2019 HIPAA Tool Kit: A medical practice guide to assessment, implementation and policy and procedure development
Optum360, optum360coding.com

Posted on 04-Jul-2020


Page 1: OPTUM360CODING.COM HIPAA Tool Kit...and additional product content Learn about CEU opportunities Attend a product webinar GET MORE WHEN YOUORDER! ONLINE SHOP SEARCH EXPLORE Power up

HTKT19/HTKT Made in the USA

OPTUM360CODING.COM

*Offer valid only for customers who are NOT part of the Medallion or Partner Account programs. You must be registered at optum360coding.com to have your online purchases tracked for rewards purposes. Shipping charges and taxes still apply and cannot be used for rewards. Optum360 Coding eReward offers valid online only. Visit optum360coding.com/onlinerewards for more information. © 2018 Optum360, LLC. All rights reserved. WF667299 SPRJ5237

Search. Explore. Shop. Get the coding tools you need, all in one convenient place.

VISIT OPTUM360CODING.COM

New to optum360coding.com? Visit us at optum360coding.com/register to create an online account. You’ll have easy access to your order history, shipping information and more.

Plus, when you register, you’re automatically enrolled in our free eRewards program where you’ll earn cash back each time you order online.*

Learn more about our eRewards program at optum360coding.com/onlinerewards.

optum360coding.com

Find the products you need quickly and easily

Shop our full range of print products and learn more about our online coding tools

View sample pages and see each product’s available formats and edition years on the same page

Explore detailed product features and benefits to ensure you get the right coding tool to meet your needs

Download regularly posted product updates and additional product content

Learn about CEU opportunities

Attend a product webinar

GET MORE WHEN YOU ORDER ONLINE!
SHOP. SEARCH. EXPLORE.
Power up your coding. optum360coding.com

2019 HIPAA Tool Kit
A medical practice guide to assessment, implementation and policy and procedure development

Page 2: OPTUM360CODING.COM HIPAA Tool Kit...and additional product content Learn about CEU opportunities Attend a product webinar GET MORE WHEN YOUORDER! ONLINE SHOP SEARCH EXPLORE Power up

© 2018 Optum360, LLC i

Contents

Introduction ........................................................................................................ 1New for the 2019 Edition ................................................................................................................................. 1

Ransomware and Other Cyberattacks: What All Covered Entities Need to Know ................ 1Detailed Guidance on the Use of Mobile Devices Within Medical Offices .............................. 1HIPAA Privacy and Security Handbooks for Office and Clinical Staff ....................................... 1Earn Five CEUs from AAPC and Our Certificate of "HIPAA Skills Proficiency" ......................... 2

About This Manual........................................................................................................................................... 2A Word About “Covered Entities” ................................................................................................................ 3A Brief Refresher Course on HIPAA .............................................................................................................. 3A Brief Update on HIPAA................................................................................................................................ 4

Progress Report ..................................................................................................................................... 6Ongoing Compliance with HIPAA................................................................................................................ 8

Hot Topics Related to Patient Privacy .............................................................................................. 9HIPAA Privacy in Emergency Situations .......................................................................................... 9Confidentiality of Alcohol and Drug Abuse Patient Records ...................................................10Notice of Privacy Practices ................................................................................................................10

HIPAA Privacy Standards .................................................................................. 17Overview of HIPAA Privacy Requirements...............................................................................................17

Scope of the HIPAA Privacy Standards ..........................................................................................17Notice, Authorization, Accounting, and Amendment ...............................................................17Notice and Authorization ..................................................................................................................18Patient Requests to Restrict Uses and Disclosures of Protected Health Information ........18Using and Disclosing Protected Health Information ..................................................................18The Minimum Necessary Standard .................................................................................................19Privacy Violations ................................................................................................................................21Office for Civil Rights Audits .............................................................................................................24

Special Situations ..........................................................................................................................................39Ensuring that Business Associates Comply with the Privacy Rules ........................................39What the Business Associate Agreement Must Contain ...........................................................41Documentation Requirements ........................................................................................................43Rules for Accessing and Amending Information .........................................................................44Status of the Privacy Rules ................................................................................................................47

