Docstoc

HIPAA

Document Sample
HIPAA Powered By Docstoc
					      North Carolina Department of
       Health and Human Services




      User Guide for the
System Functionality Statement
    A Tool for HIPAA Assessment




               Prepared By:

         NC DHHS HIPAA Office




             January 3, 2011
                        User Guide for the System Functionality Statement




This page was intentionally left blank.




                  ii
                                                        User Guide for the System Functionality Statement




                                           Disclaimer
Information contained in this document represents the NC DHHS HIPAA Office staff’s views and
interpretations of HIPAA and its accompanying regulations as published in the Federal Register as of
the release date of this document. Any conclusions or recommendations contained herein are based
on these interpretations. This information is subject to change and should be used only for the
purpose intended by the NC DHHS HIPAA Office. Unless otherwise noted on an individual
document, NC DHHS HIPAA Office grants permission to copy and distribute files, documents, and
information for non-commercial use, provided the items are copied and distributed without alteration.
If you believe that information obtained from this document is inaccurate or out-of-date, please notify
the DHHS HIPAA Office via email at DHHS.HIPAA.PMO.TCI@ncmail.net.




                                                  iii
                                       User Guide for the System Functionality Statement



Change History

Version Date        Version Description

November 20, 2001   Original document, version 1

November 26, 2003   Updated for use in process to integrate new entries, version 2




                                  iv
                                                                                              User Guide for the System Functionality Statement



Table of Contents
1 INTRODUCTION ............................................................................................................................................................ 1

2 RECOMMENDED PROCESS FOR COMPLETING THE SFS ................................................................................ 2

3 HOW TO COMPLETE THE SFS .................................................................................................................................. 2
    3.1 CONTACT INFORMATION .............................................................................................................................................. 3
    3.2 SYSTEM FUNCTIONALITY ............................................................................................................................................. 3
    3.3 BUSINESS PROCESSES SUPPORTED ............................................................................................................................... 3
4 TCI-RELATED QUESTIONS ........................................................................................................................................ 3
    4.1   QUESTION 1 (MEDICAL DIAGNOSIS CODES) ................................................................................................................ 3
    4.2   QUESTION 2 (MEDICAL PROCEDURE CODES) ............................................................................................................... 4
    4.3   QUESTION 3 (DENTAL PROCEDURE CODES)................................................................................................................. 4
    4.4   QUESTION 4 (PHARMACY CODES)................................................................................................................................ 5
    4.5   QUESTION 5 (ADJUSTMENT REASON CODES)............................................................................................................... 5
    4.6   QUESTION 6 (PROVIDER SPECIALTY CODES) ............................................................................................................... 5
    4.7   QUESTION 7 (NATIONAL IDENTIFIERS)......................................................................................................................... 5
    4.8   QUESTION 8 (ADMINISTRATIVE AND FINANCIAL TRANSACTIONS)............................................................................... 6
5 PRIVACY-RELATED QUESTIONS ............................................................................................................................. 8
    5.1 QUESTION 9 (PRIVACY: HEALTH INFORMATION) ......................................................................................................... 8
    5.2 QUESTION 10 (PRIVACY: IDENTITY OF AN INDIVIDUAL) .............................................................................................. 8
APPENDIX A: EXAMPLE SFS ....................................................................................................................................... 12

APPENDIX B: ACRONYM LIST .................................................................................................................................... 15




                                                                                     v
                        User Guide for the System Functionality Statement




This page was intentionally left blank.




                  vi
                                                                                    User Guide for the System Functionality Statement



1 Introduction
Congress passed the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to
improve the availability of health insurance to Americans as well as to provide greater accountability
in the area of health care. This legislation includes provisions for portability, an increased ability to
prevent fraud, the promotion of medical savings accounts, improved access to long-term care, and
administrative simplification of health care processes. The NC DHHS HIPAA Office focuses on the
Administrative Simplification provisions of HIPAA.

This tool should be used in the process of performing an assessment of the impact of the HIPAA
Standards for Electronic Transactions Final Rule1 on each agency. This assessment addresses the
impact of medical code sets and identifiers on the application systems used by your organization. In
addition, this assessment will collect information that helps identify application systems that will
need further assessment related to the HIPAA Privacy2 and Security3 regulations.

