expiration of the applicable time period.

In providing the requested access, the Plan must timely permit an individual to request access to inspect or to obtain a copy of the PHI about the individual that is maintained in a designated record set. If the Plan is asked to provide a photocopy or summary of the PHI, the individual requesting the PHI will be responsible for any reasonable fees incurred by the Plan in producing the same.


The Plan may deny an individual access to PHI in the following circumstances:

1. The PHI is excepted from the right of access;

2. The PHI relates to a correctional facility inmate’s request;

3. The PHI is obtained by a covered health care provider in the course of research that includes treatment;

4. The individual’s access to the PHI is governed by the Privacy Act and the denial is consistent with the provisions of that Act;

5. The PHI was obtained from someone other than a health care provider under a promise of confidentiality and the access requested would be reasonably likely to reveal the source of the information; or

6. A licensed health care professional has determined, in the exercise of professional judgment, that the access requested by an individual or personal representative is reasonably likely to endanger the life or physical safety of the individual or another person referenced in the PHI.

In some of these instances, the individual is given the right to have such denials reviewed and in others the Plan does not need to provide the opportunity for review of the denial. The Plan will provide the opportunity for review of the denial upon receipt of a written request if required to do so by the regulations. Such review will be performed in the manner and within the time periods prescribed in the regulations. Please contact the Plan Administrator if you have questions.

An individual has the right to ask the Plan to amend PHI or a record about the individual in a designated record set for as long as the PHI is maintained in the designated record set. The Plan may deny an individual’s request for amendment if it is determined that the PHI or record that is the subject of the request:

1. Was not created by the Plan, unless the individual provides a reasonable basis to believe that the originator of the PHI is no longer available to act on the requested amendment;

2. Is not part of the designated record set;

3. Would not be available for inspection according to the provisions of the applicable regulations; or

4. Is accurate and complete.

All requests to the Plan for amending PHI must be in writing. The Plan must act on a request for amendment no later than sixty (60) days after receipt by granting the requested amendment or providing a written determination as to why access will not be provided. If the Plan is unable to act on the amendment within these time frames, the Plan may have an additional thirty (30) days to provide the requested access so long as written notice of the delay and the reasons for it is provided to the requesting individual prior to expiration of the applicable time period. If the request for amendment is granted, the Plan must amend the PHI in the designated record set(s) as requested, must timely inform the individual of the amendment and obtain from that individual relative to other entities who need to be informed of the amendment, and advise those entities and any persons, including business associates, who the Plan knows has the PHI that is the subject of the amendment and may have relied, or could foreseeably rely on such information to the detriment of the individual. If the request for amendment is denied, in whole or in part, the Plan must permit the individual to submit to the Plan a written statement disagreeing with the denial of all or part of a requested amendment and the basis of such disagreement. The Plan may reasonably limit the length of the statement of disagreement. The Plan has the right to prepare a written rebuttal to the individual’s statement of disagreement. If such a rebuttal is prepared, a copy of it must be sent to the individual who submitted the statement of disagreement. Where permitted by the regulations, the statement of disagreement and rebuttal will be incorporated into any future disclosures of PHI to which the disagreement relates.

Circumstances Under Which the Plan Will Disclose PHI

The Plan does not disclose any nonpublic personal information about Covered Persons or former Covered Persons to anyone, except as permitted by law. The Plan will only disclose PHI:

1. Without a signed written authorization to the Covered Person to whom the PHI pertains (or to a minor child’s parent or guardian, if applicable);

2. Without a signed written authorization as required for healthcare operations purposes. The Plan is permitted to disclose PHI, without an additional authorization, for healthcare operations purposes. “Healthcare Operations” includes, but is not necessarily limited to, any of the following activities of the Plan to the extent that the activities are related to covered functions: quality assessment; case management; care coordination; contacting of health care providers and patients with information about treatment alternatives; reviewing the competence or qualifications of health care professionals; evaluating practitioner and provider performance; health plan performance; accreditation, certification, licensing, or credentialing activities; underwriting; premium rating; and other activities relating to the creation, renewal or replacement of a contract of health insurance or health benefits; ceding, securing, or placing a contract for reinsurance of risk relating to claims for health care (including stop-loss insurance and excess loss insurance); conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs; business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the Plan, including formulary development and administration, development or improvement of methods of payment or coverage policies; and other business management and general administrative activities of the Plan as allowed by law;

3. To an individual who provides the Plan with a written authorization signed by the Covered Person to whom the PHI pertains;

4. As required by state or federal law, regulation or order of a court with jurisdiction.

When, and Under What Circumstances, the Plan Sponsor Will Have Access to PHI

The Plan Sponsor hereby certifies that the Plan Documents have been amended to comply with the regulations by incorporation of the following provisions. The Plan Sponsor agrees to:

1. Not use or further disclose the information other than as permitted or required by the Plan Documents or as required by law;

2. Ensure that any agents, including a subcontractor, to whom it provides PHI received from the Plan agree to the same restrictions and conditions that apply to the Plan Sponsor with respect to such information;

3. Not use or disclose the information for employment-related actions and decisions or in connection with any other benefit or employee benefit plan of the Plan Sponsor;

4. Report to the Plan any use or disclosure of the information that is inconsistent with the uses or disclosures provided for of which it becomes aware;

5. Make available PHI as required to allow the Covered Person a right of access to his or her PHI as required and permitted by the regulations;

6. Make available PHI for amendment and incorporate any amendments into PHI as required and permitted by the regulations;

7. Make available the information required to provide an accounting of disclosures as required by the regulations;

8. Make its internal practices, books, and records relating to the use and disclosure of PHI received from the Plan available to any applicable regulatory authority for purposes of determining the Plan’s compliance with the law’s requirements;

9. If feasible, return or destroy all PHI received from the Plan that the Plan Sponsor still maintains in any form and retain no copies of such information when no longer needed for the purpose for which disclosure was made, except that, if such return or destruction is not feasible, limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible; and

10. Ensure that the adequate separation required between the Plan and the Plan Sponsor is established. To fulfill this requirement, the Plan Sponsor will restrict access to nonpublic personal information to the Plan Administrator(s) designated in this Plan Document or employees designated by the Plan Administrator(s) who need to know that information to perform plan administration and healthcare operations functions or assist Covered Persons enrolling and disenrolling from the Plan. The Plan Sponsor will maintain physical, electronic, and procedural safeguards that comply with applicable federal and state regulations to guard such information and to provide the minimum PHI necessary for performance of healthcare operations duties. The Plan Administrator(s) and any employee so designated will be required to maintain the confidentiality of nonpublic personal information and to follow policies the Plan Sponsor establishes to secure such information. When information is disclosed to entities that perform services or functions on the Plan’s behalf, such entities are required to adhere to procedures and practices that maintain the confidentiality of the Covered Person’s nonpublic personal information, to use the information only for the limited purpose for which it was shared, and to abide by all applicable privacy laws.

Lesson 2

Resolving PHI Access Issues and Complaints

To comply with the Health Insurance Portability and Accountability Act (HIPAA), your organization will need to implement a three-stage process for handling protected health information (PHI) access issues and complaints.

The privacy rule also requires a process for individuals to complain to both the group health plan and the Secretary of Health and Human Services (HHS) about the plan’s policies and procedures or about its compliance with the regulations. Access and complaint issues can arise regarding all individually identifiable health information, including paper records, oral communications, and information transmitted electronically.

Plan participants have a right to access their medical records and to exercise some control over how their PHI is used and disclosed. They also have a right to complain if they feel that your organization, or its policies and procedures, are not in compliance with the privacy rule.

The three basic stages for resolving these access and complaint issues are as follows:

1. Receiving: Complaints and requests should generally be submitted by plan participants to the privacy office, using approved forms, in accordance with organizational policy and procedures. The privacy office's receipt of the request or complaint initiates the process.

2. Evaluating: The privacy office, or some other person designated by the privacy officer, evaluates requests and investigates complaints or reports of violations in accordance with company policy and procedures.

3. Responding: The privacy office provides a written response to the person who submitted the request or complaint. The response is provided to the plan participant within a reasonable time from the date the request or complaint was filed, and summarizes the results of the evaluation and the action taken.

Employer-sponsored group health plans must control access to PHI in accordance with the privacy rule. They must also handle HIPAA privacy rule complaints. This means implementing procedures for handling each stage in the process—receiving, evaluating, and responding.

Following these stages appropriately will help your employer and the group health plan deal with the HIPAA privacy rule and comply with its provisions.

Skill Guide

HIPAA Forms

Instructions: Use this SkillGuide to help your organization develop the forms needed to achieve HIPAA privacy rule compliance.

HIPAA Forms

• Business Associate Contract --The privacy rule requires contracts with business associates, providing written assurances that they will appropriately safeguard protected health information.

• Notice of Privacy Practices --You'll need to give plan participants a notice informing them of your organization's uses and disclosures of PHI, and of their rights with respect to that information.

• Acknowledgement of Privacy Practices --Develop a form to obtain written acknowledgment that participants received notice of your organization's privacy practices.

• Workforce Confidentiality Agreement --This form lists employees' responsibilities relating to the confidentiality of PHI within the organization.

• Informational HIPAA Brochure for Plan Participants --A form like this can provide an excellent introduction to HIPAA and its effects on participants in your organization's group health plan.

• Authorization Form for Using and Disclosing PHI --Your employer must obtain a signed “authorization” to use or disclose information for purposes other than treatment, payment, and health care operations (except as required by law).

• Request Form for Health Record Amendment --Plan participants can use this form to ask for amendments to their PHI.

• Request Form for Accounting of Disclosures --Plan participants can request an accounting of all disclosures of PHI. Use a form like this to document such requests.

• Request Form for Inspecting PHI --Your organization will need to develop a form for documenting participants’ requests to inspect their health information.

• Request Form for Restricting Uses of PHI --Your organization needs a form that will allow plan participants to ask for restrictions upon uses or disclosures of PHI.

• Form for Filing Complaints --Complaints are a necessary, though unwelcome, part of HIPAA compliance. You'll need a form for participants who think that your organization has violated their HIPAA privacy rights, or who want to complain about a privacy-related decision.

• Form for Accounting of PHI Disclosures --You'll also want a special form for recording and documenting disclosures, which can be kept with employees' records.

• Model Fax Cover Sheet --When you send PHI via fax, you should include a cover sheet with a detailed privacy disclosure regarding the confidentiality of health information.

Lesson 3

Disciplinary Policies under HIPAA

Employer-sponsored group health plans need to develop sanctions applicable to their workforce to deal with violations of privacy policies, and assign a manager to be responsible for taking disciplinary action for privacy violations.

Generally, workers may be subject to discipline for violations of either the HIPAA privacy regulations or the employer’s policies and procedures. In applying these sanctions, your goal is to apply progressive, corrective, and positive discipline.

The degree and kinds of sanctions associated with misconduct related to protected health information (PHI) will depend upon your organization’s approach to discipline. The privacy rule doesn't provide any specific requirements as to penalties for violations by members of the workforce that administers the health plan.

Most organizations use a progressive structure for disciplinary actions for violations of privacy policies, such as the following:

• Verbal warning: A verbal warning includes written documentation in the employee's file that a warning has been issued, and informal coaching on the Health Insurance Portability and Accountability Act (HIPAA) privacy rule requirements.

• Written warning: Generally, a written warning documents both the violation and an agreement with the individual that these actions will not happen again. This sanction might include additional formal training regarding privacy procedures.

• Suspension: A suspension places the employee on an unpaid leave of absence for a designated period of time.

• Termination: The employee may be terminated for willful misconduct, or transferred to a position where PHI would not be available to the employee.

Keep in mind that while progressive discipline may be desirable in most cases, many employers retain the discretion to skip steps in the procedure or proceed with termination in the first instance.

Any worker associated with a covered group health plan should feel responsible for reporting known or suspected violations of the privacy policies or the HIPAA privacy rule to the privacy officer. Generally, the privacy officer will investigate and document alleged violations, and their eventual resolution, including any disciplinary actions taken. HIPAA regulations require retention of disciplinary sanction information for six years.

The progressive disciplinary policy set forth by the HIPAA compliance program should be integrated with other disciplinary policies of the organization, communicated to all members of the health plan workforce—and, potentially, other employees, and consistently enforced.

When employees violate your organization’s privacy policies, sanctions should be imposed in accordance with the applicable employee disciplinary policies and procedures. The supervisor imposing the sanctions should have sufficient knowledge of the HIPAA privacy standards to assess the extent and impact of any violations that have occurred.

Every covered entity must have and apply appropriate sanctions against members of its workforce who fail to comply with HIPAA rules or with the organization’s own privacy policies and procedures.

Skill Guide

Sample Policy Regarding Violations of Privacy

Instructions: Use this SkillGuide to help your organization develop a policy for handling violations of the privacy policy.

Sanctions Applicable to Workforce for Violation of Policies

1. Any employee or trainee associated with the Company is responsible for reporting known or suspected violations of the privacy policies and/or the HIPAA Privacy Rule to the Company Privacy Officer. Violations can be reported by e-mailing HIPAA@_____.com. See www.______.com\hipaa\contacts.htm for additional information. Violations do not include disclosures by whistleblowers or by individuals who are filing a complaint, participating in an investigation, compliance review or hearing, or opposing any act or practice made unlawful by the HIPAA Privacy Rules.

2. The Company Privacy Officer will investigate and document all alleged violations, and their eventual resolution, including any disciplinary actions taken. The Privacy Officer will maintain all official documentation related to privacy violations. All affected departments and/or individuals shall cooperate fully with the investigation. The Privacy Officer shall keep Company officials apprised of ongoing investigations as appropriate. Given the nature of some of these investigations, there are times when the scope of the problem must be determined before notification is possible.

Disciplinary Actions

While the ultimate determination on what, if any, disciplinary action will be taken is within the sole discretion of the appointing authority, the Privacy Officer will work with the appropriate Company officials to assure the appropriate disciplinary action is taken for known violations. The officials involved in assessing applicable discipline will depend on the person’s relationship with the Company (e.g. manager, staff, trainee, classified staff).

Disciplinary actions may include, but are not limited to, the following:

1. First offense results in a verbal reprimand that is documented in the employee’s personnel file.

2. Further offenses that occur more than six (6) months apart result in a written reprimand and retraining of the Company employee on the policies and procedures.

3. Second offense that occurs less than six (6) months from the first offense results in suspension without pay of up to ten (10) days. If the Company employee returns to work, retraining of the employee on policies and procedures occurs.

4. Third offense that occurs less than six (6) months from the second offense results in termination of employment.

5. Any member of the workforce who violates a criminal law (such as HIPAA or other federal and state laws) can expect that the Company will provide information concerning the violation to appropriate law enforcement personnel and that the Company will cooperate with any law enforcement investigation or prosecution.

At the discretion of management, the Company may terminate an employee for the first breach of the Company’s privacy policy if the seriousness of the offense warrants such action.

Part 5

Securing Protected Health Information

Congress designed the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Administrative Simplification Rules to make it easier for healthcare providers, insurance companies, and information clearinghouses to provide adequate care for patients. By using a single set of standards for exchanging electronic data, healthcare organizations can send and receive health information more quickly and at a lower cost. However, standardizing the electronic "language" of healthcare data creates a threat to a patient's privacy rights. The law includes specific safeguards for patients' health information. The law that establishes these rules does not place any specific requirements on employers. However, many employers sponsor healthcare insurance plans for employees and share protected health information about employees with organizations covered by the new rules.

Employers must protect themselves against liability under the new rules by ensuring the confidentiality, integrity, and availability of the electronic protected health information they hold about employees. Companies must protect against reasonably anticipated threats to the security or integrity of health information and guard against uses or disclosures of protected information that are not allowed under the law. This course describes precautions employers should take when complying with the HIPAA Administrative Simplification rules. The course explores specific standards set within the HIPAA rules and legally mandated implementation specifications, as well as areas where the law allows flexibility in adopting the new rules.

Unit 9

Administrative Safeguards for Data Security

This unit is comprised of 3 Lessons that cover:

Lesson 1: Data Security Policies

• Match organizational safeguards for data security under the Administrative Safeguards section of the HIPAA Security Standards with examples

Lesson 2: Security in the Workforce

• Select examples of implementations of workforce standards for data security required under the Administrative Safeguards section of the HIPAA Security Standards

Lesson 3: Business Associate Contract Security

• Identify business associate contract provisions that address security requirements of HIPAA’s Administrative Safeguards

Lesson Post-test: At the end of the unit, you will complete a Lesson Post-test.

Lesson 1

Data Security Policies

While electronic media, like e-mail, allow health insurance companies to communicate more efficiently, this ease of communication raises concerns for the safety of patient information. As a result, companies must now restructure their data security policies to meet the organizational safeguards set forth by the Security Standards of the Health Insurance Portability and Accountability Act (HIPAA).

The Administrative Safeguards section of the HIPAA Security Standards defines three requirements that can be called organizational safeguards, which help secure protected health information (PHI).

1. Security management process: The security management process requirement states that all covered entities need to implement policies and procedures to prevent, detect, contain, and correct violations of the security of PHI. An effective security management process covers risk analysis, risk management, a sanction policy, and an information system activity review. Each process strengthens the internal security management of a company.

2. Incident procedures: The incident procedures requirement directs covered entities to implement procedures to address all security incidents within the organization. Specifically, companies need to respond to and record all breaches of the security of PHI. To achieve this, you'll need to identify which occurrences constitute a security incident and develop procedures to respond to those incidents.

3. Contingency plans: The organizational safeguard for contingency plans establishes policies and procedures for responding to emergencies and other occurrences that disrupt normal PHI operations. The contingency plan should include policies for data backup, disaster recovery, and emergency mode operations. Preparing for fires, thefts, power outages, and other disasters helps ensure the safety of health information.

The organizational safeguards that you must establish within your company will create the backbone of your entire security program. These required safeguards support the standards for PHI security that have been identified by HIPAA.

By defining sound management policies, incident procedures, and contingency plans, you can ensure that your organization is prepared for security threats.

Skill Guide

Organizational Safeguards Guidelines

Instructions: Use this SkillGuide as an assessment tool to help your organization gauge its compliance with the organizational requirements of the HIPAA Security Standards. The Responsible Person and Comments/Completion Date columns are left blank for your organization to fill in.

Organizational Requirement | Examples | Responsible Person | Comments/Completion Date
Security Management Process | Analyze possible security risks | |
Security Management Process | Implement solutions for defined security risks | |
Security Management Process | Sanction policy for violations of security | |
Security Management Process | Policy for auditing activity in the information system | |
Incident Procedures | Policy defining security incidents | |
Incident Procedures | Procedures for responding to and reporting all security incidents | |
Contingency Plans | Procedures for backing up PHI storage systems | |
Contingency Plans | Procedures for accessing PHI during a disaster | |
Contingency Plans | Procedures for operating during emergency modes | |

Lesson 2

Security in the Workforce

The Health Insurance Portability and Accountability Act (HIPAA) outlines several security rules that can help you establish authorization procedures for employees who need to have access to protected health information (PHI).

The Administrative Safeguards section contains four standards that affect the workforce of covered entities. These workforce standards need to be implemented for the security of the organization's electronic PHI:

1. Security responsibility: Organizations are required to identify a security official who is responsible for developing and implementing the HIPAA security rules within the organization. More than one person may be given security responsibilities, but a single individual needs to have the final responsibility.

2. Workforce security: Organizations are required to implement procedures that ensure all employees have appropriate access to PHI. Authorized personnel are granted access while unauthorized personnel are prevented from accessing the same information.

In addition to authorization procedures, this standard contains specifications for providing clearance to workforce members. Such clearance can be provided by establishing background checks for some employees. However, background checks are not a requirement of the workforce security standard.

3. Information access management: The information access management standard specifies that covered entities should implement policies and procedures for authorizing access to PHI. This standard pairs the controls that protect PHI with the procedures by which authorized users are granted access through those controls.

For example, a company can implement password protection for electronic PHI, making password issuance the procedure for authorizing access. Additionally, companies can designate particular workstations for use by authorized employees.

4. Security awareness and training: Organizations are required to implement programs and procedures that ensure all workforce members have been trained to understand the new security rules. This awareness and training should help employees perform their jobs.

Covered entities can keep their employees aware of security risks, such as viruses, by providing them with periodic security reminders. In addition, companies that rely on specific controls to protect PHI need to train their employees to use them; password management is an example of such a control.

Organizations should establish procedures for managing the authorization of employees who may appropriately access healthcare information and implement standards defining how access will be authorized for PHI. HIPAA's workforce standards can help you establish that authorization.

Your organization needs to identify who is responsible for data security. This employee can then oversee the authorization policies, information access management, and security awareness training.
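As an added illustration (this code is not from the manual or from any HIPAA guidance; it was written for this edition as an example), the following Python script shows one way the workforce security and information access management standards above, together with the information system activity review from Lesson 1, can be put into practice: a role-based authorization check for actions on electronic PHI, and a review pass over access-log entries that flags successful access by an inactive account or outside a user's role, a bulk export outside business hours, and repeated denied attempts that the incident procedures should examine. The role names, the workforce directory, the log format and the log lines themselves are assumptions constructed for the example.

```python
"""Role-based ePHI authorization plus an information-system activity review.

Added example for this lesson; the role model, log format and sample log
lines are assumptions constructed for illustration, not a real system.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, time

# Assumed role model. Plan administrators designated in the plan documents
# may view, amend and export PHI for plan administration; enrollment staff
# see enrollment data only; payroll (an employment function) gets no PHI.
ROLE_PERMISSIONS = {
    "plan_administrator": {"view_phi", "amend_phi", "export_phi"},
    "enrollment_staff": {"view_enrollment"},
    "payroll": set(),
}


@dataclass(frozen=True)
class WorkforceMember:
    role: str
    active: bool  # False once the person leaves the plan workforce


# Constructed workforce directory.
WORKFORCE = {
    "alice": WorkforceMember("plan_administrator", True),
    "bob": WorkforceMember("enrollment_staff", True),
    "carol": WorkforceMember("payroll", True),
    "dave": WorkforceMember("plan_administrator", False),  # terminated
}


def authorize(user, action, workforce=WORKFORCE):
    """Information access management: allow only active members whose
    role permits the requested action (minimum necessary by role)."""
    member = workforce.get(user)
    if member is None or not member.active:
        return False
    return action in ROLE_PERMISSIONS.get(member.role, set())


# Constructed access log: "<ISO timestamp> <user> <action> <record> <outcome>".
SAMPLE_LOG = """\
2024-03-04T09:12:00 alice view_phi rec-1041 allow
2024-03-04T09:15:00 bob view_enrollment rec-1041 allow
2024-03-04T09:20:00 carol view_phi rec-1041 allow
2024-03-04T23:40:00 alice export_phi rec-ALL allow
2024-03-05T10:01:00 dave view_phi rec-2002 allow
2024-03-05T10:02:00 bob view_phi rec-2002 deny
2024-03-05T10:03:00 bob view_phi rec-2003 deny
2024-03-05T10:04:00 bob view_phi rec-2004 deny
"""


def review_activity(log_text, workforce=WORKFORCE,
                    business_hours=(time(7), time(19)), deny_threshold=3):
    """Information system activity review over an access log.

    Returns a list of (timestamp, user, action, record, reason) findings.
    Each finding is a candidate security incident for the incident
    procedures; the review does not decide sanctions, it only surfaces
    what the security official must look at.
    """
    findings = []
    denied = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_text, user, action, record, outcome = line.split()
        ts = datetime.fromisoformat(ts_text)
        if outcome == "deny":
            denied[user] += 1  # enforcement worked; count for repeat pattern
            continue
        # A successful access the policy would not have authorized means
        # the enforcing system and the workforce directory disagree.
        if not authorize(user, action, workforce):
            member = workforce.get(user)
            if member is None or not member.active:
                reason = "inactive-or-unknown-account"
            else:
                reason = "outside-role"
            findings.append((ts_text, user, action, record, reason))
        # Bulk export of PHI outside business hours is reviewed even when
        # the role permits it.
        start, end = business_hours
        if action == "export_phi" and not (start <= ts.time() <= end):
            findings.append((ts_text, user, action, record,
                             "bulk-export-outside-hours"))
    for user, count in denied.items():
        if count >= deny_threshold:
            findings.append(("-", user, "-", "-", f"{count}-denied-attempts"))
    return findings


if __name__ == "__main__":
    for finding in review_activity(SAMPLE_LOG):
        print(" ".join(finding))
```

Run on the constructed log, the review reports four findings: carol (payroll) successfully viewing PHI, alice's late-night bulk export, the terminated account dave still reading records, and bob's three denied attempts. The first and third show the access-control system and the workforce directory out of step, which is exactly what the activity review exists to catch; the other two are for the security official to judge.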

Lesson 3

Business Associate Contract Security

While it's important for your company to implement safeguards ensuring the security of protected health information (PHI), it's equally important that your business associate contracts provide security for the same information.

Business associates are defined as individuals or agencies, other than members of the covered entity's workforce, that perform any function involving the use or disclosure of the covered entity's PHI.

The Security Standards of the Health Insurance Portability and Accountability Act (HIPAA) demand that business associates provide satisfactory assurances that they will safeguard information that is transmitted to them.

Business associate agreements

A covered entity can obtain safeguard assurances with a written business associate agreement. With an appropriate business associate agreement in place, the business associate can use or disclose PHI on behalf of the covered entity. This agreement must specify that business associates will provide appropriate administrative, physical, and technical safeguards that will ensure the security of the covered entity's PHI.

The business associate agreement standards should ensure that business associate contracts contain language addressing the implementation of appropriate safeguards for PHI. Therefore, contracts should contain provisions obligating your business associates to do the following:

• implement administrative, physical, and technical safeguards that protect the confidentiality, integrity, and availability of PHI

• ensure that any subcontractor will safeguard PHI

• report any security incidents involving PHI

• authorize termination of the business associate agreement for material contract violations

The security procedures that you establish within your company provide a foundation for protecting all electronic PHI. Much like the foundation of your home, you should periodically evaluate your security procedures for cracks that might appear over time. You should also evaluate the efforts that your business associates are obligated to make for the security of your PHI. A thorough business associate contract can help you ensure the integrity of your company's information.


Skill Guide

Sample Security Contract

Instructions: Use this SkillGuide as a model to help develop an appropriate, comprehensive security contract for business associates of your organization.

Security Obligations of Associate

a. Permitted Uses and Disclosures. Associate may use and/or disclose Protected Health Information (PHI) received by Business Associate pursuant to this Agreement.

b. Nondisclosure. Associate shall not use or further disclose Plan's PHI other than as permitted or required by this Agreement or as required by law.

c. Safeguards. Associate shall use appropriate safeguards to prevent use or disclosure of Plan's PHI otherwise than as provided for by the Agreement. Associate shall maintain a comprehensive written information security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity of the Associate's operations and the nature and scope of its activities.

d. Reporting of Disclosures. Associate shall report any use or disclosure of Plan's PHI, other than as provided for by this Agreement, of which Associate becomes aware.

e. Associate’s Agents. Associate shall ensure that any agents, including subcontractors, to whom it provides PHI received from (or created or received by Associate on behalf of) Plan, agree to the same restrictions and conditions that apply to Associate with respect to such PHI.

f. Availability of Information to Plan. Associate shall make available to Plan such information as Plan may require to fulfill its obligations to provide access to, provide a copy of, and account for disclosures with respect to PHI pursuant to HIPAA and the HIPAA Regulations.

g. Amendment of PHI. Associate shall make Plan's PHI available to Plan as Plan may require to fulfill its obligations to amend PHI pursuant to HIPAA and the HIPAA Regulations. Associate shall, as directed by Plan, incorporate any amendments to Plan's PHI into copies of such PHI maintained by Associate.

h. Internal Practices. Associate shall make its internal practices, books, and records relating to the use and disclosure of PHI received from Plan (or created or received by Associate on behalf of Plan) available to Plan and to the Secretary of the U.S. Department of Health and Human Services for purposes of determining Associate's compliance with HIPAA and the HIPAA Regulations.

i. Termination of Agreement. Associate authorizes Plan to terminate this Agreement if Plan determines that Associate has violated a material term of this Agreement.


UNIT 10

Protecting Data

This unit is comprised of 2 Lessons that cover:

Lesson 1: Physical Safeguards

• Match standards for providing physical safeguards for protected health information to examples

• Recommend actions to improve implementation of physical safeguard standards for protecting PHI in a hypothetical company

Lesson 2: Technical Safeguards

• Match technical safeguard standards required under the HIPAA security rules for protected health information with examples.

Lesson Post-test

At the end of the unit, you will complete a Lesson Post-test.


Lesson 1

Physical Safeguards

The Physical Safeguards section set forth by the Security Standards of the Health Insurance Portability and Accountability Act (HIPAA) defines safeguards that ensure the physical security of protected health information (PHI).

More specifically, physical safeguards are policies or procedures that protect an organization's electronic health information systems and the buildings that contain them from unauthorized access. There are four physical safeguards for the protection of health information.

1. Facility access controls —This safeguard states that covered entities are required to implement policies and procedures to limit physical access to electronic information systems and the facilities in which they are kept.

For example, when appropriate and reasonable, control procedures can amount to providing locks for rooms and file cabinets. Additionally, companies can validate visitor authorization using sign-in sheets.

2. Workstation use —This safeguard states that covered entities are required to implement policies that define the proper functions for, and surroundings of, all workstations that have access to PHI.

Basically, you'll need to document your policies for workstation passwords and other operational precautions that are required for these workstations. For example, some companies ask users to log off before leaving a workstation unattended, or they prohibit unauthorized users from sitting near these protected workstations.

3. Workstation security —This safeguard states that covered entities are required to implement safeguards for all workstations that have access to electronic PHI. These safeguards help ensure that only authorized users can access PHI with these workstations.

Unlike the workstation use safeguard, workstation security safeguards should implement procedures that limit physical access to PHI workstations. These safeguards might restrict the type of portable devices that can leave the covered entity's building.

For example, some companies have specified that workstations with access to PHI cannot be placed in plain sight of all workforce personnel. Instead, a desktop monitor could only be viewed while seated at the workstation.

4. Device and media controls —This safeguard states that covered entities are required to implement policies and procedures that address the receipt and removal of hardware and electronic media that contain PHI. This safeguard can help you prevent unauthorized disclosure of PHI that has been stored on an outdated device.


For example, organizations can document their procedures for cleaning a computer's hard disk before disposing of it. Additionally, this same cleaning procedure can be used for any computer meant for reuse.

Implementing the physical security standards required by HIPAA may already be part of your company's security system. Some companies or groups have more PHI than others. There are also differing levels of exposure. The guideline for any HIPAA compliance implementation is that policies and procedures for security should be reasonable and appropriate.

The Physical Safeguards section of HIPAA's Security Standards defines requirements that secure your company's building or physical work areas. The most effective and up-to-date security software can easily be undone by an unlocked door or a floppy disk that has not been appropriately cleaned. The required physical safeguards can protect your company's PHI from these physical security violations.


Skill Guide

Physical Safeguard Guidelines

Instructions: Use this Learning Aid to identify the actions you should take under the physical safeguards guidelines of the HIPAA Security Standards.

Standard: Facility access controls

Actions: Implement policies and procedures to limit physical access to electronic information systems and the facility or facilities where they are housed, while still allowing properly authorized access.

Implementation specifications:

(i) Contingency operations (Addressable). Establish and implement procedures that allow facility access to restore lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.

(ii) Facility security plan (Addressable). Implement policies and procedures to safeguard the facility and its equipment from unauthorized physical access, tampering, and theft.

(iii) Access control and validation procedures (Addressable). Implement procedures to control and validate a person's access to facilities based on their role or function.

(iv) Maintenance records (Addressable). Implement procedures and policies that document repairs and modifications to the facility's security-related physical components.

Standard: Workstation use

Actions: Implement procedures and policies that specify the proper functions to be performed, the manner in which they should be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information.

Standard: Workstation security

Actions: Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users.

Standard: Device and media controls

Actions: Implement procedures and policies that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility.

Implementation specifications:

(i) Disposal (Required). Implement procedures and policies to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored.

(ii) Media re-use (Required). Implement procedures for the removal of electronic protected health information from electronic media before the media are made available for re-use.

(iii) Accountability (Addressable). Maintain a record of the movements of hardware and electronic media and any person responsible for them.

(iv) Data backup and storage (Addressable). Create a retrievable, exact copy of electronic protected health information, when needed, before moving the equipment.

Lesson 2

Technical Safeguards

The Health Insurance Portability and Accountability Act (HIPAA) Security Standards contain standards that address societal concerns about the accessibility that technology offers for protected health information (PHI).

The required standards for technical safeguards promote PHI security by helping companies identify and authorize users who can access health information, while protecting against unauthorized disclosure or transmission of PHI. These standards are:

1. Access controls —The access controls safeguard states that covered entities are required to implement policies and procedures to ensure control over access to information systems that maintain electronic PHI.

Companies should assign unique names or identification numbers to identify and track system users. These identifiers can also be used to grant access to PHI. Access controls should include policies or procedures that allow company personnel to access PHI during emergency conditions.

2. Audit controls —The audit controls safeguard states that covered entities are required to install software or other mechanisms that record and examine the use of systems that maintain PHI.

The auditing mechanism is perhaps less important than the activities it records. For example, companies seeking to protect health information should be aware of any failed login attempts or incomplete validation sequences that appear in their system logs.

3. Data integrity — The data integrity safeguard is also known as the data authentication standard. It states that covered entities are required to implement policies and procedures to protect electronic PHI from improper alteration or destruction. This standard simply calls for electronic methods that ensure PHI use is appropriate.

For example, you can implement digital signatures for any file change that takes place within a folder or drive containing PHI. You can also include checksum processes with your files.

Page 164: HIPAA 2nd edition Student Manual - s3.amazonaws.coms3.amazonaws.com/Careertec/Career Technical Institute/Student... · HIPAA 2 nd Edition Table of Contents HIPAA2E/0810 iii Lesson

Unit 10 Protecting Data HIPAA 2 nd Edition

HIPAA2E/0810 156

4. Person or entity authentication —The person or entity authentication safeguard has multiple possibilities for implementation. This standard states that you must implement procedures capable of verifying that the persons or entities seeking access to your electronic PHI are the persons or entities they claim to be; these procedures prevent imposters from accessing PHI.

The standard does not specifically state what technologies you must implement for these procedures, however. So, there is some flexibility for this standard. You may choose to validate users with assigned passwords or PINs. Security access cards are another validation option. For higher levels of authentication, you might choose to install biometric scanners in your facilities, such as fingerprint, hand, or iris scanners.

5. Transmission security —The technical safeguard standard for transmission security states that covered entities are required to implement policies and procedures that guard against unauthorized access to electronic PHI that is transmitted over an electronic communications network.

The transmission security standard states that companies should implement procedures for transmission integrity and data encryption. Transmission integrity ensures that PHI is not improperly modified without detection. Data encryption should be used when there is a high risk for interception.
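As an added example that is not part of the student manual, this is the kind of review a company might run over its system logs for the audit controls standard above: it parses constructed, syslog-like login events, flags users with repeated failed or incomplete validation attempts inside a short window, and notes logins that succeed right after a run of failures so a reviewer can follow up. The log format, host name, user names and addresses are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a syslog-like format; not the output of any real product.
SAMPLE_LOG = """\
2024-03-01T08:00:05 ehr-app auth: FAILED login user=jdoe src=10.0.0.12 reason=bad_password
2024-03-01T08:00:09 ehr-app auth: FAILED login user=jdoe src=10.0.0.12 reason=bad_password
2024-03-01T08:00:14 ehr-app auth: FAILED login user=jdoe src=10.0.0.12 reason=bad_password
2024-03-01T08:00:20 ehr-app auth: FAILED login user=jdoe src=10.0.0.12 reason=bad_password
2024-03-01T08:00:31 ehr-app auth: SUCCESS login user=jdoe src=10.0.0.12
2024-03-01T08:05:00 ehr-app auth: FAILED login user=asmith src=10.0.0.40 reason=bad_password
2024-03-01T09:10:00 ehr-app auth: FAILED login user=asmith src=10.0.0.40 reason=bad_password
2024-03-01T09:12:00 ehr-app auth: INCOMPLETE login user=rlee src=10.0.0.77 reason=mfa_timeout
2024-03-01T09:12:30 ehr-app auth: INCOMPLETE login user=rlee src=10.0.0.77 reason=mfa_timeout
2024-03-01T09:13:00 ehr-app auth: INCOMPLETE login user=rlee src=10.0.0.77 reason=mfa_timeout
"""

# Hypothetical line layout: timestamp host auth: OUTCOME login user=... src=... [reason=...]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth: (?P<outcome>FAILED|SUCCESS|INCOMPLETE) login "
    r"user=(?P<user>\S+) src=(?P<src>\S+)"
)

def parse_events(text):
    """Turn raw log text into a list of event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "outcome": m["outcome"],
                           "user": m["user"], "src": m["src"]})
    return events

def find_auth_anomalies(events, threshold=3, window=timedelta(minutes=5)):
    """Return {user: max_count} for users with at least `threshold` non-successful
    attempts (FAILED or INCOMPLETE validation) inside any sliding window of `window`."""
    by_user = defaultdict(list)
    for e in events:
        if e["outcome"] != "SUCCESS":
            by_user[e["user"]].append(e["ts"])
    flagged = {}
    for user, stamps in by_user.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:  # drop attempts older than the window
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged

def success_after_failures(events, min_failures=3):
    """Return users whose successful login directly follows a run of at least
    `min_failures` unsuccessful attempts; a reviewer should confirm it was really them."""
    streak = defaultdict(int)
    suspicious = set()
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["outcome"] == "SUCCESS":
            if streak[e["user"]] >= min_failures:
                suspicious.add(e["user"])
            streak[e["user"]] = 0
        else:
            streak[e["user"]] += 1
    return suspicious
```

On the sample above, `find_auth_anomalies` reports jdoe (4 failures in 15 seconds) and rlee (3 incomplete MFA validations in one minute) but not asmith, whose two failures are an hour apart; `success_after_failures` singles out jdoe.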
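An added example, not from the manual, of the checksum approach mentioned under the data integrity standard: a baseline manifest of SHA-256 checksums for a folder of PHI files, authenticated with HMAC-SHA256 (a keyed MAC, used here in place of a public-key digital signature) so that the manifest itself cannot be quietly rewritten to match an altered record. The folder contents, file names and key are constructed placeholders.

```python
import hashlib
import hmac
import json
import os
import tempfile

# Constructed placeholder key; a real deployment loads it from a key store, never from source.
MANIFEST_KEY = b"placeholder-manifest-key-rotate-me"

def file_sha256(path):
    """Checksum one file in chunks so large records need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root, key=MANIFEST_KEY):
    """Hash every file under root and authenticate the whole listing with HMAC-SHA256,
    so someone who edits a record cannot simply recompute its checksum as well."""
    entries = {}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            entries[os.path.relpath(full, root)] = file_sha256(full)
    body = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries, "hmac": hmac.new(key, body, hashlib.sha256).hexdigest()}

def verify_manifest(root, manifest, key=MANIFEST_KEY):
    """Check the manifest's own tag first, then compare the folder against it and
    report which records were modified, removed, or added since the baseline."""
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac"]):  # manifest itself was tampered with
        return {"manifest_ok": False, "modified": [], "missing": [], "new": []}
    old, current = manifest["entries"], build_manifest(root, key)["entries"]
    return {
        "manifest_ok": True,
        "modified": sorted(p for p in old if p in current and current[p] != old[p]),
        "missing": sorted(p for p in old if p not in current),
        "new": sorted(p for p in current if p not in old),
    }

def demo():
    """Constructed scenario: baseline a PHI folder, then alter, delete and add records,
    and finally try to hide the alteration by patching the manifest entry as well."""
    with tempfile.TemporaryDirectory() as root:
        for name, data in [("patient-001.txt", b"dob=1970-01-01;dx=J45"),
                           ("patient-002.txt", b"dob=1985-06-30;dx=E11")]:
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        manifest = build_manifest(root)
        clean = verify_manifest(root, manifest)
        with open(os.path.join(root, "patient-001.txt"), "ab") as f:
            f.write(b";dx=altered")
        os.remove(os.path.join(root, "patient-002.txt"))
        with open(os.path.join(root, "patient-003.txt"), "wb") as f:
            f.write(b"dob=2001-02-03")
        after = verify_manifest(root, manifest)
        forged = {"entries": dict(manifest["entries"]), "hmac": manifest["hmac"]}
        forged["entries"]["patient-001.txt"] = file_sha256(os.path.join(root, "patient-001.txt"))
        return clean, after, verify_manifest(root, forged)
```

`demo()` returns a clean result for the untouched baseline, then a report naming patient-001.txt as modified, patient-002.txt as missing and patient-003.txt as new, and finally `manifest_ok: False` for the manifest whose checksum was patched without the key.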


Organizations must take reasonable steps to protect the security and confidentiality of health information. When that information is stored electronically, data security becomes an even greater risk factor. However, strides in technology can help you meet or exceed the standards set forth for securing health information.


Skill Guide

Technical Safeguard Guidelines

Instructions: Use this SkillGuide to identify the actions you should take under the technical safeguard guidelines of the HIPAA Security Standards.

Standard: Access control

Actions: Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in § 164.308(a)(4).

Implementation specifications:

(i) Unique user identification (Required). Assign a unique name and/or number to identify and track user identity.

(ii) Emergency access procedure (Required). Establish (and implement as needed) procedures to obtain the necessary electronic protected health information during an emergency.

(iii) Automatic logoff (Addressable). Implement electronic procedures to terminate an electronic session after a predetermined time of inactivity.

(iv) Encryption and decryption (Addressable). Implement a mechanism to encrypt and decrypt electronic protected health information.

Standard: Audit controls

Actions: Implement hardware, software, and/or procedural mechanisms to record and examine activity in information systems that contain or use electronic protected health information.

Standard: Integrity

Actions: Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.

Implementation specification:

Mechanism to authenticate electronic protected health information (Addressable). Implement electronic mechanisms to confirm that electronic protected health information has not been altered or destroyed in an unauthorized manner.

Standard: Person or entity authentication

Actions: Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.

Standard: Transmission security

Actions: Implement technical security measures to protect against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.

Implementation specifications:

(i) Integrity controls (Addressable). Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until it is disposed of.

(ii) Encryption (Addressable). Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.