HTKT19/HTKT Made in the USA
OPTUM360CODING.COM
*Offer valid only for customers who are NOT part of the Medallion or Partner Account programs. You must be registered at optum360coding.com to have your online purchases tracked for rewards purposes. Shipping charges and taxes still apply and cannot be used for rewards. Optum360 Coding eReward offers valid online only. Visit optum360coding.com/onlinerewards for more information. © 2018 Optum360, LLC. All rights reserved. WF667299 SPRJ5237
Search. Explore. Shop. Get the coding tools you need, all in one convenient place.
VISIT OPTUM360CODING.COM
New to optum360coding.com? Visit us at optum360coding.com/register to create an online account. You’ll have easy access to your order history, shipping information and more.
Plus, when you register, you’re automatically enrolled in our free eRewards program where you’ll earn cash back each time you order online.*
Learn more about our eRewards program at optum360coding.com/onlinerewards.
optum360coding.com
Find the products you need quickly and easily
Shop our full range of print products and learn more about our online coding tools
View sample pages and see each product’s available formats and edition years on the same page
Explore detailed product features and benefits to ensure you get the right coding tool to meet your needs
Download regularly posted product updates and additional product content
Learn about CEU opportunities
Attend a product webinar
GET MORE WHEN YOU ORDER ONLINE
SHOP. SEARCH. EXPLORE.
Power up your coding: optum360coding.com
2019 HIPAA Tool Kit
A medical practice guide to assessment, implementation and policy and procedure development
© 2018 Optum360, LLC i
Contents
Introduction .... 1
  New for the 2019 Edition .... 1
    Ransomware and Other Cyberattacks: What All Covered Entities Need to Know .... 1
    Detailed Guidance on the Use of Mobile Devices Within Medical Offices .... 1
    HIPAA Privacy and Security Handbooks for Office and Clinical Staff .... 1
    Earn Five CEUs from AAPC and Our Certificate of "HIPAA Skills Proficiency" .... 2
  About This Manual .... 2
  A Word About "Covered Entities" .... 3
  A Brief Refresher Course on HIPAA .... 3
  A Brief Update on HIPAA .... 4
    Progress Report .... 6
  Ongoing Compliance with HIPAA .... 8
    Hot Topics Related to Patient Privacy .... 9
    HIPAA Privacy in Emergency Situations .... 9
    Confidentiality of Alcohol and Drug Abuse Patient Records .... 10
    Notice of Privacy Practices .... 10

HIPAA Privacy Standards .... 17
  Overview of HIPAA Privacy Requirements .... 17
    Scope of the HIPAA Privacy Standards .... 17
    Notice, Authorization, Accounting, and Amendment .... 17
    Notice and Authorization .... 18
    Patient Requests to Restrict Uses and Disclosures of Protected Health Information .... 18
    Using and Disclosing Protected Health Information .... 18
    The Minimum Necessary Standard .... 19
    Privacy Violations .... 21
    Office for Civil Rights Audits .... 24
  Special Situations .... 39
    Ensuring that Business Associates Comply with the Privacy Rules .... 39
    What the Business Associate Agreement Must Contain .... 41
    Documentation Requirements .... 43
    Rules for Accessing and Amending Information .... 44
    Status of the Privacy Rules .... 47
  Monitoring the Impact of the Privacy Rules .... 48
    Understanding Protected Health Information .... 48
    Reviewing HIPAA Privacy Requirements and Model Policies .... 49
    Comparing HIPAA and State Privacy Requirements .... 50
    Examining Users, Uses, and Disclosures of Information .... 50
    Examining Current Privacy Practices .... 51
    Examining How Business Associates Use Information .... 52
  Developing a Strategy for Complying with HIPAA's Privacy Rules .... 52
    Strategic Considerations .... 52
    HIPAA Privacy Milestones .... 58
    Key Compliance Decisions .... 58
  HIPAA Compliance Work Plan .... 58
    Privacy Policy and Procedure Manual .... 59
    Notice and Authorization Forms .... 59
    Review Minimum Necessary Policies .... 59
    Amend Contracts with Business Associates .... 59
    Procedures to Provide for Access to and Amendment of Protected Health Information .... 59
    Complaint Process .... 60
    Documentation Procedures and Systems .... 60
    Conduct Privacy Training Sessions .... 60
    Privacy Audit Program .... 60
    Resources on the Web .... 60

Privacy Model Policies and Procedures .... 61
  Creating a HIPAA Privacy Compliance Plan .... 61
  Model Policies and Procedures .... 62
    P-1000 General Administrative Policies and Procedures .... 64
    P-1100 Staff Responsibilities .... 65
    P-1200 Staff Training .... 68
    P-1300 Staff Compliance and Sanctions .... 70
    P-1400 Business Associates and Protected Information .... 74
    PF-1400 Sample Business Associate Agreement Language .... 77
    P-1500 Development and Maintenance of Privacy Policies and Procedures .... 82
    P-1600 Documentation and Record Keeping .... 84
    P-2000 Use and Disclosure of Protected Health Information .... 86
    P-2100 Use and Disclosure of Information for Treatment Purposes .... 87
    P-2200 Use of Patient Information for Payment Purposes .... 89
    P-2300 Use and Disclosure of Information for Healthcare Operations .... 91
    P-2400 Law Enforcement and Public Health .... 92
    P-2500 Marketing and Fundraising .... 98
    P-2600 Other Disclosure Situations .... 100
    P-2700 Disclosure of Protected Health Information After Death .... 104
    P-2800 Communications and Media Relations .... 105
    P-3000 Notice and Authorization .... 107
    P-3100 Notice of Privacy Practices .... 108
    PF-3100 Notice of Privacy Practices .... 112
    P-3300 Authorization of Use or Disclosure .... 116
    PF-3300 Standard Authorization of Use and Disclosure of Protected Health Information .... 120
    P-3400 Patient Requests for Restrictions on Uses and Disclosures of Confidential Communications .... 124
    PF-3400 Request for Confidential Communication of Protected Health Information .... 127
    P-4000 Personal Representatives, Parents, Spouses, and Others .... 128
    P-4100 Personal Representatives .... 129
    P-4200 Parental Access to Protected Health Information Concerning Children .... 131
    P-4300 Disclosure of Information to Family Members .... 132
    P-4400 Disclosure of Information to Close Personal Friends .... 133
    P-4500 Disclosure of Information in an Emergency Situation .... 134
    P-5000 Patient Access to Health Information .... 136
    PF-5000 Request to Inspect or Copy Protected Health Information .... 142
    PF-5030 Approval of Request to Inspect or Copy Protected Health Information .... 143
    PF-5040 Denial of Request to Inspect or Copy Protected Health Information .... 144
    PF-5042 Review of Denial to Permit Inspection or Copying of Protected Health Information .... 145
    P-5200 Amendment of Health Information .... 146
    PF-5210 Request to Amend Protected Health Information .... 147
    P-7000 Accounting for Disclosures .... 153
    P-7200 Accounting to Patients for Disclosures of Information .... 154
    PF-7200 Request for Accounting of Protected Health Information Disclosures .... 156
    P-7300 Information to Be Provided in an Accounting of Disclosures .... 157
    P-7400 Documentation of Accountings Provided to Patients .... 158
    P-7500 Documentation of Disclosures Requiring an Accounting .... 159
    P-8000 Resolution of Complaints and Breaches .... 160
    P-8100 Submission of Complaints .... 161
    P-8200 Complaint Resolution Procedures .... 162
    P-8300 Documentation of Complaints .... 164
    P-8400 Mitigation .... 165
Security Regulations In-Depth .... 167
  Overview .... 167
    Administrative Safeguards .... 167
    Physical Safeguards .... 168
    Technical Safeguards .... 168
  Cybersecurity: How to Protect Against Breaches and Mitigate Attacks .... 169
    Ransomware and Other Cyberattacks .... 169
    NIST Resource Guide .... 174
    Maintaining Privacy and Security When Using Mobile Devices .... 177
  Crosswalk Between HIPAA Security Rule and NIST Security Framework .... 180
  General Obligation to Ensure Security .... 181
  Flexibility .... 182
  Administrative Safeguards .... 196
    Administrative Safeguard Standard 1: Security Management Process .... 197
    Administrative Safeguard Standard 2: Assigned Security Responsibility .... 209
    Administrative Safeguard Standard 3: Workforce Security .... 209
    Administrative Safeguard Standard 4: Information Access Management .... 210
    Administrative Safeguard Standard 5: Security Awareness and Training .... 213
    Administrative Safeguard Standard 6: Security Incident Procedures .... 214
    Administrative Safeguard Standard 7: Contingency Plan .... 215
    Administrative Safeguard Standard 8: Evaluation of Compliance .... 219
    Administrative Safeguard Standard 9: Business Associate Contracts .... 219
  Physical Safeguards .... 220
    Physical Safeguard Standard 1: Facility Access Controls .... 220
    Physical Safeguard Standard 2: Workstation Use .... 222
    Physical Safeguard Standard 3: Workstation Security .... 222
    Physical Safeguard Standard 4: Device and Media Controls .... 223
  Technical Safeguards .... 224
    Technical Safeguard Standard 1: Access Control .... 225
    Technical Safeguard Standard 2: Audit Controls .... 227
    Technical Safeguard Standard 3: Integrity Controls .... 228
    Technical Safeguard Standard 4: Person or Entity Authentication .... 229
    Technical Safeguard Standard 5: Transmission Security .... 229
  Business Associate Contracts/Agreements Standard .... 230
    NIST Resource Guide .... 232
  Policies and Procedures Standards .... 234
    Documentation Requirements .... 234
  Breach Notification Interim Final Rule/Final Rule .... 235
    Breach Notification Rule Requirements .... 235
    Definitions .... 235
    Risk Assessment .... 237
    Techniques for Protecting PHI .... 237
    Limited Data Sets .... 238
    Exceptions to Breach .... 239
    Timing of Breach .... 240
    Notification to Individuals: Timeliness, Content, and Methods .... 241
    Notification by a Business Associate .... 244
    Law Enforcement Delay .... 245
    Administrative Requirements .... 245
    Preemption Over or by State Laws .... 246
    HHS Guidance on Securing PHI .... 246
  How to Respond to a Data Breach: Case Study .... 246
  Red Flags Rule .... 249
    Questions and Answers About the Red Flags Rule .... 250

Security Model Policies and Procedures .... 253
  Creating a HIPAA Security Compliance Plan .... 253
  Instructions for Using the Model Policies and Procedures .... 253
  Introduction to the Security Policy and Procedure Manual .... 254
  Compliance Checklist .... 254
    Instructions .... 254
  Administrative Safeguards .... 256
    SP-1 Assigned Security Responsibility .... 256
      Sample Job Description .... 256
      NIST Resource Guide .... 258
    SP-2 Security Management Process .... 258
      SP-2.1 Risk Analysis .... 258
      SP-2.2 Risk Management .... 259
      SP-2.3 Sanction Policy .... 260
      SP-2.4 Information System Activity Review .... 261
    SP-3 Workforce Security .... 262
      NIST Resource Guide .... 262
      SP-3.1 Authorization/Supervision .... 263
      SP-3.2 Workforce Clearance .... 265
      SP-3.3 Termination Procedures .... 265
    SP-4 Information Access Management .... 267
      NIST Resource Guide .... 267
      SP-4.1 Isolating Healthcare Clearinghouse Functions .... 268
      SP-4.2 Access Authorization .... 269
      SP-4.3 Access Establishment and Modification .... 270
    SP-5 Security Awareness and Training .... 270
      SP-5.1 Security Reminders .... 272
      SP-5.2 Protection from Malicious Software .... 273
      SP-5.3 Log-in Monitoring .... 274
      SP-5.4 Password Management .... 274
    SP-6 Security Incident Procedures .... 276
      NIST Resource Guide .... 276
    SP-7 Contingency Plan .... 278
      NIST Resource Guide .... 278
      SP-7.1 Data Backup Plan .... 280
      SP-7.2 Disaster Recovery Plan .... 281
      SP-7.3 Emergency-mode Operation Plan .... 282
      SP-7.4 Testing and Revision Procedures .... 283
      SP-7.5 Applications and Data Criticality Analysis .... 284
    SP-8 Evaluation .... 285
      NIST Resource Guide .... 286
    SP-9 Business Associate Contracts .... 287
  Physical Safeguards .... 288
    SP-10 Facility Access Controls .... 288
      NIST Resource Guide .... 288
      SP-10.1 Contingency Operations .... 290
      SP-10.2 Facility Security Plan .... 291
      SP-10.3 Access Control and Validation Procedures .... 292
      SP-10.4 Maintenance Records .... 293
    SP-11 Workstation Use .... 293
      NIST Resource Guide .... 294
    SP-12 Workstation Security .... 295
    SP-13 Device and Media Controls .... 296
      NIST Resource Guide .... 296
      SP-13.1 Disposal .... 297
      SP-13.2 Media Re-use .... 298
      SP-13.3 Accountability .... 298
      SP-13.4 Data Backup and Storage .... 299
  Technical Safeguards .... 300
    SP-14 Access Control .... 300
      SP-14.1 Unique User Identification .... 300
      SP-14.2 Emergency Access Procedures .... 300
      SP-14.3 Automatic Logoff .... 300
      SP-14.4 Encryption and Decryption .... 301
      NIST Resource Guide .... 301
    SP-15 Audit Controls .... 302
      NIST Resource Guide .... 302
    SP-16 Integrity .......... 303
    SP-17 Person or Entity Authentication .......... 304
      NIST Resource Guide .......... 305
    SP-18 Transmission Security .......... 306
      NIST Resource Guide .......... 306
      SP-18.1 Integrity Controls .......... 307
        NIST Resource Guide .......... 307
      SP-18.2 Encryption .......... 308
    SP-19 Business Associate Contracts/Agreements .......... 308
  Breach Notification Sample Policies .......... 311
    SP-20 Discovery of a Breach .......... 311
    SP-21 Breach Investigation .......... 312
    SP-22 Risk Assessment .......... 312
    SP-23 Notification .......... 312
    SP-24 Breach Information Log .......... 314
  Red Flag Rules Sample Policies .......... 315
    SP-25 Creation of Medical Identity Theft Prevention Program .......... 315
    SP-26 Identify the Red Flags That Signal Possible Medical Identity Theft .......... 315
    SP-27 Detect Medical Identity Theft As It Occurs .......... 316
    SP-28 Prevent and Mitigate Identity Theft .......... 316
    SP-29 Update the Medical Identity Theft Prevention Program .......... 317
Identifiers .......... 319
  HIPAA Uniform Identifier Requirements .......... 319
    Uses of Identifiers .......... 319
    Provider Identifiers .......... 319
    Employer Identifiers .......... 324
    Health Plan Identifiers .......... 324
    Continued Compliance with Identifiers .......... 326
Identifiers Model Policies and Procedures .......... 327
  Compliance Checklist .......... 327
  Model Policies and Procedures .......... 328
    IP-1 Patient Identifiers .......... 328
    IP-2 Provider Identifiers .......... 328
Transaction Standards .......... 329
  The Purpose of This Chapter .......... 329
  A Reminder About Covered Entities .......... 329
  HIPAA Highlights/Review .......... 329
  Health Plan Requirements .......... 330
  Mandatory Submission of Claims Electronically to Medicare .......... 330
    Initial Claims .......... 331
    Small Employers .......... 331
    Types of Claims Exempt from Electronic Submission .......... 332
    Waivers to the Electronic Submission Requirement .......... 332
    Contractor Approval for Waivers .......... 332
    Unusual Circumstances .......... 333
  Claims Attachments .......... 333
  Use of Healthcare Clearinghouses .......... 334
  Content of HIPAA Transaction Standards .......... 335
  Transaction Standards Approved So Far .......... 336
  Terms Used in the Transaction Standards .......... 339
  Electronic Funds Transfer .......... 340
  Claim Edits and Rejections .......... 341
    Interchange Control or ISA Edits .......... 341
    GS Edits .......... 341
    IG Edits .......... 342
    Provider Authorization Edits .......... 342
    Payer-Specific Edits .......... 342
    Trading Partner EDI Specifications .......... 342
  HIPAA Code Sets .......... 342
    The Meaning of “Code Sets” .......... 343
    Revisions to the Code Set Regulations .......... 343
  Trading Partner Agreements .......... 344
    Responsibilities of Trading Partners .......... 344
    Effective Date for Transaction Standards .......... 344
    How to Assess HIPAA’s Impact .......... 344
  Survey of Coding Practices .......... 345
  Survey of Trading Partners .......... 346
Transaction Standards Model Policies and Procedures .......... 349
  Compliance Checklists .......... 349
    Survey of Information Systems .......... 349
    Survey of Trading Partners .......... 350
    Survey of Coding Practices .......... 352
    T-1000 Use of Standard Transactions .......... 353
    T-1200 Testing and Certification of Compliance with Federal Transaction Standards .......... 356
    T-2000 Trading Partner Agreements .......... 356
    T-3000 Updating Code Sets and Practices .......... 356
Employee Training and Education .......... 359
  Employee Handbooks .......... 359
  Privacy Training .......... 359
  Developing and Implementing Training Programs .......... 359
  Instructor’s Guide .......... 360
    Section 1: A Hypothetical Case History .......... 360
    Section 2: Using and Sharing Information .......... 364
    Section 3: Notice of Privacy Practices .......... 371
    Section 4: Authorization .......... 377
    Section 5: Accountings .......... 381
    Section 6: Patient Access to Information .......... 383
  Privacy Training Presentation .......... 385
  Privacy Refresher Training .......... 425
  HIPAA Skills Test—Privacy Regulations .......... 426
  Security Training .......... 438
  Developing and Implementing Training Programs .......... 438
  Instructor’s Guide .......... 438
    Information Security .......... 438
    Administrative Safeguards .......... 439
    Physical Safeguards .......... 442
    Technical Safeguards .......... 443
    Privacy and Security Training .......... 445
  Security Training Presentation .......... 446
  HIPAA Skills Test—Security Regulations .......... 458
    HIPAA Skills Test—Security .......... 467
  What would you do? .......... 470
Conducting Internal HIPAA Audits .......... 473
  Making the Case for HIPAA Auditing .......... 473
    Deciding What Information to Audit .......... 474
    Creating an Audit Plan .......... 476
    Conducting the Audit .......... 477
    Evaluating and Reporting Audit Findings .......... 477
    Privacy and Security Auditing .......... 479
HIPAA Topics .......... 489
  Accredited Standards Committee .......... 489
    Transaction Standards and Code Sets .......... 489
    What is the ASC? .......... 489
    What is the ASC’s role under HIPAA? .......... 489
    Mission of the ASC .......... 489
    Principles of the ASC .......... 490
  Administrative Simplification .......... 490
    General: HIPAA .......... 490
    Privacy Standards .......... 491
    Requirements .......... 491
    Transaction Standards and Code Sets .......... 492
    Security Standards .......... 494
    Identifiers .......... 496
  Administrative Simplification Compliance Act .......... 497
    Transaction Standards and Code Sets .......... 497
    What Is the Administrative Simplification Compliance Act (ASCA)? .......... 497
    Model Compliance Plan .......... 497
    Electronic Claims .......... 497
  American Recovery and Reinvestment Act of 2009 .......... 498
    What is the ARRA? .......... 498
    Business Associates .......... 498
    Privacy-Related Provisions .......... 499
    What can we expect? .......... 501
  ANSI .......... 502
    General .......... 502
    What is ANSI? .......... 502
    Standards-Setting Organizations .......... 502
    The Mission of ANSI .......... 502
  ASC X12N .......... 503
    Transaction Standards and Code Sets—45 CFR §162.920 .......... 503
    The Final Approved ASC X12N Standards .......... 503
    Approved Versions .......... 503
    Future ASC X12N Standards .......... 504
  CMS .......... 505
    General .......... 505
    What is CMS? .......... 505
    CMS’s Role Under HIPAA .......... 505
    CMS Assistance to the Provider Community .......... 505
    CMS As a Covered Entity .......... 506
  Code-Set Maintaining Organization .......... 506
    Transaction Standards and Code Sets—45 CFR §162.1002 .......... 506
    Definition of Code-Set Maintaining Organizations .......... 506
    Approved Code-Set Maintaining Organizations .......... 506
  Code Sets .......... 507
    Transactions and Code Sets—45 CFR Part 162 Subpart J .......... 507
    Definition of Code Sets .......... 507
    Approved Medical Code Sets .......... 507
    ICD-10-CM .......... 507
    ICD-10-PCS .......... 508
    Current Procedural Terminology (CPT®) .......... 508
    Healthcare Common Procedure Coding System (HCPCS) .......... 509
    National Drug Codes .......... 511
    Code on Dental Procedures and Nomenclature .......... 512
    Nonmedical Code Sets .......... 512
    Modifications to Approved Code Sets .......... 513
    Table of Medical and Nonmedical Code Sets .......... 514
  Communications Under HIPAA .......... 520
    Privacy .......... 520
    Communication by Telephone .......... 520
    Communication by Fax .......... 520
    Communication by Email .......... 520
    Frequently Asked Questions .......... 521
    Tips for Office Communication .......... 523
  Companion Guides .......... 526
    Transaction Standards and Code Sets .......... 526
    Definition of Companion Guides .......... 526
    Trading Partners .......... 526
    Sample Companion Guide .......... 526
  Compliance Dates .......... 528
    General .......... 528
    Compliance Dates for Transactions and Code Sets .......... 528
    Compliance Dates for Privacy .......... 528
    Compliance Dates for Security .......... 528
    Compliance Dates for Identifiers .......... 528
  Covered Entity .......... 530
    General—45 CFR §160.102 .......... 530
    Definition of a Covered Entity .......... 530
    Subdivisions of Covered Entities .......... 530
    Am I a covered entity? .......... 530
    How to Use These Charts .......... 530
  Credentials/Certifications .......... 532
    General .......... 532
    AHIMA-Sponsored Credentials .......... 533
    ISC2-Sponsored Credentials .......... 533
  Data Element .......... 534
    Transactions and Code Sets—45 CFR §162.103 .......... 534
    Definition of a Data Element .......... 534
    Data Element Summary .......... 534
  Data Segment .......... 535
    Transactions and Code Sets—45 CFR §162.103 .......... 535
    Definition of a Data Segment .......... 535
    Example of a Data Segment .......... 536
    Segment Delimiters .......... 536
    Segment Terminator .......... 536
    Implementation Guides .......... 536
  Decedents .......... 537
    Privacy—45 CFR §164.512(g) .......... 537
    The General Rule Regarding PHI of Decedents .......... 537
    Special Disclosures of PHI Regarding Decedents .......... 537
    Research and the PHI of Decedents .......... 537
  De-identified Information .......... 538
    Privacy—45 CFR §164.514 .......... 538
    Definition of De-identified Information .......... 538
    Reasons for Data De-identification .......... 538
    How to De-identify Protected Health Information .......... 538
  Designated Record Set .......... 541
    Privacy—45 CFR §164.501 .......... 541
    The Definition of Designated Record Set .......... 541
    The Definition of a Record .......... 541
    Examples of Inclusions in the Designated Record Set .......... 541
    Examples of Exclusions from the Designated Record Set .......... 542
    State Law .......... 542
  Direct Data Entry .......... 543
    Transactions and Code Sets—45 CFR §162.923(b) .......... 543
    Definition of Direct Data Entry .......... 543
    Rules Surrounding Direct Data Entry Systems .......... 543
    Data Entry Through an Intermediary .......... 543
  Direct Versus Indirect Treatment Relationship .......... 544
    Privacy—45 CFR §164.520 .......... 544
    Definition of an Indirect Treatment Relationship .......... 544
    Definition of a Direct Treatment Relationship .......... 544
    Privacy Requirements Based on Treatment Relationship .......... 544
  Disclosure .......... 544
    Privacy—45 CFR §164.501 .......... 544
    Definition of Disclosure .......... 545
    Verification Requirements .......... 545
    Examples of Verification Procedures .......... 545
    Disclosures to the Patient .......... 545
  Example Situations and Suggested Protocols ..... 546
  Disclosures to Family, Friends, or Others Involved in the Patient’s Care ..... 546
  Disclosures to Clergy ..... 546
  Facility/Hospital Directories ..... 547
  Disclosures to Other Providers ..... 548
  Disclosures to Third Parties Involved in Payment ..... 548
DSMO ..... 549
  Transactions and Code Sets—45 CFR §162.910 ..... 549
  What are the DSMOs? ..... 549
  The Review/Modification Process ..... 549
  Currently Designated DSMOs ..... 549
Electronic Data Interchange (EDI) ..... 550
  Transactions and Code Sets ..... 550
  Definition of EDI ..... 550
  Benefits of EDI ..... 550
  The Administrative Simplification Compliance Act and EDI Requirements for Small Providers ..... 550
Electronic Media ..... 551
  General—45 CFR §160.103 ..... 551
  Definitions of Electronic Media ..... 551
  What Is Not Electronic Media ..... 551
Electronic Signatures ..... 552
  Security ..... 552
  Electronic Signatures and the Security Rule ..... 552
  State Law on Electronic Signatures ..... 552
  AHIMA Best Practice Standards ..... 552
  SAFE Project ..... 553
Electronic Transactions ..... 553
  Transactions and Code Sets—45 CFR §160.103 ..... 553
  Definition of an Electronic Transaction ..... 553
  Types of Electronic Transactions ..... 553
  Electronic Transactions and HIPAA Standards ..... 554
Emergency Situations ..... 554
  Release of Information During Emergency Situations ..... 554
Employer Identifiers ..... 555
  Unique Identifiers—45 CFR §162.610 ..... 555
  Rule for Employer Identifiers ..... 555
  Adopted Standards ..... 555
  Transactions Affected ..... 556
Enforcement ..... 556
  General ..... 556
  OCR Enforcement of the Privacy and Security Rule ..... 556
  Privacy Complaint Process ..... 557
  Compliance and Enforcement Rule ..... 560
  Transactions and Code Sets Complaint Process ..... 565
  Electronic Data Interchange (EDI) ..... 568
Fundraising Under HIPAA ..... 573
  Privacy—45 CFR §164.514(f) ..... 573
  Requirements Under the Regulations ..... 573
  Issues with Current Typical Fundraising Practices ..... 573
Genetic Non-Discrimination Act (GINA) of 2008 ..... 576
  Privacy—45 CFR §164.520 ..... 576
  GINA’s Requirements ..... 576
  HIPAA Omnibus and GINA ..... 576
Government Access to Information ..... 577
  Privacy—45 CFR §164.512(f) ..... 577
  The Privacy Rule and Government Access to Information ..... 577
  Guidance from the Office for Civil Rights on Government Access to PHI ..... 577
Healthcare ..... 580
  General—45 CFR §160.103 ..... 580
  Healthcare Defined ..... 580
  Other Government Definitions ..... 580
  Other Services ..... 584
  Helpful Questions and Answers ..... 585
Healthcare Clearinghouse ..... 586
  General—45 CFR §160.103 ..... 586
  Clearinghouse Defined ..... 586
  Frequently Asked Questions ..... 586
Healthcare Operations ..... 589
  Privacy—45 CFR §164.501 ..... 589
  Healthcare Operations Defined ..... 589
  Operations Versus Research ..... 590
  American Recovery and Reinvestment Act of 2009 ..... 590
Healthcare Provider ..... 591
  General—45 CFR §160.103 ..... 591
  Healthcare Provider Defined ..... 591
  Other Government Definitions ..... 591
  Are you a healthcare provider? ..... 592
Health Information ..... 595
  General—45 CFR §160.103 ..... 595
  Health Information Defined ..... 595
  Individually Identifiable Health Information ..... 595
  Protected Health Information ..... 595
Health Information Technology for Economic and Clinical Health (HITECH) Act ..... 595
Health Plan ..... 596
  General—45 CFR §160.103 ..... 596
  Health Plan Defined ..... 596
  Health Plan Comparisons ..... 596
HHS ..... 600
  General ..... 600
  HHS: What It Does ..... 600
  HHS Operating Divisions ..... 601
  Other HHS Agencies ..... 602
  Organization of HHS ..... 603
Implementation Guides ..... 604
  Transactions and Code Sets—45 CFR §162.920 ..... 604
  Implementation Guides ..... 604
  Details on the Specifications ..... 604
  Retail Pharmacy Specifications ..... 604
  Companion Guides ..... 605
Incidental Disclosures ..... 605
  Privacy—45 CFR §164.502(a)(1) ..... 605
  Incidental Disclosures Defined and Regulatory Context ..... 605
  Tips for Monitoring ..... 606
Individual Identifiers ..... 608
  Unique Identifiers ..... 608
  Purpose of Individual Identifiers ..... 608
  Issues with Individual Identifiers ..... 608
  Frequently Asked Questions on Individual Identifiers ..... 608
Limited Data Set ..... 609
  Privacy—45 CFR §164.514(e) ..... 609
  Requirements of a Limited Data Set ..... 609
  Data-Use Agreements ..... 610
  American Recovery and Reinvestment Act of 2009 ..... 610
  HIPAA Compliance Tool ..... 610
  Data Use Agreement for Limited Data Set ..... 611
Loop ..... 612
  Transaction Standards and Code Sets ..... 612
  Loop Defined ..... 612
  Required and Situational Loops ..... 612
  Examples ..... 613
Marketing Under HIPAA ..... 613
  Privacy—45 CFR §164.508(a)(3) ..... 613
  Definition of Marketing ..... 614
  Exceptions to the Definition ..... 614
  American Recovery and Reinvestment Act of 2009 ..... 614
  OCR Frequently Asked Questions ..... 615
NCPDP Format ..... 617
  Transactions and Code Sets—45 CFR §162.1102 ..... 617
  Details on the Standards ..... 617
NDC ..... 621
  Transactions and Code Sets—45 CFR §162.1002 ..... 621
  Requirements ..... 621
  The Code Set ..... 621
Notice of Privacy Practices ..... 622
  Privacy—45 CFR §164.520 ..... 622
  Who Must Receive the Notice ..... 622
  Good-Faith Effort to Obtain Written Acknowledgment of Receipt ..... 623
  Content Requirements ..... 623
  Request for Restrictions on Use or Disclosure and Confidential Communication ..... 625
  Documentation of Compliance ..... 625
  Emergency Treatment ..... 625
Paper Transactions ..... 626
  Transactions and Code Sets ..... 626
Payment ..... 627
  Privacy—45 CFR §164.500 ..... 627
  Definition of Payment ..... 627
  Payment and the Standard Transactions ..... 627
  Required, Situational, and Optional Data Elements Compared ..... 628
Personal Representatives ..... 629
  Privacy—45 CFR §164.502(g) ..... 629
  Who Must Be Recognized As a Personal Representative ..... 629
  Parents and Unemancipated Minors ..... 629
  Abuse, Neglect, and Endangerment Situations ..... 630
Pre-emption ..... 631
  Privacy—45 CFR §160 Subpart B ..... 631
  Exceptions to the Pre-emption Standards ..... 631
  Sample Analysis ..... 631
  New York State Office of Mental Health HIPAA Pre-emption Analysis ..... 632
Privacy and Litigation ..... 635
  Subpoena of Records in Qui Tam and Class Action ..... 635
Privacy Rule ..... 635
  Privacy—45 CFR Parts 160 & 164 ..... 635
  Purpose of Privacy Regulations ..... 635
  Fundamental Concepts ..... 636
Protected Health Information ..... 639
  Privacy—45 CFR §164.501 ..... 639
Provider Identifiers ..... 639
  Unique Identifiers—45 CFR §162.402-414 ..... 639
  Final Rule ..... 639
  Other Provisions of the Final Rule ..... 640
Psychotherapy Notes ..... 641
  Privacy—45 CFR §164.508(a)(2) ..... 641
  Definition of Psychotherapy Notes ..... 641
  Maintaining Psychotherapy Notes ..... 641
  Use and Disclosure Requirements ..... 641
  Authorization Exceptions ..... 642
  Patient Right to Access ..... 642
Red Flags Rule ..... 642
  General ..... 642
  Questions and Answers About the Red Flags Rule ..... 643
Required Safeguards ..... 645
  Privacy—45 CFR §164.530(c) ..... 645
  Where Privacy and Security Overlap ..... 645
  Administrative Safeguards ..... 645
  Physical Safeguards ..... 646
  Technical Safeguards ..... 646
Retail Pharmacy ..... 646
  Transactions and Code Sets ..... 646
  Frequently Asked Questions ..... 646
Reviews of Compliance by the Office of Inspector General ..... 647
Security Rule ..... 648
  Security—45 CFR Parts 160, 162 and 164 ..... 648
  Security Safeguard Groupings ..... 648
  Overlap Between Safeguards ..... 649
  The Five General Organizational Obligations Established by the Security Rule ..... 649
  Covered Entity Legal Obligations Under Federal Law ..... 650
  American Recovery and Reinvestment Act of 2009 ..... 650
Security Standards Matrix ..... 650
Small Provider Exemption ..... 652
  Transactions and Code Sets ..... 652
Standard Setting Organization ..... 652
  Transactions and Code Sets—45 CFR §160.102 ..... 652
  Details on SSOs ..... 652
  DSMOs ..... 652
Standards ..... 653
  General ..... 653
Trading Partner ..... 654
  Transactions and Code Sets—45 CFR §162.915 ..... 654
  Definition of a Trading Partner ..... 654
  Examples of Trading Partner Relationships ..... 654
  Trading Partner Agreements ..... 654
Training Requirements ..... 655
  General—45 CFR §164.530(b), 164.308(a)(5) ..... 655
  Privacy Training ..... 655
  Security Training ..... 655
  NIST Resource Guide ..... 656
  Other Educational Options ..... 657
Transaction Standards ..... 659
  Transactions and Code Sets ..... 659
  Health Plan Requirements ..... 660
  Mandatory Submission of Claims Electronically to Medicare ..... 660
  Use of Healthcare Clearinghouses in the Transaction Process ..... 661
  Content of HIPAA Transaction Standards ..... 661
  Approved Transactions ..... 663
  270/271 ..... 665
  275/277 ..... 666
  276/277 ..... 666
  278 ..... 666
  820 ..... 667
  834 ..... 667
  835 ..... 667
  837 ..... 667
  Claims Attachment ..... 668
  Top Errors Found in 5010 Testing ..... 669
Treatment ..... 671
  Privacy—45 CFR §164.501 ..... 671
  Definition of Treatment ..... 671
Verification Requirements ..... 671
  Privacy—45 CFR §164.504 ..... 671
  Verification Scenarios ..... 672
  Example Situations and Suggested Protocols ..... 673
Index ..... 675
© 2018 Optum360, LLC 17
HIPAA Privacy Standards
Overview of HIPAA Privacy Requirements
The purpose of HIPAA’s privacy requirements is threefold:
To restrict the unwarranted disclosure of sensitive personal information
To give individuals greater control over access to sensitive personal information, including the specific information that can be disclosed, to whom, and how it may be used
To enable providers to use the personal information they need to make treatment decisions and to meet their obligations to patients and regulatory and law enforcement agencies
Scope of the HIPAA Privacy Standards
The HIPAA requirements apply to “individually identifiable health information,” which essentially means:
Information that describes the health status of an individual, including basic demographics and the use of medical services
Information that either identifies, or can be used to identify, an individual
Individually identifiable health information is defined more fully under the heading “Understanding Protected Health Information” in this chapter.
Unlike the HIPAA transaction standards, the privacy standards apply to all individually identifiable health information that is collected, maintained, or transmitted by a healthcare provider. The privacy standards are not limited to information that is transmitted electronically as part of a standard HIPAA transaction.
Notice, Authorization, Accounting, and Amendment
HIPAA establishes a complex set of requirements that include:
Providing the patient with a “notice of privacy practices” form that outlines a provider’s privacy practices, and obtaining the patient’s acknowledgment of receiving the notice
Obtaining a patient’s specific authorization to use or disclose personal information for purposes that are not included in treatment, payment, and healthcare operations
Providing the patient, upon request, with an accounting of disclosures of protected health information
Giving the patient access to his or her protected health information and providing an opportunity to request corrections in that information
Complicating the situation for physicians is a HIPAA provision that allows patients to request restrictions on the use of sensitive health information beyond the terms of a normal consent arrangement. This provision empowers patients to request restrictions on the specific persons and organizations to whom their information is disclosed, and to request that communications with the provider be conducted on
Privacy Model Policies and Procedures
Creating a HIPAA Privacy Compliance Plan
Whether you are looking to build a new HIPAA privacy compliance plan or simply update your current plan, it is important to keep certain elements in mind. The root of all compliance activities is formed by the seven elements of a compliance program as outlined in the U.S. Sentencing Guidelines from the United States Sentencing Commission:
Standards and procedures
Oversight by an appropriate official
Education and training
Auditing and monitoring
Open lines of communication
Enforcement and discipline
Response and prevention
These seven elements are used by compliance programs in many industries and are effective building blocks of a strong compliance function. Those who build upon each element will have strong HIPAA compliance programs moving forward.
The first step in building a compliance program is to assign someone as the HIPAA privacy official. Depending on the size of the organization, this may be a full-time role, or it may be added to the existing activities of another person’s role such as the practice administrator or health information management director.
Once an appropriate official has been named to oversee the activities of the HIPAA privacy compliance program, the organization should begin to work on the other aspects of its program. A good place to begin is in the standards and procedures area, with development of a policy and procedure manual. Typically, the other elements fall into line during manual development. Immediately following this section is a large section of HIPAA privacy policies and procedures that can be used in developing a policy and procedure manual. These are just “generic” policies and procedures, however; they must be customized for each organization.
Education and training under HIPAA privacy is an important required element under the regulations but is also vital to continued compliance. Without ongoing education and reminders, staff can become complacent with protected health information and violations can occur. In the “Employee Training and Education” section of this book, there are resources for training, as well as tests that can be given to staff to assess their HIPAA privacy knowledge.
Auditing and monitoring is an essential element of any compliance program. The process of auditing and monitoring uncovers issues with potential gaps in compliance so that they may be addressed and corrected. The “Conducting Internal
Security Regulations In-Depth
Overview
The HIPAA Security Rule establishes a total of 22 security safeguard standards. These standards are grouped under the headings of administrative safeguards, physical safeguards, technical safeguards, organizational requirements, policies and procedures, and documentation requirements. The 22 security safeguard standards define 42 implementation specifications, which are more detailed statements of what must be done to comply with the standard. Of these 42 specifications, 20 are “required,” and 22 are “addressable.”
Administrative Safeguards

Standard                                    Section         Implementation Specifications
                                                            (R) = Required, (A) = Addressable
Security Management Process                 164.308(a)(1)   Risk analysis (R)
                                                            Risk management (R)
                                                            Sanction policy (R)
                                                            Information system activity review (R)
Assigned Security Responsibility            164.308(a)(2)   (R)
Workforce Security                          164.308(a)(3)   Authorization and/or supervision (A)
                                                            Workforce clearance procedure (A)
                                                            Termination procedure (A)
Information Access Management               164.308(a)(4)   Isolating healthcare clearinghouse function (R)
                                                            Access authorization (A)
                                                            Access establishment and modification (A)
Security Awareness and Training             164.308(a)(5)   Security reminders (A)
                                                            Protection from malicious software (A)
                                                            Log-in monitoring (A)
                                                            Password management (A)
Security Incident Procedures                164.308(a)(6)   Response and reporting (R)
Contingency Plan                            164.308(a)(7)   Data backup plan (R)
                                                            Disaster recovery plan (R)
                                                            Emergency mode operation plan (R)
                                                            Testing and revision procedure (A)
                                                            Applications and data criticality analysis (A)
Evaluation                                  164.308(a)(8)   (R)
Business Associate Contracts and            164.308(b)(1)   Written contract or other arrangement (R)
Other Arrangements
Identifiers Model Policies and Procedures
Compliance Checklist
Yes No Every member of the professional staff has a valid and current NPI.
List every member of the practice who bills for services:
Yes No ___________________________________
Yes No ___________________________________
Yes No ___________________________________
Yes No ___________________________________
Yes No ___________________________________
Yes No ___________________________________
Yes No ___________________________________
Yes No ___________________________________
Yes No ___________________________________
Yes No ___________________________________
Yes No ___________________________________
Yes No ___________________________________
Yes No ___________________________________
Yes No ___________________________________
Yes No ___________________________________
Yes No ___________________________________
Yes No ___________________________________
Yes No ___________________________________
Yes No ___________________________________
Yes No ___________________________________
Yes No ___________________________________
Yes No ___________________________________
Yes No Staff responsible for conducting the standard transactions have been given guidance on when to use each identifier.
Employee Training and Education
Slide 8
The “Notice of Privacy Practices” is the primary vehicle HIPAA created for telling patients how practices will use their medical information.
The Notice also describes the rights of patients to authorize certain uses and disclosures of information, to request an accounting of certain uses and disclosures, to inspect their own records, and to request corrections in information.
HIPAA requires you to give the notice to every patient when they first visit the medical practice. You are required to make what HIPAA calls a “good faith effort” to obtain a written acknowledgment from the patient that he or she has been given a copy of the notice.
Slide 9
You are required to obtain a patient’s authorization to use or disclose their protected health information for a purpose other than treatment, payment, and support of the healthcare operations of the practice.
Examples of use and disclosure that require authorization are research studies and the sale of mailing lists to other organizations.
An authorization must identify the information to be disclosed or used, how the information will be used, and who will use it. The authorization must be signed by the patient or by the patient’s representative if the patient is unable to sign it.
Conducting Internal HIPAA Audits
Making the Case for HIPAA Auditing
The foundation of all good compliance programs—whether they address compliance with the government’s rules on coding and billing or health information privacy and security—is auditing and monitoring. Any good audit program helps an entity maintain compliance with whatever area the auditor is examining.
Although there are no set guidelines for auditing an existing Health Insurance Portability and Accountability Act program, two standards within the security rule require some form of auditing. If an organization has a HIPAA program in place, these areas should already be an active part of their HIPAA processes.
Section 164.308(a)(1)(ii)(D), Information system activity review (Required): Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
Section 164.312(b), Audit controls: Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
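The two standards above say that activity records must be kept and regularly reviewed, but not what a review looks like. The following is an added example, not part of the tool kit and not code from any vendor system, of a small information-system-activity review run over a constructed ePHI access log. The log format, the field names, the active-workforce roster, the surname lookups, the 20:00–06:00 off-hours window and the numeric thresholds are all assumptions chosen for illustration; a practice would substitute its own EHR audit-log format and its own reasonable-and-appropriate thresholds from its risk analysis. The four checks correspond to points the Security Rule itself names: use of an account that should have been terminated (workforce termination procedure), lookups of a patient sharing the user’s surname (a common minimum-necessary review rule), high-volume record viewing outside business hours, and repeated failed log-ins (log-in monitoring).

```python
"""Constructed example: reviewing an ePHI access log for 164.308(a)(1)(ii)(D)."""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample audit log (illustrative only; not from any real system).
# One event per line: timestamp user role action patient_id workstation result
SAMPLE_LOG = """\
2019-03-04T09:12:03 jdoe nurse VIEW P10001 WS-12 OK
2019-03-04T09:15:44 jdoe nurse VIEW P10002 WS-12 OK
2019-03-04T13:02:10 rlee billing VIEW P10001 WS-30 OK
2019-03-04T23:41:09 mkhan clerk VIEW P10003 WS-07 OK
2019-03-04T23:42:30 mkhan clerk VIEW P10004 WS-07 OK
2019-03-04T23:44:01 mkhan clerk VIEW P10005 WS-07 OK
2019-03-04T23:45:27 mkhan clerk VIEW P10006 WS-07 OK
2019-03-04T23:47:55 mkhan clerk VIEW P10007 WS-07 OK
2019-03-05T08:01:00 tgone nurse VIEW P10009 WS-02 OK
2019-03-05T08:05:12 avaz scheduler LOGIN - WS-12 FAIL
2019-03-05T08:05:40 avaz scheduler LOGIN - WS-12 FAIL
2019-03-05T08:06:02 avaz scheduler LOGIN - WS-12 FAIL
2019-03-05T08:06:30 avaz scheduler LOGIN - WS-12 FAIL
2019-03-05T08:07:01 avaz scheduler LOGIN - WS-12 FAIL
2019-03-05T08:07:33 avaz scheduler LOGIN - WS-12 OK
"""

# Constructed reference data. In practice these come from the HR roster
# (who is still employed) and the patient index (surname per record).
ACTIVE_WORKFORCE = {"jdoe", "rlee", "mkhan", "avaz"}   # "tgone" was terminated
USER_SURNAME = {"jdoe": "Doe", "rlee": "Lee", "mkhan": "Khan",
                "avaz": "Vaz", "tgone": "Gone"}
PATIENT_SURNAME = {"P10001": "Smith", "P10002": "Doe", "P10003": "Ortiz",
                   "P10004": "Chen", "P10005": "Patel", "P10006": "Brown",
                   "P10007": "Nguyen", "P10009": "Diaz"}

# Assumed review parameters; a real practice sets these from its risk analysis.
AFTER_HOURS = (time(20, 0), time(6, 0))     # off-hours window, wraps midnight
AFTER_HOURS_RECORD_THRESHOLD = 5            # distinct charts viewed off-hours
FAILED_LOGIN_THRESHOLD = 5                  # failed log-ins per user


def parse_log(text):
    """Parse the whitespace-separated sample format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, action, patient, workstation, result = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts), "user": user, "role": role,
            "action": action, "patient": None if patient == "-" else patient,
            "workstation": workstation, "result": result,
        })
    return events


def is_after_hours(ts):
    """True if the timestamp falls in the off-hours window (which wraps midnight)."""
    start, end = AFTER_HOURS
    t = ts.time()
    return t >= start or t < end


def review(events, active_workforce, user_surname, patient_surname):
    """Return a list of (finding_type, user, detail) tuples for a reviewer."""
    findings = []
    after_hours_patients = defaultdict(set)
    failed_logins = defaultdict(int)
    for ev in events:
        if ev["user"] not in active_workforce:
            findings.append(("inactive_account", ev["user"], ev["ts"].isoformat()))
        if ev["action"] == "VIEW" and ev["patient"]:
            u = user_surname.get(ev["user"])
            p = patient_surname.get(ev["patient"])
            if u and u == p:   # guard: two unknown names must not match
                findings.append(("same_surname", ev["user"], ev["patient"]))
            if is_after_hours(ev["ts"]):
                after_hours_patients[ev["user"]].add(ev["patient"])
        if ev["action"] == "LOGIN" and ev["result"] == "FAIL":
            failed_logins[ev["user"]] += 1
    for user, patients in after_hours_patients.items():
        if len(patients) >= AFTER_HOURS_RECORD_THRESHOLD:
            findings.append(("after_hours_volume", user, len(patients)))
    for user, n in failed_logins.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            findings.append(("failed_logins", user, n))
    return findings


def review_sample():
    """Run the review over the constructed sample log."""
    return review(parse_log(SAMPLE_LOG), ACTIVE_WORKFORCE,
                  USER_SURNAME, PATIENT_SURNAME)


if __name__ == "__main__":
    for finding in review_sample():
        print(*finding)
```

Each finding is a lead for a human reviewer, not a conclusion: a nurse viewing a relative's chart may have a treatment relationship, and a clerk working late may be covering a shift. The point of the procedure is that the questions get asked on a schedule and the answers are documented, which is what an auditor will look for under 164.308(a)(1)(ii)(D).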
Beginning in 2011 the Office for Civil Rights (OCR) established a pilot audit program to determine if covered entities (CE) and business associates (BA) had implemented HIPAA privacy, security, and breach notification programs as required by HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act and to assess if the guidelines and processes that were established by the CE comply with the rules. If the Department of Health and Human Services (HHS) and the OCR feel it is necessary to audit these programs, then so should covered entities.
Proof of the need for ongoing auditing and monitoring is evident in OCR’s findings from the initial pilot audits conducted in 2012. At the joint OCR and National Institute of Standards and Technology (NIST) conference, “Safeguarding Health Information: Building Assurance Through HIPAA Security,” held in September 2014, the OCR reported that “58 out of the 59 healthcare providers audited had at least one negative finding regarding security rule compliance, 56 percent became aware of additional HIPAA regulations that apply to their organizations, and two-thirds of all entities had no complete or accurate risk assessment program.” Based on the less-than-flattering findings from these phase one audits, the OCR will continue to step up HIPAA enforcement.
On March 21, 2016, as part of the continued efforts by the OCR to assess compliance by covered entities and their business associates with the HIPAA Privacy, Security and Breach Notification rules, the OCR began Phase 2 of the audits. Phase 2 audits review policies and procedures written and implemented by the covered entity and its business associates regarding selected standards and specifications of the Privacy, Security, and Breach Notification rules. Additional information about Phase 2 of the OCR audit program can be found
IMPORTANT: An entity relying on its own complaint/grievance process to catch instances of noncompliance could be missing processes that violate HIPAA rules.
IMPORTANT: Two-thirds of covered entities audited did not perform a complete or accurate risk assessment. Remember, some standards are required and some are addressable. “Required” means the policies and/or procedures must be implemented. “Addressable” means the CE must assess if the standard is “reasonable and appropriate” for the environment. A risk assessment is a required element of the security rule and includes a risk analysis [164.308(a)(1)(ii)(A)] and risk management [164.308(a)(1)(ii)(B)].
Implementation Guides
Transactions and Code Sets—45 CFR §162.920
The standards for electronic transactions regulations give general information on which standards have been named for which types of transactions. Further detail on the transactions themselves can be found in the implementation specifications, also called implementation guides.
Within this topic, the following will be discussed:
Implementation guides
Details on the specifications
ASC X12N specifications
Retail pharmacy specifications
Companion guides
Implementation Guides
Each type of transaction has a separate implementation guide, which is available through sources listed in the regulation. These guides give detailed instructions on how to implement the standard, what data elements are included, and additional information important to properly trading information via electronic data interchange using these standards. Since the version 4010 specifications transitioned to the version 5010 specifications, there are no longer “Implementation Guides.” The new documents are called the “Technical Reports Type 3,” or TR3.
Details on the Specifications
Following is information on how to find out which implementation guides are available for which transactions.
The Washington Publishing Company specifications are available online at http://www.wpc-edi.com. The company can also be contacted at:
Washington Publishing Company
PMB 161
5284 Randolph Road
Rockville, MD 20852-2116
Telephone: (301) 949-9740
Fax: (301) 949-9742
The TR3 documents for version 5010 are available from the Washington Publishing Company, as well as change description guides for version 5010. The previous version 4010 implementation guides are available there as well.
Retail Pharmacy Specifications
The Telecommunication Standard Implementation Guide, version 5, release 1 (version 5.1), September 1999, National Council for Prescription Drug Programs
The Telecommunication Standard Implementation Guide version D.0, July 2007, National Council for Prescription Drug Programs (Effective for January 1, 2012 claims)
The Batch Standard Batch Implementation Guide, version 1, release 1 (version 1.1), January 2000, National Council for Prescription Drug Programs
Privacy and Litigation
Subpoena of Records in Qui Tam and Class Action
Although the privacy rule is comprehensive in nature, there are gray areas where specific situations are not addressed. The subpoena of records in qui tam and class action suits is currently under scrutiny in several states. The issues center around:
Entities not designated as a “covered entity”
Pre-emption of state or federal law
Informal discovery, which is not addressed under HIPAA
A covered entity is defined in HIPAA as providers, payers, and clearinghouses. Current HIPAA law does not specifically address issues of release of protected health information (PHI) to noncovered entities, specifically when requested by properly executed subpoenas.
Privacy Rule
Privacy—45 CFR Parts 160 & 164
Healthcare providers, health plans, and healthcare clearinghouses collect, process, transmit, and store vast amounts of sensitive personal information on patients, health plan subscribers, and beneficiaries of public health programs. How should this information be disclosed? To whom? Under what circumstances—and with what restrictions?
In this section we will discuss:
Purpose of privacy regulations
Protected health information
Use of protected health information
Disclosure of protected health information
Minimum necessary use and disclosure
Purpose of Privacy Regulations
The fundamental purpose of the privacy rule is to set a federal “floor” of basic protections to prevent those who do not need identifiable health information from accessing or using it for purposes never intended or known of by the individual who is the subject of that information. The privacy rule sets forth certain patient rights:
The right to request restrictions on the disclosure of their health information
The right to access and obtain a copy of the patient’s health information stored in a designated record set
The right to request amendment to the patient’s health information stored in a designated record set
The right to obtain an accounting of certain disclosures that are not for treatment, payment, and healthcare operations (or otherwise)
The right to complain of any violation of the privacy rule
Index
A
abuse, neglect, and endangerment 30, 630
  reporting 92
access control
  NIST resource guide 301
access report 44, 186, 261, 440, 500
access to data 302
accounting for disclosures 43, 47, 153, 363, 368, 381, 419, 499
  access report 44
Accredited Standards Committee 489
  ASC defined 489
  ASC’s role under HIPAA 489
  mission of the ASC 489
  principles of the ASC 489, 490
  X12 EDI 489
adjudication 339
administrative safeguards 196, 264, 439, 495, 645
  standards
    assigned security responsibility 645
    business associate contracts 645
    contingency plan 645
    evaluation 645
    information access management 645
    security incident procedures 645
    security management process 645
administrative simplification 3, 15, 330, 490
  code sets 494
  covered entities
    minimum necessary 491
    requirements
      notify 491
      TPO 491
  electronic submissions
    certification and authorization of referrals 493
    claim status 493
    coordination of benefits 493
    enrollment and disenrollment 493
    health insurance plan 493
    premium payments 493
    remittance advice 493
  identifiers 496
  privacy standards 491
    after implementation 492
    monitoring compliance 492
    Office for Civil Rights (OCR) 492
    sanctions 492
    requirements
      good-faith effort 491
      notice of privacy practices 491
      privacy procedures 491
      secure patient records 492
      training 492
  security standards 494
    safeguards 495
  transaction standards and code sets 492
    electronic submissions 493
      claims
        Medicaid 493
        Medicare 493
      clearinghouses 493
      encounter information 493
      HIPAA compliant claims 493
      payment policies 493
    electronic transfer 492
    standards 492
Administrative Simplification Compliance Act (ASCA) 330, 497, 528, 550, 660
  covered entity 497
  definition 497
  electronic claims 497
  model compliance plan 497
affiliated covered entities 55, 530
American Dental Association (ADA) 7, 11, 357, 506, 512
American Medical Association (AMA) 11, 318, 358, 506, 510
American National Standards Institute (ANSI) 489, 502
American National Standards Institute (ANSI)—see ANSI
American Recovery and Reinvestment Act (ARRA) 47, 381, 498, 500, 501, 575, 590, 614
  accounting for disclosures 43, 363
  business associate 40
ANSI 490, 502
  approved versions 503
  ASC X12N 502
  definition 502
  future 504
  mission 502
  standards-setting organizations 502
approved transactions 663
ARRA/HITECH Act 498, 500, 501
ASC X12N 503
  Accredited Standards Committee 503
  approved standards 503