The first step in this assessment process was to compile a System Inventory of all the application
systems used by each agency. The next step in the assessment process is to complete one System
Functionality Statement (SFS) for each application system identified in the inventory of each agency.
This User Guide for the System Functionality Statement was developed to assist agencies in
completing the SFS.

For the purposes of this assessment, an “application system” is defined as an automated or computer-
based process that is used to complete day-to-day business objectives especially for distributing
something or serving a common purpose within the business unit. An application system may
include a defined user interface (e.g., a screen with data entry fields or a prompt to which a user can
respond). Sometimes, an application system may not have a user interface, but might have a
scheduled process (e.g., a file transfer that is time-triggered). For the purpose of this assessment, a
database and its interface can be considered an application system (e.g., a Microsoft Access
database).

HIPAA requires that electronic transactions follow specific standard formats and include only the
data content (data elements and codes) documented in the Standards for Electronic Transactions Final
Rule and the HIPAA implementation guides. The SFS is a comprehensive tool that is designed for
DHHS agencies to use in determining the variety and extent of Transactions, Code sets and National
Identifiers (TCI) that are flowing through their agencies. There are no right or wrong answers to
the SFS. The SFS is an information gathering and assessment tool that will be used by agencies as
they begin their high-level impact analysis. This tool can assist an agency in determining their high
level TCI impacts.

The HIPAA Office realizes that DHHS division personnel have completed a similar SFS for the
application systems that are state supported. However, each agency may use an application system in
a different manner and the HIPAA Office requires a comprehensive assessment of each system to



1
    “Standards for Electronic Transactions; Final Rule.” Federal Register, Vol. 65 (17 August 2000 and amended 28 December 2000): Parts 160 and 162.
2
    “Standards for Privacy of Individually Identifiable Health Information; Final Rule.” Federal Register, Vol. 65 (28 December 2000): Parts 160 and 164.
3
    “Security and Electronic Signature Standards; Proposed Rule.” Federal Register, Vol. 63 (12 August 1998): Part 142.


                                                                               1
                                                        User Guide for the System Functionality Statement


ensure that DHHS has demonstrated sufficient due diligence in accessing and complying with HIPAA
regulations.

An example of a completed SFS is shown in Appendix A. A blank SFS is available in a
downloadable format on the DHHS HIPAA website:
http://dirm.state.nc.us/hipaa/hipaa2002/toolsandtemplates/toolsandtemplates.html. Scroll to the TCI,
System Functionality Statement section and select “Download the tool”.


2 Recommended Process for Completing the SFS
Complete one SFS for each application system identified in the agency System Inventory. It is
estimated that each SFS takes fifteen minutes to complete. Additional staff interaction may affect
this time estimate. The DHHS HIPAA Office recommends that the following steps be taken to
complete this assessment process:

   Identify participants required to complete all SFSs
   Assign a facilitator who has a general knowledge of the HIPAA TCI regulations
   Schedule a time and place for the participants to meet and complete all SFSs
   Distribute copies of the SFS to each participant
   Assign someone to record the answers on all of the SFSs
   Facilitator guides the participants through each question on each SFS

To obtain an accurate evaluation of the nature and extent of TCI that flows within an agency, it is
essential that representatives from different workgroups (e.g. units, branch, section) or programs
within an agency participate in the assessment process. Multiple staff from a single workgroup may
need to participate in the assessment depending upon the type of work performed and variety of ways
a workgroup interacts with each application system. The agency HIPAA Coordinator and the
business and information technology (IT) subject matter experts (i.e., the persons that know the most
about a particular system) identified for each application system on the System Inventory should
assist with completing the SFS.

One or more facilitators should be designated preferably by the agency to provide a structured
approach to completing the SFS. The facilitators should be individuals familiar with the HIPAA TCI
regulations so that they can guide the workgroup representatives through the SFS by giving examples
and answering questions. The facilitator also keeps the group focused on TCI within their own
workgroup. Contact your State Division HIPAA Coordinator if assistance is needed.

The next section provides detailed explanations of each item on the SFS.


3 How to Complete the SFS
The SFS highlights possible HIPAA impacts for a single application system. Please complete one
SFS for each application system that was identified in the agency’s System Inventory.




