HIPAA Assessment Toolkit
HIPAA – Template for HIPAA Assessments
BlueCross BlueShield Association – For Discussion

Table of Contents
Introduction (page 1)
  HIPAA Readiness Assessment Process (page 1)
    Step 1: Organize Team and Conduct Project Kick-Off (page 2)
    Step 2: Conduct HIPAA Education and Strategy (page 3)
    Step 3: HIPAA Assessments (page 6)
    Step 4: Assess Results (page 7)
  Recommended Project Organization Structure (page 8)
HIPAA Education (page 9)
    Background (page 9)
    HIPAA Implementation Timeline (page 10)
    Key Legislative Highlights (page 12)
    Key Impacts (page 13)
    Key Questions and Recommendations (page 17)
RFP Development (page 18)
  RFP Table of Contents (page 18)
  RFP Proposal (page 19)
    Proposal Format (page 19)
HIPAA Impact Assessment Guidelines and Tools (page 22)
  HIPAA Assumption Matrix (page 25)
    Guidelines for Completing the HIPAA Assumption Matrix (page 25)
    HIPAA Assumption Matrix (Sample) (page 26)
    HIPAA Assumption Matrix (page 27)
  HIPAA System Impact Assessment Matrix (page 28)
    Guidelines for Completing the HIPAA System Impact Assessment Matrix (page 28)
    HIPAA System Impact Assessment Matrix (Sample) (page 31)
    HIPAA System Impact Assessment Matrix (page 32)
  HIPAA Business Impact Assessment Matrix (page 34)
    Guidelines for Completing the HIPAA Business Impact Assessment Matrix (page 34)
    HIPAA Business Impact Assessment Matrix (Sample) (page 37)
    HIPAA Business Impact Assessment Matrix (page 39)
  HIPAA Vendor Matrix (page 41)
Developed for BCBSA by First Consulting Group                                                   V2                                                                                             Page i
                                                                                          July 14, 2003

    Guidelines for Completing the HIPAA Vendor Matrix (page 41)
    HIPAA Vendor Matrix (Sample) (page 42)
    HIPAA Vendor Matrix (page 43)
  HIPAA Internal Dependency Matrix (page 44)
    Guidelines for Completing the HIPAA Internal Dependency Matrix (page 44)
    HIPAA Internal Dependency Assessment Matrix (Sample) (page 45)
    HIPAA Internal Dependency Assessment Matrix (page 46)
  HIPAA Solution Matrix (page 47)
    Guidelines for Completing the HIPAA Solution Matrix (page 47)
    HIPAA Solution Matrix (page 48)
  HIPAA Transaction Volume Assessment (page 49)
    Guidelines for Completing the HIPAA Transaction Volume Assessment (page 49)
    HIPAA Transaction Volume Assessment (Sample) (page 50)
    HIPAA Transaction Volume Assessment (page 51)
  HIPAA Security Assessment Matrix (page 52)
    Guidelines for Completing the HIPAA Security Assessment Matrix (page 52)
    HIPAA Security Assessment Matrix (page 53)
  HIPAA Project Inventory Assessment Tool (page 60)
    Guidelines for Completing the HIPAA Project Inventory Assessment Tool (page 60)
    HIPAA Project Inventory Assessment Matrix (page 61)
  HIPAA Privacy Rules Dictionary Tool (page 62)
    Guidelines for Using the HIPAA Privacy Dictionary (page 62)
  HIPAA Privacy Assumption Matrix (page 68)
    Guidelines for Completing the HIPAA Privacy Assumption Matrix (page 68)
    HIPAA Privacy Assumption Matrix (Sample) (page 69)
    HIPAA Privacy Assumption Matrix (page 70)
  HIPAA Privacy Business Impact Assessment Matrix (page 71)
    Guidelines for Completing the HIPAA Privacy Business Impact Assessment Matrix (page 71)
    HIPAA Privacy Business Impact Assessment Matrix (page 74)
  HIPAA Privacy System Impact Assessment Matrix (page 77)
    Guidelines for Completing the HIPAA Privacy System Impact Assessment Matrix (page 77)
    HIPAA Privacy System Impact Assessment Matrix (page 79)
Glossary of Terms: HIPAA Standards and Business Processes (page 81)






Introduction
In an effort to better understand the impacts and implications of the Health Insurance Portability and Accountability Act of 1996
(HIPAA) and determine their readiness for compliance, healthcare organizations nationwide are conducting HIPAA Readiness
Assessments. A successful readiness assessment addresses all major areas of HIPAA compliance and reviews all business and
technical areas within the organization that are impacted by HIPAA. The assessment results then become the blueprint for
management to define the next level of activity necessary for achieving compliance.

Blues Plans have begun asking BCBSA for an overall HIPAA assessment approach that will help them set the scope and framework
by which they can begin to estimate the impacts and opportunities that HIPAA will create during the next two years, and the costs
and staff required to deal with them. This document has been created in response to those requests.

The HIPAA readiness assessment process defined within this document will provide BCBS [Plan Name] with the capability to
conduct detailed assessments of both its business and technical environment. The assessments will help BCBS [Plan Name] to
identify its level of compliance based on the current definition of the HIPAA Administrative Simplification requirements, which are
focused on the areas of Security and Electronic Data Interchange (EDI).

The assessment approach contained within this document is accompanied by a toolkit, comprised of specially developed
tools/templates, to assist in the execution of the approach. Detailed instructions have been provided along with the tools/templates
to illustrate their use during the assessment process. There is an education section on HIPAA that explains its key highlights and
impacts. Also included is a sample RFP that Blue Plans can use to evaluate external consultants should they decide to seek
external aid in performing their HIPAA assessments. Finally, a compliance inventory database is outlined that will be used to
tabulate and quantify the information gathered as a result of the assessment. Each organization must give consideration to the
development of a database (i.e., a Microsoft Access database) into which to enter assessment results. The design depends on
how each organization chooses to analyze the assessment results.

HIPAA Readiness Assessment Process
The recommended HIPAA assessment approach for BCBS [Plan Name] is outlined in detail below. The approach is composed of
four major steps:

Step 1:   Organize Team and Conduct Project Kick-Off
Step 2:   Conduct Education and Develop Strategy
Step 3:   Perform HIPAA Assessment
Step 4:   Assess Results




Step 1: Organize Team and Conduct Project Kick-Off
During this step, an appropriate infrastructure is put in place to ensure that the project is well managed and that all stakeholders are
involved at an appropriate level. This step addresses the need for a plan of action, the assignment of responsibilities, the identification
and assessment of all required resources and tools, and the establishment of a viable management system and an effective
communications network for project monitoring and coordination. As a necessary adjunct to this step, the features of a suggested
Project Organization Structure are outlined in this document and discussed on page 8.

The table below lists the possible activities in this step and their expected products:

Tasks
  • Build a Workplan and Timeline
  • Develop Project Charter
  • Identify Key Stakeholders and Organize Teams
  • Identify Senior Officer Champion
  • Customize HIPAA Tools/Templates
  • Conduct Kickoff Meeting
  • Document Meeting Minutes, Attendees, Decisions

Outcomes
  • Project Plan
  • Project Organization
  • Customized HIPAA Toolkit
  • Kickoff Meeting
  • Communication Plan






Step 2: Conduct HIPAA Education and Strategy
During this step, leadership and stakeholders determine how BCBS [Plan Name] will approach the challenge of addressing the
mandates of HIPAA legislation. For this purpose, education is the key. Leadership and stakeholders must understand the HIPAA
mandates and the impact that they will have on the organization at all levels. Leadership must define an approach to achieving
compliance. Compliance can be achieved either by simply becoming compliant with the mandates or by devising an approach to
maximize the strategic advantages that can be realized by full integration of the Administrative Simplification components of HIPAA.
An assessment of these elements cannot be made without a sound understanding of HIPAA. Education is significant because it will
enable Business and IT leadership to align their business and technology strategies with the organization’s HIPAA approach.

There are two general approaches available to organizations for addressing HIPAA: Basic Compliance and Competitive Response.
The graphic below outlines these two approaches, illustrating their features and their pros and cons. The Status Quo is illustrated as
well, though it is not an option for the Plans.



Status Quo ("Do Nothing")
  • Low implementation changes and costs
  • Potential fines
  • Criminal penalties
  • Potential loss of government contracts
  • Loss of competitive position
  • Return to paper

Basic Compliance ("Just Do It")
  • Meets HIPAA requirements
  • Set up costs may be high
  • Lowers liability potential
  • Overlaps with other initiatives

Full Compliance ("Do It Better")
  • Support eHealth
  • Competitive industry position ("First to market")
  • Creates opportunities
  • Reduce administrative expenses
  • Product differentiation
  • Streamlined core processes and reduced administrative expenses
  • Increase data integration






It is not necessary that BCBS [Plan Name] adopt and commit itself fully to just one compliance approach; a combination of
approaches can be used during the assessment process. For example, BCBS [Plan Name] may take a Basic Compliance approach
for segments of business that are non-strategic and take a Competitive Response approach in areas that are central to BCBS [Plan
Name] initiatives. It is important to recognize that inaction, or maintaining the Status Quo, will result in non-compliance.

It is leadership's responsibility to understand the mandates and develop an appropriate response, based upon high-level critical
assumptions that define the degree of alignment between the organization's policies and strategies and the compliance requirements
imposed by HIPAA. This is an important part of the strategy component of Step 2 of the assessment process, as these critical
assumptions will form the framework for the rest of the assessment process. Examples of critical assumptions are listed below.
Leadership should use these examples as a guide to develop assumptions appropriate for its own organization.


Example Critical Assumptions
1. In general, the HIPAA standards will apply to all electronic and paper transactions.

2. BCBS [Plan Name] will encourage contracted providers to submit electronically.

3. BCBS [Plan Name] will accept the new national standard identifiers (provider, employer, payer and member).

4. BCBS [Plan Name] will accept new data fields and code values including new modifiers required in the HIPAA transactions.

5. In addition to accepting new codes, identifiers and code sets, BCBS [Plan Name] will replicate the inbound information on all
   outbound transactions for all information exchanges (e.g. claim status response/eligibility response).

6. BCBS [Plan Name] will work to eliminate the use of proprietary (home grown or local) codes over time. During the transition
   BCBS [Plan Name] will not require providers to submit proprietary codes.

7. All trading partner agreements (vendors, third party arrangements) with BCBS [Plan Name] stipulating data content, format
   definitions or conditions will comply with HIPAA standards.

8. BCBS [Plan Name] will require all transactions conducted through an agent on its behalf to comply with HIPAA standards.

9. BCBS [Plan Name] will not refuse to process or delay the processing of a transaction presented in a standard HIPAA compliant
   format.



10. For any current and future transactions, data content must comply with the HIPAA standard regardless of the means of
    transportation (e.g. Internet, Extranet, Clearinghouse, Value Added Network, Direct Line, Modem, tape, diskette, CD, etc.).

11. All on-line, interactive transmissions offered by BCBS [Plan Name] will comply with HIPAA standards. Although the HTML
    interaction between server and browser, by which the data elements of a web-enabled transaction are solicited from a user, is
    not required to use the standards, the data content must be equal to that of the required standard.

12. BCBS [Plan Name] will take a competitive position regarding HIPAA and adopt a posture of aggressive compliance.

Step 2 is where the ideology of the assessment approach is developed and the most intensive work is placed on the shoulders of the
leadership. An in-depth awareness of HIPAA must be developed by leadership, and an analysis of the organization's business and
technical aspects must be conducted in the context of that awareness to lay an effective foundation for the development of future
strategies to deal with and take advantage of HIPAA.

The following table lists the possible activities in this step and their expected products:

Tasks
  • HIPAA Education Sessions
  • Assess Business and Technology Strategies
  • Identify Expected Business Benefits of HIPAA Compliance
  • Develop Statement Regarding HIPAA Approach
  • Document Assumptions and Decision Rationale

Outcomes
  • High-Level Business Benefits
  • Statement of Approach by Major Business Segment and Technology Platform






Step 3: HIPAA Assessments
During this step, business and information technology stakeholders will work to outline the expected impacts that HIPAA will have on
BCBS [Plan Name]. This step is the largest part of the assessment approach process in terms of scope and amount of effort
required. It is here that the information to gauge the gap between the leadership’s expectations of HIPAA’s impact on the
organization and the operational requirements imposed by HIPAA will be gathered.

The assessment tools/templates, which comprise the toolkit found in the HIPAA Impact Assessment Guidelines and Tools section of
this document, are the instruments for this purpose. Detailed instructions and completed examples showing how to use these
tools/templates to conduct the assessments are included in that section. The information gathered in these tools/templates should be
entered into a database for the purposes of analysis and reporting. The following table lists the possible activities in this step and
the expected products:

Tasks
  • Complete Security and Privacy Gap Assessment (Security Assessment Matrix)
  • Complete Business and System Impact Assessment (Business and System Impact Assessment Matrices)
  • Identify Existing Trading Partners (Vendor Matrix)
  • Identify internal dependencies, assumptions, possible solutions and record transaction volume data (Internal Dependency
    Matrix, HIPAA Solution Matrix, Transaction Volume Assessment Matrix)
  • Complete Privacy Impact Assessment (Privacy Introduction Tool, Privacy Assumption Tool, Privacy and Business Impact
    Assessment Tool)
  • Conduct Readiness Assessment

Outcomes
  • Security and Privacy Gap Analysis
  • Privacy Impact Assessment
  • Business and System Impact Assessment
  • Inventory of Trading Partners
  • Expected HIPAA Impacts
  • Readiness Assessment Document


Step 4: Assess Results
During this step, all the information gathered in the tools/templates is entered into a compliance inventory database. Consideration is
to be given to the development of an Access database to store the assessment results. A well-designed database will enable BCBS
[Plan Name] to manipulate and analyze the data gathered during the assessment. The specifications for this database depend upon
the way your organization chooses to analyze the data. This information is then used to calculate and quantify the impact of the
HIPAA elements on the organization's business processes, systems, external relationships, and transaction volumes, and to identify
the degree to which they will be impacted by HIPAA. Possible measurement criteria for quantifying these impacts include the number
of impacted systems, resource requirements and cost estimates. This information forms the basis for the identification of the next
level of activity for achieving compliance.

The following table lists the possible activities in this step and their expected products:

Tasks
  • Create Database
  • Enter Data
  • Analyze Data
  • Summarize and Report Findings

Major Deliverables
  • Assessment Results Documentation



ALERT

For HIPAA compliance purposes, you, as an independent Plan, may wish to coordinate activities related to HIPAA with your legal
department, as you did with Y2K. Consider establishing a reporting structure to senior management related to these activities and
outcomes. This may be advisable, especially since the impact of HIPAA is considered far more extensive and invasive to an
organization than Y2K was.







Recommended Project Organization Structure
As recognized by the industry, compliance efforts will be costly and resource intensive. To be successful, efforts will have to be
driven by the organization’s business goals and objectives. External relationships with trading partners will have to be in alignment
with these efforts. A strong governance structure to provide oversight, coordination, and risk management will have to be created by
a joint effort of business and IT. A sample project organization structure for the assessment phase is outlined below. It is
recommended that BCBS [Plan Name] adopt a project organization structure similar to it.


Officer Champion or Project Sponsor
  • Representing IT and business areas
  • Ensure that on-going HIPAA assessments and compliance efforts are linked to the business strategy

Business and Technical Project Managers
  • Identify key individuals to participate in the assessments
  • Review all materials completed within their area
  • Includes Security and Privacy Officer

Project Manager
  • Day-to-day management of tasks associated with completing the HIPAA assessment
  • Coordinate and deliver project deliverables

Project Teams (SMEs)
  • Structured around major areas of focus
  • Representatives from key business and information technology areas
The primary features of the project organization structure to support the assessment efforts are:

•   An Officer Champion or Project Sponsor, representing IT and business areas, responsible for ensuring that on-going HIPAA
    assessments and compliance efforts related to project activities are linked to the business strategy.
•   A designated Project Manager responsible for the day-to-day management of tasks associated with completing the HIPAA
    assessment and the coordination and delivery of project deliverables.


Developed for BCBSA by First Consulting Group                                  V2                                                 Page 8
                                                                         July 14, 2003
•   BCBS [Plan Name] Business and Technical Project Managers responsible for identifying key individuals from the organization to
    participate in the assessments, and for reviewing all materials completed within their area.
•   Project Teams structured around major areas of focus, which are determined by the organization. BCBS [Plan Name] may
    decide to organize around business processes, or around HIPAA areas of impact such as transaction code sets, identifiers and
    security.
•   Subject Matter Experts (SMEs) from key business and information technology areas must participate in the assessment process.
    These areas include: claims operations, provider management, enrollment/eligibility, security, corporate communication
    /education, legal/regulatory, compliance and others as needed.




HIPAA Education
HIPAA education, as mentioned before, is key to formulating an effective assessment approach. An understanding of the HIPAA
mandates that will affect the operations of all health plans once they are enacted should be at the core of this education. This
section provides a high-level overview of the key legislative highlights and impacts of HIPAA, as well as background information. The
rules have not yet been finalized; the proposed HIPAA regulations have been published and are used as the basis for this section.
It should therefore be recognized that the final rules, and the information comprising the key highlights, are subject to change. The
information in this section is current as of February 2000.

Background
The original intent of HIPAA is to reduce paperwork, improve the efficiency of health systems, and protect the security and
confidentiality of electronic information. Public input and involvement were critical to the process of defining the mandates. Current
industry standards were the starting point, and key public and private-industry input was solicited. New standards were proposed
only where none previously existed.

There are two parts to the Administrative Simplification provision of HIPAA:

•   Standards governing the electronic transmission of certain administrative and financial transactions (EDI), and
•   Standards to protect the confidentiality and security of all electronically-maintained, individually-identifiable healthcare information,
    along with privacy legislation that sets boundaries for the use of that information.



Each part of HIPAA applies differently to different healthcare organizations. The EDI components apply to those organizations that
electronically transmit administrative and financial data; the largest impact is on health plans and clearinghouses. HIPAA/EDI does
not apply to employers (except those acting as health plans, i.e. self-funded). Security and privacy apply to health plans, providers,
and health care clearinghouses that electronically maintain patient-identifiable information.

HIPAA Implementation Timeline
Typically, each element of HIPAA starts independently and then proceeds through a separate review and approval process. The
following briefly highlights the steps in the process:

   •   Existing regulations and standards are reviewed
   •   Public hearings are held
   •   Notice is published
   •   60-day public comment period is held
   •   Comments are reviewed and the rule revised
   •   Final Rule is published
   •   Regulations enacted and enforced

Note: Generally, the timeframe from date of publication to the effective date is 26 months.

The table below lists the latest information available from the DHHS website. The timeframe represented by these dates should be
factored into the development of any HIPAA compliance project timelines. The dates are current as of 3/20/2000.

 NPRMs Already Published

 Standard                          NPRM Published   Expected Final Rule Publication   Expected Date Compliance Required*
 EDI Transactions and Code Sets    5/98             6/2000                            8/2002
 Provider ID                       5/98
 Employer ID                       6/98
 Security                          8/98
 Privacy**                         11/99


 NPRMs in Development

 Payer ID
 Claims Attachments
 Enforcement
 Patient ID                        On hold
*Standards are required to be implemented within 2 years of the effective date of the final rule. (The effective date of the rule is generally 60 days after its
publication.) However, the effective date for the National Provider Identifier is likely to be delayed a few months to allow enough time for HHS to develop the
system for implementing the identifier.
**Privacy components have been delayed by Congress, but EDI and security are expected to continue to move forward with a likely deadline for compliance with
many HIPAA mandates occurring in 2002.




Key Legislative Highlights
Presented below are some of the key legislative highlights of the HIPAA proposed rules as of November 1, 1999. The current proposed
rules are too voluminous to reproduce here, so key highlights have been extracted to provide a basic introduction to the legislation.
They outline the EDI and security framework that the legislation has created and within which all health plans will have to operate;
that framework will be enforced by requiring health plans to comply with the various elements of the HIPAA mandates that will be
detailed in the Final Rules.

•   Health Plans may not refuse to process or delay the processing of a transaction that is presented in a standard electronic format.

•   Use of the ANSI ASC X12N and NCPDP transaction sets will introduce additional data elements that are most likely not captured
    today.

•   The unique code identifiers for Provider, Payer, Employer, and Individuals are NOT required on paper documents.

•   If a transaction is performed today or is planned to be performed in the future, the data content collected must equal the
    standard regardless of transportation means – i.e. Internet, extranet, clearinghouse, Value Added Network, direct line, modem,
    tape, diskette, CD, etc.

•   Entities that offer on-line interactive transmissions must comply with the standards. The HyperText Markup Language (HTML)
    interaction between server and a browser by which the data elements of a transaction are solicited from a user, would not have
    to use the standards, although the data content must be equal to that required for the standards.

•   Health plans that conduct transactions through an agent must assure that the agent meets all the requirements applicable to the
    health plan.

•   Trading Partner Agreements that stipulate data content, format definitions or conditions that do not comply with the standards are
    no longer valid requirements and will need to be modified. (For example: does your provider contract specify use of proprietary
    codes or formats to submit electronic data to the plan? Does your clearinghouse vendor translate data or reformat it based on
    specific directions from the plan? If so, these agreements need to be revisited.)

•   The direction of standardizing the data elements and the values in the data elements will force the elimination of proprietary
    codes (e.g. proprietary diagnosis coding).




Key Impacts
The EDI mandates of HIPAA’s Administrative Simplification legislation impact standard identifiers, code sets, and transaction sets,
which are essential features of any financial and administrative transactions conducted by health plans today, by dictating new
standards for them. The degree to which BCBS [Plan Name] can make its current systems and processes compliant with these
standards will determine how aggressively and securely it can deploy electronically transmitted healthcare information in the near
future. The impacts of HIPAA on these standards are outlined in detail below.

Standard Unique Identifiers
HIPAA requirements will affect the format and number of digits for the following ID numbers that are part of everyday administrative
and financial transactions conducted by health plans. The following table outlines the format for the Unique Identifiers. The Cross-
reference number relates to the Impact Matrix found on Page 15. The matrix illustrates the HIPAA impact of the standard unique
identifier changes to transactions and business processes.

  Cross-reference #   Unique Identifier               Digits
  A.1                 Employer                        9 digit, 00-0000000
  A.2                 Payer                           10-digit numeric, last digit is the check digit
  A.3                 Provider                        10-digit numeric, last digit is the check digit
  A.4                 Patient/Insured/Subscriber      TBD
Note: The Provider ID number assignment is random and will not have processing logic tied to the numbering scheme.

Standard Code Sets Mandated by HIPAA
Code sets for diagnosis and procedures used by BCBS [Plan Name] must be compliant with HIPAA standards for EDI transactions.
The following table outlines the format for the mandated Standard Code Sets. The Cross-reference number relates to the Impact
Matrix found on Page 15. The matrix illustrates the HIPAA impact of the standard code set changes to transactions and business
processes.





  Cross-reference #   Current Code Set     Future Code Set                Current Description           Future Description
  B.1                 HCPCS Codes          HCPCS Procedure Codes          5-digits alpha numeric        5-digits alpha numeric
  B.2                 J codes              NDC National Drug Codes        5-digits alpha numeric        11-digits
  B.3                 D codes              CDT2-ADA Dental Codes          5-digits alpha numeric        5-digits alpha numeric;
                                                                                                        no change identified
  B.4                 Proprietary codes    Eliminate proprietary codes    Eliminate proprietary codes   Eliminate proprietary codes


Transaction Code Sets
Use of the ANSI ASC X12 and NCPDP transaction code sets in business processes such as claims payments, enrollment, and
eligibility will introduce the following changes. The Cross-reference number relates to the Impact Matrix found on Page 15. The
matrix illustrates the HIPAA impact of the transaction code set changes to transactions and business processes.

  Cross-reference #   Change Description

  C.1                 Capture additional data elements not captured today.
  C.2(i)              Expanded code sets:
                      The data element called “Patient Status” will be eliminated and the values will now be listed under “Marital
                      Status” codes and “Patient Relationship” codes.
                      The values associated with the “Patient Relationship” codes have increased from approximately 4 code values
                      to 37 code values.
                      The data element called “Place of Service” is now called “Location Identification Code”.
                      The values associated with the identification codes have increased from approximately 23 code values to 30
                      code values.
                      The values associated with the condition codes, value codes, and amount codes have increased significantly.
  C.2(ii)             Expanded code sets:
                      The data element called “Patient Status” will be eliminated and the values will now be listed under “Marital
                      Status” codes and “Patient Relationship” codes.
                      The values associated with the “Patient Relationship” codes have increased from approximately 4 code values
                      to 37 code values.
  C.2(iii)            Expanded code sets:
                      The data element called “Patient Status” will be eliminated and the values will now be listed under “Marital
                      Status” codes and “Patient Relationship” codes.
  C.3                 Adjustment reason codes and claim status codes will change.
  C.4                 Each professional claim will have a maximum of 50 service lines.
  C.5                 For professional claims, a maximum of 5000 claims can be sent per each 837 envelope.
  C.6                 Work to eliminate the use of proprietary codes over time. Cannot translate proprietary codes or bundle them
                      into different codes.
  C.7                 HIPAA will require replication of outbound data in the same format that it was transmitted. Additional fields that
                      are not included in the transaction set cannot be added.
  C.8                 Future claim submissions may require code plus modifier for services.
  C.9                 Number of diagnosis codes allowed on a submission will increase from 4 diagnosis codes to 8 diagnosis codes
                      with 4 pointers per diagnosis code for each service line on the claim.
  C.10                Expanded demographic data elements.
  C.11                Process information at member level: member data includes individual name, individual identifier, individual
                      premium remittance detail, individual coverage period, and individual premium adjustment.

Impact Matrix
The Impact Matrix on the following page illustrates the impact that the HIPAA standards listed in the above tables (cross-referenced
by the number in the first column of each table) will have on the transactions and the business processes of which they are a part. It
is meant to identify, from a transaction perspective, the HIPAA standards that will affect the organization’s business processes and
the associated systems that support the operations within those processes. A “Y” in any cell of the table indicates that the associated
HIPAA standard will have an impact on that transaction and business process; similarly, “N” denotes no impact.


Impact Matrix:

Transaction columns:
  Enrollment/Eligibility:             270 – Eligibility Inquiry; 271 – Eligibility Response; 834 – Enrollment
  Claim/Claim Status/Referral/Auths:  276 – Claims Status Request; 277 – Claim Status Response; 278 – Referrals & Authorizations;
                                      837 – Health Care Claim
  Claim Payments:                     835 – Claim Payment Advice; 820 – Payment Order/Remittance Advice
  Premium Payments:                   811 – Premium Payment Invoice
  Provider:                           275 – Claims Attachment

  Cross-        270   271   834   276   277   278   837   835   820   811   275
  reference #
  A.1            Y     Y     Y     Y     Y     Y     Y     Y     Y     Y     Y
  A.2            Y     Y     Y     Y     Y     Y     Y     Y     Y     Y     Y
  A.3            Y     Y     Y     Y     Y     Y     Y     Y     Y     Y     Y
  A.4            Y     Y     Y     Y     Y     Y     Y     Y     Y     N     Y
  B.1            N     N     N     Y     Y     Y     Y     Y     Y     N     Y
  B.2            N     N     N     Y     Y     Y     Y     Y     Y     N     Y
  B.3            N     N     N     Y     Y     Y     Y     Y     Y     N     Y
  B.4            N     N     N     Y     Y     Y     Y     Y     Y     N     Y
  C.1            Y     Y     Y     Y     Y     Y     Y     Y     Y     N     Y
  C.2(i)         N     N     N     Y     Y     Y     Y     Y     Y     N     Y
  C.2(ii)        Y     Y     Y     N     N     N     N     N     N     N     N
  C.2(iii)       N     N     N     N     N     N     N     N     N     Y     N
  C.3            N     N     N     Y     Y     Y     Y     Y     Y     Y     N
  C.4            N     N     N     Y     Y     Y     Y     Y     Y     N     N
  C.5            N     N     N     Y     Y     Y     Y     Y     Y     N     N
  C.6            N     N     N     Y     Y     Y     Y     Y     Y     N     Y
  C.7            Y     Y     Y     Y     Y     Y     Y     Y     Y     Y     Y
  C.8            N     N     N     Y     Y     Y     Y     Y     Y     N     N
  C.9            N     N     N     Y     Y     Y     Y     Y     Y     N     N
  C.10           Y     Y     Y     N     N     N     N     N     N     N     N
  C.11           N     N     N     N     N     N     N     N     N     Y     N

Key Questions and Recommendations

Examples of key questions and recommendations that BCBS [Plan Name] should begin thinking about in preparation for HIPAA:

   •   How consistent are the coding systems within our organization today? How many times would we need to translate data
       elements to reach 100% standardization within our systems?

   •   What Medical/Clinical codes and classifications do we use in administrative transactions now?

   •   How closely aligned to ICD-9 are we today? How prevalent is the use of proprietary codes or local codes within our
       organization?

   •   Recommendation: Ask health insurers to eliminate the use of local codes that were established for administrative purposes,
       to facilitate claims payment.

   •   Recommendation: Require Code plus Modifier for services provided. What impact will this additional information have on our
       organization and the associated business processes?




RFP Development
HIPAA Assessments are labor intensive. Moreover, they require resources who possess knowledge of the details of HIPAA
regulations along with their implications, and who are experienced in the application of implementation methodologies, applications,
and tools if the final assessment approach is to be viable.

This section outlines a sample RFP that BCBS [Plan Name] can use to evaluate external consultants for assisting it with its HIPAA
assessment if required.

RFP Table of Contents
The Table of Contents below outlines a complete RFP. Questions relating to an external consulting firm’s expertise and experience
in providing assistance with HIPAA assessments should be included in the Proposal Format Section of an RFP. Examples of
those questions are detailed following the suggested Table of Contents.

INTRODUCTION .......... #

BACKGROUND .......... #
   BACKGROUND AND UNDERSTANDING .......... #
   SCOPE AND OBJECTIVES .......... #
GENERAL REQUIREMENTS .......... #
   RFI/RFP OBJECTIVES .......... #
   PROPOSAL PACKAGING AND SUBMISSION .......... #
   INTENT TO RESPOND .......... #
   VENDOR PROPOSAL GUIDELINES .......... #
   ECONOMY OF PRESENTATION .......... #
   CONFIDENTIALITY .......... #
   CONTRACT INCORPORATION .......... #
   COSTS INCURRED IN RESPONDING .......... #
   NEGOTIATIONS .......... #
PROPOSAL FORMAT .......... #
   PART I. SPECIFIC REQUIREMENTS .......... #

   PART II. GENERAL REQUIREMENTS .......... #
   PART III. BUSINESS REQUIREMENTS/DELIVERABLES .......... #
   PART IV. PRICING .......... #
   PART V. BUSINESS ORGANIZATION .......... #
   PART VI. FINANCIAL STABILITY .......... #
EVALUATION PROCESS AND SCHEDULE .......... #

SCHEDULE OF EVENTS .......... #

PROPOSAL DUE DATE .......... #

BIDDER SIGNATURE PAGE .......... #


RFP Proposal
Proposal Format
The following identifies examples of questions for the Proposal Format Section Only of an RFP.


Part I.   Specific Requirements
   •   Describe your process for conducting this HIPAA assessment.
   •   How long will the assessment take (please include a project schedule)?
   •   What is your recommendation for the project organization structure that BCBS [Plan Name] should implement to support the
       assessment process (including organization chart)?
   •   What and how much BCBS [Plan Name] involvement is required (specify staff expertise level and estimates of time
       required)?
   •   How much of the services will be performed onsite at BCBS [Plan Name] and how much will be offsite? What facilities will
       you require from BCBS [Plan Name]?


Part II. General Requirements
   • Describe your project management methodology and approach
   • What are your conflict resolution procedures during the contract phase?
   •   The vendor must be able to demonstrate a thorough understanding of HIPAA provisions. What research methodology has
       been employed by your organization in preparation for HIPAA?
   •   Please provide the following information indicating your level of expertise:
          - References from at least four (4) health plans (preferably HIPAA engagements)
          - Institutional resume and individual resumes of the persons who will perform this work.
   •   How long do you anticipate it will take from the time an agreement is signed for you to begin the assessment?


Part III. Business Requirements/Deliverables
The HIPAA Assessment needs to provide BCBS [Plan Name] with the following:
   •   Multiple recommendations to meet HIPAA Administrative Simplification compliance and a detailed analysis for each
       recommendation. The analysis must capture cost of resources, opportunities, risk and other significant budgetary impacts.
   •   An analysis of our E-Commerce strategy and recommendations for further development in line with the HIPAA mandates.
   •   An impact and gap analysis of business areas including but not limited to: claims, accounting, membership and billing,
       customer service, referral and authorization processing, provider contracting, facility management, security administration
       policies, procedures and infrastructure components, compliance and human resources. The analysis needs to identify
       impacts and gaps in these business areas’ processes and procedures.
   •   An impact and gap analysis of the following hardware/software components, and a document that identifies a count of data
       occurrences and gaps for impacted data elements, systems, processes and components:
           - PC/LAN operating systems and environment
           - IBM OS operating system and software environment
   •   In-house written and maintained BCBS [Plan Name] systems, including but not limited to: actuarial, claims processing and
       payment, membership and billing systems, marketing systems, interfaces to national systems and interfaces to third party
       systems.
   •   A detailed HIPAA impact and gap analysis of our current third party interfaces.
   •   An assessment of the impact of HIPAA on our corporate strategic plan.





Part IV. Pricing
In addition to the fixed price/not to exceed bid, please provide details on how that price was obtained. Include hours by experience
level, salary rates, categories of expenses, company investments (if any), and any other relevant information.


Part V. Business Organization
   • Full name
   • Address
   • Phone number
   • Web-site
   • Email address
   • Parent company (if operating as subsidiary)
   • Indicate if you are a partnership, corporation, individual or other
   • Date company founded
   • State of incorporation or licensing
   • List of principals or major stockholders
   • Executive level organizational chart
   • Y2K statement of compliance
   • Annual users conference or meeting information
   • List of branch offices or other subordinate elements that will perform or assist in performing work herein


Part VI. Financial Stability
Audited financial statements for the most recent quarter and the last year-end, including:
   • Balance Sheet
   • Income Statement
   • Statement of Cash Flow
   • Copies of your last two annual reports
   • R & D Budget
   • Description of any litigation in which vendor is currently involved
   • Any potential conflict of interest and plans for avoiding the conflict



HIPAA Impact Assessment Guidelines and Tools
The templates/tools developed to aid in the assessment of HIPAA impacts on BCBS [Plan Name’s] systems, business processes,
external relationships, etc. are contained in this section of the document. The templates/tools that follow will be used to complete the
third step of the assessment approach process that was outlined on page 7 of this document. This section also contains a sample
illustrating the use of each tool/template in this step of the assessment approach, except for the HIPAA Solutions Matrix and the
HIPAA Security Assessment Matrix.

The following bullets provide an overview of the components in this tool-set and their interaction with one another:

   •   HIPAA Assumption Matrix – All assumptions that project activities were based upon before, during and after the completion
       of the HIPAA Impact Assessment Matrix should be documented and included in the HIPAA assumption matrix. This can
       include design assumptions or other necessary assumptions about the future environment.

   •   HIPAA System Impact Assessment Matrix – This is one of the primary tools for conducting the assessment. In each
       matrix, the HIPAA standard is evaluated against the identified BCBS [Plan] system. The level of impact is determined and the
       value is entered in the appropriate cell of the matrix. This tool gathers information that can be used to quantify the impacts of
       HIPAA standards on current systems.

   •   HIPAA Business Impact Assessment Matrix – This is the other primary tool for conducting the assessment. In each
       matrix, the HIPAA standard is evaluated against the identified BCBS [Plan] business process or department. The level of
       impact is determined and the value is entered in the appropriate cell of the matrix. This tool gathers information that can be
       used to quantify the impacts of HIPAA standards on current business processes or departments.

   •   HIPAA Vendor Matrix – If there is an identified relationship with an external trading partner, vendor or other service provider
       that may be affected by HIPAA requirements, then the external dependency should be noted on the HIPAA Impact
       Assessment matrix and documented in detail on the HIPAA Vendor Matrix.

   •   HIPAA Internal Dependency Matrix – When completing the HIPAA Impact Assessment Matrix, if there is a critical upstream
       or downstream dependency with an internal system, then the internal dependency should be noted on the HIPAA Impact
       Assessment Matrix and documented in detail on the HIPAA Internal Dependency Matrix.

   •   HIPAA Solution Matrix – Possible solutions for meeting HIPAA standards should be proposed and evaluated when
       determining the level of impact on BCBS [PLAN] systems. Both short and long term solutions should be considered and
       documented in the HIPAA Solution Matrix at a high level after completing the HIPAA Impact Assessment Matrix.

   •   HIPAA Transaction Volume Assessment – Separate from the HIPAA System and Business Impact Assessment Matrices,
       this tool examines the current and expected future volumes of HIPAA and Non-HIPAA transactions within BCBS [Plan Name].
       This is relevant to transition planning.

   •   HIPAA Security Assessment Tool – This is the primary tool for conducting the security assessment and determining the
       organization’s current level of alignment with HIPAA security requirements for both the technical and business
       process/administrative functions.

   •   HIPAA Project Inventory Database – The structure of the compliance inventory database, which will be used in step 4 of
       the assessment approach to assess the results of the activities in step 3, is outlined here along with a template that shows
       the information that can be reported as a result of the analysis carried out in the database.

   •   HIPAA Privacy Assessment Tools – Disclaimer: The Privacy Tools in this section are preliminary. The Privacy regulations
       are not final. The tools will be modified as the final regulations are released. The following bullets provide an overview of the
       major components in this tool set.

           -   HIPAA Privacy Introduction Tool - This tool provides a detailed overview of the recommended privacy regulation.
               Before completing the HIPAA Privacy Assumption Matrix and the HIPAA Privacy Impact Assessment Matrix, review
               this document.
           -   HIPAA Privacy Assumption Matrix – Before, during and after the completion of the HIPAA Privacy Impact Assessment
               Matrix, all assumptions should be documented and included in the HIPAA Privacy Assumption Matrix.
           -   HIPAA Privacy System and Business Impact Assessment Matrices – These are the primary tools for conducting the
               privacy assessment. In each matrix, the HIPAA Privacy regulations are evaluated against the identified business
               process. The level of impact is determined and the value is entered in the appropriate cell of the matrix.

Suggested Approach
For each of the above tools, more detailed instructions are available that further describe the use of the tools for completing each
component of the HIPAA assessment step. Each set of detailed instructions is followed by a sample illustration of a populated
template/tool. This provides the user with two referential guides, one written and one pictorial, to use in filling out the actual
tool/template.





The following guidelines outline the suggested approach for completing the assessment:

Getting Started:
Before beginning to complete the various Impact Assessment Matrices in this tool set, review the HIPAA Education section to
refresh the basic understanding of HIPAA requirements, and also review any available BCBS [Plan Name] business and/or corporate
initiatives, so that a picture of the organization’s direction and of the impact of HIPAA on that direction can be formed.
This picture will be a useful frame of reference when gathering the information that will populate the matrix tools/templates.

When You’re Done:
Once the tools have been completed, the Business Segment Leader should compile and forward the completed documents to the
Project Manager. They are used here primarily for planning purposes, but may later become critical as an audit trail.





HIPAA Assumption Matrix
Guidelines for Completing the HIPAA Assumption Matrix

Purpose:
Document the assumptions made in determining the level of impact HIPAA requirements will have on the BCBS [PLAN]’s business
processes and systems.

The Business Process Team Leader should lead and coordinate this process:

 Step        Process
 1.          In the field labeled “Business Segment”, enter the name of the business segment
 2.          In the field labeled “Business Process Team”, enter the name of the team
 3.          In the field labeled “Assessment type” enter “system” or “business”
 4.          Review the business initiatives
 5.          Review the corporate initiatives
 6.          Enter assumptions on the matrix
 7.          Enter additional assumptions identified during the assessment process on the matrix





HIPAA Assumption Matrix (Sample)

Business Segment: _XXXXXX_________________________________________
Business Process Team:____XXXXX Operations_______________________________________
Assessment Type:__Business & Systems_________________________________________

        Assumptions
 1.     The XXXX Business and Systems assessment will take into account all corporate assumptions.
 2.     All Medicare Carriers and Intermediaries will comply with all HIPAA standards and HCFA timeframes.
 3.     All impact assessments are based on what we currently know about our business for 2000. Should we engage in
        business with other companies, or different types of businesses, the assessment will be reevaluated.
 4.     Employer ID is not required for current claim processing, benefit calculation, or eligibility.
 5.     Employer ID is currently required for premium tracking in the Actuarial Data Warehouse.
 6.     Payer ID will be used by all Medicare carriers in place of the current sender/receiver ids.
 7.     Provider ID will not replace identifiers currently used in XXXX systems (e.g. TIN/SSN/EIN, MPIN, Medicare Provider
        Key, XXXXX Provider Key, etc.), but will be an additional data element that we will be required to capture and link to
        our current identifiers.
 8.     Patient/Subscriber ID will not replace the XXXXX Membership Number, but will be an additional data element that we
        will be required to capture to link to the Membership Number. Membership Number is not health care specific.
 9.     The ANSI 821 Eligibility transaction can be generated as a batch file, and will replace the current HCFA COB
        (Coordination of Benefits) eligibility file format.
 10.    The ANSI 837 Claim transaction will replace COB version 2 and COB version 3, but there will be a transition period
        when we may receive all three formats.





HIPAA Assumption Matrix:

Business Segment: __________________________________________
Business Process Team:___________________________________________
Assessment Type:___________________________________________

        Assumptions
 1.
 2.
 3.
 4.
 5.
 6.
 7.
 8.
 9.
 10.





HIPAA System Impact Assessment Matrix
Guidelines for Completing the HIPAA System Impact Assessment Matrix

Purpose:
Provide a structured approach for assessing and documenting the impact of HIPAA compliance standards on BCBS [PLAN]
systems. Following are the guidelines to assist in the completion of this assessment matrix.

Considerations:
The process for determining the magnitude of impact for each HIPAA requirement on a particular system should include the
following considerations:

•   No Change:         Is a change actually necessary to meet requirements?
•   Discard data:      Are these data elements required by BCBS [PLAN], or, can they be discarded?
•   Store data:        Although the data is not used to support a transaction, should BCBS [PLAN] still accept and store data?
•   Substitute data:   Is substitution necessary, and will system modifications be required?
•   Translate data:    Is a “one-to-one” translation possible with a relatively low impact, or, will a “one-to-many” translation be
    required?

For this matrix the impact is determined by the incremental development costs associated with a proposed system change. The cost
ranges to determine the level of impact are:

    Low                < .5 FTE Months
    Medium             .5 FTE Months – 4 FTE Months
    High               4 FTE Months – 12 FTE Months
    Very High          > 12 FTE Months





Process:
The Business Process Team Leader should lead and coordinate this process:

 Step    Process…
 1.      In the field labeled “Business Segment”, enter the name of the business segment
 2.      In the field labeled “Business Process Team”, enter the name of the team
 3.      In the column labeled “System”, enter the name of the system or sub-system
 4.      In the column labeled “Ownership”, enter the name of the person or department accountable for maintaining the
         system or sub-system
 5.      In the column labeled “Description”, enter a brief description of the system or sub-system
 6.      Determine the impact HIPAA Standard Identifier requirements will have on each system or sub-system
         If system is…             And the impact is …       Then, for each standard identifier category enter a…
         Impacted                  Low                       1
                                   Medium                    2
                                   High                      3
                                   Very High                 4
         Not impacted                         →              No impact
 7.      Determine the impact HIPAA Standard Code Set requirements will have on each system or sub-system
         If system is…             And the impact is …       Then, for each standard code set enter a…
         Impacted                  Low                       1
                                   Medium                    2
                                   High                      3
                                   Very High                 4
         Not impacted                         →              No impact





 Step    Process…
 8.      Determine the impact Transaction Set requirements will have on each system or sub-system
         If system is…           And the impact is …     Then, for each transaction set enter a…
         Impacted                Low                     1
                                 Medium                  2
                                 High                    3
                                 Very High               4
         Not impacted                       →            No impact
 9.      Assess the impact on external dependencies
         If external dependency  Then enter…
         is…
         Impacted                Y, and go to the Vendor Assessment Matrix and complete the required fields
         Not impacted            N
 10.     Assess the impact on internal dependencies
         If internal dependency  Then enter…
         is…
         Impacted                Y, and go to the Internal Dependency Matrix and complete the required fields
         Not impacted            N
 11.     Business Process Team Leaders ensure the matrix is updated and returned to the Manager




 HIPAA System Impact Assessment Matrix (Sample)

Business Segment: _XXXXX_(Required based on assumptions)________________________________________
Business Process Team:____XXXXX__Operations_____________________________________
Legend:   1=Low Impact    2=Medium Impact    3=High Impact    4=Very High Impact
* Other is defined as but not limited to Patient Relationship codes, Narrative codes, Location codes, Amount codes and Value codes
Note: ICD-10 and CPT-5 are not included in the current mandates

HIPAA Compliance Area columns:
   Standard Identifier:   Employer ID, Payor ID, Provider ID, Provider ID
   Standard Code Sets:    ICD-9, CPT-4, NDC, HCPCS (eliminate), CDT, Other*
   Transaction Sets:      270, 271, 275, 276, 277, 278, 820, 834, 835, 837
   Dependencies:          External, Internal

 System                              Owner   Description                                                   Impact values entered (left to right)
 System 1                            XXXX
 Electronic Claim Front End Key              Part B Electronic Claims; Paper Claims sent to keying vendor  1, 2, 2, 2, 1, 1, 2, 3
 Electronic claims from Carriers             Medicare Carriers                                             1, 2, 2, 2, 1, 1, 2, 3
 Manual Claim                                Paper claims processed                                        2, 3, 1, 1, 3
 Online Check Register                                                                                     2, 2
 Letter Entry System                         Vendor package for letters                                    3, 3
 Claim history review/maintenance            All claim history and control file maintenance and review     3, 3, 1, 1, 2
 Provider
 Provider File                               Hospital and doctor file                                      2






HIPAA System Impact Assessment Matrix:

Business Segment: __________________________________________
Business Process Team:___________________________________________


 HIPAA Compliance Area    Standard Identifier:   Employer ID, Payor ID, Provider ID, Provider ID
                          Standard Code Sets:    ICD-9, CPT-4, NDC, HCPCS (eliminate), CDT, Other*
                          Transaction Sets:      270, 271, 275, 276, 277, 278, 820, 834, 835, 837
                          Other:                 External, Internal

 System           Owner           Description           (one matrix column per item listed above)




Legend:          1=Low Impact              2=Medium Impact                3=High Impact             4=Very High Impact
* Other is defined as but not limited to Patient Relationship codes, Narrative codes, Location codes, Amount codes and Value codes

Note: ICD-10 and CPT-5 are not included in the current mandates.




HIPAA Business Impact Assessment Matrix
Guidelines for Completing the HIPAA Business Impact Assessment Matrix

Purpose:
Provide a structured approach for assessing and documenting the impact of HIPAA compliance standards on BCBS [PLAN]
business processes. Following are guidelines to assist in the completion of this assessment matrix.

Considerations:
When determining the magnitude of impact each HIPAA requirement has on BCBS [PLAN] business processes, the following
alternatives should be considered:

     •   No change to business process
     •   Minimal change to business process
     •   Significant change to business process
     •   Eliminate business process
     •   Generate incremental operational changes
     •   Cross functional dependency identified (e.g. training, systems)

For this matrix the impact is determined by the incremental costs associated with a change in business process. The cost ranges to
determine the level of impact are:

    Low              < .5 FTE Months
    Medium           .5 FTE Months – 4 FTE Months
    High             4 FTE Months – 12 FTE Months
    Very High        > 12 FTE Months




Process:
The Business Process Team Leader should lead and coordinate this process:

 Step    Process…
 1.      In the field labeled “Business Segment”, enter the name of the business segment
 2.      In the field labeled “Business Process Team”, enter the name of the team
 3.      Determine the impact HIPAA Standard Identifier requirements will have on each business process
         If business process is… And the impact is …        Then, for each standard identifier category enter a…
         Impacted                  Low                      1
                                   Medium                   2
                                   High                     3
                                   Very High                4
         Not impacted                        →              No impact
 4.      Determine the impact HIPAA Standard Code Set requirements will have on each business process
         If business process is… And the impact is …        Then, for each standard code set enter a…
         Impacted                  Low                      1
                                   Medium                   2
                                   High                     3
                                   Very High                4
         Not impacted                        →              No impact
 5.      Determine the impact Transaction Set requirements will have on each business process
         If business process is… And the impact is …        Then, for each transaction set enter a…
         Impacted                  Low                      1
                                   Medium                   2
                                   High                     3
                                   Very High                4
         Not impacted                        →              No impact
 6.      Assess the impact on external dependencies

         If external dependency Then enter…
         is…
         Impacted               Y, and go to the Vendor Assessment Matrix and complete the required fields
         Not impacted           N
 7.      Business Process Team Leaders ensure the matrix is updated and returned to the Manager




HIPAA Business Impact Assessment Matrix (Sample)

Business Segment: ______XXXXX____________________________________
Business Process Team:________XXXXX__Operations________________________________

 HIPAA Compliance Area (one column per item; scores per the legend below):
   Security
   Privacy
   Standard Identifier: Employer ID, Payor ID, Provider ID, Provider ID
   Standard Code Sets: ICD-9, CPT-4, NDC, HCPCS (eli…), CDT, Other*
   Transaction Sets: 270, 271, 275, 276, 277, 278, 820, 834, 835, 837
   Other: External

 Business Process                        Impact scores entered (left to right)   External
 Benefits                                                                        N
 Enrollment                              2, 2                                    N
 Eligibility                                                                     Y
 Provider/Network                        2                                       Y
 Billing                                 2, 3                                    N
 Capitation                                                                      N
 Claims/Warm Transfer                    2, 2, 2, 2, 2, 4                        Y
 Medical Management                      2, 2, 2, 2, 2                           Y
 Case Management                         2, 2, 2, 2, 2                           Y
 Provider Settlement                     2, 2                                    N
 Underwriting                            2, 2, 1, 1, 1, 1, 1                     N
 Actuarial                               1, 2, 1, 1, 1, 1, 1, 1                  N
 Finance                                 2, 2                                    Y
 Reporting                               3, 3, 3, 3, 3, 3                        Y
 Customer Service                        2, 2, 2, 2, 1, 1                        N
 Claim and Actuarial Data Warehouses     2, 1, 2, 2, 2, 2                        N
 Column placement of the individual scores did not survive extraction of this sample; only their left-to-right order and the External flag are shown.
Legend: 1=Low Impact              2=Medium Impact             3=High Impact              4=Very High Impact
* Other is defined as but not limited to Patient Relationship codes, Narrative codes, Location codes, Amount codes and Value codes

Note: ICD-10 and CPT-5 are not included in the current mandates.




HIPAA Business Impact Assessment Matrix:

Business Segment: __________________________________________
Business Process Team:___________________________________________

 HIPAA Compliance Area (one column per item; scores per the legend below):
   Security
   Privacy
   Standard Identifier: Employer ID, Payor ID, Provider ID, Provider ID
   Standard Code Sets: ICD-9, CPT-4, NDC, HCPCS (eli…), CDT, Other*
   Transaction Sets: 270, 271, 275, 276, 277, 278, 820, 834, 835, 837
   Other: External

 Business Process                        Impact score per column                 External




Legend: 1=Low Impact            2=Medium Impact               3=High Impact              4=Very High Impact
* Other is defined as but not limited to Patient Relationship codes, Narrative codes, Location codes, Amount codes and Value codes
Note: ICD-10 and CPT-5 are not included in the current mandates.




HIPAA Vendor Matrix
Guidelines for Completing the HIPAA Vendor Matrix

Purpose:
Identify the organization’s trading partners, vendors and/or service providers impacted by HIPAA requirements.

The Business Process Team Leader should lead and coordinate this process:

 Step   Process…
 1.     In the field labeled “Business Segment”, enter the name of the business segment
 2.     In the field labeled “Business Process Team”, enter the name of the team
 3.     Identify your trading partners impacted by HIPAA requirements
 4.     In the field labeled Vendor, enter the name of the trading partner
 5.     In the field labeled Vendor Address & Phone Number, enter the trading partner’s address and phone number
 6.     In the field labeled Type of Service Provided, enter the type of service provided by the trading partner
 7.     In the field labeled System or Business, enter a “S” if this vendor relates back to the System Impact Matrix or a “B” if this
        vendor relates back to the Business Impact Matrix
 8.     In the field labeled Effective and Termination Date of Contract, enter the effective and termination date of your contract with
        the trading partner
 9.     Business Process Team Leaders ensure Matrix is updated and returned to Manager




HIPAA Vendor Matrix (Sample)

Business Segment: _____XXXX______   _____________________________
Business Process Team:________XXXX__Operations_________________________________

 Vendor Name                  Vendor Address & Phone Number             Type of Service Provided   System (S) or Business (B) Vendor   Effective (E) and Termination (T) Date of Contract
 ABC Vendor                   123 Main Street, Chicago, IL 90909        Electronic Claims          Business                            (E) =   (T) =
 Electronic Claims Company    987 Sunset Drive, Los Angeles, CA 60606   Electronic Claims          Business                            (E) =   (T) =
                                                                                                                                       (E) =   (T) =
                                                                                                                                       (E) =   (T) =
                                                                                                                                       (E) =   (T) =
                                                                                                                                       (E) =   (T) =




HIPAA Vendor Matrix:

Business Segment: __________________________________________
Business Process Team:___________________________________________

 Vendor Name                     Vendor Address &   Type of Service    System (S) or Business (B)   Effective (E) and
                                 Phone Number       Provided           Vendor                       Termination (T)
                                                                                                    Date of Contract
                                                                                                    (E) =
                                                                                                    (T) =
                                                                                                    (E) =
                                                                                                    (T) =
                                                                                                    (E) =
                                                                                                    (T) =
                                                                                                    (E) =
                                                                                                    (T) =
                                                                                                    (E) =
                                                                                                    (T) =
                                                                                                    (E) =
                                                                                                    (T) =
                                                                                                    (E) =
                                                                                                    (T) =




HIPAA Internal Dependency Matrix
Guidelines for Completing the HIPAA Internal Dependency Matrix

Purpose:
Identify the internal dependencies between systems that will be impacted by HIPAA requirements. Assessing internal dependency
impacts allows BCBS [Plan name] to map out how a HIPAA standard’s effect on an information element in one system can impact a
downstream system that uses the same information element. It also brings the owners of both systems onto the same page by
informing them how HIPAA and the compliance effort will affect their systems concurrently.

The Business Process Team Leader should lead and coordinate this process:

 Step        Process
 1.          In the field labeled “Business Segment”, enter the name of the business segment
 2.          In the field labeled “Business Process Team”, enter the name of the team
 3.          In the field labeled “Internal Dependency”, enter the dependency
 4.          In the field labeled “Description of dependency”, enter a brief description of the dependency
 5.          In the field labeled “Type of service provided”, enter the type of services supported by the Internal Dependency
 6.          Attach the Internal Dependency Assessment Matrix to the System Impact Assessment Matrix




HIPAA Internal Dependency Assessment Matrix (Sample)

Business Segment: ______XXXX ____________________________________
Business Process Team:____XXXX Operations_______________________________________

 Internal Dependency        Description of Dependency                     Type of Service Provided
 XXXX                       Client                                        Generates Membership Number
 YYYY Customer              Value Chain Partner providing member data     Member Database, Fulfillment processing (checks,
 Service Inc                and operational support                       EOBs and letters), Customer Service systems, Warm
                                                                          Transfer calls
 XXXX Corporate             Data feeds and corporate systems              Financial feeds, CPT codes
 XXXX Corporate             Provider data feeds                           EPD
 Integrity Plus             Fraud Analysis                                AFW- Impromptu Software
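The downstream-impact tracing that the Internal Dependency Matrix is meant to support (a change to an information element in one system reaching every system that consumes it, and the owners who must be told) can be computed from the matrix entries once each dependency is recorded as producer, information element and consumer. The script below is an added example, not part of the BCBSA template: the edge list and owner table are constructed from the sample rows above, and the element names, the "Claims System" node, the feedback edge and the owner assignments are assumptions for illustration.

```python
from collections import deque

# Constructed sample dependencies, modelled on the Internal Dependency
# Assessment Matrix sample above. Each edge is
# (producer system, information element, consumer system).
# The element names, the "Claims System" node, the feedback edge and the
# owner assignments are assumptions for illustration, not data from the plan.
EDGES = [
    ("XXXX Client", "Membership Number", "Member Database"),
    ("Member Database", "Membership Number", "Fulfillment Processing"),
    ("Member Database", "Membership Number", "Customer Service Systems"),
    ("Customer Service Systems", "Membership Number", "Warm Transfer Calls"),
    # Feedback loop: fulfillment writes status back to the member database.
    ("Fulfillment Processing", "Membership Number", "Member Database"),
    ("XXXX Corporate", "CPT Codes", "Claims System"),
    ("Claims System", "CPT Codes", "Integrity Plus Fraud Analysis"),
    ("XXXX Corporate", "Financial Feeds", "Finance"),
    ("XXXX Corporate", "Provider Data Feeds", "EPD"),
]

# Assumed system owners: the parties that must be brought "onto the same page".
OWNERS = {
    "XXXX Client": "Membership",
    "Member Database": "YYYY Customer Service Inc",
    "Fulfillment Processing": "YYYY Customer Service Inc",
    "Customer Service Systems": "YYYY Customer Service Inc",
    "Warm Transfer Calls": "YYYY Customer Service Inc",
    "XXXX Corporate": "Corporate IT",
    "Claims System": "Claims Operations",
    "Integrity Plus Fraud Analysis": "Integrity Plus",
    "Finance": "Finance",
    "EPD": "Provider Network",
}


def build_graph(edges):
    """Index the matrix rows as (producer, element) -> [consumer, ...]."""
    graph = {}
    for producer, element, consumer in edges:
        graph.setdefault((producer, element), []).append(consumer)
    return graph


def downstream_impact(edges, start_system, element):
    """Every system that receives `element` from start_system, directly or via
    intermediaries, mapped to its hop distance. Breadth-first with a visited
    set, so a dependency cycle (see the feedback edge) terminates."""
    graph = build_graph(edges)
    hops = {start_system: 0}
    queue = deque([start_system])
    while queue:
        current = queue.popleft()
        for consumer in graph.get((current, element), []):
            if consumer not in hops:
                hops[consumer] = hops[current] + 1
                queue.append(consumer)
    hops.pop(start_system)  # the originating system is not "downstream" of itself
    return hops


def owners_to_notify(edges, owners, start_system, element):
    """Distinct owners of the impacted systems, sorted for a stable report."""
    impacted = downstream_impact(edges, start_system, element)
    return sorted({owners.get(system, "unassigned") for system in impacted})


if __name__ == "__main__":
    change = ("XXXX Client", "Membership Number")
    print(f"Change to {change[1]} in {change[0]} impacts:")
    by_distance = sorted(downstream_impact(EDGES, *change).items(), key=lambda kv: kv[1])
    for system, distance in by_distance:
        print(f"  {distance} hop(s): {system} (owner: {OWNERS.get(system, 'unassigned')})")
    print("Notify:", ", ".join(owners_to_notify(EDGES, OWNERS, *change)))
```

The key of the graph is (producer, element) rather than producer alone, so a change to CPT codes in XXXX Corporate reaches the claims and fraud-analysis systems but not Finance or EPD, which consume different elements from the same source. The visited set is what makes the feedback edge between fulfillment and the member database safe; without it the trace would never terminate.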




HIPAA Internal Dependency Assessment Matrix:

Business Segment: __________________________________________
Business Process Team:___________________________________________

 Internal Dependency        Description of Dependency                   Type of Service Provided




HIPAA Solution Matrix
Guidelines for Completing the HIPAA Solution Matrix
Purpose:
Capture proposed solutions for bringing systems and business processes into compliance with HIPAA. The short-term (2 years after the
Final Rule target date) and long-term (4 years after the Final Rule target date) approaches to compliance can be identified at a high
level from the information collected with the other tools in this toolkit; the solutions are based on that information and evaluated against it.
The Business Process Team Leader should lead and coordinate this process:
 Step      Process
 1.          In the field labeled “Business Segment”, enter the name of the business segment
 2.          In the field labeled “Business Process Team”, enter the name of the team
 3.          Determine the short-term level of compliance with HIPAA requirements, for the system and for the business process
             If the short-term level of   Then a √ mark is placed in the …
             compliance is…
             Minimal compliance           Minimal compliance column
             Best practice                Best practice column
 4.          In the column labeled “Describe high level compliance solution”, enter the short-term solution
 5.          In the column labeled “Business Advantage Description”, explain how this solution will be advantageous to
             BCBS [PLAN]
 6.          Determine the long-term level of compliance with HIPAA requirements, for the system and for the business process
             If the long-term level of    Then a √ mark is placed in the …
             compliance is…
             Minimal compliance           Minimal compliance column
             Best practice                Best practice column
 7.          In the column labeled “Describe high level compliance solution”, enter the long-term solution
 8.          In the column labeled “Business Advantage Description”, explain how this solution will be advantageous to
             BCBS [PLAN]
 9.          Business Process Team Leaders ensure Matrix is updated and returned to Manager

HIPAA Solution Matrix

Business Segment: __________________________________________
Business Process Team:___________________________________________

Short Term
                 Minimal         Best       Describe high level compliance solution:   Business Advantage
                 Compliance      Practice                                              Description
 System

 Business
 Process


Long Term
                 Minimal         Best       Describe high level compliance solution    Business Advantage
                 Compliance      Practice                                              Description
 System

 Business
 Process




HIPAA Transaction Volume Assessment
Guidelines for Completing the HIPAA Transaction Volume Assessment

Purpose:
Determine the level of impact HIPAA will have on the organization based on the volume of each transaction type. Identifying the
increase or decrease in volume for the various transaction sets helps narrow the focus of compliance efforts onto those areas of
BCBS [Plan Name] whose transaction volumes make them critical to BCBS [Plan Name’s] operations. This assessment can further aid in
aligning the various areas with the appropriate compliance responses (non, basic, competitive).

The Business Process Team Leader should lead and coordinate this process:

 Step     Process
 1.       In the field labeled “Business Segment”, enter the name of the business segment
 2.       In the field labeled “Business Process Team”, enter the name of the team
 3.       Obtain number of transactions incurred for each transaction type for 1999 and 2000
          In the column           Enter the transaction volume for…
          labeled…
          1999 Volume             1999
          2000 Volume             2000
 4.       Obtain number of transactions incurred for Non-HIPAA transaction types
          In the column           Enter the transaction volume for…
          labeled…
          1999 Volume             1999
          2000 Volume             2000
 5.       Business Process Team Leaders ensure matrix is updated and returned to Manager




HIPAA Transaction Volume Assessment (Sample)

Business Segment: __________XXXX________________________________
Business Process Team:_____________XXXX_Operations_____________________________

            Transaction Number/ Name                      1999 Volume       2000 Volume

 HIPAA – Electronic Transactions
270 Health Care Eligibility/ Benefit Inquiry               7,000,000         5,000,000
271 Health Care Eligibility/ Benefit Information               0                 0
275 Claims Attachment                                          0                 0
276 Health Care Claim Status Request                       6,000,000         6,500,000
277 Health Care Claim Status Notification                      0                 0
278 Health Care Service Review Information                     0                 0
820 Payment Order/ Remittance Advice                           0                 0
834 Benefit Enrollment and Maintenance                         0                 0
835 Health Care Claim Payment Advice                           0                 0
837 Health Care Claim                                          0                 0
                                               Subtotal   13,000,000        11,500,000
 Non-HIPAA Transactions
All Paper Claims (includes Front End Keyed Claims)        15,700,000        14,000,000
    Part B                                                14,200,000
    Part A                                                 900,000

    Other                                                   600,000
Electronic Claims (COB2 & COB3 formats)                    37,900,000        40,200,000
Eligibility Files (HCFA COB)                              171,600,000       171,600,000



HIPAA Transaction Volume Assessment:

Business Segment: __________________________________________
Business Process Team:___________________________________________

         Transaction Number/ Name                      1999        2000
                                                      Volume      Volume
 HIPAA – Electronic Transactions
270 Health Care Eligibility/ Benefit Inquiry            0             0
271 Health Care Eligibility/ Benefit Information        0             0
275 Claims Attachment                                   0             0
276 Health Care Claim Status Request                    0             0
277 Health Care Claim Status Notification               0             0
278 Health Care Service Review Information              0             0
811 Premium Payment Invoice                             0             0
820 Payment Order/ Remittance Advice                    0             0
834 Benefit Enrollment and Maintenance                  0             0
835 Health Care Claim Payment Advice                    0             0
837 Health Care Claim                                   0             0
                                           Subtotal     0             0
 Non-HIPAA – Paper Transactions
UB82 Hospital/ Inpatient Claims                         0             0
UB92 Hospital/ Inpatient Claims                         0             0
HCFA 1500 Professional Services Claims (NSF)            0             0
Other Claims Format1 (tbd)                              0             0
Other Claims Format2 (tbd)                              0             0
Other Eligibility Format1 (tbd)                         0             0
Other Enrollment Format1 (tbd)                          0             0


HIPAA Security Assessment Matrix
Guidelines for Completing HIPAA Security Assessment Matrix

Purpose:
Determine the organization’s current level of alignment with HIPAA security requirements for both the technical and business
process/administrative functions.

The Business Process Team Leader should lead and coordinate this process:

 Step   Process…
 1.     For each security category, determine the organization’s level of compliance for the system
        If the system is …       Then place a √ in the following column …
        Fully compliant          Full Compliance
        Partially compliant      Partial Compliance
        Not Compliant            Non Compliance
 2.     For each security category, determine the organizations level of compliance for each business process
        If the business process is… Then place a √ mark in the following column…
        Fully compliant          Full Compliance
        Partially compliant      Partial Compliance
        Not compliant            Non Compliance
 3.     For each security category, determine the organizations level of compliance with security documentation
        If documentation is for  And it is…          Then enter …
        the…
        System                   Fully documented Full
                                 Partially           Partial
                                 documented
                                 Not documented      Not documented
        Business Process         Fully documented Full
                                 Partially           Partial
                                 documented
                                 Not documented      Not documented

HIPAA Security Assessment Matrix:

Business Process Team: _______________________________

 Category Element                    Full Compliance       Partial Compliance     Non-Compliance       Documentation
                                    System      Business   System     Business   System   Business   System   Business
                                                Process               Process             Process             Process
 1. Administrative Procedures
 Certification: Evaluation and
 certification of computer
 system and network security.
 Chain-of-Trust Partner
 Agreement: Contract to
 secure integrity of data
 transmission with any third
 parties.
 Contingency Plan: Includes:
 application and data criticality
 analysis, data backup plan,
 disaster recovery plan,
 emergency mode operation
 plan, and testing and revision
 procedures.
 Formal Record Processing
 Mechanisms: Policies and
 procedures for receipt,
 manipulation, storage,
 dissemination, transmission,
 and/or disposal of health
 information.



 Internal Audit: Ongoing in-
 house review of the records of
 system activity (log-ins, file
 accesses and security
 incidents).
 Information Access
 Controls: Policies and
 procedures for granting
 different levels of access to
 health care information.
 Personnel Security: Granting
 of access to health information
 via an authorization process.
 Security Configuration
 Management: Practices and
 procedures to ensure that
 routine changes to system
 hardware and/or software do
 not create security
 weaknesses.
 Security Incident
 Procedures: Documented
 instructions for reporting and
 reviewing security breaches.




 Security Management Process: Processes to ensure the prevention, detection, containment and correction of security breaches. Includes risk analysis, risk management, sanction policy and security policy.
 Termination Procedures: Procedures for securing systems upon employee termination.
 Training: User education and awareness training.
 2. Physical Safeguards
 Assigned Security Responsibility: Security responsibility assigned to a specific individual or organization.
 Media Controls: Policies and procedures that govern the receipt and removal of hardware and software into and out of a facility. Includes data backup, storage and disposal.


 Physical Access Controls: Limiting physical access to systems. Includes the following: disaster recovery, emergency mode operation, equipment control, facility security, physical access verification, maintenance records, need-to-know procedures, visitor sign-in, and testing and revision.
 Workstation Use: Instructions and procedures delineating secure use of computer workstations.
 Workstation Location: Safeguards for secure location of computer workstations.
 Security Awareness Training: Security awareness training for all employees, agents and contractors.
 3. Technical Security Services (for Data Integrity, Confidentiality and Availability):
 Access Control: Restricted access to health information by need-to-know.



 Audit Controls: Audit control mechanisms to record and examine system activity.
 Authorization Control: Mechanisms for obtaining consent for use and disclosure of health information.
 Data Authentication: Ability to corroborate that data has not been altered or destroyed.
 Entity Authentication: Ability to corroborate that a user is who he claims to be. Includes automatic log-off and unique user identification.
 4. Technical Security Mechanisms (for Transmission Over a Communications Network)
 Integrity Controls: Ability to ensure validity of electronically transmitted and stored information.
 Message Authentication: Ability to ensure that the message received matches the message sent for electronically transmitted information.




 Plus one of the following:
 Access Controls: Protection of sensitive communications transmissions over open or private networks to prevent interception or interpretation by unauthorized parties.
 Encryption: Use of methods to encode information during transmission to prevent alteration or interception by unauthorized users.
 Plus, if using a network for communications, all of the following:
 Alarm: Device that senses and signals the presence of an abnormal condition within the system.
 Audit Trail: (see Audit Controls under Section 3 above)
 Entity Authentication: (see Section 3 above)




 Event Reporting: Network message indicating operational irregularities or occurrence of a specific task (such as completion of a request for information).
 5. Electronic Signature Requirements
 If electronic signatures are employed, use of digital signature technology is required.
 Authentication of the signer’s identity.
 Signature Process according to system design and software instructions.
 Binding of the signature to the document.
 Non-Alterability after signature has been affixed.





HIPAA Project Inventory Assessment Tool
Guidelines for Completing HIPAA Project Inventory Assessment Tool

Purpose:
Analyze and report the information gathered in the HIPAA Assessment step of the HIPAA Assessment Readiness Approach.

Process:
Tools/templates from the preceding sections were used to capture information about the potential impacts of HIPAA on BCBS [Plan
Name] systems, business processes, vendor relationships, and proposed solutions as part of the initial assessment. It is
recommended that this data be entered into a database. The database can be built in any application (Access, Lotus Notes, etc.).
Examples of the analysis that can be conducted on this data in the database, as discussed in Step 4: Assess Results, are:

   •     Identifying the impact of HIPAA on systems
   •     Identifying the system most impacted by HIPAA
   •     Identifying the most impacted business process
   •     Identifying the most impacted vendor relationship
   •     Identifying the internal dependency most impacted by HIPAA and the associated systems

The mean impact level for each system and business process can be calculated by finding the mean of all the numerical values
entered in the system and business impact assessment matrices in each area of HIPAA impact (transaction codes, identifiers, code
sets). The following standard can then be used to estimate the FTE requirements to attain compliance.

       Impact Level   FTE Requirement                            Impact Rating
       Low            < .5 FTE Months                             1
       Medium         .5 FTE Months – 4 FTE Months                2
       High           4 FTE Months – 12 FTE Months                3
       Very High      > 12 FTE Months                             4

These summary findings can be presented in the template shown below. The cost can be calculated as the product of a fixed rate
and the corresponding FTE months. The rate at which FTE months will be charged is set according to the specifications of BCBS
[Plan Name]. The resulting resource, time, and cost estimates, for each system and business process to deal with the different
areas of HIPAA, are tangible indicators of the scope of implementing the compliance approaches, and also of the required level of
subsequent activity.
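The roll-up described above (mean rating per area of impact, FTE-month band, cost as rate times FTE months), as an added Python example that is not part of the BCBSA template. The sample ratings, the round-half-up rule, the cap on the open-ended "> 12" band and the use of each band's upper bound as the point estimate are assumptions of this example; the per-FTE-month rate is left to the Plan by the template, so a placeholder value is used.

```python
"""Roll up impact-assessment ratings into the HIPAA Project Inventory Assessment Matrix.

Added example, not the BCBSA template's own code. It applies the template's scale:
mean rating per area -> FTE-month band -> cost = rate x FTE months. The ratings,
the rounding rule and the point-estimate choice are assumptions labelled below.
"""
from statistics import mean

# Areas of impact from the Project Inventory Assessment Matrix.
AREAS = ("Standard Identifiers", "Standard Code Sets", "Transaction Code Sets")

# Template standard: impact rating -> (label, lower bound, upper bound) in FTE months.
# Rating 0 ("None", no change) is taken from the privacy impact scale later in the
# template. The open-ended "> 12" band is capped at 24 (assumption) so a cost can be quoted.
FTE_BANDS = {
    0: ("None", 0.0, 0.0),
    1: ("Low", 0.0, 0.5),
    2: ("Medium", 0.5, 4.0),
    3: ("High", 4.0, 12.0),
    4: ("Very High", 12.0, 24.0),  # assumption: cap for the open-ended band
}


def mean_rating(ratings):
    """Mean of the numeric values entered for one system/process in one area.

    Returns None when nothing was entered, so the matrix cell stays blank
    instead of being silently scored as "no impact".
    """
    values = [r for r in ratings if r is not None]
    if not values:
        return None
    return mean(values)


def rating_to_band(avg):
    """Map a (possibly fractional) mean rating onto the 0-4 scale.

    Assumption: round half up; a mean below 0.5 means the matrices were
    mostly scored "not impacted" and maps to rating 0.
    """
    level = int(avg + 0.5)
    return min(4, level)


def estimate_row(area_ratings, rate_per_fte_month):
    """Build one matrix row: {area: (label, fte_months, cost) or None}.

    Assumption: the band's upper bound is used as a conservative point
    estimate for "FTE Months Required"; cost = rate x FTE months.
    """
    row = {}
    for area in AREAS:
        avg = mean_rating(area_ratings.get(area, []))
        if avg is None:
            row[area] = None
            continue
        label, _lo, hi = FTE_BANDS[rating_to_band(avg)]
        row[area] = (label, hi, round(hi * rate_per_fte_month, 2))
    return row


def build_matrix(assessments, rate_per_fte_month):
    """Whole matrix: one row per system or business process."""
    return {name: estimate_row(r, rate_per_fte_month) for name, r in assessments.items()}


# Constructed sample input: ratings (0-4) copied from the impact assessment matrices.
SAMPLE = {
    "System # 1": {
        "Standard Identifiers": [3, 4, 2],
        "Standard Code Sets": [1, 2],
        "Transaction Code Sets": [4, 4, 3, 4],
    },
    "Claims": {
        "Standard Identifiers": [0, 0, 1],
        "Standard Code Sets": [],  # nothing entered yet
        "Transaction Code Sets": [2, 3],
    },
}

if __name__ == "__main__":
    # Placeholder rate of 10,000 per FTE month; the template leaves the real rate to the Plan.
    for name, row in build_matrix(SAMPLE, 10_000).items():
        print(name)
        for area, cell in row.items():
            print(f"  {area:22} {cell}")
```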



HIPAA Project Inventory Assessment Matrix:

                     Standard Identifiers              Standard Code Sets                Transaction Code Sets
Areas of Impact ↓    FTE Months   Compliance           FTE Months   Compliance           FTE Months   Compliance
                     Required     Cost                 Required     Cost                 Required     Cost
System # 1
System # 2
System # 3
Benefits
Enrollment
Eligibility
Provider Network
Billing
Capitation
Claims
Encounters
Medical Management
Case Management
Provider Settlement
Underwriting
Actuarial
Finance
Reporting
Customer Service
Data Warehouse





HIPAA Privacy Rules Dictionary Tool

Guidelines for Using the HIPAA Privacy Dictionary
Disclaimer: The Privacy Tools in this section are preliminary. The Privacy regulations are not final. The tools will be modified as the
final regulations are released. The following bullets provide an overview of the major components in this tool set.

Purpose
To provide a high-level view of the proposed privacy rules. Review the Privacy Rules Dictionary Tool prior to completing the privacy
assessment tools. The Business Process Team Leader will lead and coordinate this process.


Overview
The proposed rule would:
   • allow health information to be used and shared easily for the treatment and for payment of health care;
   • allow health information to be disclosed without an individual’s authorization for certain national priority purposes (such as
       research, public health and oversight), but only under defined circumstances;
   • require written authorization for use and disclosure of health information for certain other purposes;
   • create a set of fair information practices to inform people of how their information is used and disclosed;
   • ensure that people have access to information about themselves, and
   • require health plans and providers to maintain administrative and physical safeguards to protect the confidentiality and
       integrity of health information and protect against unauthorized access.

Scope
a. Entities covered by the proposed rule
    • Health care providers
    • Health plans
    • Health care clearinghouses
  who transmit health information electronically
b. Health information covered by the proposed rule (“Protected health information”)
    • Protection would start when information becomes electronic, and would stay with the information as long as the information is
         in the hands of a covered entity.


       −  Information becomes electronic either by being sent electronically as one of the specified Administrative Simplification
          transactions or by being maintained in a computer system.
       − The paper progeny of electronic information is covered; the information would not lose its protections simply because it is
          printed out of the computer.
       − HIPAA protects the information itself, not the record in which the information appears.
   •   The information must be “identifiable.” If the information has any components that could be used to identify the subject, it
       would be covered.


I. General Rules
HHS proposes that covered entities will be prohibited from using or disclosing health information except: (1) as authorized by the
patient, or (2) as explicitly permitted by the regulation. The regulation would permit use and disclosure of health information without
authorization for purposes of health care treatment, payment and operations, and for specified national policy activities under
conditions tailored for each type of such permitted use or disclosure.
    • The amount of information to be used or disclosed would be restricted to the minimum amount necessary to accomplish the
        relevant purpose, taking into consideration practical and technological limitations.
        − There would be exceptions for situations in which assessment of what is minimally necessary is appropriately made by
            someone other than the covered entity (e.g., such as when an individual authorizes a use or disclosure of information, or
            when the disclosure is mandatory under another law).
        − HHS would allow covered entities to rely on requests by certain public agencies in determining the minimum necessary
            information for certain disclosures.
        − Under the principle of minimum necessary use, if an entity consists of several different components, the entity would be
            required to create barriers between components so that information is not used or shared inappropriately.
    • To encourage covered entities to strip identifiers from health information when it is possible to do so, HHS would permit a
        covered entity to use and disclose such de-identified information in any way, provided that:
        − it does not disclose the key or other mechanism that would enable the information to be re-identified, and
        − it has no reason to believe that such use or disclosure will result in the use or disclosure of protected health information
            (e.g., because the recipient has the means to re-identify the information).
    • HHS would treat the key to coded identifiers the same as the information to which it pertains. A covered entity could use or
        disclose a key only as it could use or disclose the underlying information.
    • HHS would permit covered entities to disclose protected health information to persons they hire to perform functions on their
        behalf, where such information is needed for that function. These “business partners” would include contractors such as
        lawyers, auditors, consultants, health care clearinghouses, and billing firms, but not members of the covered entity’s
        workforce.

   •   Except for provider to provider disclosures for the purposes of consultation or referral, HHS would require covered entities to
       enter into contracts with their business partners and would require the contracts to include terms to ensure that the protected
       health information disclosed to a business partner remains confidential. Business partners would not be permitted to use or
       disclose protected health information in ways that would not be permitted of the covered entity itself. HHS uses the contract
       as a tool for protecting information, because HIPAA does not provide legislative authority for the rule to reach many such
       business partners directly.
   •   The uses and disclosures permitted by this rule would be exactly that -- permitted, not required. For disclosures not
       compelled by other law, providers and payers would be free to disclose or not, according to their own policies and principles.
       At the same time, nothing in this rule would provide authority for a covered entity to refuse to make a disclosure mandated by
       other law.
   •   Only two disclosures would be required by this proposed rule: (1) disclosure to the subject individual pursuant to the
       individual’s request to inspect and copy health information about him or her, and (2) certain disclosures for the purposes of
       enforcing the rule.
   •   Health information covered by the proposed rule generally would remain protected for two years after the death of the subject
       of the information, subject to certain exceptions.


II. Disclosures without authorization for health care treatment, payment, and operations
    • Covered entities could use and disclose protected health information without authorization for treatment, payment and health
        care operations. This would include purposes such as quality assurance, utilization review, credentialing, and other activities
        that are part of ensuring appropriate treatment and payment.
    • Individuals generally could ask a covered entity to restrict further use and disclosure of protected health information for
        treatment, payment, or health care operations, with the exception of uses or disclosures required by law. The covered entity
        would not be required to agree to such a request, but if the covered entity and the individual agree to a restriction, the
        covered entity would be bound by the agreement.
    • Covered entities can have a policy of never agreeing to such requests.


III. Uses and disclosures with individual authorization
     • Covered entities could use or disclose protected health information with the individual’s authorization for almost any lawful
        purpose.
     • HHS would prohibit covered entities from conditioning treatment or payment on the individual agreeing to disclose information
        for other purposes, and require the authorization form to state this prohibition.


   •   While the provisions of this proposed rule are intended to make authorizations for treatment and payment purposes
       unnecessary, some States may continue to require them. Generally, this rule would not supersede such State requirements.
       However:
       − the rule would impose a new requirement that such State-mandated authorizations must be physically separate from an
           authorization for other purposes described in this rule.
       − the authorization would have to meet the rule’s requirements for the content of such authorizations (although a state law
           could require that an authorization contain additional provisions).
   •   HHS would require authorizations to specify the information to be disclosed, who would get the information, and when the
       authorization would expire. If an authorization is sought so that a covered entity may sell or barter the information, the
       covered entity would have to disclose this fact on the authorization form.
   •   Use or disclosure of information by the covered entity inconsistent with the authorization would be unlawful.
   •   Individuals could revoke an authorization.


IV. Permissible uses and disclosures for purposes other than treatment, payment and operations
    • Covered entities could use and disclose protected health information without individual authorization for the following national
       priority activities:
       − Oversight of the health care system, including quality assurance activities;
       − Public health, and in emergencies affecting life or safety;
       − Research;
       − Judicial and administrative proceedings;
       − Law enforcement;
       − To provide information to next-of-kin;
       − For identification of the body of a deceased person, or the cause of death;
       − For government health data systems;
       − For facilities’ (hospitals, etc.) directories;
       − To financial institutions, for processing payments for health care; and
        − In other situations where the use or disclosure is mandated by other law, consistent with the requirements of the other
            law.
    • Specific conditions would have to be met in order for the use or disclosure of protected health information to be permitted.
       These conditions are tailored to the need for each specific category listed above and to the types of organizations involved in
       such activities.



V. Individual rights
The proposed rule would provide several basic rights for individuals with respect to protected health information about them.
Individuals would have:
    • The right to receive a written notice of information practices from health plans and providers. The notice must describe the
        types of uses and disclosures that the plan or provider would make with health information (not just those uses and
        disclosures that could lawfully be made). When plans and providers change their information practices, they would also have
        to update the notice. Plans and providers would be required to follow the information practices specified in their most current
        notice.
    • The right to obtain access to protected health information about them, including a right to inspect and obtain a copy of the
        information.
    • The right to request amendment or correction of protected health information that is inaccurate or incomplete.
    • The right to receive an accounting of the instances where protected health information about them has been disclosed by a
        covered entity for purposes other than treatment, payment, or health care operations (subject to certain time-limited
        exceptions for disclosures to law enforcement and oversight agencies).

VI. Administrative requirements and policy development and documentation
This proposed rule would require providers and payers to develop and implement basic administrative procedures to protect health
information and the rights of individuals with respect to that information.
    • Covered entities would be required to maintain documentation of their policies and procedures for complying with the
       requirements of the proposed rule. The documentation must include a statement of the entity’s practices regarding who would
       have access to protected health information, how that information would be used within the entity, and when that information
       would or would not be disclosed to other entities.
    • Covered entities would be required to have in place administrative systems, appropriate to the nature and scope of their
       business, that enable them to protect health information in accordance with this rule. Specifically, covered entities would be
       required to:
       − designate a privacy official;
       − provide privacy training to members of its workforce;
       − implement safeguards to protect health information from intentional or accidental misuse;
       − provide a means for individuals to lodge complaints about the entity’s information practices, and maintain a record of any
           complaints; and

       −   develop a system of sanctions for members of the workforce and business partners who violate the entity’s policies.



VII. Scalability
The regulations specify privacy standards that covered entities must meet, but leave the detailed policies and procedures for meeting
these standards to the discretion of each covered entity.
    • Implementation of these standards would be flexible and scalable, to account for the nature of each covered entity’s business,
        and the covered entity’s size and resources. Each covered entity must assess its own needs and implement privacy policies
        appropriate to its information practices and business requirements.
    • The preamble to the proposed rule includes an example of how implementation of these standards is scalable.

VIII. Preemption
Pursuant to HIPAA, this rule will preempt state laws that are in conflict with the regulatory requirements and that provide less
stringent privacy protections, with specified exceptions for certain public health functions and related activities.


IX. Enforcement
    • Under HIPAA, the Secretary is granted the authority to impose civil monetary penalties against those covered entities which
       fail to comply with the requirements of this regulation.
    • HIPAA also established criminal penalties for certain wrongful disclosures of protected health information. These penalties
       are graduated, increasing if the offense is committed under false pretenses, or with intent to sell the information or reap other
       personal gain.
    • Civil monetary penalties are capped at $25,000 for each calendar year for each standard that is violated. However, violations
       can be unbundled.


X. What this proposed rule does not do
   • HIPAA limits the application of the proposed rule to covered entities. It does not provide the authority for the rule to
     reach many entities that receive health information from these covered entities, so the rule cannot put in place appropriate
     restrictions on how such recipients of protected health information may use and re-disclose it.
   • Any provider who maintains a solely paper information system is not subject to these privacy standards.



      •   There is no statutory authority for a private right of action for individuals to enforce their privacy rights. However, the
          proposed rules make subject individuals third-party beneficiaries of the business partner contract. In some states, such
          beneficiaries can sue for breach of contract.

HIPAA Privacy Assumption Matrix
Guidelines for Completing the HIPAA Privacy Assumption Matrix
Disclaimer: The Privacy Tools in this section are preliminary. The Privacy regulations are not final. The tools will be modified as the
final regulations are released. The following bullets provide an overview of the major components in this tool set.

Purpose:
Document the assumptions made to determine the level of impact HIPAA requirements will have on the business policy and
procedures.

The Business Process Team Leader will lead and coordinate this process:

 Step          Process

 1.            In the field labeled “Business Segment”, enter the name of your business segment

 2.            In the field labeled “Business Process Team”, enter the name of your team

 3.            Review your business initiatives

 4.            Review your corporate initiatives

 5.            Enter assumptions on the matrix

 6.            Enter additional assumptions identified during the assessment process on the matrix





HIPAA Privacy Assumption Matrix (Sample)

Business Segment: __________________________________________
Business Process Team:___________________________________________


        Assumptions
 1.     Final rules for privacy regulations are not yet known

 2.     Privacy policies will apply organizationally and input on procedures will be on a departmental level

 3.     Policies and procedures will include all media, i.e. paper and computer generated records

 4.     Forms related to policies and procedures will need to be discovered, reviewed, revised, approved, communicated and implemented enterprise-wide

 5.     An interdepartmental work group will be developed to draft HIPAA related privacy policies and procedures

 6.
 7.
 8.
 9.
 10.





HIPAA Privacy Assumption Matrix

Business Segment: __________________________________________
Business Process Team:___________________________________________


        Assumptions
 1.
 2.
 3.
 4.
 5.
 6.
 7.
 8.
 9.
 10.





HIPAA Privacy Business Impact Assessment Matrix
Guidelines for Completing the HIPAA Privacy Business Impact Assessment Matrix
Disclaimer: The Privacy Tools in this section are preliminary. The Privacy regulations are not final. The tools will be modified as the
final regulations are released. The following bullets provide an overview of the major components in this tool set.

Purpose:
The purpose of this document is to provide a structured approach for assessing and documenting the impact of HIPAA compliance
privacy rules on business processes. This document provides guidelines to assist your team in completing this assessment matrix.

Considerations:
When determining the magnitude of impact each HIPAA privacy rule has on business processes, the following alternatives should be
considered.

For this matrix the impact is determined by the incremental costs associated with both implementing and documenting changes in
policies and procedures. The cost ranges that determine the level of impact are:

    Impact Rating                 Definition                                              FTE Requirements
    0            None             No change to policies and procedures                    None
    1            Low              Incremental changes to policies and procedures          < .5 FTE Man Months
    2            Medium           Minimal changes to policies and procedures              .5 FTE Man Months – 4 FTE Man Months
    3            High             Minor changes to policies and procedures                4 FTE Man Months – 6 FTE Man Months
    4            Very High        Significant changes to policies and procedures          > 6 FTE Man Months





Process:
The Business Process Team Leader will lead and coordinate this process:

 Step    Process…
 1.      In the field labeled “Business Segment”, enter the name of your business segment
 2.      In the field labeled “Business Process Team”, enter the name of your team
 3.      In the first column indicate if the policy is departmental or organizational.
 4.      Indicate if the proposed HIPAA “Policy” rule is currently implemented and, if not, the impact it will have on each business
         process
         If business process is… And the impact is …               Then, for each “Policy” rule enter a…
         Impacted                     Low                          1
                                      Medium                       2
                                      High                         3
                                      Very High                    4
         Not impacted                              →               0
 5.      Indicate if the proposed HIPAA “Policy” rule is currently documented and, if not, the impact it will have on each business
         process
         If business process is… And the impact is …               Then, for each “Policy” rule enter a…
         Impacted                     Low                          1
                                      Medium                       2
                                      High                         3
                                      Very High                    4
         Not impacted                              →               0
 6.      Indicate if the proposed HIPAA policy rule currently has an implemented “Procedure” and, if not, the impact it will have on
         each business process
         If business process is…  And the impact is …       Then, for each “Policy” rule enter a…
         Impacted                 Low                       1
                                  Medium                    2
                                  High                      3
                                  Very High                 4
         Not impacted                        →              0
 7.      Indicate if the proposed HIPAA policy rule currently has a documented “Procedure” and, if not, the impact it will
         have on each business process
         If business process is… And the impact is …        Then, for each “Policy” rule enter a…
         Impacted                 Low                       1
                                  Medium                    2
                                  High                      3
                                  Very High                 4
         Not impacted                        →              0
 8.      Business Process Team Leaders ensure the matrix is updated and returned to the Business Segment Team Leader

HIPAA Privacy Business Impact Assessment Matrix

Disclaimer: The Privacy Tools in this section are preliminary. The Privacy regulations are not final. The tools will be modified as the
final regulations are released. The following bullets provide an overview of the major components in this tool set.

Enter Business Segment:
Enter Business Process:
 Privacy Rules                                                              Department or           Policy Impact               Procedures Impact
                                                                            Organizational Policy   Implemented   Documented    Implemented   Documented
 1. General Rules
 Use and disclosure for treatment, payment, and healthcare operations.
 Minimum necessary use and disclosure.
 Right to restrict uses and disclosures.
 Creation of de-identified information.
 Application to business partners.
 Application to information about deceased persons.
 Adherence to the notice of information practices.
 2. Uses and disclosures with individual authorization
 Requirements when the individual has initiated the authorization
 Requirements when the covered entity initiates the authorization
 Plain language requirement and model forms
 Prohibition on conditioning treatment or payment
 Revocation of an authorization by the individual
 Expired, deficient, or false authorization.
 3. Uses and disclosures permitted without individual authorization
 Use and disclosure for public health oversight
 Use and disclosure for health oversight activities
 Use and disclosure for judicial and administrative procedures
 Disclosures to coroners and medical examiners
 Disclosure for law enforcement
 Uses and disclosures for governmental health data systems
 Disclosure of directory information
 Disclosure for banking and payment processes
 Uses and disclosures for research
 Uses and disclosures in emergency circumstances
 Disclosure to next-of-kin
 Additional uses and disclosures required by other laws.
 Application to specialized classes
 4. Rights of Individuals
 Rights and procedures for a written notice of information practices
 Rights and procedures for access for inspection and copying
 Rights and procedures with respect to an accounting of disclosures
 Rights and procedures for amendment and correction
 5. Administrative Requirements
 Designation of a privacy official
 Training
 Safeguards
 Sanctions
 Duty to mitigate
 6. Required Disclosures


 7. Creating and maintaining documentation of the policies
 Electronically
 Paper documentation
Legend: 1=Low Impact          2=Medium Impact                3=High Impact                      4=Very High Impact

HIPAA Privacy System Impact Assessment Matrix
Guidelines for Completing the HIPAA System Impact Assessment Matrix
Disclaimer: The Privacy Tools in this section are preliminary. The Privacy regulations are not final. The tools will be modified as the
final regulations are released. The following bullets provide an overview of the major components in this tool set.

Purpose:
The purpose of this document is to provide a structured approach for assessing and documenting the impact of HIPAA compliance
privacy rules on all systems. This document provides guidelines to assist your team in completing this assessment matrix.

Considerations:
When determining the magnitude of impact each HIPAA privacy rule has on all systems, the following alternatives should be
considered.

For this matrix, the impact is determined by the incremental costs of both implementing and documenting changes in
systems. The cost ranges that determine the level of impact are:

    Impact Rating                 Definition                                            FTE Requirements
    0            None             No change to policies and procedures                  None
    1            Low              Incremental changes to policies and procedures        < .5 FTE Man Months
    2            Medium           Minimal changes to policies and procedures            .5 FTE Man Months – 4 FTE Man Months
    3            High             Minor changes to policies and procedures              4 FTE Man Months – 6 FTE Man Months
    4            Very High        Significant changes to policies and procedures        > 6 FTE Man Months

Process:

The Business Process Team Leader will lead and coordinate this process:

 Step    Process…
 1.      In the field labeled “Business Segment”, enter the name of your business segment
 2.      Indicate if the proposed HIPAA “Policy” rule will have an impact on any systems
         If system(s) is…            And the impact is …         Then, for each “Policy” rule enter in the “yes” column a…
         Impacted                    Low                         1
                                     Medium                      2
                                     High                        3
                                     Very High                   4
         Not impacted                None                        0

 3.      Indicate the system(s) impacted.
 4.      Business Process Team Leaders ensure the matrix is updated and returned to the Business Segment Team Leader

HIPAA Privacy System Impact Assessment Matrix
Enter Business Segment:

Privacy Rules                                                                                             System Impact      System(s) Impacted
                                                                                                        Yes             No
1. General Rules
Use and disclosure for treatment, payment, and healthcare operations.
Minimum necessary use and disclosure.
Right to restrict uses and disclosures.
Creation of de-identified information.
Application to business partners.
Application to information about deceased persons.
Adherence to the notice of information practices.
Application to covered entities that are components of organizations that are not covered entities.
2. Uses and disclosures with individual authorization
Requirements when the individual has initiated the authorization
Requirements when the covered entity initiates the authorization
Model Forms
Plain language requirement
Prohibition on conditioning treatment or payment
Inclusion in the accounting for uses and disclosures
Revocation of an authorization by the individual
Expired, deficient, or false authorization.
3. Uses and disclosures permitted without individual authorization
Use and disclosure for health oversight activities
Use and disclosure for public health activities
Use and disclosure for judicial and administrative procedures
Disclosures to coroners and medical examiners
Disclosure for law enforcement
Uses and disclosures for governmental health data systems
Disclosure of directory information
Disclosure for banking and payment processes
Uses and disclosures for research
Uses and disclosures in emergency circumstances
Disclosure to next-of-kin
Additional uses and disclosures required by other laws.
Application to specialized classes
4. Rights of Individuals
Rights and procedures for a written notice of information practices
Rights and procedures for access for inspection and copying
Rights and procedures with respect to an accounting of disclosures
Rights and procedures for amendment and correction
5. Administrative Requirements
Designation of a privacy official
Training
Safeguards
Sanctions
Duty to mitigate
6. Required Disclosures


7. Creating and Maintaining documentation of policies
Designation of a privacy official
Training

GLOSSARY OF TERMS: HIPAA Standards and Business Processes

Employer ID – The employer ID (EIN) is the taxpayer identifying number of an individual or other person (whether or not an
employer) that is assigned by the IRS, Department of the Treasury. To be utilized in all electronic transactions where required to
identify the employer.

Payer ID – Numeric identifier developed by the Health Care Financing Administration (HCFA) as a unique identifier for health plans
and self-funded employer group health plans. To be utilized in all electronic transactions where “required” to identify a health plan or
payer.

Provider ID – Numeric identifiers to uniquely enumerate all types of health care providers, on an individual or group basis.
To be utilized in all electronic transactions where “required” to identify a provider.

Patient ID/Insured/Subscriber – Number to uniquely identify an individual for the purpose of assuring continuity of care, accurate
record keeping, proper claim payment, effective follow-up and preventive care. To be utilized in all electronic transactions where
“required” to identify a subscriber or member of a plan.

ICD-9 – Utilized for all inpatient diagnosis and procedure coding for administrative transactions.

CPT-4 – Used by physicians and other health care professionals to code their services for administrative transactions.

NDC – Used in reporting prescription drugs in pharmacy transactions and some claims submitted by health care professionals.

HCPCS – Contains codes for medical equipment and supplies: prosthetics and orthotics; injectable drugs; transportation services;
and other services not found in CPT. (level 2 of HCPCS)

CDT – Used in reporting dental services. (These codes are also included in alphanumeric HCPCS with a “D” prefix.)

Patient Relationship Codes – Code that indicates the patient’s relationship to the subscriber.

Narrative Codes – Information entered that cannot be supported by a separate data item.

Location Codes – Code that indicates where service was rendered.

Amount Codes – Code used to describe charges, dosages, measurements, etc.

Value Codes – Additional codes to support billing instructions.

834-Healthcare Enrollment – Used to transfer enrollment information on insurance coverage, benefits or the policy from the plan
sponsor to a payer.

270/271-Healthcare Eligibility Inquiry & Response – Used to inquire about and receive a response on a subscriber’s or dependent’s
eligibility and/or benefit information between the provider and the payer.

278-Healthcare Services Review Request & Response (Certifications/Referrals) – Used by a provider to request a certification
or referral and allow the review entity (payer) to respond to that request.

837-Healthcare Claim/Encounter: physician, hospital, dental, COB – Provides all necessary information from a provider to allow
the destination payer to begin to adjudicate a claim or to provide coordination of benefit information.

276/277-Healthcare Claim Status Request & Response – Used to request and receive a response on the current status of a
subscriber or dependent’s claim within the adjudication process.

820-Payroll Deducted and other Group Premium Payment for Insurance Products – Used by premium remitters for the purpose
of reporting payroll deducted and other group premiums from the employer (or employer’s financial institution) to the payer. Can be
used with or without remittance detail.

Sales & Marketing – Process of ensuring potential buyers of care are aware of the features and benefits offered in the plan and of
brokering the sale of available products to these potential buyers.

Benefits – Process of defining the benefits, terms and conditions of the insurance product.

Enrollment – Process of enrolling new groups (or individuals) brought into a contract relationship that requires the acquisition,
review and editing of enrollment data. In addition, it also requires the update of membership and coordination of benefit files, and the
generation of the necessary materials.

Eligibility – Provides eligibility tracking for groups and individual members; identifying benefits, terms, and conditions; and a set of
data for calculating capitation.

Provider/Network – Involves the capture and maintenance of provider demographic information, provider contract terms and
conditions for provider payment, risk pool management and other areas of negotiation.

Billing – Monthly billing of employers, government agencies and individual subscribers according to the benefit plan and number of
persons it covers.

Capitation – Process where prepayment to the provider is based on the number of members enrolled with that provider and
payment is received on specific dates.

Claims/Encounters – Process of receiving encounters and/or receiving, adjudicating, and paying claims.

Medical Management – Processes that ensure health care is provided at the appropriate level involving (1) clinical guidelines and
case management protocols; (2) case-specific member clinical data; and (3) government of health plan policies.

Case Management – Process of monitoring case-specific information for a member and managing the provision of care.

Provider Settlement – Process of conducting a financial settlement with the provider.

Underwriting – The formal process of assuming risk beginning with the risk profile of a potential insured group (using actuarial
tables) to project likely levels of utilization of services.

Actuarial – The set of services that calculate risk for the purpose of setting premium rates for insured groups and individuals.

Finance – The set of processes that control the current financial assets and obligations of a health care delivery enterprise including:
general ledger, accounts receivable, and accounts payable management.

Reporting – The process in which the organization defines and receives the data to support its information needs.

Customer Service – Processes that assist members in accessing services, resolving problems and complaints, and clarifying benefits.
In addition, these processes help providers resolve complaints, verify member eligibility, and clarify referrals and authorizations.

Data Warehouse – The systems and associated processes that provide the organization with a repository of historical information
from multiple databases.
