HIPAA Assessment Proposal Creation Questionnaire
www.fcg.com
Primary Contact: Coordinator of the assessment and recipient of proposal.
Name
Title
Phone
E-mail
Fax
Mailing Address
Compliance Officer: Primary recipient of all assessment results
Name, Title
Phone
E-mail
Fax
Mailing Address
Privacy Official: Primary recipient of all privacy assessment results
Name, Title
Phone
E-mail
Fax
Mailing Address
Security Official: Primary recipient of all security assessment results
Name, Title
Phone
E-mail
Fax
Mailing Address
EDI Lead: Primary recipient of all EDI assessment results
Name, Title
Phone
E-mail
Fax
Mailing Address
575 East Swedesford Road, Wayne, PA 19087 - 610/989-7000 610/989-7100
Legal Entities: Please list all legal entities of the corporation
Name, Employee Census
Name, Employee Census
Name, Employee Census
Name, Employee Census
Name, Employee Census
Total employee census for all Legal Entities:
Scope Information: Please select each item for which a proposal is desired
EDI Review – includes a review of existing electronic data interfaces pertaining to the nine named transactions in the HIPAA regulations. Also includes a software application and business process review regarding the code sets and standard identifiers that are currently in use.
Security Review – includes a review of Administrative Safeguards, Physical Safeguards, and Technical Safeguards as related to electronic protected health information. Also includes a review of Organizational and Documentation Requirements as specified in the HIPAA regulations.
Additional Security Review – Through our partnership with RedSiren, Inc., FCG offers network penetration and vulnerability services.
External Network Penetration Testing – evaluates the security posture of the organization’s external points of entry, identifies and examines vulnerabilities, determines associated risk areas, and offers remediation alternatives.
Internal Network and Host Vulnerability Assessment – evaluates the security posture of the organization’s internal network, identifies and examines vulnerabilities, determines associated risk areas, and offers remediation alternatives.
Privacy Review – FCG’s HIPAA assessment covers three key components described below. Please indicate which components your organization is requesting.
Policies and Procedure Review – evaluates current policies and procedures associated with handling member identifiable information including but not limited to disclosure, handling of medical records, release of information, etc.
Business Partner Agreement Review – evaluates current agreements with your business partners that handle member identifiable information to ensure appropriate safeguards are in place.
Business Process Information Flows – evaluates current processes, identifies internal and external sharing of member identifiable information to ensure appropriate safeguards are in place and training needs are identified.
Technology Information
Columns: Legal Entity/Organization; Application Name (Hosting patient/member information); EDI interfaces (Electronic interfaces)
1)
2)
3)
4)
5)
Question Response
With how many outside entities do you exchange electronic data?
Do you have accurate documentation on each EDI interface/link? Please Select
Do you have a current application inventory? Please Select
How is the IS function organized within your organization? Please Select
Does the IS function administer and maintain all applications and EDI interfaces/links identified on this form? Please Select
How is the security function organized within your organization? Please Select
Do all entities indicated on this form adhere to the same security-oriented policies and procedures? Please Select
Is security awareness training provided to the entire employee census indicated on this form? Please Select
How many data centers are used by your organization?
How many data centers will be included in the assessment?
Do you have accurate network diagrams? (If so, please include with this form.) Please Select
Which network protocols (e.g., TCP/IP, IPX) are used for internal network communications?
EDI Information
In order to effectively scope out the EDI component of our HIPAA assessment, FCG needs a good understanding of your organization’s business and systems environment as well as information about any internal reviews that may have already taken place. The questions below are intended to serve as a base for providing this information.
FCG’s assessment of an organization’s level of compliance with the HIPAA electronic transmission standards falls into 3 main categories:
1) The ability of current business processes to support the electronic transaction and code set standards
2) The ability of current software applications to support these standards
3) The current state of the applicable financial and administrative transactions themselves
Business Overview Questions (e.g., How will HIPAA impact all major processes & departments in your organization?) Response
Has your organization assessed the role of HIPAA on these business processes and identified potential impacts from an IT and a business perspective? Please Select
Has your organization identified the business benefits of HIPAA compliance? Please Select
Has your organization estimated any cost for HIPAA compliance? Please Select
Has your organization identified any action steps necessary to become compliant? Please Select
Has your organization identified and inventoried your vendors, business associates, and other trading partners? Please Select
If so, has your organization identified what steps must be taken to ensure HIPAA compliance of these vendors, business associates, and other trading partners? Please Select
Organizational Structure Questions Response
What is the corporate structure of your organization? Please Select
Can you provide organizational charts and a list of business functions performed at each site? Please Select
Does your organization currently have a Project Management Office (PMO) in place? Please Select
Are the business services functions centralized or decentralized (i.e., to what degree does each of the entities within your organization have autonomy over business resources and processes)? Please Select
Transaction Types table. Columns: Transaction Types; Current Format and Version (example – X12 837 v 3051, NSF 3.01, UB92 5.0, HCFA 1500, or Proprietary version of any of the above); Type of Media (Electronic / Paper-based / Both); Transmission Method (EDI translator / Email / CD, Diskette, Tape / Other); Interface Engine
Claims: Elec
Enrollment/Disenrollment: N/A
Eligibility: Elec
Payment and Remittance: Elec
Premium Payment: N/A
Claim Status: Elec
Referral and Authorization: N/A
Transaction and Code Set Questions Response
For the transactions listed above, can transaction set formats and versions be provided for both X12 and proprietary transactions? Please Select
Can your organization provide a list of external clearinghouses that are being used to translate these transactions? Please Select
Does your organization operate its own transaction clearinghouse? Please Select
Regarding HIPAA identifiers, many of the numbering schemes have yet to be finalized. For example, final regulations have not been issued for the Employer Identification Number (EIN) or Provider Identifier (NPI). FCG has current knowledge / intelligence regarding the anticipated format for these identifiers. As part of the assessment, would your organization like us to use this knowledge or would you like to substitute other assumptions? Please Select
Changes to the identifiers listed above will likely impact current electronic transactions, business processes and application systems. Has your organization performed any review to determine the extent of this impact as far as necessary code changes or user training? If so, please indicate. Please Select
Changes to standardized code sets (ICD-9, CPT-4, NDC, CDT-2, HCPCS) will likely impact current electronic transactions, business processes and application systems. Has your organization performed any review to determine the extent of this impact as far as necessary code changes or user training? If so, please indicate. Please Select
Which HIPAA standard code sets are currently in use? CPT-4, ICD-9, CDT-2, HCPCS or NDC? Are proprietary codes in use as well?
Does your organization currently use local coding schemes (e.g., HCPCS level 3 codes)? Please Select
Which, if any, non-HIPAA health care transaction sets are you currently transmitting?
Has your organization identified the third party EDI toolsets, such as EDI Editors, EDI Mappers and Code Scanners, that you plan to use during the HIPAA analysis or compliance effort? Please Select
Application table. Columns: Name of Application using Electronic Transmission; What department maintains application?; Frequency of Electronic Transmission?; Documented policies, procedures, and user guides available?; Documented flow diagrams available? (Illustrate the flow of data into, through and out of the application)
1) Please Select Please Select Please Select
2) Please Select Please Select Please Select
3) Please Select Please Select Please Select
4) Please Select Please Select Please Select
5) Please Select Please Select Please Select
6) Please Select Please Select Please Select
7) Please Select Please Select Please Select