                                                    2
                                                                                 User Guide for the System Functionality Statement


3.1 Contact Information
Organization and contact information is requested at the top of the SFS as follows:

      Division: Name of the division or office within DHHS, which acts as your oversight agency
       (e.g., DMH/DD/SAS, DPH, DSS and so on).
      Agency: This is the name of your facility/agency (e.g., Black Mountain Center, John Umstead
       Hospital, Boone Developmental Evaluation Center and so on).
      Contact Name, Title, Telephone and Email: Information about the primary business contact
       (subject matter expert) of the application system for which this SFS applies.
      Date: Date that the SFS was completed.
      System Name: The full, official name of the application system for which the SFS applies (e.g.,
       Health Services Information System, Healthcare Enterprise and Accounts Receivable Tracking
       System and so on).
      System Acronym: If the system is commonly known by an acronym, give that acronym (e.g.,
       HSIS, HEARTS and so on).

3.2 System Functionality
Provide a brief but comprehensive explanation of the application system. Individuals, sections and/or
units using the system for different purposes should work together to complete this question. Refer to
the example SFS in Appendix A.

3.3 Business Processes Supported
Provide a brief but comprehensive explanation of the major business processes, programs or services
that this system supports. Individuals, sections and/or units utilizing the system for different purposes
should work together to complete this question. Refer to the example SFS in Appendix A.

4 TCI-Related Questions
The purpose of Questions 16 (described in the following sections) is to identify the current state of
the system’s interaction with the HIPAA-mandated code sets. The Standards for Electronic
Transactions Final Rule requires the adoption of standards for medical code sets for administrative
and financial transactions.

             A code set is any set of codes used to encode data elements such as tables of terms,
             medical concepts, medical diagnostic codes or medical procedure codes. A code set is
             comprised of the codes and the descriptors of the codes.4

4.1 Question 1 (Medical Diagnosis Codes)
As a part of the standard formats, HIPAA has adopted International Classification of Diseases, Ninth
Revision, Clinical Modification (ICD-9-CM) as the initial code set to be used for diagnosis and
procedural information. ICD-9-CM classifies both diagnoses (Volumes 1 and 2) and procedures
(Volume 3). All hospitals and ambulatory care settings use these codes to capture diagnoses. The
procedure system is used for all inpatient procedure coding.


4
    Federal Register, Vol. 65, No. 160/Thursday, August 17, 2000/Rules and Regulations. Subpart A—General Provisions, §162.103 Definitions. P50367.


                                                                            3
                                                        User Guide for the System Functionality Statement


In some cases, systems utilize an internal coding structure that mimics the standard ICD-9-CM code.
It is either a partial ICD-9-CM code, or an internal code, which is mapped (crosswalked) to the
standard ICD-9-CM. In either case, if the system stores, processes or generates medical diagnostic
codes, check Y (Yes) and provide any additional information in the Response area.


4.2 Question 2 (Medical Procedure Codes)
As a part of the standard format, HIPAA has adopted an alphanumeric code similar to the code used
by HCPCS (Health Care Financing Administration Common Procedure Coding System). Most third-
party, public and private health insurers (e.g., Medicare contractors, Medicaid program and their
fiscal agents, and private commercial health insurers) use HCPCS medical procedure codes. It is
used as a basis for paying claims for medical services provided on a fee-for-service basis and for
monitoring the quality and utilization of care. In addition, integrated health systems (i.e., managed
care organizations) use HCPCS as a basis for monitoring utilization and quality of care, and for
negotiating prospective fees and payments. Research organizations use the HCPCS data collected by
health insurers, to monitor and evaluate these programs and regional/national patterns of care.

HCPCS contains three levels:

   Level 1Physicians’ Current Procedural Terminology (CPT) is a 5-digit code developed and
    maintained by the American Medical Association (AMA). Physicians and many other
    practitioners including hospital outpatient departments use the CPT to code their services.
   Level 2Alphanumeric HCPCS contains codes for medical equipment and supplies;
    prosthetics and orthotics; injectable drugs; transportation services; and other services not
    found in CPT. Level 2 of HCPCS is updated annually and is maintained jointly by the Blue
    Cross Blue Shield Association (BCBSA), the Health Insurance Association of America
    (HIAA) and Healthcare Financing Administration (HCFA).
   Level 3Local codes includes all the codes developed by insurers and agencies to fulfill local
    needs. There is no national registry for these local codes.

In some cases, systems utilize an internal coding structure that mimics the standard HCPCS and CPT-
4 codes. It is either a partial code or an internal code that is crosswalked from the standard HCPCS
and CPT-4 codes. In either case, if the system stores, processes or generates medical procedure
codes, check Y (Yes) and provide any additional information in the Response area.


