The NM Health Policy Commission
In collaboration with NM CHILI
Presents:
The HIPAA Awareness & Preparedness Program
WHAT you need to do, and HOW to do it

www.healthlinknm.org/nmchili

Last Revised: March 3rd, 2003


                               HIPAA DESK REFERENCE

                                         TABLE OF CONTENTS

1.) Glossary of Terms ........................................................ 2
2.) HIPAA Basic Guidelines ................................................... 8
3.) HIPAA Myths & Facts ..................................................... 11
4.) Example Scenarios ....................................................... 12
5.) HIPAA Regulations ....................................................... 14
    Master HIPAA Assessment Checklist ....................................... 15
    Transactions & Code Sets ................................................ 17
    Transactions & Code Sets Implementation Checklist ....................... 21
    Model Transactions & Code Sets Compliance Plan .......................... 22
    Identifiers ............................................................. 27
    Identifiers Implementation Checklist .................................... 28
    Privacy ................................................................. 29
    Implementation Requirements ............................................. 30
    Privacy Implementation Checklist ........................................ 42
    Privacy Policies and Procedures Checklist ............................... 43
    Security ................................................................ 44
    Security Implementation Requirements .................................... 45
    Security Implementation Checklist ....................................... 52
    Security Policies and Procedures Checklist .............................. 53
6.) Sample Forms & Documents ................................................ 54
    Notice of Privacy Practices ............................................. 55
    Authorization for Use or Disclosure of Information ...................... 60
    Request for Correction/Amendment of Health Information .................. 62
    Record of Verbal Disclosure of Health Information ....................... 63
    Revocation of Authorization for Disclosure of Health Information ........ 64
    FAX Cover Letter ........................................................ 65
    Model Business Associate Contract Provisions ............................ 66
7.) Resources for Additional Information .................................... 70
8.) HIPAA Vendors ........................................................... 71






This report is intended to provide guidance and direction. This document does not confer, guarantee or create HIPAA compliance.
The information contained in this document is not intended as legal advice. A qualified attorney should be consulted prior to the
modification and/or implementation of policies, procedures and contracts.


                                        GLOSSARY OF TERMS




Administrative Simplification: Title II, Subtitle F, of HIPAA, which gives HHS the
authority to mandate the use of standards for the electronic exchange of health care data; to
specify what medical and administrative code sets should be used within those standards; to
require the use of national identification systems for health care patients, providers,
payers/plans, and employers; and to specify the types of measures required to protect the
security and privacy of personally identifiable health care information.
American National Standards Institute (ANSI): An organization that accredits various
standards-setting committees, and monitors their compliance with the open rule-making
process that they must follow to qualify for ANSI accreditation. HIPAA prescribes that the
standards mandated under it be developed by ANSI-accredited bodies whenever practical.
Business Associate (BA): A person or organization that performs a function or activity on
behalf of a covered entity, and has access to PHI in the course of performing the function or
activity, but is not part of the covered entity’s workforce. A business associate can also be a
covered entity in its own right.
Chain of Trust (COT): A term used in the proposed HIPAA Security Rule for a pattern of
agreements that extend protection of health care data by requiring that each covered entity
that shares health care data with another entity require that that entity provide protections
comparable to those provided by the covered entity, and that that entity, in turn, require that
any other entities with which it shares the data satisfy the same requirements.
Code Set: Any set of codes used to encode data elements, such as tables of terms, medical
concepts, medical diagnostic codes, or medical procedure codes. This includes both the codes
and their descriptions.
Covered Entity: A health plan, a health care clearinghouse or a health care provider who
transmits any health information in electronic form in connection with a HIPAA transaction.
Data Element: The smallest named unit of information in a transaction.
Designated Record Set: A group of records maintained by or for a covered entity that
contain:
 • The medical records and billing records about individuals maintained by or for a covered
   health care provider;
 • The enrollment, payment, claims adjudication, and case or medical management record
   systems maintained by or for a health plan; or
 • Information used by or for the covered entity to make decisions about individual health
   care treatment.


Direct Data Entry (DDE): The direct entry of data that is immediately transmitted into a
health plan’s computer.
Disclosure: The release, transfer, provision of access to, or divulging in any other manner of
information outside the entity holding the information.
Disclosure History: A list of any entities that have received IIHI for uses unrelated to
treatment and payment.
EDI Translator: A software tool for accepting an EDI transmission and converting the data
into another format, or for converting a non-EDI data file into an EDI format for
transmission.
Electronic Data Interchange (EDI): This usually means X12 and similar variable-length
formats for the electronic exchange of structured data. The term is also used broadly to mean
any electronic exchange of formatted data.
Electronic Media: Includes the Internet (wide-open), Extranet (using Internet technology to
link a business with information only accessible to collaborating parties), leased lines, dial-up
lines, private networks, and those transmissions that are physically moved from one location
to another using magnetic tape, disk, or compact disk media.
Group Health Plan: An employee welfare benefit plan that provides for medical care and
that either has 50 or more participants or is administered by another business entity.
Health Care Clearinghouse: An entity that processes or facilitates the processing of
information received from another entity in a nonstandard format or containing nonstandard
data content into standard data elements or a standard transaction, or that receives a standard
transaction from another entity and processes or facilitates the processing of that information
into nonstandard format or nonstandard data content for a receiving entity.
Health Care Operations:
1.) Conducting quality assessment and improvement activities, including outcomes
evaluation and development of clinical guidelines; population-based activities relating to
improving health or reducing health care costs, protocol development, case management and
care coordination, contacting of health care providers and patients with information about
treatment alternatives; and related functions that do not include treatment;
2.) Reviewing the competence or qualifications of health care professionals, evaluating
practitioner and provider performance, health plan performance, conducting training
programs in which students, trainees, or practitioners in areas of health care learn under
supervision to practice or improve their skills as health care providers, training of non-health
care professionals, accreditation, certification, licensing, or credentialing activities;
3.) Underwriting, premium rating, and other activities relating to the creation, renewal or
replacement of a contract of health insurance or health benefits, and ceding, securing, or
placing a contract for reinsurance of risk relating to claims for health care (including stop-
loss insurance and excess of loss insurance);
4.) Conducting or arranging for medical review, legal services, and auditing functions,
including fraud and abuse detection and compliance programs;




5.) Business planning and development (i.e., conducting cost-management and planning-
related analyses related to managing and operating the entity, including formulary
development and administration, development or improvement of methods of payment or
coverage policies);
6.) Business management and general administrative activities of the entity, including, but
not limited to:
     • Management activities relating to implementation of and compliance with HIPAA
       standards;
     • Customer service, including the provision of data analyses for policy holders, plan
       sponsors, or other customers, provided that PHI is not disclosed to such policy holder,
       plan sponsor or customer;
     • Resolution of internal grievances;
     • Due diligence in connection with the sale or transfer of assets to a potential successor
       in interest, if the potential successor in interest is a covered entity or, following
       completion of the sale or transfer, will become a covered entity;
     • Creating de-identified health information, fundraising for the benefit of the covered
       entity, and marketing for which an individual authorization is not required.
Hybrid Entity: A covered entity whose covered functions (under HIPAA) are not its
primary functions.
Individually Identifiable Health Information (IIHI): Information that:
 • Is created or received by a health care provider, health plan, employer or health care
   clearinghouse; and
 • Relates to the past, present or future physical or mental health or condition of an
   individual; the provision of health care to an individual; or the past, present or future
   payment for the provision of health care to an individual; and
     - That identifies the individual; or
     - With respect to which there is a reasonable basis to believe the information can be
       used to identify the individual.
Local Code(s): A generic term for code values that are defined for a state or other political
subdivision, or for a specific payer. This term is most commonly used to describe HCPCS
Level III Codes, but also applies to state-assigned Institutional Revenue Codes, Condition
Codes, Occurrence Codes, Value Codes, etc.
Marketing: Marketing excludes communications that are made by a covered entity:
 • For the purpose of describing the entities participating in a health care provider network
   or health plan network, or for the purpose of describing if and the extent to which a
   product or service (or payment for such product or service) is provided by a covered
   entity or included in a plan of benefits; or
 • That are tailored to the circumstances of a particular individual and the communications
   are:
     - Made by a health care provider to an individual as part of the treatment of the
       individual, and for the purpose of furthering the treatment of that individual; or





     - Made by a health care provider or plan to an individual in the course of treatment,
       or for the purpose of directing or recommending alternative treatments, therapies,
       health care providers or settings of care; or
     - Made orally or is in writing, and the covered entity does not receive remuneration
       from a third party for making the communication.
Maximum Defined Data Set: Under HIPAA, this is all of the required data elements for a
particular standard based on a specific implementation specification. An entity creating a
transaction is free to include whatever data any receiver might want or need. The recipient is
free to ignore any portion of the data that is not needed to conduct their part of the associated
business transaction, unless the inessential data is needed for coordination of benefits.
Minimum Necessary: The concept that when using or disclosing PHI (or requesting PHI
from another covered entity), a covered entity must make reasonable efforts to limit PHI to
the minimum necessary to accomplish the intended purpose of the use, disclosure or request.
National Patient ID: A system for uniquely identifying all recipients of health care services.
Sometimes referred to as the National Individual Identifier (NII), or as the Healthcare ID.
National Payer ID: A system for uniquely identifying all organizations that pay for health
care services. Also known as Health Plan ID, or Plan ID.
National Provider ID (NPI): A system for uniquely identifying all providers of health care
services, supplies, and equipment.
Organized Health Care Arrangement:
1.) An integrated health care setting in which individuals receive health care from more than
one health care provider;
2.) An organized system of health care in which more than one covered entity participates,
and in which the participating covered entities:
  (i) Hold themselves out to the public as participating in a joint arrangement; and
  (ii) Participate in joint activities that include at least one of the following:
        A.) Utilization review, in which health care decisions by participating covered entities
            are reviewed by other participating covered entities or by a third party on their behalf;
        B.) Quality assessment and improvement activities, in which treatment provided by
            participating covered entities is assessed by other participating covered entities or by
            a third party on their behalf; or
        C.) Payment activities, if the financial risk for delivering health care is shared, in
            part or in whole, by participating covered entities through the joint arrangement
            and if protected health information created or received by a covered entity is
            reviewed by other participating covered entities or by a third party on their behalf
            for the purpose of administering the sharing of financial risk.
3.) A group health plan and a health insurance issuer or HMO with respect to such group
health plan, but only with respect to protected health information created or received by such
health insurance issuer or HMO that relates to individuals who are or who have been
participants or beneficiaries in such group health plan;
4.) A group health plan and one or more other group health plans each of which are
maintained by the same plan sponsor; or



5.) The group health plans described in paragraph (4) of this definition and health insurance
issuers or HMOs with respect to such group health plans, but only with respect to protected
health information created or received by such health insurance issuers or HMOs that relates
to individuals who are or have been participants or beneficiaries in any of such group health
plans.
Payment: The activities undertaken by:
 • A health plan to obtain premiums or to determine or fulfill its responsibility for coverage
   and provision of benefits under the health plan; or
 • A health care provider or health plan to obtain or provide reimbursement for the
   provision of health care; and
The activities relate to the individual to whom health care is provided and include, but are not
limited to:
 • Determinations of eligibility or coverage (including coordination of benefits or the
   determination of cost sharing amounts), and adjudication or subrogation of health benefit
   claims;
 • Risk adjusting amounts due based on enrollee health status and demographic
   characteristics;
 • Billing, claims management, collection activities, obtaining payment under a contract for
   reinsurance (including stop-loss insurance and excess of loss insurance), and related
   health care data processing;
 • Review of health care services with respect to medical necessity, coverage under a health
   plan, appropriateness of care, or justification of charges;
 • Utilization review activities, including pre-certification and preauthorization of services,
   concurrent and retrospective review of services; and
 • Disclosure to consumer reporting agencies of any of the following PHI relating to
   collection of premiums or reimbursement:
        A.) Name and address;
        B.) Date of birth;
        C.) Social security number;
        D.) Payment history;
        E.) Account number; and
        F.) Name and address of the health care provider and/or health plan.
Protected Health Information (PHI): Individually identifiable health information (IIHI)
that is:
 • Transmitted by electronic media;
 • Maintained in any electronic media; or
 • Transmitted or maintained in any other form or medium.
Psychotherapy Notes: Notes recorded (in any medium) by a health care provider who is a
mental health professional documenting or analyzing the contents of conversation during a
private counseling session or a group, joint or family counseling session and that are
separated from the rest of the individual’s medical record. Psychotherapy notes exclude
medication prescription and monitoring, counseling session start and stop times, the
modalities and frequencies of treatment furnished, results of clinical tests and any summary




of the following items: diagnosis, functional status, treatment plan, symptoms, prognosis and
progress to date.
Trading Partner Agreement (TPA): An agreement related to the exchange of information
in electronic transactions, whether the agreement is distinct or part of a larger agreement,
between each party to the agreement. For example, a trading partner agreement may specify,
among other things, the duties and responsibilities of each party to the agreement in
conducting a standard transaction.
Treatment: The provision, coordination or management of health care and related services
by one or more health care providers, including the coordination or management of health
care by a health care provider with a third party; consultation between health care providers
relating to a patient; or the referral of a patient for health care from one health care provider
to another.
X12: An ANSI-accredited group that defines EDI standards for many American industries,
including health care insurance. Most of the electronic transaction standards mandated or
proposed under HIPAA are X12 standards. X12N is a subcommittee of X12 that defines EDI
standards for the insurance industry, including health care insurance.






                                        HIPAA FOUNDATION
WHAT IS HIPAA?
HIPAA is the Health Insurance Portability and Accountability Act of 1996. HIPAA is
comprised of two legislative actions: Health Insurance Reform and Administrative
Simplification. The Health Insurance Reform provisions, which require implementation of
practices by health plans and insurers regarding portability and continuity of health
insurance coverage, have been in effect for some time. The Administrative Simplification
portion of HIPAA requires the U.S. Department of Health and Human Services (HHS) to
develop standards and requirements for maintenance and transmission of health information
that identifies individual patients.
HIPAA Administrative Simplification standards are designed to:
 • Improve the efficiency and effectiveness of the health care system by standardizing the
   exchange of electronic data for administrative and financial transactions
 • Reduce health care fraud and abuse
 • Protect the security, privacy and confidentiality of health information
HIPAA will impose substantial compliance requirements on practically all participants in the
U.S. health care system. Organizations directly impacted by the rules are known under
HIPAA as Covered Entities, and the information they must safeguard is referred to as
Protected Health Information (PHI) or Individually Identifiable Health Information (IIHI).
IMPACTS
HIPAA will impact all business and operational processes and information systems that
store, handle, communicate or generate health information. Health care organizations will be
required to reevaluate their current practices, policies and procedures for protecting the
security and privacy of health information. In addition, many organizations will need to
modify or replace their current systems and business processes to comply with HIPAA
regulations.[1]
Fortunately, HIPAA also offers health care organizations the opportunity to realize
significant cost savings and operational efficiencies. Examples of the benefits that health care
organizations can achieve through the successful implementation of HIPAA standards
include:
 • Reduced labor costs through the automation of manual processes
 • Reduction in processing errors
 • Shorter claims processing cycle times
 • Reduced waiting time for eligibility verification
 • Faster coordination between referring physicians
 • Increased access to cost-saving information related to coordination of benefits
 • Improvement of health data quality and completeness
 • Increased consumer confidence [2]






WHO NEEDS TO COMPLY?
Health care organizations that electronically send any of the transactions covered in the
Final Rules are considered covered entities, and must comply with all HIPAA standards.
This includes health plans, health care clearinghouses and health care providers, from
integrated health care delivery networks to small physician offices.[3]
Initially, HIPAA privacy and security standards were envisioned as only applying to
electronic health information, but the HHS has since broadened the scope of HIPAA to
include health information in all media and formats.

REGULATIONS & COMPLIANCE DATES
HIPAA is divided into four categories of regulations, as follows:

Regulation                  Compliance Date
--------------------------  ------------------------------------------------------------
Transactions & Code Sets    October 16th, 2002 (October 16th, 2003 if a compliance
                            extension plan was submitted by October 15th, 2002)
Identifiers                 Estimated publication date of spring/summer 2003, with a
                            corresponding estimated Compliance Date of summer/fall 2005.
Privacy                     April 14th, 2003
Security                    April 21st, 2005


Each of these regulations will be discussed in further detail later in this Desk Reference.






                            PENALTIES FOR NONCOMPLIANCE
HIPAA will enforce penalties for individuals who fail to comply with its provisions. The
HHS hopes that penalties associated with HIPAA violations will add incentive for health care
organizations to comply with its provisions. Under the proposed regulations, failure to
comply with some or all of the provisions can lead to major fines and jail time.

Type of Noncompliance    Associated Penalties
-----------------------  ---------------------------------------------------------------
Failure to Comply        $100 per violation; $25,000 maximum for all violations of a
                         single requirement
Wrongful Disclosure      $50,000 and/or up to 1 year imprisonment for knowing misuse of
                         health information; $100,000 and/or up to 5 years imprisonment
                         if done under false pretenses; $250,000 and/or up to 10 years
                         imprisonment if done with intent to sell information

Besides financial, criminal and civil penalties, other possible outcomes of noncompliance
with HIPAA standards include:
 • Submitted claims may no longer be honored by payors
 • Loss of accreditation from organizations such as JCAHO and NCQA
 • Increased attention from Legislative Auditors
 • Negative publicity
Health care organizations could be held legally responsible for HIPAA violations if it is
found that they failed to implement and enforce appropriate policies and procedures to
prevent violations from happening. In extreme cases, penalties could be assessed to a covered
entity’s Privacy or Security Officer.
Members of a covered entity’s workforce must receive training on their organization’s
policies, procedures and practices regarding the privacy, confidentiality and security of
health information. If a policy to protect PHI is in place, but it is found that employees don't
know it exists or don't understand it, an institution can be held liable for violations.
However, if a health care organization has developed appropriate policies and procedures and
can prove that it has adequately educated its workforce, then the specific person or people
guilty of a willful violation could be held personally responsible and face fines and prison.

WHO WILL BE RESPONSIBLE FOR HIPAA ENFORCEMENT?
The HHS has announced that the Office of Civil Rights (OCR) will be responsible for
HIPAA enforcement. Although the HIPAA enforcement regulations have not yet been
published and finalized, the OCR has already begun hiring people to handle the tasks
associated with HIPAA enforcement.
According to OCR personnel, they don’t expect to conduct routine surveys looking for
HIPAA violations. If they are notified about a complaint regarding a specific health care
organization, the OCR may make a call, review the relevant paperwork, or make a visit.


                                  HIPAA MYTHS AND FACTS
Myth: HIPAA Will Go Away
Fact: Many people think that the extension of the HIPAA Transactions and Code Sets
compliance date, along with the recent proposed changes to the Privacy Rule, are signs that
HIPAA compliance will never actually be required. This is simply not true. The Bush
administration has announced its commitment to strong patient privacy protections, and
continues to take steps to protect PHI while maintaining access to quality health care. The
compliance deadline for Privacy is April 14th, 2003, and October 16th, 2002 for Transactions
and Code Sets (October 16th, 2003 if you file an extension). Changes to the HIPAA
regulations can only be made by a Notice of Proposed Rule Making (NPRM), which must go
through an exhaustive review process before being finalized.
Myth: HIPAA is a Technology Issue
Fact: HIPAA will impact all areas within and employees of health care organizations,
including clinical and medical, admitting staff, billing staff, receptionists, housekeeping staff
and more. HIPAA Privacy provisions will require most organizations to review their current
policies and procedures relating to patient confidentiality, patient rights, disclosures of health
care information and workforce training. It has been estimated that 70% of the impact
HIPAA will have on health care organizations will be related to behavioral and procedural
changes.
Myth: My Organization Can Rely on Our Vendor or Clearinghouse for HIPAA
Transactions and Code Sets Compliance
Fact: HIPAA transactions involve new data, new codes for existing data and new identifiers
being communicated between providers and payers. Clearinghouses can’t create this data; it
has to be collected by people at provider sites who are using modified registration, order
entry and billing systems. Vendors can provide the modified systems, but they can’t train
your workforce, modify paper forms, and do other implementation activities that are
necessary to comply with HIPAA regulations.
Myth: HIPAA will decrease the quality and efficiency of patient care
Fact: HIPAA Regulations are actually intended to improve the quality of care. Concerns
about lack of privacy now drive a wedge between patients and their providers and impede the
provision of quality care because patients withhold information, avoid asking certain
questions or fail to seek care altogether. Among other benefits, HIPAA creates the
opportunity for patients and their health care providers to engage in a dialogue about how
their information will be used and gives patients more control over uses and disclosures.
Myth: HIPAA is Another Y2K
Fact: HIPAA regulations are often compared to Y2K. However, unlike Y2K, HIPAA is not
solely an IT systems issue. HIPAA involves many legal, procedural, administrative,
behavioral and technological facets that must be carefully evaluated before a health care
organization can begin the implementation process. Y2K was strictly a systems issue with a
defined ending and a limited and identifiable scope, whereas compliance with HIPAA will be
a constantly evolving process with no defined end.


                                       EXAMPLE SCENARIOS
HIPAA Regulations are wordy, but they boil down to common sense. It isn’t always easy to
recognize breaches when they happen—but with a little careful planning, they can be
avoided. Look at the following scenarios:
Case Scenario # 1
A physician runs a small practice with two office assistants and two nurses. The records are
stored and accessed on two computers placed opposite the waiting room and the admission
window. The office manager has kept the same user ID and password since she started
working at the clinic, and she keeps her password written on a small post-it note under her
computer keyboard in case she should forget it. When she and her assistant take breaks, they
generally leave their computers on—that way they don’t have to sign in to their profile a
second time.

Is there a risk of a breach of privacy in this situation?
There are several—careful evaluation of the office setup would reveal that the computers are
positioned so that incoming patients and those sitting in the waiting room might see them. A
simple solution is to move the computer monitors so they’re not visible to anyone but those
working on them. The fact that the office manager hasn’t changed her password is alarming.
The older passwords get, the easier they are to decode—and they should never be written
down. Office employees should be trained to change their passwords often and to select
appropriate words (not, for example, the name of a child or the date of an anniversary—a
combination of letters and numbers would be a good choice). Leaving the computer on and
signed in to a user profile or account is a hazard, too—unless each office employee signs out
at the end of her session, there is no record of who has accessed which records. Learn to
regard active, unattended accounts as open invitations to privacy breaches.

Case Scenario #2
A nurse is on her way from one patient visit to another, and she has to drop off some records
to a physician in another wing of the hospital. She’s in a hurry, and a volunteer mentions that
he’s on his way there anyway—he’ll drop them off for her. When she gives him the files, he
catches sight of the label on the top page. They are blood test results, and the volunteer is
shocked to see that they belong to his employer’s husband.

How could this situation have been avoided?
The answer is obvious: deliver materials that could identify a patient by hand. It is just as
dangerous to entrust confidential material to a messenger as it is to leave hard copies of
information on an unattended desk. In cases where hand-delivery isn’t possible, do whatever
you can to ensure receipt of materials. Don’t leave computer disks in physicians’
mailboxes—they could easily be intercepted. If you send a fax, make sure the receiving
machine is in a secure area and request confirmation of receipt. Take every precaution to
make sure the information you’re transmitting stays confidential—whether intentional or
accidental, third party access can spell a privacy breach.






Case Scenario #3
Mr. Wolf is having an adverse reaction to his ulcer medication, and calls his doctor’s office
for advice. The nurse calls Dr. Smith, Mr. Wolf’s physician, for instructions, but can’t reach
him at home or on his cell. The nurse remembers that Dr. Smith mentioned that he was
playing golf that afternoon, so she calls the local golf course and asks the receptionist to
notify the doctor that Mr. Wolf has had a reaction to the prescription he had given him earlier
that day for his ulcers, and to please call back.

How should this situation have been handled?
The nurse should have simply left a message with receptionist requesting that Dr. Smith call
back as soon as possible. Never leave any kind of messages with a third party that contain
specific information about a patient that can identify him or her.

Case Scenario #4
A physician leaves a folder labeled "STD Report" on a colleague’s desk. The folder contains
information on all the people that had received treatment for an STD at their facility in the
past year, including names, diagnosis, contact information and dates of treatment. The next
day, the physician’s colleague calls to ask when he will receive the report.

How could this situation have been avoided?
Never leave any materials that contain patient information in an open area. Always
personally deliver materials, whenever possible. Also, avoid labeling materials that contain
PHI in a way that draws attention to its content.

Case Scenario #5
An employee from the Medical Records Department of a small hospital is delivering records
to the ER when his best friend’s girlfriend is brought in by ambulance. Wanting to help, he
calls his best friend to let him know that his girlfriend is in the ER.

What should have happened in this situation?
The employee should have let the medical staff know that he knows the patient, and can help
locate her boyfriend if necessary. The patient has the right to decide who should know where
she is. If she is conscious, she can decide who should be notified of her location. If she is
unconscious, the medical staff will determine whether it is appropriate to notify her
boyfriend, and will decide whether the Medical Record employee should be involved.








                    HIPAA REGULATIONS &
                 IMPLEMENTATION CHECKLISTS






                      MASTER HIPAA ASSESSMENT CHECKLIST
Following is a Master HIPAA Assessment Checklist. This checklist is intended to be utilized
before or in conjunction with the implementation checklists for each Regulation provided in
this booklet.
• Designate a HIPAA compliance project leader and assemble a HIPAA assessment
  team.
  o In smaller organizations and practices, include the office manager or administrator, a
    clinical staff representative, the health information/medical records manager and
    someone from IT support (whether internal or external).
• Prepare an Assessment Project Plan
  o First, familiarize yourself with the rules. The final and proposed regulations can be
    accessed online at http://aspe.os.HHS.gov/admnsimp/
  o Break down the individual tasks and deliverables associated with each regulation and
    assign responsibilities
  o Develop a timeline, paying attention to compliance deadlines
  o Determine and finalize a compliance budget
• Review Policies, Procedures, Business Processes and Practices Relating to Patient
  Privacy and Uses and Disclosures of PHI
  o Review the business processes, clinical workflow and data flows in your organization
    that involve the use and disclosure of PHI
  o Review your organization's current authorization forms
  o Review your organization’s current policies and procedures regarding the handling,
    storage, release, disclosure and communication of PHI
  o Determine if any procedures currently exist for accounting of disclosures of PHI,
    patient requests of restrictions of PHI and patients’ rights to review and request
    amendments to their medical records
  o Identify and review your contracts with Business Associates
  o Contact vendors, clearinghouses, payers and other partners who use or have access to
    PHI to understand their HIPAA plans
  o Review your organization’s workforce privacy training and enforcement practices
  o Gather and review any State laws and/or regulations governing release of information
• Review Electronic Transactions:
  o Identify all electronic transactions that your organization currently conducts
  o Determine which information systems in your organization capture and exchange PHI
  o Document your organization’s information systems applications
  o Determine which code sets your organization utilizes
  o Develop an understanding of how and where Unique Identifiers will be utilized in
    electronic transactions
• Conduct an Administrative, Technical and Physical Security Review
  o Determine your organization’s current use of virus detection software, firewalls and
    other information security tools
  o Identify your current applications and operating systems’ security features



  o Review current policies and procedures regarding communications security (i.e.,
    email, FAX usage, encryption, electronic signatures, Internet connections).
  o Identify internal and external points of access to networks and systems
  o Map the data flow through systems and applications
  o Identify current data back-up and recovery procedures
  o Determine your organization’s current security practices (i.e., logon/logoff
    procedures, password usage, etc.)
  o Identify and review policies and procedures for contingency and disaster planning
  o Determine your organization’s current level of physical security (i.e., locks, pass
    codes, etc.)
  o Identify current procedures for security breach incident reporting and follow-up
• Perform a Security Risk Analysis
  o Identify, evaluate and prioritize risks in terms of
    - value of assets,
    - degree of exposure,
    - likely consequences of incidents (including costs, additional staff hours, etc.),
    - probability / frequency of threat occurring,
    - costs of alternative remediation measures, and
    - your organization's strategic objectives.
  o Rank priorities by comparing assets, vulnerabilities, threats and business goals
• Identify gaps between your organization's current policies, procedures, systems and
  applications in all facilities, relative to HIPAA requirements
  o Using the inventory of policies and procedures, forms and documents, business
    processes and information flows, assess and document compliance levels, gaps and
    vulnerabilities against HIPAA requirements and more stringent state provisions
• Prepare a final Impact Report, Specifying the Following Details:
  o Areas of non-compliance
  o Observed and Potential risks
  o Disparities between current policies and procedures and HIPAA requirements
  o Availability of archived PHI
  o Analysis of security risk management priorities/strategies
  o Alternative HIPAA solutions, including beneficial EDI advances, and their costs
  o Available resources
  o Recommended HIPAA-related remediation and strategic measures






                                TRANSACTIONS & CODE SETS
The HIPAA Transactions and Code Sets regulations are an effort to increase the efficiency
and accuracy of electronic health care communication through the use of standardized
transactions and data elements for transactions.
There is currently no common standard format for the transfer of information between health
care provider and payor organizations. The HHS estimates that over 400 EDI (electronic data
information) formats are currently used by various payors. Therefore, providers have been
required to meet many different requirements for submitting electronic information to
different payor organizations. For providers who submit claims to hundreds of payors,
enabling computer systems to meet these requirements has been a difficult and expensive
process.4 Implementing a national standard will mean that all health care organizations will
use one format, thus simplifying and improving transaction efficiency throughout the
country.

Transaction Content
The HIPAA electronic transaction standards use uniform, defined data. When two health care
organizations share this data, they will be assured that they have the same definitions for the
data.
Data sets are defined in the standards as groups of data that are necessary to complete a
transaction. Codes replace much larger pieces of data. Each of the transaction standards has
identified specific codes that become part of the data or data set.
The concept of a Maximum Data Set was included in HIPAA to preserve the goal of
uniformity. Each electronic data standard has a maximum data set—a compilation of all the
individual data and data sets defined for that standard. Under HIPAA, a provider sending a
standard electronic transaction containing the maximum data set can expect the transaction to
be received and processed by any receiving party, generally a plan or payer. A provider,
therefore, could develop a claims process and send the claim out expecting that it would be
accepted by all plans or payers.
The final rule still allows for a plan or payer to ask for additional information not included in
the claim transaction set before it adjudicates the claim. However, it is expected that
eventually either the claim itself will contain all the needed data or an electronic attachment
could fulfill the need.
Organizations can agree to send less information than is included in the maximum data set.
Thus, if a provider has already sent demographic information in another transaction to a
payer, the payer and provider might agree that this data does not have to be sent again as part
of the claim. Over a period of time, sending the same data less often becomes a savings for
both parties.5
Each standard transaction has identified Required and Situational implementations, as well
as Required and Situational data elements, within each transaction segment.
• Situational does NOT mean Optional
  o If the transaction segment or data element is relevant, it should be included in the
    transaction


For example, in the Claims Payment and Remittance Advice Transaction (835), the Payer
City, State, & Zip Code Segment (illustrated below) is always required. Other segments
within the 835 transaction are situational, such as the Foreign Currency segment. An
organization is only required to utilize the Foreign Currency segment when foreign
currency is used to pay for services. Therefore, the use of the segment is not optional;
rather it is situational based upon the circumstances of each transaction.

[Illustration of the 835 Payer City, State, & Zip Code segment: not reproduced in this text copy.]

The bolded data elements within the City, State, & Zip Code segment (i.e., City Name,
State or Province Code and Postal Code) are required for every transaction. The other
data elements (in this case, Country Code) are situational, and are only required when
they apply to the purpose of the transaction.
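To make the required/situational distinction concrete, here is an added example (not code from this booklet or from any X12 tool) that checks a constructed 835 fragment against the rules described above. It assumes standard X12 delimiters ('*' between elements, '~' ending a segment), that the Payer address rides in an N4 segment with City, State, Postal Code and Country Code in positions 1 to 4, and that a foreign-currency payment is signalled by a CUR segment carrying the currency code in position 2; the US state list and the "outside the US" test are this example's own assumptions.

```python
"""Required-vs-situational checks for an X12 835 fragment (added example, not from the page).

Assumptions (not stated in the page): '*' separates elements and '~' terminates
segments, as in standard X12; the Payer address is carried in an N4 segment
(N401 City, N402 State/Province, N403 Postal Code, N404 Country Code) and a
foreign-currency payment is signalled by a CUR segment whose CUR02 holds the
currency code. The US state/territory list is constructed here to decide when
the situational Country Code element applies.
"""

ELEMENT_SEP = "*"
SEGMENT_TERM = "~"

US_STATE_CODES = frozenset("""
AL AK AZ AR CA CO CT DE DC FL GA HI ID IL IN IA KS KY LA ME MD MA MI MN MS MO
MT NE NV NH NJ NM NY NC ND OH OK OR PA RI SC SD TN TX UT VT VA WA WV WI WY
AS GU MP PR VI
""".split())


def parse_segments(x12: str) -> list[list[str]]:
    """Split raw X12 text into segments, each a list of elements (index 0 is the segment ID)."""
    segments = []
    for raw in x12.split(SEGMENT_TERM):
        raw = raw.strip()
        if raw:
            segments.append(raw.split(ELEMENT_SEP))
    return segments


def element(seg: list[str], position: int) -> str:
    """Return the element at 'position' (1-based), or '' if the segment is shorter."""
    return seg[position] if position < len(seg) else ""


def validate_835(x12: str, payment_currency: str = "USD") -> list[str]:
    """Return a list of findings; an empty list means every modelled rule passed.

    Rules modelled from the page's description of the 835:
      - the Payer City/State/ZIP (N4) segment is always required;
      - N401, N402 and N403 are required in every N4;
      - N404 (Country Code) is situational: required when the address is
        outside the United States, which this example judges by N402 not
        being a US state or territory code;
      - the Foreign Currency (CUR) segment is situational: required when the
        payment is not made in US dollars.
    """
    findings: list[str] = []
    segments = parse_segments(x12)

    n4_segments = [s for s in segments if s[0] == "N4"]
    if not n4_segments:
        findings.append("N4: required segment is missing")
    for idx, seg in enumerate(n4_segments, start=1):
        for pos, name in ((1, "City Name"), (2, "State or Province Code"), (3, "Postal Code")):
            if not element(seg, pos):
                findings.append(f"N4 #{idx}: required element N40{pos} ({name}) is empty")
        state = element(seg, 2)
        country = element(seg, 4)
        outside_us = bool(state) and state not in US_STATE_CODES
        if outside_us and not country:
            findings.append(f"N4 #{idx}: situational N404 (Country Code) is required for a non-US address")

    cur_segments = [s for s in segments if s[0] == "CUR"]
    if payment_currency != "USD":
        if not cur_segments:
            findings.append(f"CUR: situational segment is required for a {payment_currency} payment")
        elif element(cur_segments[0], 2) != payment_currency:
            findings.append(
                f"CUR: CUR02 is {element(cur_segments[0], 2)!r}, expected {payment_currency!r}"
            )
    return findings


# Constructed sample fragments (not real remittance data).
DOMESTIC_835 = "N1*PR*CONSTRUCTED HEALTH PLAN~N3*100 MAIN ST~N4*ALBUQUERQUE*NM*87102~"
CANADIAN_835_NO_COUNTRY = "N1*PR*CONSTRUCTED PLAN~N3*1 KING ST~N4*TORONTO*ON*M5H1A1~"
CANADIAN_835_WITH_COUNTRY = "N1*PR*CONSTRUCTED PLAN~N3*1 KING ST~N4*TORONTO*ON*M5H1A1*CA~CUR*PR*CAD~"

if __name__ == "__main__":
    for label, fragment, currency in (
        ("domestic", DOMESTIC_835, "USD"),
        ("canadian, country code omitted", CANADIAN_835_NO_COUNTRY, "CAD"),
        ("canadian, complete", CANADIAN_835_WITH_COUNTRY, "CAD"),
    ):
        print(label, "->", validate_835(fragment, currency) or "OK")
```

The second constructed fragment is the "situational is not optional" case: the address is outside the US and the payment is in Canadian dollars, so both the Country Code element and the CUR segment become required and their absence is reported.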

COVERED ENTITIES
HIPAA rules do not uniformly address all the different types of organizations within the
healthcare industry. The rule defines how and when health care entities will use or accept
certain HIPAA electronic transaction standards.
Healthcare providers are not required to follow the HIPAA standards for transactions.
However, the rule does require that if they want to send an electronic transaction, it must
follow the standard or it does not have to be accepted by the plan or payer.
While some healthcare organizations could potentially function without utilizing electronic
transactions - and thus would not be required to follow the regulations – complying with the
transaction standards will be imperative for health care organizations. It is fully expected that
internal requirements imposed by Medicare, Medicaid and other plans and payers will make
compliance necessary.

COMPLIANCE DEADLINE
The deadline for Transactions and Code Sets implementation has been extended to October
16th, 2003. However, an implementation plan must have been sent to HHS by October 16th,
2002 for the deadline extension to apply to your organization.
If the HHS did not receive a complete implementation plan from your organization by
October 16th, 2002, it is assumed that your organization is currently in compliance with the
transactions and code sets regulations.






                                             TRANSACTIONS
The HHS has chosen to use standards developed by the American National Standards
Institute’s (ANSI) Accredited Standards Committee X12 (ASC X12) and the National
Council for Prescription Drug Programs (NCPDP) as the standard formats for the following
health care transactions:
TRANSACTION                                                      ASC X12 Version 4010

Provider - Plan/Payer Transactions
  Healthcare Claim or Encounter                                  837
  Claim Payment and Remittance Advice                            835
  Healthcare Claims Standard                                     276/277
  "Coordination of Benefits"                                     837
  Eligibility for a Health Plan                                  270/271
  Referral Certification and Authorization                       278

Sponsor - Plan/Payer Transactions
  Enrollment & Disenrollment in a Health Plan                    834
  Premium Payments                                               820

Future Transactions (as identified in HIPAA)
  First Report of Injury                                         148
  Healthcare Claim Attachment                                    275 (?) - TBD
  Others designated by the HHS Secretary                         ? TBD ?

As previously mentioned, while all health plans and health care clearinghouses must be able
to accept the standard transaction format and content, providers aren’t required to follow
HIPAA transactions standards themselves. Providers may utilize health care clearinghouses
to convert claims to standard format and to obtain additional data content, or supply standard
content in nonstandard format to a clearinghouse, which would then reformat it to send to
health plans. Health care providers may also choose to send standard content to health plans
via the Internet (DDE - direct data entry). In addition, providers can adopt the standard
format themselves and submit content either to a clearinghouse or to health plans directly.
Providers have many options for sending electronic health care transactions. For example,
providers may choose to use direct data entry for eligibility benefit inquiry and send standard
content for a claim to a clearinghouse. Similarly, some providers may choose to send
standard format and content directly to government payors and use a clearinghouse for
commercial payors.






                                                 CODE SETS
Covered entities must adopt standard code sets to be utilized in all transactions. All parties to
any transaction will have to use and accept the same coding. Uniform coding is intended to
reduce mistakes, duplication of effort and costs.
HIPAA has designated specific medical code standards to be used within electronic health
care transactions. Fortunately, the code sets proposed as HIPAA standards are already used
by many health plans, clearinghouses and providers, which should ease the transition. These
include: 6
  • ICD-9-CM (International Classification of Diseases, 9th Edition, Clinical
    Modification, Volumes 1, 2 and 3)
  • CPT-4 (Current Procedural Terminology, 4th Edition)
  • HCPCS (Health Care Financing Administration Common Procedure Coding System)
  • CDT-2 (Codes on Dental Procedures and Nomenclature)
ICD-9-CM Volumes 1 and 2 codes will cover diseases, injuries, impairments and other
health problems, as well as causes of injury and disease impairment.
ICD-9-CM Volume 3: usage of these codes has been limited to procedures or other actions
taken for diseases, injuries and impairments on hospital inpatients, reported by hospitals,
and related to prevention, diagnosis, treatment and management. Non-acute facilities will no
longer be allowed to use Volume 3 codes to report procedures. Instead, these organizations
will have to use CPT-4 or HCPCS codes.
CPT-4 and HCPCS codes will be used for physician services, physical and occupational
therapy services, radiology procedures, clinical laboratory tests, other medical diagnostic
procedures, hearing and vision services and ambulance and other transportation services.
HCPCS codes will also be used to identify substances, equipment and medical supplies.
HCPCS Level III or "local codes" will be eliminated.
Dental Procedures and Nomenclature (CDT-2) codes will be used for dental claims.

ELIMINATED CODES
HIPAA Code Sets standards have eliminated the use of the following types of codes:
• Medicaid "Local" codes (change to CPT-4)
  o In NM, for most providers not a large number of codes
  o Significant impact to Medicaid waiver programs
• Payer "Homegrown" codes (change to CPT-4)
  o (Examples: Home Health, Home IV Therapy, Acupuncture, Chiropractic,
    DME)
• DSM Behavioral Health codes (change to ICD-9)
• ASA Anesthesia codes (change to CPT-4)






    HIPAA TRANSACTIONS & CODE SETS IMPLEMENTATION CHECKLIST

TASK                                                                SUGGESTED TIMELINE

1. File for a compliance extension with the CMS                     Before October 15th, 2002

2. Determine whether your organization is considered a              Month 1
   "small provider" by Medicare
   o Determine whether your organization will be required to
     bill Medicare electronically after October 2003

3. Identify all electronic transactions that your organization      Months 1-2
   currently conducts

4. Identify the code sets your organization utilizes                Months 2-3

5. Identify and revise any contracts based on non-standard          Months 3-6
   codes

6. Decide whether your organization will contract with a            By March 2003
   software vendor or clearinghouse to translate your
   electronic transactions
   o If you decide to use a vendor, make sure you receive a
     statement from each potential vendor regarding their
     HIPAA plans

7. Begin testing                                                    April - October 2003

9. Train your impacted staff on the new transaction and code        July - September 2003
   set standards






                                                IDENTIFIERS
Health care providers often find themselves with different identifier codes assigned by
different health plans, and even within the same health plans. The same identifier may be
issued to multiple providers. Millions of employers are subject to similar inconsistencies,
along with health plans and patients themselves. Employers, providers, payors,
clearinghouses, patients and vendors must contend with the unnecessary confusion, extra
work, processing delays, and high costs created by this lack of standardization.7 The
proposed HIPAA Identifiers regulation mandates the use of unique identifiers for providers,
health plans, employers, and individuals receiving health care services.
The national identifier rules propose a standard for national identifiers for providers,
employers and possibly individuals (patients). Included in the rules are requirements
concerning the use of identifiers by health plans, health care clearinghouses and health care
providers. Health plans, clearinghouses and providers will use the identifiers in connection
with the standard electronic transaction formats. The use of the identifiers is anticipated to
improve the Medicare and Medicaid programs, and other public and private health programs,
as well as the efficiency of the health care industry in general, by simplifying the
administration of the system and enabling efficient electronic transmission of health
information.8

Provider Identifiers
The unique identifier for providers is the National Provider Identifier, which was
developed by HCFA for use in the Medicare system. The final provider identifier
standard is not expected to change from the proposed rule. The provider identifier will
have 10 numeric positions with a check digit as the tenth digit. Implementation of this
standard will require HHS to establish a system to assign the identifiers.
Plan Identifiers
The health plan identifier has been drafted to apply the work that HCFA did for a
Medicare Payor ID to all health plans nationwide. Like the provider identifier, the health
plan identifier is expected to have 10 numeric positions with a check digit in the tenth
position.
Employer Identifier
The employer identifier is based on the Internal Revenue Service assigned Employer
Identification Number (EIN). The EIN has nine numeric positions.
Patient Identifier
The most controversial of the proposed identifiers, the patient identifier is on hold
pending privacy legislation. However, it is anticipated that if the patient identifier rule is
passed, it will consist of ten numeric digits with a check digit.






           HIPAA IDENTIFIERS IMPLEMENTATION CHECKLIST

                                                  TASK

1. Develop an understanding of how and where Unique Identifiers will be
   utilized in electronic transactions

2. Determine if you (or your organization) has more than one identifier.

3. Determine which of your provider numbers are alphanumeric (contain only
   numbers or letters).
   • Non-alphanumeric identifiers may not be accepted in the standard transaction
     formats.

4. Look for Final Rules to be Published in Summer or Fall 2003
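As an added illustration of checklist items 2 and 3 (this is not code from the booklet), the following Python script audits a constructed inventory of identifiers: it flags identifiers that contain anything other than letters and digits, lists identifiers that appear under more than one issuer, and verifies the tenth digit of a ten-digit provider identifier. The check-digit scheme is an assumption: the Luhn formula over the nine base digits prefixed with the constant 80840, which is what the final National Provider Identifier standard adopted; this page only states that the tenth digit is a check digit.

```python
"""Identifier inventory audit.

Added example, not code from the booklet. Assumptions not stated on this
page: the provider check digit is the Luhn check digit computed over the
nine base digits prefixed with the constant 80840 (the scheme the final
NPI standard adopted), and the inventory rows below are constructed data.
"""
from collections import defaultdict

NPI_PREFIX = "80840"  # assumed Luhn prefix for the ten-digit provider identifier


def luhn_check_digit(payload: str) -> int:
    """Return the Luhn check digit for a string of decimal digits."""
    total = 0
    # Walk right to left; the rightmost payload digit is doubled first.
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def is_valid_provider_id(npi: str) -> bool:
    """True if npi is ten digits and its tenth digit is the correct check digit."""
    if len(npi) != 10 or not npi.isdigit():
        return False
    return luhn_check_digit(NPI_PREFIX + npi[:9]) == int(npi[9])


def is_alphanumeric(identifier: str) -> bool:
    """Checklist item 3: letters and digits only, no punctuation or spaces."""
    return identifier.isalnum()


def audit_inventory(rows):
    """Summarise an inventory of (issuer, identifier, kind) tuples.

    Returns a dict with:
      non_alphanumeric - identifiers the standard transaction formats may reject
      duplicates       - identifiers that appear under more than one issuer
      bad_check_digit  - ten-digit provider ids whose check digit fails
    """
    issuers_by_id = defaultdict(set)
    report = {"non_alphanumeric": [], "duplicates": [], "bad_check_digit": []}
    for issuer, identifier, kind in rows:
        issuers_by_id[identifier].add(issuer)
        if not is_alphanumeric(identifier):
            report["non_alphanumeric"].append(identifier)
        if kind == "provider" and len(identifier) == 10 and identifier.isdigit():
            if not is_valid_provider_id(identifier):
                report["bad_check_digit"].append(identifier)
    report["duplicates"] = sorted(i for i, s in issuers_by_id.items() if len(s) > 1)
    return report


# Constructed sample inventory: (issuer, identifier, kind).
SAMPLE_INVENTORY = [
    ("Medicare", "1234567893", "provider"),   # check digit verifies
    ("Plan A", "1234567890", "provider"),     # check digit fails
    ("Plan B", "PRV-00917", "provider"),      # hyphen: not alphanumeric
    ("Plan C", "A77B2", "provider"),
    ("Plan D", "A77B2", "provider"),          # same identifier, two issuers
    ("IRS", "123456789", "employer"),         # EIN: nine digits, no check digit
]

if __name__ == "__main__":
    for key, values in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{key}: {values}")
```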






                                                  PRIVACY
One of Congress' main concerns has been that with the majority of health information
standardized in a single format, and with each patient assigned a national patient identifier,
the development of lists or databases of people diagnosed with specific diseases or illnesses
would become increasingly easy and prevalent. Therefore, Congress included in HIPAA new
information security and privacy requirements with which health care providers must
comply.
The HIPAA Privacy Standard establishes new rights for patients to control the uses and
disclosures of their PHI, and mandates new obligations on the part of those who store and
transmit that information to keep it protected.9 HIPAA Privacy pertains to who has the right
to access protected health information (PHI). The privacy rule encompasses all individually
identifiable health information (IIHI) that is housed by health care organizations, regardless
of whether the information is or has ever been in electronic form.
The Privacy standards:
  • Limit the use and release of private health information without patient authorization;
  • Provide patients with new rights to access their medical records and to know who else
    has accessed them. The privacy regulation gives consumers significant new rights to
    monitor the release of their medical information;
  • Restrict most disclosures of health information to the minimum needed for the intended
    purpose. With a few exceptions, a person’s health information should be used for health
    purposes only;
  • Establish criminal and civil sanctions for improper use or disclosure of protected health
    information. For the first time, there will be specific federal penalties if a patient's
    privacy rights are violated;
  • Establish new requirements for access to records by researchers and others. The privacy
    standards recognize the need to balance privacy protections with the public
    responsibility to support priorities such as conducting medical research, improving the
    quality and efficiency of care and fighting health care fraud and abuse.10






             HIPAA PRIVACY IMPLEMENTATION REQUIREMENTS
Health care provider organizations will be required to take the following steps to comply
with the HIPAA Privacy regulations:

1.) APPOINT A PRIVACY OFFICER
All covered entities must designate a person to be responsible for the development and
implementation of privacy-related policies and procedures.
In addition, your organization must designate a contact person or office who will be
responsible for receiving patient complaints regarding health information privacy and
confidentiality, and who is able to provide further information about matters covered by your
organization’s Notice of Privacy Practices.

                              Sample Privacy Officer Job Description
The following sample job description was developed by the American Health Information
Management Association (AHIMA). The sample job description is also available on the
AHIMA Website at www.ahima.org. It is intended to serve as a framework for organizations
in the development of a position description.

Position Title: (Chief) Privacy Officer1
Immediate Supervisor: Chief Executive Officer, Senior Executive, or Health Information
Management (HIM) Department Head2
General Purpose: The privacy officer oversees all ongoing activities related to the
development, implementation, maintenance of, and adherence to the organization’s
policies and procedures covering the privacy of, and access to, patient health
information in compliance with federal and state laws and the healthcare organization’s
information privacy practices.
Responsibilities:
Provides development guidance and assists in the identification, implementation, and
maintenance of organization information privacy policies and procedures in coordination
with organization management and administration, the Privacy Oversight Committee,3
and legal counsel.
Works with organization senior management and corporate compliance officer to
establish an organization-wide Privacy Oversight Committee.
Serves in a leadership role for the Privacy Oversight Committee’s activities.
Performs initial and periodic information privacy risk assessments and conducts related
ongoing compliance monitoring activities in coordination with the entity’s other
compliance and operational assessment functions.
Works with legal counsel and management, key departments, and committees to ensure
the organization has and maintains appropriate authorization forms and information
notices and materials reflecting current organization and legal practices and
requirements.






Oversees, directs, delivers, or ensures delivery of initial and privacy training and
orientation to all employees, volunteers, medical and professional staff, contractors,
alliances, business associates, and other appropriate third parties.
Participates in the development, implementation, and ongoing compliance monitoring of
all trading partner and business associate agreements, to ensure all privacy concerns,
requirements, and responsibilities are addressed.
Establishes with management and operations a mechanism to track access to protected
health information, within the purview of the organization and as required by law and to
allow qualified individuals to review or receive a report on such activity.
Works cooperatively with the HIM Director and other applicable organization units in
overseeing patient rights to inspect, amend, and restrict access to protected health
information when appropriate.
Establishes and administers a process for receiving, documenting, tracking,
investigating, and taking action on all complaints concerning the organization’s privacy
policies and procedures in coordination and collaboration with other similar functions
and, when necessary, legal counsel.
Ensures compliance with privacy practices and consistent application of sanctions for
failure to comply with privacy policies for all individuals in the organization’s workforce,
extended workforce, and for all business associates, in cooperation with Human
Resources, the information security officer, administration, and legal counsel as
applicable.
Initiates, facilitates and promotes activities to foster information privacy awareness within
the organization and related entities.
Serves as a member of, or liaison to, the organization’s IRB or Privacy Committee,4
should one exist. Also serves as the information privacy liaison for users of clinical and
administrative systems.
Reviews all system-related information security plans throughout the organization’s
network to ensure alignment between security and privacy practices, and acts as a
liaison to the information systems department.
Works with all organization personnel involved with any aspect of release of protected
health information, to ensure full coordination and cooperation under the organization’s
policies and procedures and legal requirements.
Maintains current knowledge of applicable federal and state privacy laws and
accreditation standards, and monitors advancements in information privacy technologies
to ensure organizational adaptation and compliance.
Serves as information privacy consultant to the organization for all departments and
appropriate entities.
Cooperates with the Office of Civil Rights, other legal entities, and organization officers
in any compliance reviews or investigations.
Works with organization administration, legal counsel, and other related parties to
represent the organization’s information privacy interests with external parties (state or
local government bodies) who undertake to adopt or amend privacy legislation,
regulation, or standard.




Qualifications:
Knowledge and experience in information privacy laws, access, release of information,
and release control technologies.
Knowledge in and the ability to apply the principles of HIM, project management, and
change management.
Demonstrated organization, facilitation, communication, and presentation skills.

  Notes:
  1. The title for this position will vary from organization to organization, and may not be the primary
    title of the individual serving in the position. "Chief" would most likely refer to very large integrated
    delivery systems. The term "privacy officer" is specifically mentioned in the HIPAA Privacy
    Regulation.
  2. Again, the supervisor for this position will vary depending on the institution and its size. Since
    many of the functions are already inherent in the Health Information or Medical Records
    Department or function, many organizations may elect to keep this function in that department.
  3. The "Privacy Oversight Committee" described here is a recommendation of AHIMA, and should
    not be considered the same as the "Privacy Committee" described in the HIPAA privacy
    regulation. A privacy oversight committee could include representation from the organization's
    senior administration, in addition to departments and individuals who can lend an
    organization-wide perspective to privacy implementation and compliance.
  4. Not all organizations will have an Institutional Review Board (IRB) or Privacy Committee for
    oversight of research activities. However, should such bodies be present or require establishment
    under HIPAA or other federal or state requirements, the privacy officer will need to work with
    these groups to ensure authorizations and awareness are established where needed or required.






2.) DEVELOP A NOTICE OF PRIVACY PRACTICES
Patients have the right to adequate notice of the uses and disclosures of PHI that may be
made by your organization, and of their rights and your organization’s legal duties with
respect to PHI. The Notice of Privacy Practices is a public statement that documents a
covered entity’s policies and procedures relating to the use and disclosure of PHI.
A sample Notice of Privacy Practices is included in the “Sample Forms and Documents”
section of this booklet.

Required Content of the Notice of Privacy Practices
The Notice of Privacy Practices must be written in plain language and contain the following
elements:
I.) Header: The following statement must be used as a header:
“THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED
AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE
REVIEW IT CAREFULLY.”
II.) Uses and Disclosures: The Notice must contain:
 • A description, with at least one example, of the types of uses and disclosures that your
   organization is permitted to make for Treatment, Payment, and Health Care Operations.
 • A description of each of the other purposes for which your organization is permitted or
   required to use or disclose PHI without the individual’s written authorization.
 • If a use or disclosure for any purpose is prohibited or limited by other applicable law, the
   description of such use or disclosure must reflect the more stringent law.
 • A statement that other uses and disclosures of PHI will be made only with the patient’s
   written authorization, and that the patient may revoke authorization.
III.) Separate Statements for Certain Uses or Disclosures: If your organization intends to
    engage in any of the following activities, the Notice must include a statement that:
 • Your organization may contact the individual to provide appointment reminders or
   information about treatment alternatives or other health-related benefits and services; or
 • Your organization may contact the individual to raise funds for the covered entity.
IV.) Individual Rights: The Notice must contain a statement of the patient’s rights with
respect to PHI, as well as a description of how the patient may exercise these rights,
including the following:
 • The right to request restrictions on uses and disclosures of PHI, including a statement that
   your organization isn’t required to agree to a requested restriction;
 • The right to receive confidential communications of PHI;
 • The right to inspect and copy PHI;
 • The right to amend PHI;
 • The right to receive an accounting of disclosures of PHI; and
 • The right of an individual to obtain a paper copy of the Notice upon request.

V.) Covered Entity’s Duties: The Notice must contain:
 • A statement that your organization is required by law to maintain the privacy of PHI and
   privacy practices with respect to PHI;


 • A statement that your organization is required to abide by the terms of the Notice currently
   in effect; and
 • A statement that you reserve the right to change the terms of your Notice and to make the
   new Notice provisions effective for all PHI that you maintain. The statement must also
   describe how your organization will provide patients with a revised Notice.
VI.) Complaints: The Notice must contain a statement that patients may complain to your
organization and to the HHS if they believe their privacy rights have been violated, a
description of how the patient may file a complaint and a statement that the patient will not be
retaliated against for filing a complaint.
 • Contact: The Notice must contain the name and telephone number of a person or office to
   contact for further information (typically, this will be your organization’s Privacy Officer).
 • Effective Date: The Notice must contain the date on which it is first in effect, which cannot
   be earlier than the date on which the Notice is printed or otherwise published.
Revisions to the Notice of Privacy Practices
You must revise and distribute your Notice whenever there is a change to the uses or
disclosures, patient rights, your legal duties or other privacy practices described in the
Notice. Except when required by law, a change to any term of the Notice cannot be
implemented prior to the effective date of the Notice in which such change is reflected.
Distribution/Accessibility Requirements
Health care providers must:
 • Provide the Notice no later than the date of the first service delivery, including service
   delivered electronically, to a patient after April 14th, 2003.
 • Receive written acknowledgement from the patient that he/she received a copy of the
   Notice.
   o If acknowledgement can’t be obtained at the time of first service delivery, make
     “good faith efforts” to ensure that the Notice is provided within an appropriate
     timeframe.
 • If your organization maintains a physical service delivery site:
   o Have the Notice available at the service delivery site for individuals to request to take
     with them; and
   o Post the Notice in a clear and prominent location; and
   o Whenever the Notice is revised, make it available upon request on or after the
     effective date of the revision.
Requirements for Electronic Notice of Privacy Practices
 • If your organization maintains a Website that provides information about your customer
   services or benefits, you must post your Notice on the Website.
 • You may provide the Notice to a patient by email, if the patient agrees. If your
   organization is aware that the email transmission has failed, a paper copy of the Notice
   must be provided to the patient.
 • If the first service delivery to a patient is delivered via email, your organization must
   provide the Notice (via email) in response to the patient’s first request for service.
 • Patients who receive electronic versions of the Notice retain the right to obtain a paper
   copy of the Notice from your organization upon request.



3.) DEVELOP AN AUTHORIZATION FORM
Patient authorizations are required for all uses or disclosures of PHI that are made for
purposes other than treatment, payment or health care operations.
A sample Authorization Form is included in the “Sample Forms and Documents” section of
this booklet.

Core Elements and Requirements for the Authorization Form
A valid authorization must contain the following elements:
 • A description of the information to be used or disclosed;
 • The name of the person(s) authorized to make the requested use or disclosure;
 • The name of the person(s) to whom your organization may make the requested use or
   disclosure;
 • An expiration date or event that relates to the patient or the purpose of the use or
   disclosure;
 • A statement of the patient’s right to revoke the authorization and the exceptions to the
   right to revoke;
 • A statement that information used or disclosed pursuant to the authorization may be
   subject to redisclosure by the recipient and no longer be protected by this rule;
 • Signature of the patient and date;
 • If the authorization is signed by a personal representative of the patient, a description of
   such representative’s authority to act for the patient; and
 • The authorization must be written in plain language.
Defective Authorizations
An authorization is not valid if the document has any of the following defects:
 • The expiration date has passed;
 • The authorization has not been filled out completely;
 • The authorization is known by your organization to have been revoked;
 • The authorization lacks a required element; or
 • Any information in the authorization is known by your organization to be false.
Psychotherapy Notes
Your organization must obtain an authorization for any use or disclosure of psychotherapy
notes, except to carry out the following treatment, payment, or health care operations:
 • Use by the originator of the psychotherapy notes for treatment;
 • Use or disclosure by your organization in training programs in which students, trainees or
   practitioners in mental health learn under supervision to practice their skills in group,
   joint, family or individual counseling; or
 • Use or disclosure by your organization to defend a legal action or other proceeding
   brought by the patient.
Compound Authorizations
An authorization for use or disclosure of PHI may not be combined with any other document
to create a compound authorization, except as follows:
 • An authorization for the use or disclosure of PHI created for research that includes
   treatment of the patient may be combined;


 • An authorization for a use or disclosure of psychotherapy notes may only be combined
   with another authorization for a use or disclosure of psychotherapy notes;
 • An authorization, other than an authorization for use or disclosure of psychotherapy
   notes, may be combined with any other authorization, except when your organization has
   conditioned the provision of treatment, payment, enrollment in the health plan or
   eligibility for benefits on the provision of one of the authorizations.
Prohibition on Conditioning of Authorizations
Your organization cannot condition the provision of treatment, payment, enrollment in a
health plan, or eligibility for benefits on the receipt of an authorization, except
under the following circumstances:
 • Your organization may condition the provision of research-related treatment on provision
   of an authorization;
 • Your organization may condition the provision of care that is for the purpose of creating
   PHI for disclosure to a third party on provision of an authorization for the disclosure of
   the PHI to such third party.
Revocation of Authorizations
A patient may revoke an authorization at any time, as long as the revocation is in writing.






4.) DEVELOP A BUSINESS ASSOCIATE CONTRACT
Under the HIPAA Privacy Rule, a business associate is a person or organization that
performs a function or activity on behalf of a covered entity, and has access to PHI in the
course of performing the function or activity, but is not part of the covered entity’s
workforce. A business associate can also be a covered entity in its own right.
Your organization can disclose PHI to business associates under the consent for disclosures,
but only if you receive written agreement that the business associate will preserve the
confidentiality of the PHI. This written agreement is the Business Associate Agreement, and
certain protective clauses are required.

MODEL BUSINESS ASSOCIATE CONTRACT PROVISIONS
On March 27th, 2002, the HHS released model business associate contract provisions as part
of the proposed changes to the Privacy Rule. The Model Provisions are included in the
“Sample Forms and Documents” section of this booklet.
Keep in mind that use of the model provisions is not required for compliance with the
Privacy Rule. The language may be amended to more accurately reflect business
arrangements between your organization and your business associates.
The provisions released by the HHS address requirements identified in the Privacy Rule. The
provisions don’t include many formalities and substantive provisions that are required in a
valid contract, and alone are not sufficient as a binding contract under New Mexico state law.
BUSINESS ASSOCIATE AGREEMENT CHECKLIST
Your organization will need to take the following steps to comply with the Business
Associate Agreement requirement:
 • Create an inventory of potential Business Associates. Sources for this inventory include:
     o Legal Department/Contract Files
     o Interviews or discussions with contract relationship managers
     o Accounts Payable Reports
 • Determine which of the business partners you have identified meet the definition of
   “Business Associate” under HIPAA.
 • Develop a standard Business Associate Agreement for your organization.
 • Develop a cover letter explaining the Business Associate Agreement and mail it with the
   agreements.
 • Develop a follow-up letter and send it if no response is received from business associates
   within a designated timeframe (e.g., 1 month).
 • Develop a process for receiving and recording returned contracts and signed responses.
 • Develop a process for negotiating contractual language with Business Associates who do
   not agree to sign your standard contract.
 • Develop contract review policies and procedures.





Business Associates of Your Organization May Include (but are not limited to):

Accounting Services
Accreditation Services
Attorneys
Billing Service Companies
Board of Directors
Coding Services
Collection Agencies
Computer Maintenance Services
Consultants (risk management, IT, billing, coding, management, etc.)
Copy Services
Document Shredding Services
Durable Medical Equipment Businesses
Health Care Clearinghouses
Interpreter Services (hearing impaired; foreign language)
Marketing Services/Firms
Medical Record Storage Companies
Temporary Staffing Agencies
Third Party Administrators
Transcription Services






5.) DEVELOP “MINIMUM NECESSARY” POLICIES
Covered entities must limit the use and disclosure of PHI to the minimum necessary to carry
out the purpose of the use or disclosure.
Minimum Necessary Uses of PHI
Your organization must identify:
 • Classes of employees in your workforce who need access to PHI to carry out their duties;
 • For each class of employee, the category of PHI to which access is needed.
Your organization must then make reasonable efforts to limit the access of PHI by members
of your workforce, based upon the PHI each job class needs to carry out their job functions.
Minimum Necessary Disclosures of PHI
For any type of disclosure that your organization makes on a regular basis, you must
implement policies and procedures that limit the PHI disclosed to the amount necessary to
achieve the purpose of the disclosure.
For all other disclosures, your organization must:
 • Develop criteria to limit the PHI disclosed to the level of information necessary to
   accomplish the purpose for which disclosure is sought; and
 • Review requests for disclosure on an individual basis.
Your organization may rely, if such reliance is reasonable under the circumstances, on a
requested disclosure as the minimum necessary for the stated purpose when:
 • Making disclosures to public officials, if the public official represents that the
   information requested is the minimum necessary for the stated purpose(s);
 • The information is requested by another covered entity;
 • The information is requested by a professional who is a member of your workforce or is a
   business associate of your organization for the purpose of providing professional
   services, if the professional represents that the information requested is the minimum
   necessary for the stated purpose(s); or
 • Documentation or representations have been provided by a person requesting the
   information for research purposes.
Minimum Necessary Requests for PHI
Your organization must limit any request that you make to other covered entities for PHI to a
level that is necessary to accomplish the purpose for which the request is made.
For a request that is made on a routine and recurring basis, your organization must implement
policies and procedures that limit the PHI requested to the amount reasonably necessary to
accomplish the purpose for which the request is made.
For all other requests, your organization must review the request to determine that the PHI
sought is limited to the information reasonably necessary to accomplish the purpose for
which the request is made.
Other Content Requirements
Your organization may not use, disclose or request an entire medical record, except when the
entire medical record is specifically justified as the amount that is necessary to accomplish
the purpose of the use, disclosure or request.
This report is intended to provide guidance and direction. This document does not confer, guarantee or create HIPAA
compliance. The information contained in this document is not intended as legal advice. A qualified attorney should be
consulted prior to the modification and/or implementation of policies, procedures and contracts.
                                                                                                              36


6.) DEVELOP POLICIES & PROCEDURES TO RESPOND TO PATIENT REQUESTS
Covered providers must permit patients to request to inspect, copy, and amend their PHI and
medical records.
Although HIPAA establishes a new level of patients’ rights, the Privacy Rule includes
provisions under which health care providers can deny patient requests.
A patient’s right to obtain access to his/her PHI can be denied if the disclosure is:
  • A disclosure of psychotherapy notes
  • Subject to or exempt from the Clinical Laboratory Improvements Amendments of 1988
  • Detrimental to the health or safety of an inmate or other inmates or individuals
    responsible for the inmate or affiliated with the inmate
  • Subject to Privacy Act requirements
  • Reasonably likely to endanger the life or physical safety of the individual or another
    person
  • Likely to cause harm to another individual
  • Of confidential information that would be likely to reveal the source
  • Clinical trial information
  • Of information compiled for a legal proceeding
A patient’s right to request amendments and corrections of his/her PHI can be denied if:
  • After a reasonable review, your organization determines that it did not create the
    information at issue
  • The information is not part of the specified information that is available for inspection
    or copying under HIPAA
  • The information is accurate and complete
  • The erroneous or incomplete information would not adversely affect the individual

7.) DEVELOP A PRIVACY TRAINING PROGRAM
Your organization must train your entire workforce about your specific HIPAA Privacy
policies and procedures.
Your organization must provide HIPAA Privacy training:
  • To each member of your workforce by no later than April 14th, 2003;
  • Thereafter, to each new member of your workforce within a reasonable period of time
    after the person joins the workforce; and
  • To each member of your workforce whose functions are affected by a change in
    Privacy policies or procedures, within a reasonable period of time after the change
    becomes effective.

8.) RESPOND TO PRIVACY INFRACTIONS
Your organization must develop and apply appropriate sanctions against employees who fail
to comply with privacy policies and procedures.

9.) MAINTAIN RECORDS OF HIPAA COMPLIANCE
Your organization must be prepared to submit compliance reports if requested by the HHS.
Although such a request is unlikely, it is sensible from a risk management standpoint that
health care organizations be able to document their privacy practices.11
According to HIPAA, your organization must:
 • Maintain your privacy policies and procedures in written or electronic form;
 • Maintain your privacy documents and forms (e.g., Notice of Privacy Practices,
   Authorization Form) in written or electronic form;
 • Maintain documentation of actions or activities relating to privacy (e.g., workforce
   training) in written or electronic form.

Retention Period
Your organization must retain documentation for six years from the date of its creation or the
date when it last was in effect, whichever is later.

              HIPAA PRIVACY IMPLEMENTATION CHECKLIST

 TASK                                                          SUGGESTED TIMELINE

 1. Appoint a Privacy Officer                                  Month 1
 2. Develop a Notice of Privacy Practices                      Months 2-3
 3. Develop a Patient Authorization Form                       Months 2-3
 4. Develop Policies & Procedures                              Months 3-7
 5. Develop and Finalize Business Associate Agreements         Months 1-11
 6. Develop a HIPAA Training Program for your Workforce        Months 7-11

                   HIPAA PRIVACY POLICY & PROCEDURE CHECKLIST
   • Minimum Necessary Use
     o Ensure that staff members only have access to the PHI they need.

   • Minimum Necessary Disclosures
     o For Routine/Recurring Disclosures – Policy and procedure required; recommend
       periodic audits
     o For Non-Routine/Recurring Disclosures – Include criteria to limit disclosure,
       procedure for reviewing requests

   • Minimum Necessary Requests by Other Covered Entities

   • De-identification of Health Information

   • Patient Privacy Complaints

   • Workforce Training

   • Workforce Sanctions

   • Marketing and Fundraising

   • Release of Information

   • Patient Requests for Amendments to Medical Records

   • Patient Requests for Access and Copies of Medical Records

   • Patient Requests for Restrictions on the Use/Disclosure of PHI for T/P/O

   • Notice of Privacy Practices and Authorizations

   • Business Associate Contract Termination

                                                  SECURITY
The Security Rule was finalized on February 20th, 2003, giving covered entities a compliance
deadline of April 21st, 2005. The function of the Security Rule is to ensure the
confidentiality, integrity and availability of all electronic PHI that your organization creates,
receives, maintains or transmits, and to protect PHI against any reasonably anticipated
security threats or hazards.

The Security and Privacy Standards are complementary to each other, since security
policies, procedures and technologies will be required to keep PHI confidential. However,
security should not be confused with privacy and confidentiality. Privacy refers to the right
of individuals to control their PHI and to not have it divulged or used by others against their
wishes. Security applies to the spectrum of physical, technical and administrative
safeguards that are implemented to protect PHI.12

The intent of the Security Rule is to ensure that PHI cannot be altered, misused or destroyed -
intentionally or accidentally - while being electronically transmitted or stored. Thus,
compliance will require appropriate technological measures and physical security safeguards
to maintain the security of PHI. In addition, the Security Rule will require changes in
workforce behavior by altering existing and/or implementing new administrative procedures,
policies, workforce training and record-keeping practices.

HIPAA Security standards have been designed to be scalable. The standards are technology-
independent in order to address the individual circumstances of health care organizations,
and to allow for advances in technology. It is up to your organization to implement
technologies appropriate to your exposure and level of risk.

            HIPAA SECURITY IMPLEMENTATION REQUIREMENTS
The Security Rule requires health care organizations that engage in electronic maintenance or
transmission of health information to assess their security needs and risks and devise,
implement and maintain appropriate security measures to address their business
requirements.
These measures include:
        • Administrative Safeguards – Documented, formal practices to manage the
          selection and execution of security measures.
        • Physical Safeguards – Protection of computer systems, buildings and equipment
          that store or transmit PHI from hazards and intrusion.
        • Technical Safeguards – Processes that protect and monitor information access,
          and prevent unauthorized access to data that is transmitted over a network.

The standards identified in the Security Rule are classified as either “Required” or
“Addressable”. Required [R] standards must be implemented by all covered entities.
However, an Addressable [A] standard is one for which covered entities must assess
whether the standard is a reasonable and appropriate safeguard in their environment, when
analyzed with reference to the likely contribution to protecting the entity's electronic PHI.
If you determine that one or more of the Addressable standards are not reasonable or
appropriate for your organization, you must document why it would not make sense to
implement the standard, and implement an equivalent alternative measure (if reasonable and
appropriate). If neither the Addressable standard nor a reasonable alternative is implemented,
you must document why the standard is not applicable to your organization’s environment.
In deciding which Addressable security measures to implement and utilize, covered entities
should consider the following factors:
     • The size, complexity and capabilities of their organization.
     • Their technical infrastructure, hardware and software security capabilities.
     • What security measures are already in place.
     • The costs of implementing security measures.
     • The probability and criticality of potential risks to electronic PHI.

                                   ADMINISTRATIVE SAFEGUARDS
 Documented, formal practices to manage the selection and execution of security measures.

               REQUIRED = [R]                                      ADDRESSABLE = [A]
Security Management Process – Covered entities must implement policies and procedures
to prevent, detect, contain and correct security violations. As part of this process, covered
entities must take the following steps:
     • Risk Analysis [R] – Conduct an accurate and thorough assessment of the potential
       risks and vulnerabilities to the confidentiality, integrity and availability of
       electronic PHI.
     • Risk Management [R] – Implement security measures sufficient to reduce risks
       and vulnerabilities to a reasonable and appropriate level.
     • Sanction Policy [R] – Apply appropriate sanctions against workforce members
       who fail to comply with security policies and procedures.
     • Information System Activity Review [R] – Implement procedures to regularly
       review records of information system activity (for example, audit logs, access
       reports and security incident tracking reports).
Assigned Security Responsibility [R] - Just as covered entities are required to appoint a
Privacy Officer, covered entities must also identify a Security Official who will be
responsible for the development and implementation of security policies and procedures.
Workforce Security – Covered entities must implement policies and procedures to ensure
that all members of their workforce have appropriate access to electronic PHI, and to prevent
workforce members who should not have access from obtaining access to electronic PHI.
Covered entities may need to take the following steps to ensure that this requirement is
addressed:
     • Authorization and/or Supervision [A] – Implement procedures for the
       authorization and/or supervision of workforce members who work with electronic
       PHI, or in locations where it might be accessed.
     • Workforce Clearance Procedure [A] – Implement procedures to determine that
       the access of a workforce member to electronic PHI is appropriate.
     • Termination Procedures [A] – Implement procedures for terminating access to
       electronic PHI when the employment of a workforce member ends (for example,
       revoking passwords and removing keys).
Information Access Management – Covered entities must implement policies and
procedures for authorizing appropriate access to electronic PHI by doing the following:
     • Isolating Health Care Clearinghouse Functions [R] – If a clearinghouse is part
       of a larger organization, the clearinghouse must implement policies and
       procedures that protect electronic PHI from unauthorized access by the larger
       organization.
     • Access Authorization [A] – Implement policies and procedures for granting access
       to electronic PHI (for example, access to workstations, transactions, programs,
       processes or other mechanisms).
     • Access Establishment and Modification [A] – Implement policies and procedures
       that, based upon the entity's access authorization policies, establish, document,
       review and modify a user's right of access to a workstation, transaction, program
       or process.
Security Awareness and Training – Just as the Privacy Rule requires workforce training,
the Security Rule requires that covered entities implement a security awareness and training
program for all members of their workforce that covers the following:
     • Security Reminders [A] – Periodic security updates as needed.
     • Protection from Malicious Software [A] – Procedures for guarding against,
       detecting and reporting malicious software (for example, computer viruses,
       worms, etc.).
     • Log-in Monitoring [A] – Procedures for monitoring log-in attempts and reporting
       discrepancies.
     • Password Management [A] – Procedures for creating, changing and safeguarding
       passwords.
Security Incident Procedures – Covered entities are required to implement policies and
procedures to address security incidents, as follows:
     • Response and Reporting [R] – Identify and respond to suspected or known
       security incidents; mitigate, to the extent practicable, harmful effects of security
       incidents that are known to the covered entity; and document security incidents
       and their outcomes.
Contingency Plan – Covered entities must establish and implement policies and procedures
for responding to emergencies or other occurrences (for example: fire, vandalism, system
failure, natural disaster) that can damage systems that contain electronic PHI.
     • Data Backup Plan [R] – Establish and implement procedures to create and
       maintain retrievable exact copies of electronic PHI.
     • Disaster Recovery Plan [R] – Establish and implement procedures to restore any
       loss of data.
     • Emergency Mode Operation Plan [R] – Establish and implement procedures to
       enable continuation of critical business processes for protection of the security of
       electronic PHI while operating in emergency mode.
     • Testing and Revision Procedure [A] – Implement procedures for periodic testing
       and revision of contingency plans.
     • Applications and Data Criticality Analysis [A] – Assess the relative criticality of
       specific applications and data in support of other contingency plan components.
Evaluation [R] – Covered entities must perform periodic technical and non-technical
evaluations, based initially upon the standards implemented under the Security Rule, and
subsequently in response to environmental or operational changes affecting the security of
electronic PHI, that establish the extent to which the entity's security policies and procedures
meet the requirements of the Security Rule.

Business Associate Contracts and Other Arrangements [R] – A covered entity may permit
business associates to create, receive, maintain or transmit electronic PHI on the covered
entity's behalf only if the covered entity obtains satisfactory assurances that the business
associates will appropriately safeguard the information.
The contract between a covered entity and a business associate must provide that the business
associate will:
     • Implement administrative, physical and technical safeguards that reasonably and
       appropriately protect the confidentiality, integrity, and availability of the
       electronic PHI that it creates, receives, maintains, or transmits on behalf of the
       covered entity;
     • Ensure that any agent, including a subcontractor, to whom it provides electronic
       PHI agrees to implement reasonable and appropriate safeguards to protect it;
     • Report to the covered entity any security incident of which it becomes aware;
     • Authorize termination of the contract by the covered entity, if the covered entity
       determines that the business associate has violated a material term of the contract.

                                        PHYSICAL SAFEGUARDS
      Protection of computer systems, buildings and equipment that store or transmit PHI
                                 from hazards and intrusion.

          REQUIRED = [R]                                           ADDRESSABLE = [A]
Facility Access Controls – Covered entities must implement policies and procedures to
limit physical access to their electronic information systems and the facilities in which they
are housed, while ensuring that properly authorized access is allowed.
     • Contingency Operations [A] – Establish and implement procedures that allow
       facility access in support of restoration of lost data under the disaster recovery
       plan and emergency mode operations plan.
     • Facility Security Plan [A] – Implement policies and procedures to safeguard
       facilities and equipment from unauthorized physical access, tampering and theft.
     • Access Control and Validation Procedures [A] – Implement procedures to control
       and validate a person's access to facilities based on their role or function
       (including visitor control), and control of access to software programs for testing
       and revision.
     • Maintenance Records [A] – Implement policies and procedures to document
       repairs and modifications to the physical components of a facility that are related
       to security (for example: hardware, walls, doors and locks).

Workstation Use [R] – Covered entities are required to implement policies and procedures
that specify the proper functions to be performed, the manner in which those functions are to
be performed, and the physical attributes of the surroundings of workstations that can access
electronic PHI.

Workstation Security [R] – Covered entities must implement physical safeguards for all
workstations that access electronic PHI that will allow access to workstations by authorized
users only.

Device and Media Controls – The Security Rule requires that covered entities implement
policies and procedures to govern the receipt and removal of hardware and electronic media
that contain electronic PHI in and out of a facility, and the movement of these items within
the facility.
     • Disposal [R] – Implement policies and procedures to address the final disposition
       of electronic PHI, and/or the hardware or electronic media on which it is stored.
     • Media Re-Use [R] – Implement procedures for removal of electronic PHI from
       electronic media before the media are made available for re-use.
     • Accountability [A] – Maintain a record of the movements of hardware and
       electronic media and any person responsible therefore.
     • Data Backup and Storage [A] – Create a retrievable, exact copy of electronic PHI
       before movement of equipment.

                                       TECHNICAL SAFEGUARDS
Processes that protect and monitor information access, and prevent unauthorized access
                       to data that is transmitted over a network.

             REQUIRED = [R]                                          ADDRESSABLE = [A]
Access Controls – Covered entities must implement technical policies and procedures for
electronic information systems that maintain electronic PHI that will allow access only to
people or software programs that have been granted access rights.
     • Unique User Identification [R] – Assign a unique name and/or number for
       identifying and tracking user identity.
     • Emergency Access Procedure [R] – Establish and implement procedures for
       obtaining necessary electronic PHI during an emergency.
     • Automatic Logoff [A] – Implement electronic procedures that terminate an
       electronic session after a predetermined time of inactivity.
     • Encryption and Decryption [A] – Implement a mechanism to encrypt and decrypt
       electronic PHI.

Audit Controls [R] – Covered entities are required to implement hardware, software and/or
procedural mechanisms that record and examine activity in information systems that contain
or use electronic PHI.

Integrity – Covered entities must implement policies and procedures to protect electronic
PHI from improper alteration or destruction by implementing the following addressable
requirement:
     • Mechanism to Authenticate Electronic PHI [A] – Implement electronic
       mechanisms to corroborate that electronic PHI has not been altered or destroyed
       in an unauthorized manner (for example, error-correcting memory and magnetic
       disc storage, digital signatures, checksum technology, etc.).

Person or Entity Authentication [R] – The Security Rule requires that covered entities
implement procedures to verify that a person or entity seeking access to electronic PHI is
actually the one claimed (for example, biometric identification systems, password systems,
PIN systems, telephone callbacks, token systems (such as smart cards) that use physical
devices for user identification, etc.).

Transmission Security – Covered entities must implement technical security measures to
guard against unauthorized access to electronic PHI that is being transmitted over an
electronic communications network.
     • Integrity Controls [A] – Implement security measures to ensure that electronically
       transmitted electronic PHI is not improperly modified without detection until
       disposed of.
     • Encryption [A] – Implement a mechanism to encrypt electronic PHI whenever the
       risk analysis shows risk to be significant.
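The minimum necessary rules from the Privacy section and the technical safeguards listed above meet in the code that hands out electronic PHI. This added example is not from the desk reference or from any HIPAA product; it is a constructed access layer showing unique user identification, a role-to-PHI-category map that enforces minimum necessary use, a keyed-hash integrity tag checked before release (Mechanism to Authenticate Electronic PHI), an inactivity timeout (Automatic Logoff) and an audit trail (Audit Controls). All role names, the key and the patient record are constructed for illustration.

```python
import hashlib
import hmac
import json
import time
from dataclasses import dataclass

# Minimum necessary use: each workforce class is mapped to the categories of
# PHI (modelled here as record fields) its duties require.  Constructed roles.
ROLE_PHI_CATEGORIES = {
    "front_desk": {"patient_id", "name", "appointment"},
    "billing_clerk": {"patient_id", "name", "insurance_id", "procedure_codes"},
    "treating_clinician": {"patient_id", "name", "diagnosis", "medications",
                           "procedure_codes"},
}

# Constructed demo key; a real deployment would load it from a key store.
INTEGRITY_KEY = b"constructed-demo-key-not-for-production"
# Automatic logoff: inactivity threshold (15 minutes, a constructed value).
INACTIVITY_LIMIT_SECONDS = 15 * 60

AUDIT_LOG = []  # audit controls: every access attempt, allowed or denied, lands here


def integrity_tag(record):
    """Mechanism to authenticate ePHI: keyed SHA-256 over canonical JSON."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(INTEGRITY_KEY, canonical, hashlib.sha256).hexdigest()


def verify_integrity(record, tag):
    """Constant-time comparison; any altered field changes the tag."""
    return hmac.compare_digest(integrity_tag(record), tag)


@dataclass
class Session:
    user_id: str          # unique user identification, never a shared account
    role: str             # workforce class from ROLE_PHI_CATEGORIES
    last_activity: float  # epoch seconds of the last action

    def is_expired(self, now):
        return now - self.last_activity > INACTIVITY_LIMIT_SECONDS


class AccessDenied(Exception):
    pass


def audit(user_id, action, patient_id, outcome, detail=""):
    """Append one audit record; Information System Activity Review reads this log."""
    entry = {"ts": time.time(), "user": user_id, "action": action,
             "patient": patient_id, "outcome": outcome, "detail": detail}
    AUDIT_LOG.append(entry)
    return entry


def access_record(session, stored, now=None):
    """Release only the fields the session's role needs; refuse on logoff or tampering.

    stored is {"record": {...}, "tag": "<hex>"} as written by store_record().
    """
    now = time.time() if now is None else now
    record = stored["record"]
    patient_id = record.get("patient_id", "?")
    if session.is_expired(now):
        audit(session.user_id, "read", patient_id, "denied", "session expired")
        raise AccessDenied("automatic logoff: session inactive too long")
    session.last_activity = now
    if not verify_integrity(record, stored["tag"]):
        audit(session.user_id, "read", patient_id, "denied", "integrity check failed")
        raise AccessDenied("record failed integrity check; do not release")
    allowed = ROLE_PHI_CATEGORIES.get(session.role)
    if allowed is None:
        audit(session.user_id, "read", patient_id, "denied", "unknown role")
        raise AccessDenied("no access rights granted for role %r" % session.role)
    released = {k: v for k, v in record.items() if k in allowed}
    withheld = sorted(set(record) - allowed)
    audit(session.user_id, "read", patient_id, "allowed", "withheld=%s" % withheld)
    return released


def store_record(record):
    """Attach the integrity tag when the record is written (constructed storage format)."""
    return {"record": dict(record), "tag": integrity_tag(record)}


def sample_store():
    """Constructed patient record for the demonstration."""
    return store_record({
        "patient_id": "P-0001", "name": "Example Patient",
        "appointment": "2003-04-14 09:00", "insurance_id": "INS-12345",
        "procedure_codes": ["99213"], "diagnosis": "constructed",
        "medications": ["constructed"],
    })


if __name__ == "__main__":
    stored = sample_store()
    clerk = Session("jdoe", "billing_clerk", last_activity=time.time())
    print(access_record(clerk, stored))  # no diagnosis or medications released
    stored["record"]["diagnosis"] = "altered"  # simulate unauthorized modification
    try:
        access_record(clerk, stored)
    except AccessDenied as e:
        print("denied:", e)
    for entry in AUDIT_LOG:
        print(entry["user"], entry["outcome"], entry["detail"])
```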

             HIPAA SECURITY IMPLEMENTATION CHECKLIST
                                       TASK
1. Develop and execute an assessment plan
     • Gather baseline information on your organization’s:
              o Hardware, software, networks
              o Policies, procedures, practices
              o Business Associate agreements
              o Data location/access/flow/ranking

2. Gap analysis
     • Evaluate all hardware and software for possible impacts on security
     • Compare findings to Security requirements
     • Identify and document gaps

3. Develop a strategy and plan for remediation
     • Assess risks for identified gaps and prioritize tasks for compliance
     • Identify project budget and staffing based on gaps

4. Remediation / Implementation
     • Implement Information Security Policies & Procedures
     • Establish and monitor a Security awareness training program
     • Enhance access control systems
     • Develop a disaster recovery and contingency planning program
     • Develop and implement Chain of Trust Agreements with your Business Partners

5. Periodic Follow-up Audit & Assessment
     • Certify that your systems are compliant with Security Regulations
     • Establish a security testing and evaluation program
     • Develop a security audit program

               HIPAA SECURITY POLICY & PROCEDURE CHECKLIST
   • Workforce Sanctions – Sanctions against workforce members who fail to comply with
     security policies and procedures.
   • Information System Activity Review – Procedures to regularly review records of information
     system activity (e.g., audit logs, access reports, security incident tracking reports).
   • Workforce Authorization and/or Supervision – Procedures for authorization/supervision of
     workforce members who work with electronic PHI, or in locations where it might be accessed.
   • Workforce Clearance – Procedures to determine the appropriate PHI access level for categories
     of workforce members.
   • Employment Termination Procedures – Procedures for terminating access to electronic PHI
     when the employment of a workforce member ends.
   • Information Access Authorization – Policies and procedures for granting access to electronic
     PHI.
   • Information Access Establishment and Modification – Policies and procedures that
     document a user's right of access to a workstation, transaction, program or process.
   • Security Awareness and Workforce Training – Policies and procedures to ensure that your
     workforce is trained on appropriate security subject matter.
   • Security Incident Response and Reporting – Procedures to identify and respond to incidents,
     mitigate harmful effects of security incidents and document security incidents and their
     outcomes.
   • Business Associate Policies and Procedures – Procedures for contract termination.
   • Contingency Operations – Procedures that allow facility access in support of restoration of
     lost data under the disaster recovery plan and emergency mode operations plan.
   • Facility Security – Policies and procedures to safeguard facilities and equipment from
     unauthorized physical access, tampering and theft.
   • Access Control and Validation Procedures – Procedures to control and validate a person's
     access to facilities based on their role or function, and control of access to software programs
     for testing and revision.
   • Equipment Maintenance Records – Policies and procedures to document repairs and
     modifications to the physical components of a facility that are related to security.
   • Workstation Use – Policies and procedures that specify the proper functions to be performed,
     the manner in which those functions are to be performed and the physical attributes of the
     surroundings of workstations that can access electronic PHI.
   • Electronic Media and PHI Disposal – Policies and procedures to address the disposition of
     electronic PHI, and/or the hardware or electronic media on which it is stored.
   • Electronic Media Re-Use – Procedures for removal of electronic PHI from electronic media
     before the media are made available for re-use.
   • Emergency Access to PHI – Procedures for obtaining electronic PHI during an emergency.
   • Person or Entity Authentication – Procedures to verify that a person or entity seeking access
     to electronic PHI is actually the one claimed.

    This report is intended to provide guidance and direction. This document does not confer, guarantee or create HIPAA
    compliance. The information contained in this document is not intended as legal advice. A qualified attorney should be
    consulted prior to the modification and/or implementation of policies, procedures and contracts.
                                                                                                                  50


• Data Backup Plan - Procedures to create and maintain retrievable exact copies of electronic
  PHI.
• Disaster Recovery Plan - Procedures to restore any loss of data resulting from disaster
  situations.
• Emergency Mode Operation Plan - Procedures to enable continuation of business processes
  for protection of electronic PHI while operating in emergency mode.
• Contingency Plan Testing and Revision Procedure - Procedures for periodic testing and
  revision of contingency plans.








                  SAMPLE FORMS & DOCUMENTS






                                     NOTICE OF PRIVACY PRACTICES

  (Note: The following sample Notice of Privacy Practices form was developed by the American Medical
  Association. The form can also be accessed at http://www.ama-assn.org/ama/pub/category/6699.html. This form is
  based on current federal law and subject to change based on changes in federal law or subsequent interpretative
  guidance. This form is based on federal law and must be modified to reflect state law where that state law is more
  stringent than the federal law or other state law exceptions apply.)

                                              [Organization Name]
                                            Notice of Privacy Practices
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED
    AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
          If you have any questions about this Notice, please contact: [Name of Privacy Contact]
  This Notice of Privacy Practices describes how we may use and disclose your protected health
  information to carry out treatment, payment or health care operations and for other purposes that are
  permitted or required by law. It also describes your rights to access and control your protected health
  information. "Protected health information" (PHI) is information about you, including demographic
  information, that may identify you and that relates to your past, present or future physical or mental
  health or condition and related health care services.
  We are required to abide by the terms of this Notice of Privacy Practices. We may change the terms
  of our notice, at any time. The new notice will be effective for all protected health information that
  we maintain at that time. Upon your request, we will provide you with any revised Notice of Privacy
  Practices by [accessing our website at (website address)], calling the office and requesting that a
  revised copy be sent to you in the mail or asking for one at the time of your next appointment.
  1. Uses and Disclosures of Protected Health Information
  Uses and Disclosures of Protected Health Information
  Your protected health information may be used and disclosed by your physician, our office staff and
  others outside of our office that are involved in your care and treatment for the purpose of providing
  health care services to you. Your PHI may also be used and disclosed to pay your health care bills and
  to support the operation of the physician’s practice.
  Following are examples of the types of uses and disclosures of your PHI that the physician’s office is
  permitted to make. These examples are not meant to be exhaustive, but to describe the types of uses
  and disclosures that may be made by our office.
  Treatment: We will use and disclose your PHI to provide, coordinate, or manage your health care and
  any related services. This includes the coordination or management of your health care with a third
  party that has already obtained your permission to have access to your PHI. For example,
  we would disclose your PHI, as necessary, to a home health agency that provides care to you. We will
  also disclose PHI to other physicians who may be treating you. For example, your PHI may be
  provided to a physician to whom you have been referred to ensure that the physician has the
  necessary information to diagnose or treat you.
  In addition, we may disclose your PHI from time-to-time to another physician or health care provider
  (e.g., a specialist or laboratory) who, at the request of your physician, becomes involved in your care
  by providing assistance with your health care diagnosis or treatment to your physician.
  Payment: Your PHI will be used, as needed, to obtain payment for your health care services. This
  may include certain activities that your health insurance plan may undertake before it approves or
  pays for the health care services we recommend for you, such as: making a determination of eligibility
or coverage for insurance benefits, reviewing services provided to you for medical necessity, and
undertaking utilization review activities. For example, obtaining approval for a hospital stay may
require that your relevant PHI be disclosed to the health plan to obtain approval for the hospital
admission.
Healthcare Operations: We may use or disclose, as needed, your PHI in order to support the
business activities of your physician’s practice. These activities include, but are not limited to, quality
assessment activities, employee review activities, training of medical students, licensing, marketing
and fundraising activities, and conducting or arranging for other business activities.
For example, we may disclose your PHI to medical school students that see patients at our office. In
addition, we may use a sign-in sheet at the registration desk where you will be asked to sign your
name and indicate your physician. We may also call you by name in the waiting room when your
physician is ready to see you. We may use or disclose your PHI, as necessary, to contact you to
remind you of your appointment.
We will share your PHI with third party "business associates" that perform various activities (e.g.,
billing, transcription services) for the practice. Whenever an arrangement between our office and a
business associate involves the use or disclosure of your PHI, we will have a written contract that
contains terms that will protect the privacy of your PHI.
We may use or disclose your demographic information and the dates that you received treatment from
your physician, as necessary, in order to contact you for fundraising activities supported by our office.
If you do not want to receive these materials, please contact our Privacy Contact and request that
these fundraising materials not be sent to you.
Uses and Disclosures of Protected Health Information Based upon Your Written Authorization
Other uses and disclosures of your PHI will be made only with your written authorization, unless
otherwise permitted or required by law as described below. You may revoke this authorization, at any
time, in writing, except to the extent that your physician or the physician’s practice has taken an
action in reliance on the use or disclosure indicated in the authorization.
Other Permitted and Required Uses and Disclosures That May Be Made With Your
Authorization or Opportunity to Object
We may use and disclose your PHI in the following instances. You have the opportunity to agree or
object to the use or disclosure of all or part of your PHI. If you are not present or able to agree or
object to the use or disclosure of the PHI, then your physician may, using professional judgment,
determine whether the disclosure is in your best interest. In this case, only the PHI that is relevant to
your health care will be disclosed.
Facility Directories: Unless you object, we will use and disclose in our facility directory your name,
the location at which you are receiving care, your condition (in general terms), and your religious
affiliation. All of this information, except religious affiliation, will be disclosed to people that ask for
you by name. Members of the clergy will be told your religious affiliation.
Others Involved in Your Healthcare: Unless you object, we may disclose to a member of your
family, a relative, a close friend or any other person you identify, your PHI that directly relates to that
person’s involvement in your health care. If you are unable to agree or object to such a disclosure, we
may disclose such information as necessary if we determine that it is in your best interest based on
our professional judgment. We may use or disclose PHI to notify or assist in notifying a family
member, personal representative or any other person that is responsible for your care of your location,
general condition or death. Finally, we may use or disclose your PHI to an authorized public or
private entity to assist in disaster relief efforts and to coordinate uses and disclosures to family or
other individuals involved in your health care.
Other Permitted and Required Uses and Disclosures That May Be Made Without Your
Authorization or Opportunity to Object
We may use or disclose your PHI in the following situations without your authorization. These
situations include:
Required By Law: We may use or disclose your PHI to the extent that the use or disclosure is
required by law. The use or disclosure will be made in compliance with the law and will be limited to
the relevant requirements of the law. You will be notified, as required by law, of any such uses or
disclosures.
Public Health: We may disclose your PHI for public health activities and purposes to a public health
authority that is permitted by law to collect or receive the information. The disclosure will be made
for the purpose of controlling disease, injury or disability. We may also disclose your PHI, if directed
by the public health authority, to a foreign government agency that is collaborating with the public
health authority.
Communicable Diseases: We may disclose your PHI, if authorized by law, to a person who may
have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading
the disease or condition.
Health Oversight: We may disclose PHI to a health oversight agency for activities authorized by
law, such as audits, investigations, and inspections. Oversight agencies seeking this information
include government agencies that oversee the health care system, government benefit programs, other
government regulatory programs and civil rights laws.
Abuse or Neglect: We may disclose your PHI to a public health authority that is authorized by law to
receive reports of child abuse or neglect. In addition, we may disclose your PHI if we believe that you
have been a victim of abuse, neglect or domestic violence to the governmental entity or agency
authorized to receive such information. In this case, the disclosure will be made consistent with the
requirements of applicable federal and state laws.
Food and Drug Administration: We may disclose your PHI to a person or company required by the
FDA to report adverse events, product defects or problems, or biologic product deviations; to track
products; to enable product recalls; to make repairs or replacements; or to conduct post-marketing
surveillance, as required.
Legal Proceedings: We may disclose PHI in the course of any judicial or administrative proceeding,
in response to an order of a court or administrative tribunal (to the extent such disclosure is expressly
authorized), and, under certain conditions, in response to a subpoena, discovery request or other lawful
process.
Law Enforcement: We may also disclose PHI, so long as applicable legal requirements are met, for
law enforcement purposes. These law enforcement purposes include (1) legal processes and otherwise
required by law, (2) limited information requests for identification and location purposes, (3)
pertaining to victims of a crime, (4) suspicion that death has occurred as a result of criminal conduct,
(5) in the event that a crime occurs on the premises of the practice, and (6) medical emergency (not
on the Practice’s premises) and it is likely that a crime has occurred.
Coroners, Funeral Directors, and Organ Donation: We may disclose PHI to a coroner or medical
examiner for identification purposes, determining cause of death or for the coroner or medical
examiner to perform other duties authorized by law. We may also disclose PHI to a funeral director,
as authorized by law, in order to permit the funeral director to carry out their duties. We may disclose
such information in reasonable anticipation of death. PHI may be used and disclosed for cadaveric
organ, eye or tissue donation purposes.


Research: We may disclose your PHI to researchers when their research has been approved by an
institutional review board that has reviewed the research proposal and established protocols to ensure
the privacy of your PHI.
Criminal Activity: Consistent with applicable federal and state laws, we may disclose your PHI, if
we believe that the use or disclosure is necessary to prevent or lessen a serious and imminent threat to
the health or safety of a person or the public. We may also disclose PHI if it is necessary for law
enforcement authorities to identify or apprehend an individual.
Military Activity and National Security: When the appropriate conditions apply, we may use or
disclose PHI of individuals who are Armed Forces personnel (1) for activities deemed necessary by
appropriate military command authorities; (2) for the purpose of a determination by the Department
of Veterans Affairs of your eligibility for benefits, or (3) to a foreign military authority if you are a
member of that foreign military service. We may also disclose your PHI to authorized federal
officials for conducting national security and intelligence activities, including for the provision of
protective services to the President or others legally authorized.
Workers’ Compensation: Your PHI may be disclosed by us as authorized to comply with workers’
compensation laws and other similar legally-established programs.
Inmates: We may use or disclose your PHI if you are an inmate of a correctional facility and your
physician created or received your protected health information in the course of providing care to
you.
Required Uses and Disclosures: Under the law, we must make disclosures to you and when required
by the Secretary of the Department of Health and Human Services to investigate or determine our
compliance with the requirements of Section 164.500 et seq.
2. Your Rights
Following is a statement of your rights with respect to your PHI and a brief description of how you
may exercise these rights.
You have the right to inspect and copy your protected health information. This means you may
inspect and obtain a copy of PHI about you that is contained in a designated record set for as long as
we maintain the PHI. A "designated record set" contains medical and billing records and any other
records that your physician and the practice uses for making decisions about you.
Under federal law, however, you may not inspect or copy the following records: psychotherapy notes;
information compiled in reasonable anticipation of, or use in, a civil, criminal, or administrative
action or proceeding, and protected health information that is subject to law that prohibits access to
PHI. Depending on the circumstances, a decision to deny access may be reviewable. In some
circumstances, you may have a right to have this decision reviewed. Please contact our Privacy
Contact if you have questions about access to your medical record.
You have the right to request a restriction of your protected health information. This means you
may ask us not to use or disclose any part of your PHI for the purposes of treatment, payment or
healthcare operations. You may also request that any part of your PHI not be disclosed to family
members or friends who may be involved in your care or for notification purposes as described in this
Notice of Privacy Practices. Your request must state the specific restriction requested and to whom
you want the restriction to apply.
Your physician is not required to agree to a restriction that you may request. If your physician believes it is
in your best interest to permit use and disclosure of your PHI, your PHI will not be restricted. If your
physician does agree to the requested restriction, we may not use or disclose your PHI in violation of
that restriction unless it is needed to provide emergency treatment. With this in mind, please discuss
any restriction you wish to request with your physician. You may request a restriction by [describe
how patient may obtain a restriction].
You have the right to request to receive confidential communications from us by alternative
means or at an alternative location. We will accommodate reasonable requests. We may also
condition this accommodation by asking you for information as to how payment will be handled or
specification of an alternative address or other method of contact. We will not request an explanation
from you as to the basis for the request. Please make this request in writing to our Privacy Contact.
You may have the right to have your physician amend your protected health information. This
means you may request an amendment of PHI about you in a designated record set for as long as we
maintain this information. In certain cases, we may deny your request for an amendment. If we deny
your request for amendment, you have the right to file a statement of disagreement with us and we
may prepare a rebuttal to your statement and will provide you with a copy of any such rebuttal. Please
contact our Privacy Contact if you have questions about amending your medical record.
You have the right to receive an accounting of certain disclosures we have made, if any, of your
protected health information. This right applies to disclosures for purposes other than treatment,
payment or healthcare operations as described in this Notice of Privacy Practices. It excludes
disclosures we may have made to you, for a facility directory, to family members or friends involved
in your care, or for notification purposes. You have the right to receive specific information regarding
these disclosures that occurred after April 14, 2003. You may request a shorter timeframe. The right
to receive this information is subject to certain exceptions, restrictions and limitations.
You have the right to obtain a paper copy of this notice from us, upon request, even if you have
agreed to accept this notice electronically.
3. Complaints
You may complain to us or to the Secretary of Health and Human Services if you believe your
privacy rights have been violated by us. You may file a complaint with us by notifying our privacy
contact of your complaint. We will not retaliate against you for filing a complaint.
You may contact our Privacy Contact, [Name of Privacy Contact] at (505) XXX-XXXX or [e-mail
address of Privacy Contact] for further information about the complaint process.
This notice was published and becomes effective on [date - no later than April 14, 2003].






           AUTHORIZATION FOR USE OR DISCLOSURE OF INFORMATION
(Note: The following sample authorization form was developed by the American Medical Association. The
form can be accessed on the Internet at http://www.ama-assn.org/ama/pub/category/6900.html. This form is
based on current federal law and subject to change based on changes in federal law or subsequent
interpretative guidance. This form must be modified to reflect state law where that state law is more
stringent than the federal law or other state law exceptions apply.)


I, __________________________________, hereby authorize [Practice Name] to (check those that
apply):
____ Use the following protected health information, and/or

____ Disclose the following protected health information to:
         Name of Receiver: __________________________________________________

         Address of Receiver: ________________________________________________

                                    ________________________________________________

[Describe the information to be used or disclosed, including, but not limited to, descriptors such as
date of service, type of service provided, level of detail to be released, origin of information, etc.]




This protected health information is being used or disclosed for the following purposes:




This authorization shall be in force and effect until [date/event that relates to the patient or the
purpose of the use or disclosure] at which time this authorization to use or disclose this protected
health information expires.
I understand that I have the right to revoke this authorization, in writing, at any time by sending such
written notification to [Name of Privacy Contact] at [office address, phone number or e-mail
address]. I understand that a revocation is not effective to the extent that [Practice Name] has relied
on the use or disclosure of the protected health information.
I understand that information used or disclosed pursuant to this authorization may be subject to re-
disclosure by the recipient and may no longer be protected by federal or state law.
[Practice Name] will not condition my treatment, payment, enrollment in a health plan or eligibility
for benefits (if applicable) on whether I provide authorization for the requested use or disclosure.
I understand that I have the right to:
      • Inspect or copy the protected health information to be used or disclosed as permitted under
        federal law (or state law to the extent the state law provides greater access rights).
      • Refuse to sign this authorization.
[The use or disclosure requested under this authorization will result in direct or indirect remuneration
to the [Practice Name] from a third party.] [If applicable.]
_________________________________________
Signature of Patient or Personal Representative

_______________________________
Date

_________________________________________
Name of Patient or Personal Representative

_________________________________________
Description of Personal Representative’s Authority






      REQUEST FOR CORRECTION/AMENDMENT OF HEALTH INFORMATION
 Note: This sample form was developed by the American Health Information Management Association
 (AHIMA) for discussion purposes. It should not be used without review by legal counsel to ensure
 compliance with local and state laws. The form is also available on the CPRI Website at
 http://www.cpri-host.org/toolkit/toc.html, Section 5.2, Exhibit 5.

Patient name ____________________________________ Date of birth ________________
Patient number ______________________________                       Telephone ____________________
Date of entry to be amended ______________ Type of entry to be amended _____________
Please explain how the entry is incorrect or incomplete. What should the entry state in order to be
more accurate or complete?




Would you like this amendment sent to anyone to whom we may have disclosed information in the
past? If so, please specify the name and address of the organization or individual.




_________________________________________
Signature of Patient or Legal Representative

________________________
Date

Comments of Health Care Practitioner:




________________________________                                         _________________________
Signature of Health Care Practitioner                                    Date






            RECORD OF VERBAL DISCLOSURE OF HEALTH INFORMATION
Note: This sample form was developed by the American Health Information Management Association
(AHIMA) for discussion purposes. It should not be used without review by legal counsel to ensure
compliance with local and state laws. The form is also available on the CPRI Website at http://www.cpri-
host.org/toolkit/toc.html, Section 5.2, Exhibit 7

Patient Name: ______________________________                         Date of Birth: ________________

Patient Number: ____________________________

Date of Disclosure: _______________________                       Time of Disclosure: _____________

Information Disclosed to:

Name: _____________________________________________

Address: ___________________________________________

           ____________________________________________

Telephone Number: ___________________________________


Reason for disclosure: _____________________________________________________


Specific information disclosed:




_______________________________________
Signature of Individual Making Disclosure


_______________________
Date






  REVOCATION OF AUTHORIZATION FOR DISCLOSURE OF HEALTH INFORMATION

Note: This sample form was developed by the American Health Information Management Association
(AHIMA) for discussion purposes. It should not be used without review by legal counsel to ensure
compliance with local and state laws. The form is also available on the CPRI Website at http://www.cpri-
host.org/toolkit/toc.html, Section 5.2, Exhibit 4


1. I hereby revoke authorization to [Provider Name] to disclose information from the health
records of:

Patient name __________________________________                           Date of Birth: _____________

Address: ________________________________________________________________

Telephone: ____________________________

Patient Number: ________________________

covering the period(s) of health care:

From (date) _____________________________ to (date)_______________________

From (date) _____________________________ to (date)_______________________

From (date) _____________________________ to (date)_______________________

From (date) _____________________________ to (date)_______________________

2. I understand that disclosures made in good faith may have already occurred in reliance
upon my previously issued authorization and that this revocation cannot apply retroactively
to such disclosures. I also understand that the disclosure of health information may be
required by law in some instances, such as for the reporting of communicable diseases.

3. The facility, its employees, officers and physicians are hereby released from any legal
responsibility or liability for disclosure of the information I authorized previously.

Signed: __________________________________________
       Signature of Patient or Legal Representative

______________________________________________
Date

______________________________________________
Signature of Witness

______________________________________________
Date


                                   FACSIMILE COVER LETTER
 Note: This sample form was developed by the American Health Information Management
 Association (AHIMA) for discussion purposes. It should not be used without review by legal
 counsel to ensure compliance with local and state laws. The form is also available on the CPRI
 Website at http://www.cpri-host.org/toolkit/toc.html, Section 5.2, Exhibit 6.

[sending facility name]
[address]
[city, state, zip code]
[telephone number]
[facsimile number]

DATE: ______________ TIME: ____________ NUMBER OF PAGES: _____________

TO: ____________________________________________________________________
  (name and facility of authorized receiver)

TELEPHONE: ______________________                           FAX:      ___________________________
           (of receiver)                                              (of receiver)

FROM: _________________________________________________________________
      (name of sender)

TELEPHONE: _______________________                          FAX:      ___________________________
           (of sender)                                                (of sender)
Comments:




*****CONFIDENTIALITY NOTICE*****
The documents accompanying this telecopy transmission contain confidential information
belonging to the sender that is legally privileged. This information is intended only for the use of
the individual or entity named above. The authorized recipient of this information is prohibited
from disclosing this information to any other party and is required to destroy the information after
its stated need has been fulfilled, unless otherwise required by state law.
If you are not the intended recipient, you are hereby notified that any disclosure, copying,
distribution, or action taken in reliance on the contents of these documents is strictly prohibited. If
you have received this telecopy in error, please notify the sender immediately to arrange for
return of these documents.



        MODEL BUSINESS ASSOCIATE CONTRACT PROVISIONS
Note: The model provisions included below are from the proposed NPRM for the Privacy Rule, released on
March 27th, 2002. The proposed changes, including the model provisions for Business Associate Contracts,
are available online at http://www.hhs.gov/ocr/hipaa/. Words or phrases contained in brackets are intended
as either optional language or as instructions to the users of these model provisions and are not intended to
be included in the contractual provisions.

DEFINITIONS (alternative approaches)
Catch-all definition: Terms used, but not otherwise defined, in this Agreement shall have the same
meaning as those terms in 45 CFR 160.103 and 164.501.
Examples of specific definitions:
(a) Business Associate. ``Business Associate'' shall mean [Insert Name of Business Associate].
(b) Covered Entity. ``Covered Entity'' shall mean [Insert Name of Covered Entity].
(c) Individual. ``Individual'' shall have the same meaning as the term ``individual'' in 45 CFR
    164.501 and shall include a person who qualifies as a personal representative in accordance with
    45 CFR 164.502(g).
(d) Privacy Rule. ``Privacy Rule'' shall mean the Standards for Privacy of Individually Identifiable
    Health Information at 45 CFR part 160 and part 164, subparts A and E.
(e) Protected Health Information. ``Protected Health Information'' shall have the same meaning as
    the term ``protected health information'' in 45 CFR 164.501, limited to the information created or
    received by Business Associate from or on behalf of Covered Entity.
(f) Required By Law. ``Required By Law'' shall have the same meaning as the term ``required by
    law'' in 45 CFR 164.501.
(g) Secretary. ``Secretary'' shall mean the Secretary of the Department of Health and Human Services
    or his designee.

Obligations and Activities of Business Associate
(a) Business Associate agrees to not use or further disclose Protected Health Information other than as
permitted or required by the Agreement or as Required By Law.
(b) Business Associate agrees to use appropriate safeguards to prevent use or disclosure of the
Protected Health Information other than as provided for by this Agreement.
(c) Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known
to Business Associate of a use or disclosure of Protected Health Information by Business Associate in
violation of the requirements of this Agreement. [This provision may be included if it is
appropriate for the Covered Entity to pass on its duty to mitigate damages by a Business
Associate.]
(d) Business Associate agrees to report to Covered Entity any use or disclosure of the Protected
Health Information not provided for by this Agreement.
(e) Business Associate agrees to ensure that any agent, including a subcontractor, to whom it provides
Protected Health Information received from, or created or received by Business Associate on behalf
of Covered Entity agrees to the same restrictions and conditions that apply through this Agreement to
Business Associate with respect to such information.
(f) Business Associate agrees to provide access, at the request of Covered Entity, and in the time and
manner designated by Covered Entity, to Protected Health Information in a Designated Record Set, to
Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements
under 45 CFR 164.524. [Not necessary if business associate does not have protected health
information in a designated record set.]
(g) Business Associate agrees to make any amendment(s) to Protected Health Information in a
Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 CFR 164.526 at the
request of Covered Entity or an Individual, and in the time and manner designated by Covered Entity.
[Not necessary if business associate does not have protected health information in a designated
record set.]
(h) Business Associate agrees to make internal practices, books, and records relating to the use and
disclosure of Protected Health Information received from, or created or received by Business
Associate on behalf of, Covered Entity available to the Covered Entity, or at the request of the
Covered Entity to the Secretary, in a time and manner designated by the Covered Entity or the
Secretary, for purposes of the Secretary determining Covered Entity's compliance with the Privacy
Rule.
(i) Business Associate agrees to document such disclosures of Protected Health Information and
information related to such disclosures as would be required for Covered Entity to respond to a
request by an Individual for an accounting of disclosures of Protected Health Information in
accordance with 45 CFR 164.528.
(j) Business Associate agrees to provide to Covered Entity or an Individual, in time and manner
designated by Covered Entity, information collected in accordance with Section [Insert Section
Number in Contract Where Provision (i) Appears] of this Agreement, to permit Covered Entity to
respond to a request by an Individual for an accounting of disclosures of Protected Health Information
in accordance with 45 CFR 164.528.

PERMITTED USES AND DISCLOSURES BY BUSINESS ASSOCIATE
General Use and Disclosure Provisions (alternative approaches)
Specify purposes:
Except as otherwise limited in this Agreement, Business Associate may use or disclose Protected
Health Information on behalf of, or to provide services to, Covered Entity for the following purposes,
if such use or disclosure of Protected Health Information would not violate the Privacy Rule if done
by Covered Entity: [List Purposes].
Refer to underlying services agreement:
Except as otherwise limited in this Agreement, Business Associate may use or disclose Protected
Health Information to perform functions, activities, or services for, or on behalf of, Covered Entity as
specified in [Insert Name of Services Agreement], provided that such use or disclosure would not
violate the Privacy Rule if done by Covered Entity.

SPECIFIC USE AND DISCLOSURE PROVISIONS [only necessary if parties wish to allow Business
Associate to engage in such activities]
(a) Except as otherwise limited in this Agreement, Business Associate may use Protected Health
Information for the proper management and administration of the Business Associate or to carry out
the legal responsibilities of the Business Associate.
(b) Except as otherwise limited in this Agreement, Business Associate may disclose Protected Health
Information for the proper management and administration of the Business Associate, provided that
disclosures are required by law, or Business Associate obtains reasonable assurances from the person
to whom the information is disclosed that it will remain confidential and used or further disclosed
only as required by law or for the purpose for which it was disclosed to the person, and the person
notifies the Business Associate of any instances of which it is aware in which the confidentiality of
the information has been breached.
(c) Except as otherwise limited in this Agreement, Business Associate may use Protected Health
Information to provide Data Aggregation services to Covered Entity as permitted by 42 CFR
164.504(e)(2)(i)(B).

OBLIGATIONS OF COVERED ENTITY
Provisions for Covered Entity to Inform Business Associate of Privacy Practices and Restrictions
[provisions dependent on business arrangement]
(a) Covered Entity shall provide Business Associate with the notice of privacy practices that Covered
Entity produces in accordance with 45 CFR 164.520, as well as any changes to such notice.
(b) Covered Entity shall provide Business Associate with any changes in, or revocation of, permission
by Individual to use or disclose Protected Health Information, if such changes affect Business
Associate's permitted or required uses and disclosures.
(c) Covered Entity shall notify Business Associate of any restriction to the use or disclosure of
Protected Health Information that Covered Entity has agreed to in accordance with 45 CFR 164.522.

PERMISSIBLE REQUESTS BY COVERED ENTITY
Covered Entity shall not request Business Associate to use or disclose Protected Health Information
in any manner that would not be permissible under the Privacy Rule if done by Covered Entity.
[Include an exception if the Business Associate will use or disclose protected health information
for, and the contract includes provisions for, data aggregation or management and
administrative activities of Business Associate].

TERM AND TERMINATION
(a) Term. The Term of this Agreement shall be effective as of [Insert Effective Date], and shall
terminate when all of the Protected Health Information provided by Covered Entity to Business
Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or
returned to Covered Entity, or, if it is infeasible to return or destroy Protected Health Information,
protections are extended to such information, in accordance with the termination provisions in this
Section.
(b) Termination for Cause. Upon Covered Entity's knowledge of a material breach by Business
Associate, Covered Entity shall provide an opportunity for Business Associate to cure the breach or
end the violation and terminate this Agreement [and the ___ Agreement/ sections ___ of the ___
Agreement] if Business Associate does not cure the breach or end the violation within the time
specified by Covered Entity, or immediately terminate this Agreement [and the
____Agreement/sections ___ of the ___ Agreement] if Business Associate has breached a material
term of this Agreement and cure is not possible. [Bracketed language in this provision may be
necessary if there is an underlying services agreement. Also, opportunity to cure is permitted,
but not required, by the Privacy Rule.]

(c) Effect of Termination.
(1) Except as provided in paragraph (2) of this section, upon termination of this Agreement, for any
reason, Business Associate shall return or destroy all Protected Health Information received from
Covered Entity, or created or received by Business Associate on behalf of Covered Entity. This
provision shall apply to Protected Health Information that is in the possession of subcontractors or
agents of Business Associate. Business Associate shall retain no copies of the Protected Health
Information.
(2) In the event that Business Associate determines that returning or destroying the Protected Health
Information is infeasible, Business Associate shall provide to Covered Entity notification of the
conditions that make return or destruction infeasible. Upon mutual agreement of the Parties that
return or destruction of Protected Health Information is infeasible, Business Associate shall extend
the protections of this Agreement to such Protected Health Information and limit further uses and
disclosures of such Protected Health Information to those purposes that make the return or destruction
infeasible, for so long as Business Associate maintains such Protected Health Information.

MISCELLANEOUS
(a) Regulatory References. A reference in this Agreement to a section in the Privacy Rule means the
section as in effect or as amended, and for which compliance is required.
(b) Amendment. The Parties agree to take such action as is necessary to amend this Agreement from
time to time as is necessary for Covered Entity to comply with the requirements of the Privacy Rule
and the Health Insurance Portability and Accountability Act, Public Law 104-191.
(c) Survival. The respective rights and obligations of Business Associate under Section [Insert
Section Number Related to ``Effect of Termination''] of this Agreement shall survive the
termination of this Agreement.
(d) Interpretation. Any ambiguity in this Agreement shall be resolved in favor of a meaning that
permits Covered Entity to comply with the Privacy Rule.




                RESOURCES FOR ADDITIONAL INFORMATION
New Mexico CHILI: http://www.healthlinknm.org/nmchili
Government Websites:
New Mexico Health Policy Commission: http://hpc.state.nm.us
New Mexico Department of Health: http://www.health.state.nm.us
HHS Administrative Simplification: http://aspe.os.HHS.gov/admnsimp/
Office for Civil Rights – Privacy of Health Records: http://www.hhs.gov/ocr/hipaa/
Centers for Medicare & Medicaid Services: http://www.hcfa.gov/hipaa/hipaahm.htm

Health Care/Medical Associations
New Mexico Medical Society (NMMS): http://www.nmms.org
New Mexico Hospitals & Health Systems Association (NMHHSA): http://www.nmhhsa.org
American Medical Association (AMA): http://www.ama-assn.org
American Hospital Association (AHA): http://www.aha.org
American Health Information Management Association (AHIMA): http://www.ahima.org
Association for Electronic Health Care Transactions (AFEHCT): http://www.afehct.org
Health Information and Management Systems Society (HIMSS): http://www.himss.org

HIPAA Implementation Tools:
Workgroup for Electronic Data Interchange (WEDI) and SNIP: www.wedi.org
EDI Implementation Guides: http://hipaa.wpc-edi.com/
CPRI Toolkit – Managing Information Security in Healthcare Vol.3: http://www.cpri-host.org/toolkit/toc.html
The North Carolina Healthcare Information and Communications Alliance, Inc. - Security Gap Analysis Tool: http://www.nchica.org
Boundary Information Group - HIPAA Strategy and Project Plan: http://www.hipaainfo.net/

Other Informative HIPAA Websites:
HIPAAdvisory: http://www.hipaadvisory.com
BIG HIPAA: http://www.hipaainfo.net
HIPAA-iQ: http://www.hipaa-iq.com/
HIPAAcomply: http://www.hipaacomply.com/
AIS Health: http://www.aishealth.com

                                            HIPAA VENDORS
GUIDELINES TO WORKING WITH VENDORS
Consulting and software companies throughout the country are jumping on the HIPAA
bandwagon. In order to make sure that you get the most value for your money, be very
careful in the selection of your vendors.
Take the following steps when considering outside resources to aid in your HIPAA
compliance process.
• Ask for references from previous HIPAA engagements.
• Ask for references from previous health care engagements.
• Ask if the vendor is a member of any HIPAA-related industry organizations or
  associations (e.g., NM CHILI, WEDI-SNIP).
• Request a thorough proposal from the vendor, including cost, timeframe, assigned tasks and
  deliverables.

If your organization is planning on hiring a clearinghouse or translator to help you
comply with the Transactions and Code Sets Regulation, be sure to inquire about your
vendor’s preparedness for HIPAA.
Capabilities that you should be looking for include:
• The ability to handle the current and new provider identifiers during the transition
• The ability to handle current and new standard code sets to support the transactions
• The ability to produce the outbound standard transactions that you want to implement
  (e.g., claims submission, eligibility inquiry, referral authorization request)
• The ability to support the inbound electronic transactions that you want to implement
  (e.g., electronic remittance advice, eligibility verification, referral authorization
  approval/denial)
• The ability to support eligibility verification at the point of registration/appointment
  scheduling
• The ability to store and retrieve authorization approval




                                                  VENDOR LIST
       Note: Following is a list of vendors that provide HIPAA Products and/or services. This list is not
       intended to be comprehensive. This list should not be interpreted as an endorsement for or
       recommendation (by either the New Mexico Health Policy Commission or NM CHILI) of products or
       services sold by the vendors listed below.

HIPAA CONSULTING, ASSESSMENT AND IMPLEMENTATION SERVICES

Company | Description of Products/Services | Web Address | Phone | Location
Advanced Technology Consulting | Focus: All HIPAA Regulations. Assessment; Education & training; Implementation; Post-assessment support | www.atc-1.com | (505) 823-6400, (877) 628-6400 | Albuquerque
AXIOM Systems, Inc. | Focus: Transactions, Code Sets & Security. Assessment and Gap Analysis; Implementation; Strategy & Project Management; EDI Services | www.axiom-systems.com | (301) 840-3861 | Germantown, MD
B.I.G. (Boundary Information Group) | Focus: All HIPAA Regulations. Executive Briefing & Strategy Development; Project Plan Development; Impact Assessment & Gap Analysis; Independent Validation & Verification | www.hipaainfo.net | (303) 488-9911 | Denver, CO
Beacon Partners | Focus: All HIPAA Regulations. Security & Privacy Readiness Assessment; Educational sessions; Remediation services | www.beaconpartners.com | (781) 982-8400 | Norwell, MA
Bency & Associates, LLC | Focus: All HIPAA Regulations. Practice management plans and strategies; Development of Initial Impact Assessment (gap) Analysis and access procedures | www.bency.com | (505) 821-9336 | Albuquerque
DigitalCare, Inc. | Focus: Privacy & Security. Organizational Assessments; Privacy Gap Analysis; Security Risk Assessments; Security Risk Analysis; Vendor/Product Assessments | www.digitalcare.com | (719) 477-9477 | Colorado Springs, CO
FourThought Group | Focus: All HIPAA Regulations. Readiness Assessments; Gap & Risk Analyses; Remediation | www.fourthoughtgroup.com | (602) 340-8450 | Phoenix, AZ
Fox Systems | Focus: All HIPAA Regulations. HIPAA Readiness Assessment; Gap Analysis/Risk Assessment; Compliance Plan Development; Systems Development & Implementation Services; Audit Services | www.hipaaconsulting.com | (800) 726-9593 | Santa Fe
Healthlink | Focus: All HIPAA Regulations. Educational briefings; Readiness assessments; Compliance-project management office; Web-based inventory of systems and equipment affected | www.healthlinkinc.com | (713) 852-2134 | Houston, TX
HIPAADocs | Focus: Privacy & Security. Online HIPAA compliance and training services | www.hipaadocs.com | (866) 229-1763 | Columbia, MD
NM Coastline Consulting | Focus: All HIPAA Regulations. HIPAA Assessment Services for Small Providers | www.nmcoastline.com | (505) 858-9843 | Albuquerque
ViPS | Focus: All HIPAA Regulations. Single Source Data Management; Inbound & Outbound ANSI Configuration; Technical Assessment & Planning; Project Management & IT Resource Assistance; Compliance implementation & Verification | www.vips.com | (410) 832-8300 | Baltimore, MD


HIPAA TRAINING SERVICES

Company | Description of Products/Services | Web Address | Phone | Location
Bency & Associates, LLC | Focus: All HIPAA Regulations. HIPAA Awareness Training sessions held in Albuquerque every Tuesday and Wednesday | www.bency.com | (505) 821-9336 | Albuquerque
DigitalCare, Inc. | Focus: All HIPAA Regulations. Instructor-led Training; Computer-based Training; Web-based Training | www.digitalcare.com | (719) 477-9477 | Colorado Springs, CO
HIPAADocs | Focus: Privacy & Security. Online HIPAA training services | www.hipaadocs.com | (866) 229-1763 | Columbia, MD
HCTI (Health Care Training Institute) | Focus: Privacy. Online HIPAA Privacy Training | www.hcti.org | (206) 953-1201 | Seattle, WA
HCMarketplace | Focus: All HIPAA Regulations. Training Manual; Training Videos; Online Learning | www.hcmarketplace.com | (800) 650-6787 | Marblehead, MA

SOFTWARE & OTHER INFORMATION TECHNOLOGY PRODUCT VENDORS

Company | Description of Products/Services | Web Address | Phone | Location
Darcomm Network Solutions | Network Design; Security Audits | www.darcomm.com | (602) 414-1414 | Phoenix, AZ
EClickMD | Secure patient EMR platforms for a variety of providers | www.eclickmd.com | (888) 660-5465 | Austin, TX
e-MDs | Practice automation; EMR application; Billing and scheduling software | www.e-mds.com | (512) 257-5200 | Cedar Park, TX
Health Axis | Standardizes outgoing forms and translates incoming forms to proprietary legacy format | www.healthaxis.com | (972) 443-5000 | Irving, TX
Healthcare Management Sciences Corp. | Electronic medical records software; HIPAA consulting | www.hmsci.com | (702) 920-8247 | Las Vegas, NV
PrivaPlan | Privacy and Security compliance resource kit | www.privaplan.com | (877) 218-7707 | Santa Fe
VantageMed | Patient service automation systems; Electronic patient charts; Managed care information systems | www.vantagemed.com | (800) 242-8845 | Boulder, CO

                  HEALTH CARE TRANSACTION CLEARINGHOUSES & SERVICES
 Company            Description of Products/Services           Web Address               Phone                Location
AmpMed              Claims processing                         www.ampmed.com            (800) 526-7276       Santa Fe
Corp.               Eligibility verification
                    Patient statements
Healthcare          Web-based system designed to              www.healthxnet.com        (505) 343-0070       Albuquerque
Extranets,           streamline the flow of healthcare
LLC                  information.
                    Currently available is Eligibility
                     Verification, Medicaid Eligibility
                     Verification (MEVS), Claim Status
                     Inquiries, Hospital In-patient Census
                     Data, Preauthorization Verification,
                     and coming this quarter, XClaim, an
                     Electronic Claims Transmission
                     (ECT) solution.
Healthcare          Electronic transactions processing        www.htp-inc.com           (888) 487-8010       Columbus, OH
Transaction          middleware
Processors Inc.
Quadex, Inc.        Billing/accounts processing               www.quadex.com            (440) 777-6300       Cleveland, OH
                    EDI processing
VantageMed          Automated billing service                 www.vantagemed.com        (800) 242-8845       Boulder, CO
                    Electronic claims submission
WebMD               EDI Processing and Services               www.envoy.com             (800) 366-5716       Nashville, TN


   This report is intended to provide guidance and direction. This document does not confer, guarantee or create HIPAA
   compliance. The information contained in this document is not intended as legal advice. A qualified attorney should be
   consulted prior to the modification and/or implementation of policies, procedures and contracts.
                                                                                                              72

                            DATA STORAGE & DESTRUCTION SERVICES
 Company             Description of Products/Services             Web Address                 Phone              Location
Allshred            Document shredding                        www.allshredservices.com  (419) 381-7762       Toledo, OH
Services
Com-Link            Secure data destruction                                             (505) 350-5353       Albuquerque
LLC
StorageTek,         Electronic data storage solution          www.storagetek.com        (505) 881-0976       Albuquerque
Inc.

                           NEW MEXICO HEALTH CARE ATTORNEYS
                   Attorney/Firm                                        Phone                             Location
Gilpin & Keefe, PC                                                  (505) 244-3861                      Albuquerque
Susan A. Moncrief Dehne                                             (505) 823-2055                      Albuquerque
Patricia J. Wagner                                                  (505) 828-1861                      Albuquerque
Marianne Bennett                                                    (505) 255-0672                      Albuquerque
Diane Fisher                                                        (505) 842-0132                      Albuquerque
Spencer A. Hall                                                     (505) 653-4451                         Lincoln
David Kaufman                                                       (505) 216-0400                         Santa Fe
