HIPAA Assessment Proposal Creation Questionnaire
www.fcg.com


Primary Contact: Coordinator of the assessment and recipient of proposal.

Name
Title
Phone
E-mail
Fax
Mailing Address



Compliance Officer: Primary recipient of all assessment results

Name, Title
Phone
E-mail
Fax
Mailing Address



Privacy Official: Primary recipient of all privacy assessment results

Name, Title
Phone
E-mail
Fax
Mailing Address



Security Official: Primary recipient of all security assessment results

Name, Title
Phone
E-mail
Fax
Mailing Address



EDI Lead: Primary recipient of all EDI assessment results

Name, Title
Phone
E-mail
Fax
Mailing Address




575 East Swedesford Road, Wayne, PA 19087 - 610/989-7000 610/989-7100


Legal Entities: Please list all legal entities of the corporation

Name, Employee Census
Name, Employee Census
Name, Employee Census
Name, Employee Census
Name, Employee Census



Total employee census for all Legal Entities:








Scope Information: Please select each item for which a proposal is desired

EDI Review – includes a review of existing electronic data interfaces pertaining to the nine named transactions in the HIPAA regulations. Also includes a software application and business process review regarding the code sets and standard identifiers that are currently in use.

Security Review – includes a review of Administrative Safeguards, Physical Safeguards, and Technical Safeguards as related to electronic protected health information. Also includes a review of Organizational and Documentation Requirements as specified in the HIPAA regulations.

Additional Security Review – Through our partnership with RedSiren, Inc., FCG offers network penetration and vulnerability services.

    External Network Penetration Testing – evaluates the security posture of the organization's external points of entry, identifies and examines vulnerabilities, determines associated risk areas, and offers remediation alternatives.

    Internal Network and Host Vulnerability Assessment – evaluates the security posture of the organization's internal network, identifies and examines vulnerabilities, determines associated risk areas, and offers remediation alternatives.

Privacy Review – FCG's HIPAA assessment covers three key components described below. Please indicate which components your organization is requesting.

    Policies and Procedure Review – evaluates current policies and procedures associated with handling member identifiable information, including but not limited to disclosure, handling of medical records, release of information, etc.

    Business Partner Agreement Review – evaluates current agreements with your business partners that handle member identifiable information to ensure appropriate safeguards are in place.

    Business Process Information Flows – evaluates current processes, identifies internal and external sharing of member identifiable information to ensure appropriate safeguards are in place and training needs are identified.







Technology Information

Legal Entity/Organization    Application Name (hosting patient/member information)    EDI interfaces (electronic interfaces)
1)
2)
3)
4)
5)


Question                                                                                               Response

With how many outside entities do you exchange electronic data?
Do you have accurate documentation on each EDI interface/link?                                         Please Select
Do you have a current application inventory?                                                           Please Select
How is the IS function organized within your organization?                                             Please Select
Does the IS function administer and maintain all applications and EDI interfaces/links identified on this form?    Please Select
How is the security function organized within your organization?                                       Please Select
Do all entities indicated on this form adhere to the same security-oriented policies and procedures?    Please Select
Is security awareness training provided to the entire employee census indicated on this form?          Please Select
How many data centers are used by your organization?
How many data centers will be included in the assessment?
Do you have accurate network diagrams? (If so, please include with this form.)                         Please Select
Which network protocols (e.g., TCP/IP, IPX) are used for internal network communications?






EDI Information

In order to effectively scope out the EDI component of our HIPAA assessment, FCG needs a good
understanding of your organization’s business and systems environment as well as information about any
internal reviews that may have already taken place. The questions below are intended to serve as a base for
providing this information.

FCG’s assessment of an organization’s level of compliance with the HIPAA electronic transmission
standards falls into 3 main categories:
    1) The ability of current business processes to support the electronic transaction and code set
       standards
    2) The ability of current software applications to support these standards
    3) The current state of the applicable financial and administrative transactions themselves


Business Overview Questions (e.g., how will HIPAA impact all major processes and departments in your organization?)    Response

Has your organization assessed the role of HIPAA on these business processes and identified potential impacts from an IT and a business perspective?    Please Select
Has your organization identified the business benefits of HIPAA compliance?    Please Select
Has your organization estimated any cost for HIPAA compliance?    Please Select
Has your organization identified any action steps necessary to become compliant?    Please Select
Has your organization identified and inventoried your vendors, business associates, and other trading partners?    Please Select
If so, has your organization identified what steps must be taken to ensure HIPAA compliance of these vendors, business associates, and other trading partners?    Please Select


Organizational Structure Questions                                                             Response

What is the corporate structure of your organization?    Please Select
Can you provide organizational charts and a list of business functions performed at each site?    Please Select
Does your organization currently have a Project Management Office (PMO) in place?    Please Select
Are the business services functions centralized or decentralized (i.e., to what degree does each of the entities within your organization have autonomy over business resources and processes)?    Please Select






Transaction Types    Type of Media (Electronic / Paper-based / Both)    Current Format and Version (example – X12 837 v 3051, NSF 3.01, UB92 5.0, HCFA 1500, or proprietary version of any of the above)    Transmission Method (Interface Engine / EDI translator / Email / CD / Diskette / Tape / Other)

Claims                        Elec
Enrollment/Disenrollment      N/A
Eligibility                   Elec
Payment and Remittance        Elec
Premium Payment               N/A
Claim Status                  Elec
Referral and Authorization    N/A




Transaction and Code Set Questions                                                             Response

For the transactions listed above, can transaction set formats and versions be provided for both X12 and proprietary transactions?    Please Select
Can your organization provide a list of external clearinghouses that are being used to translate these transactions?    Please Select
Does your organization operate its own transaction clearinghouse?    Please Select
Regarding HIPAA identifiers, many of the numbering schemes have yet to be finalized. For example, final regulations have not been issued for the Employer Identification Number (EIN) or Provider Identifier (NPI). FCG has current knowledge / intelligence regarding the anticipated format for these identifiers. As part of the assessment, would your organization like us to use this knowledge, or would you like to substitute other assumptions?    Please Select
Changes to the identifiers listed above will likely impact current electronic transactions, business processes and application systems. Has your organization performed any review to determine the extent of this impact as far as necessary code changes or user training? If so, please indicate.    Please Select
Changes to standardized code sets (ICD-9, CPT-4, NDC, CDT-2, HCPCS) will likely impact current electronic transactions, business processes and application systems. Has your organization performed any review to determine the extent of this impact as far as necessary code changes or user training? If so, please indicate.    Please Select
Which HIPAA standard code sets are currently in use? CPT-4, ICD-9, CDT-2, HCPCS or NDC? Are proprietary codes in use as well?
Does your organization currently use local coding schemes (e.g., HCPCS level 3 codes)?    Please Select
Which, if any, non-HIPAA health care transaction sets are you currently transmitting?
Has your organization identified the third-party EDI toolsets, such as EDI Editors, EDI Mappers and Code Scanners, that you plan to use during the HIPAA analysis or compliance effort?    Please Select

Name of Application using Electronic Transmission    What department maintains application?    Frequency of Electronic Transmission?    Documented policies, procedures, and user guides available?    Documented flow diagrams available? (Illustrate the flow of data into, through and out of the application)

1)                                                   Please Select    Please Select    Please Select
2)                                                   Please Select    Please Select    Please Select
3)                                                   Please Select    Please Select    Please Select
4)                                                   Please Select    Please Select    Please Select
5)                                                   Please Select    Please Select    Please Select
6)                                                   Please Select    Please Select    Please Select
7)                                                   Please Select    Please Select    Please Select