4.3 Question 3 (Dental Procedure Codes)
As a part of the standard formats, HIPAA has adopted the Code on Dental Procedures and
Nomenclature, as maintained and distributed by the American Dental Association, for dental services.
All practicing dentists use Current Dental Terminology (CDT) codes to code their services for
administrative transactions. CDT codes are also included in alphanumeric HCPCS, preceded by a D.
CDT dental codes will become standard and they will no longer be a part of HCPCS. (Note: The D
codes in the HCPCS are dental codes created by the ADA and published as CDT. To eliminate
duplication and confusion, dental codes will be removed from the HCPCS code set.)



                                                    4
                                                          User Guide for the System Functionality Statement


In some cases, systems utilize an internal coding structure that mimics the standard CDT codes. It is
either a partial code or an internal code that is crosswalked from the standard CDT code. In either
case, if the system stores, processes or generates dental procedure codes, check Y (Yes) and provide
any additional information in the Response area.


4.4 Question 4 (Pharmacy Codes)
As a part of the standard formats, HIPAA originall adopted the National Drug Code (NDC) for the
standard pharmacy code. This standard has since been repealed, so skip over this question.


4.5 Question 5 (Adjustment Reason Codes)
Claim adjustment reason codes communicate why a claim or service line was paid differently than it
was billed. If there is no adjustment to a claim/line, then there is no adjustment reason code. Claim
adjustment reason codes are used in these ASC X12N Version 4, Release 1 transaction set
implementation guides:

      004010X091 - Health Care Claim Payment/Advice (835)
      004010X096, 004010X097, 004010X098 - Health Care Claim (837): Professional,
       Institutional and Dental

If the system stores, processes or generates adjustment reason codes, check Y (Yes) and provide any
additional information in the Response area.


4.6 Question 6 (Provider Specialty Codes)
The current provider specialty codes will be replaced by the Provider Specialty Code (Health Care
Provider Taxonomy Codes). A taxonomy code codifies more than the provider type and provider
area of specialization for all medical related providers. This alphanumeric code identifies:

      Health Care Provider Type (2 byte alphanumeric)
      Health Care Provider Classification (2 byte alphanumeric)
      Health Care Provider Area of Specialization (5 byte alphanumeric)
      Health Care Provider Training Education Requirement (1 byte field answer = Y/N)

If the system stores, processes or generates a Provider Specialty Code (Taxonomy Code), check Y
(Yes) and provide any additional information in the Response area.


4.7 Question 7 (National Identifiers)
National standard identifiers are being finalized. As each identifier is finalized, it must be used
within a standard electronic transaction.

    4.7.1 Question 7a (Employer Identifier)
    In all cases where information about the employer is transmitted electronically, it would be
    beneficial to identify the employer using a standard identifier. Employers may transmit

                                                      5
                                                         User Guide for the System Functionality Statement


    information to health plans when enrolling or disenrolling an employee as a participant in a
    health plan. Employers, health care providers and health plans may need to identify the source or
    receiver of eligibility or benefit information. Although the source or receiver is usually a health
    plan, it could be an employer. Employers, health care providers and health plans may need to
    identify the employer when creating or tracking health plan premium payments or contributions
    relating to an employee.

    If the system stores, processes or generates an Employer Identifier, check Y (Yes).

    4.7.2 Question 7b (Health Plan Identifier)
    In all cases where information about the health plan is transmitted electronically, it would be
    beneficial to identify the health plan using a standard identifier. Health Plans transmit
    information to other health plans, employers, and health care providers. Employers, health care
    providers and health plans may need to identify the source or receiver of health care information.
    Employers, health care providers and other health plans may need to identify the health plan
    when making or keeping track of health care related information that is exchanged between
    them.

    If the system stores, processes or generates a Health Plan Identifier, check Y (Yes).

    4.7.3 Question 7c (Provider Identifier)
    To administer their programs, the Department of Health and Human Services, other Federal
    agencies, State Medicaid agencies and private health plans all assign identification numbers to
    their providers of health care services and supplies. These various agencies and health plans
    routinely, and independently of each other, assign identifiers to health care providers for program
    management and operations purposes. The identifiers are frequently not standardized within a
    single health plan or across plans. This lack of uniformity results in a single health care provider
    having different numbers for each program and often multiple billing numbers issued within the
    same program. This significantly complicates providers' claims submission processes. Because
    of the lack of standardization, the same identification number may accidentally be assigned to
    different health care providers. The national provider identifier is proposed to be an 8-position
    alphanumeric identifier, which includes a check digit as the eighth position.

    If the system stores, processes or generates a provider identifier, check Y (Yes).

    4.7.4 Question 7d (Individual Identifier)
    Work on this identifier has been halted. Please skip to the next question.


4.8 Question 8 (Administrative and Financial Transactions)
The Standards for Electronic Transactions Final Rule identifies standards for electronic transactions
and for medical code sets to be used in those transactions. Transaction is defined as the exchange of
information between two parties to carry out financial and administrative activities related to health
care. It includes the information exchanges detailed in Questions 8a8l on the SFS.




                                                     6
                                                    User Guide for the System Functionality Statement


4.8.1 Question 8a (Health Care Claims)
Health Care Claims and Equivalent Encounters are used to submit health care claim billing
information, encounter information, or both from health care providers to health plans, either
directly or via intermediary billing services and claims clearinghouses. Health care claims are
Retail Pharmacy Drug Claims, Dental Health Care Claims, Professional Health Care Claims and
Institutional Health Care Claims.
If the system stores, processes or generates a health care claim by any means including
electronic, telephone, FAX, email, paper or othercheck Y (Yes).

4.8.2 Question 8b (Medical Claims Payment)
Health Care Claim Payment and Remittance Advise Summary is used to submit health care
claim payment information, claim adjustment information, or both from health care payers to
health care providers, either directly or via intermediaries and claims clearinghouses.

If the system stores, processes or generates a medical claim payment by any means including
electronic, telephone, FAX, email, paper or othercheck Y (Yes).

4.8.3 Questions 8c, 8d (Enrollment/Disenrollment in a Health Plan)
These transactions are used to establish communication between the sponsor of a health benefit
and the health plan. They provide enrollment, change enrollment or drop enrollment data. The
sponsor is the backer of the coverage, benefit or product. A sponsor can be an employer, union,
government agency, association or insurance company. The health plan refers to an entity that
pays claims, administers the insurance product or benefit, or both.

If the system stores, processes or generates enrollment/disenrollment information by any means
including electronic, telephone, FAX, email, paper or othercheck Y (Yes).

4.8.4 Questions 8e (Premium Payment for Health Care Coverage)
Employers, employees, unions and associations utilize this transaction to create, report and track
the payments of health plan premiums to their health insurers.

If the system stores, processes or generates a premium payment for health care coverage by any
means including: electronic, telephone, FAX, email, paper or othercheck Y (Yes).

4.8.5 Questions 8f, 8g (Eligibility Request/Response)
These transactions are used to inquire about the eligibility, coverage or benefits associated with a
benefit plan, employer, subscriber or a dependent under the subscriber’s policy. They can also
be used to communicate information about or changes to eligibility, coverage or benefits from
information sources such as insurers, sponsors, and health plans to information receivers (such as
physicians, hospitals, TPAs, and government agencies).

If the system stores, processes or generates an eligibility request/response for health care
coverage by any means including: electronic, telephone, FAX, email, paper or othercheck Y
(Yes).


                                                7
                                                         User Guide for the System Functionality Statement


    4.8.6 Questions 8h, 8I, 8j (Referrals, Authorizations, Pre-Certification)
    These transactions are used to transmit health care service referral information between
    utilization management organizations, health care providers, and health plans. They are also
    used to obtain authorization for certain health care services from a health plan.

    If the system stores, processes or generates a request/response for a referral, authorization or pre-
    certification for health care services by any means including: electronic, telephone, FAX, email,
    paper or othercheck Y (Yes).

    4.8.7 Questions 8k, 8l (Claim Status Request/Response)
    Health care providers and recipients of health care products or services (or their authorized
    agents) use Health Care Claim Status to request the status of a health care claim from a health
    plan.

    If the system stores, processes or generates a medical claim status request/response by any means
    including electronic, telephone, FAX, email, paper or othercheck Y (Yes).

5 Privacy-Related Questions

5.1 Question 9 (Privacy: Health Information)
Privacy: Health information includes information about the client’s physical and/or mental condition,
treatment of that condition, and/or payment of treatment. Such information can be written or verbal.

Health information can be found in a variety of places. Medical records produced and maintained by
a health care provider obviously contain many reports of findings by health care providers, but health
information is also found in less obvious places. For example, employee personnel records typically
contain health information that is used for enrollment in health plans, for any physical restrictions of
work duties, and for accidents in the workplace.

Although appointment books and sign-in logs in the office of a health care provider are not generally
treated as confidential information, such information should be evaluated to determine if the
information contained in those books/logs would provide a link to an individual’s health status.

Information forwarded to health plans for payment of the provision of health care contains health
information as simple as a diagnosis or as complete as copies of treatment modalities and healthcare
providers’ observations.

HIPAA regulations require that health information about a specific individual be considered private
information and must be protected against unauthorized use or disclosure.

5.2 Question 10 (Privacy: Identity of an Individual)
If you checked Y(Yes) on any item in Question 9, indicate whether the application system also
contains individually-identifying information. If you answered N(No) to all questions in Question 9,
skip Question 10.



                                                     8
                                                          User Guide for the System Functionality Statement


Information that is specific enough to be individually identifying, or information that can provide a
direct link to an individual’s identity, is considered to be individually identifying information. The
HIPAA regulations provide a list of demographic terms that could potentially identify an individual.
Each potential identifier should be evaluated in its proper context to determine whether or not the
term could, in fact, lead to the identity of an individual. The following general information will guide
your determination of what constitutes an individual identifier.

    5.2.1 Question 10a (Individual Names)
    First and last name together is considered an identifier. Conversely, the first or last name only,
    the first name with the initial of the last name, the last name with the initial of the first name or
    initials only of both names, are not generally considered to be individually identifying
    information. Any extenuating circumstances should be taken into account when determining
    whether or not a name is individually identifying.

    5.2.2 Question 10b (Specific Addresses)
    If knowledge of any of these terms either directly identifies an individual, or provides a direct
    link to an individual, the term is considered an identifier.

    5.2.3 Question 10c [Specific Dates (Birth/Death/Admission/Discharge)]
    If knowledge of any of these dates either directly identifies an individual, or provides a direct
    link to an individual, the term is considered an identifier.

    5.2.4 Question 10d (Telephone Numbers)
    If knowledge of any of these numbers either directly identifies an individual, or provides a direct
    link to an individual, the term is considered an identifier.

    5.2.5 Question 10e (FAX Numbers)
    If knowledge of any of these numbers either directly identifies an individual, or provides a direct
    link to an individual, the term is considered an identifier.

    5.2.6 Question 10f (Email Addresses)
    If knowledge of any of these terms either directly identifies an individual, or provides a direct
    link to an individual, the term is considered an identifier.

    5.2.7 Question 10g (Social Security Numbers)
    If knowledge of any of these numbers either directly identifies an individual, or provides a direct
    link to an individual, the term is considered an identifier.

    5.2.8 Question 10h (Medical Record Numbers)
    If knowledge of any of these numbers either directly identifies an individual, or provides a direct
    link to an individual, the term is considered an identifier.

    5.2.9 Question 10i (Health Plan Beneficiary Numbers)
    If knowledge of any of these numbers either directly identifies an individual, or provides a direct
    link to an individual, the term is considered an identifier.



                                                      9
                                                     User Guide for the System Functionality Statement


5.2.10 Question 10j (Account Numbers)
If knowledge of any of these numbers either directly identifies an individual, or provides a direct
link to an individual, the term is considered an identifier.

5.2.11 Question 10k (Professional Certificate Numbers)
If knowledge of any of these numbers either directly identifies an individual, or provides a direct
link to an individual, the term is considered an identifier.

5.2.12 Question 10l (Professional License Numbers)
If knowledge of any of these numbers either directly identifies an individual, or provides a direct
link to an individual, the term is considered an identifier.

5.2.13 Question 10m (Vehicle Identifiers)
Drivers’ license numbers and information, vehicle identification and license plate numbers are
examples of information that is easily obtained. If such information readily identifies an
individual or provides a direct link to identify an individual, such information should be
considered an identifier.

5.2.14 Question 10n (Vehicle Serial Numbers)
Drivers’ license numbers and information, vehicle identification and license plate numbers are
examples of information that is easily obtained. If such information readily identifies an
individual or provides a direct link to identify an individual, such information should be
considered an identifier.

5.2.15 Question 10o (Vehicle License Plate Numbers)
Drivers’ license numbers and information, vehicle identification and license plate numbers are
examples of information that is easily obtained. If such information readily identifies an
individual or provides a direct link to identify an individual, such information should be
considered an identifier.

5.2.16 Question 10p (Medical Device Identifiers)
A serial number on a medical device that becomes the property of an individual could provide a
direct link to that individual and should be considered an identifier.

5.2.17 Question 10q (Medical Device Serial Numbers)
A serial number on a medical device that becomes the property of an individual could provide a
direct link to that individual and should be considered an identifier.

5.2.18 Question 10r (Web Universal Resource Locators (URL))
Website addresses (e.g. www.johnsmith.com) can directly identify an individual or provide a
direct link to an individual.

5.2.19 Question 10s (Internet Protocol (IP) Address Numbers)
An IP address is a set of numbers that is unique to a specific computer host on a network. If
knowledge of an IP Address either directly identifies an individual, or provides a direct link to an
individual, the term is considered an identifier.

                                                10
                                                     User Guide for the System Functionality Statement


5.2.20 Question 10t (Biometric Identifiers for Finger Prints)
A biometric finger print identifies a person by the unique physical feature of a finger print. If
knowledge of a biometric finger print either directly identifies an individual, or provides a direct
link to an individual, the term is considered an identifier.

5.2.21 Question 10u (Biometric Identifiers for Voice Prints)
A biometric voice print identifies a person by their unique voice pattern. If knowledge of a
Biometric voice print either directly identifies an individual, or provides a direct link to an
individual, the term is considered an identifier.

5.2.22 Question 10v (Imaging of Any Sort)
Imaging may include hand-written signatures, facial photos, diagnostic images or any other
identifiable image. If knowledge of an image either directly identifies an individual, or provides
a direct link to an individual, the term is considered an identifier.




                                                11
                               User Guide for the System Functionality Statement



Appendix A: Example SFS




                          12
                                                                                User Guide for the System Functionality Statement


                                                    System Functionality Statement
Division:                 ABC Division
Facility:                 ABC Agency
Contact Name:             John Doe                               Title:   Manager of Operations
Telephone:                (919)555-1212                          Email:   John.Doe@ABCAgency.com                           Date    11/19/01
                                                                                                                              :
System Name:              ABC System                                                        System Acronym:       ABCS
System Functionality                                                      This system is used to capture and manage protected health
(Briefly explain this system’s functionality.)                            information. It is also used to bill medical claims to Medicaid,
                                                                          Blue Cross/Blue Shield, Health Source, Medicare and others.
Business Processes Supported                                              Medical Claims Billing Section, Accounts Receivable Unit
(Which major business processes, programs or services does this system
support?)

                  TCI Related Questions                                    Y    N                          Response
1.   Does this system store, process or generate medical
     diagnosis codes? (e.g. ICD-9, DRG)
2.   Does this system store, process or generate medical
     procedure codes? (e.g. ICD-9, CPT-4, HCPCS, DRG, APC)
3.   Does this system store, process, or generate dental
     procedure codes? (e.g. CDT-3, CPT-4, ICD-9)
4.   Does this system store, process or generate pharmacy
     codes? (e.g. HCPCS, Jcodes)
5.   Does this system store, process or generate adjustment
     reason codes?
6.   Does this system store, process or generate provider
     specialty codes?
7.   Does this system store, process or generate the following medical identifiers?
     a. Employer Identifier
           (e.g. EIN, TAX ID, Internal #)
     b.    Health Plan Identifier
           (e.g. Plan Code, PAYER ID, Internal #)
     c.    Provider Identifier
           (e.g. Provider ID, TAX ID, EIN, Internal #)
     d.    Individual Identifier
           (e.g. SSN, Certificate #, Subscriber #, Internal #)
8.   Does this system store, process or generate any of the following types of information by any means including electronic,
     telephone, FAX, email, paper or other?
     a. Health Care Claims
           (e.g. HCFA1500, UB92, HCFA1450)
     b.    Medical Claims Payment
           (e.g. ERA, EFT, Remittance Advice, Check)
     c.    Enrollment in a Health Plan
           (Enrolling your employees in your division/agency health
           plan)
     d.    Disenrollment in a Health Plan
           (Cancel enrollment of an employee in your division/agency
           health plan)
     e.    Premium Payment for Health Care Coverage
           (Paying for the division/agency employee health care
           coverage)
     f.    Eligibility Request                                                        Medical Claim Billing Unit calls to verify eligibility
           (Requesting eligibility information from a health plan)
     g.    Eligibility Response
           (Receiving eligibility information from a health plan)
     h.    Referrals
           (Seeking referral for health care services)
     i.    Authorization
           (Seeking authorization for health care services)
     j.    Pre-Certification
           (Pre-certifying a health care service)




                                                                           13
                                                                          User Guide for the System Functionality Statement


     k.   Claim Status Request                                                  To check claim status
          (Requesting status of a health care claim)
     l.   Claim Status Response                                                 To check claim status
          (Receiving a health care claims status response)


             Privacy-Related Questions                              Y     N                         Response
9.  Does this system or database store any of the listed, specific health information?
    a. Physical Condition
    b. Mental Condition
    c. Symptoms of Present Health Condition
    d. History of Health Condition
    e. Diagnoses
    f. Treatment Modalities
    g. Treatment Monitoring
    h. Surgical Procedures
    i. Test Results
    j. Laboratory Results
    k. Radiological Information (Reports/Results)
    l. Treatment Orders
    m. Medication Administration
    n. Medication Errors
    o. Healthcare Providers’ Observations
    p. Rehabilitation Assessments
    q. Dietary Requirements
    r. Physical Restrictions
    s. Scheduled Appointments
    t. Disability Claims Information
    u. Employee Assistance Program Information
    v. Health Plan Enrollment Information
    w. Workers Compensation Information
    x. Immunization Records
    y. Pathology Reports
    z. Complete Medical Records
    aa. Dental Treatment Records
    bb. Health Data on Insurance Claims for Payment
10. If you checked Yes on any item in question 9, does the system or database store any of the listed, individually-identifying
    information?
    a. Individual Names
    b. Specific Addresses
    c. Specific Dates (Birth/Death/Admission/Discharge)
    d. Telephone Numbers
    e. FAX Numbers
    f. Email Addresses
    g. Social Security Numbers
    h. Medical Record Numbers
    i. Health Plan Beneficiary Numbers
    j. Account Numbers
    k. Professional Certificate Numbers
    l. Professional License Numbers
    m. Vehicle Identifiers
    n. Vehicle Serial Numbers
    o. Vehicle License Plate Numbers
    p. Medical Device Identifiers
    q. Medical Device Serial Numbers
    r. Web Universal Resource Locators (URL)
    s. Internet Protocol (IP) Address Numbers
    t. Biometric Identifiers for Finger Prints
    u. Biometric Identifiers for Voice Prints
    v. Imaging of any sort



                                                                     14
                                                User Guide for the System Functionality Statement


Appendix B: Acronym List

ADA                  American Dental Association
AMA                  American Medical Association
ASC                  Accredited Standards Committee
ASC X12N             Electronic Standards Subcommittee (Insurance) of the Accredited Standards
                     Committee
CDT                  Current Dental Terminology
CPT                  Current Procedural Terminology
CPT4                 Current Procedural Terminology Fourth Edition
DHHS                 Department of Health and Human Services
EDI                  Electronic Data Interchange
EFT/ERA              Electronic Funds Transfer / Electronic Remittance Advice
EIN                  Employer Identification Number
HCFA                 Health Care Financing Administration
HCFA1500             Paper Professional Claim
HCFA1450             Paper Institutional Claim, also known as a UB92
HCPCS                HCFA Common Procedural Coding System
HHS                  Health and Human Services
HIAA                 Health Insurance Association of America
HIPAA                Health Insurance Portability Accountability Act
ICD-9-CM, Vol. 1&2   International Classification of DiseasesNinth RevisionClinical
                     Modification (Diagnostic Classifications)
ICD-9-CM, Vol. 3     International Classification of DiseasesNinth RevisionClinical
                     Modification (Inpatient Procedures)
IT                   Information Technology
NDC                  National Drug Code
NUCC                 National Uniform Claim Committee
SFS                  System Functionality Statement
SSN                  Social Security Number
TCI                  Transactions, Code Sets, and National Identifiers
UB92                 Uniform Billing Claim-V92




                                           15

				
DOCUMENT INFO