Monitoring the Impact of the Privacy Rules............................................................................................48Understanding Protected Health Information .............................................................................48Reviewing HIPAA Privacy Requirements and Model Policies ..................................................49Comparing HIPAA and State Privacy Requirements ..................................................................50Examining Users, Uses, and Disclosures of Information ............................................................50Examining Current Privacy Practices ..............................................................................................51Examining How Business Associates Use Information ..............................................................52

Developing a Strategy for Complying with HIPAA’s Privacy Rules....................................................52Strategic Considerations ...................................................................................................................52HIPAA Privacy Milestones .................................................................................................................58Key Compliance Decisions ................................................................................................................58

HIPAA Compliance Work Plan.....................................................................................................................58Privacy Policy and Procedure Manual ............................................................................................59Notice and Authorization Forms .....................................................................................................59Review Minimum Necessary Policies .............................................................................................59Amend Contracts with Business Associates .................................................................................59Procedures to Provide for Access to and Amendment of Protected

Health Information ...................................................................................................................59Complaint Process ..............................................................................................................................60Documentation Procedures and Systems .....................................................................................60

Page 3: OPTUM360CODING.COM HIPAA Tool Kit...and additional product content Learn about CEU opportunities Attend a product webinar GET MORE WHEN YOUORDER! ONLINE SHOP SEARCH EXPLORE Power up

ii © 2018 Optum360, LLC

Contents HIPAA Tool Kit

Conduct Privacy Training Sessions .................................................................................................60Privacy Audit Program .......................................................................................................................60Resources on the Web .......................................................................................................................60

Privacy Model Policies and Procedures ............................................................61Creating a HIPAA Privacy Compliance Plan.............................................................................................61Model Policies and Procedures ..................................................................................................................62

P-1000 General Administrative Policies and Procedures ..................................................64P-1100 Staff Responsibilities ....................................................................................................65P-1200 Staff Training ..................................................................................................................68P-1300 Staff Compliance and Sanctions ................................................................................70P-1400 Business Associates and Protected Information ....................................................74PF-1400 Sample Business Associate Agreement Language ...............................................77P-1500 Development and Maintenance of Privacy Policies and Procedures ...............82P-1600 Documentation and Record Keeping .......................................................................84P-2000 Use and Disclosure of Protected Health Information ...........................................86P-2100 Use and Disclosure of Information for Treatment Purposes ..............................87P-2200 Use of Patient Information for Payment Purposes ...............................................89P-2300 Use and Disclosure of Information for Healthcare Operations ..........................91P-2400 Law Enforcement and Public Health ........................................................................92P-2500 Marketing and Fundraising ........................................................................................98P-2600 Other Disclosure Situations ......................................................................................100P-2700 Disclosure of Protected Health Information After Death ..................................104P-2800 Communications and Media Relations ..................................................................105P-3000 Notice and Authorization 
..........................................................................................107P-3100 Notice of Privacy Practices ........................................................................................108PF-3100 Notice of Privacy Practices ........................................................................................112P-3300 Authorization of Use or Disclosure .........................................................................116PF-3300 Standard Authorization of Use and Disclosure of Protected

Health Information .....................................................................................................120P-3400 Patient Requests for Restrictions on Uses and Disclosures of Confidential

Communications .........................................................................................................124PF-3400 Request for Confidential Communication of Protected Health

Information ...................................................................................................................127P-4000 Personal Representatives, Parents, Spouses, and Others ..................................128P-4100 Personal Representatives ..........................................................................................129P-4200 Parental Access to Protected Health Information Concerning Children .......131P-4300 Disclosure of Information to Family Members .....................................................132P-4400 Disclosure of Information to Close Personal Friends ..........................................133P-4500 Disclosure of Information in an Emergency Situation .......................................134P-5000 Patient Access to Health Information ....................................................................136PF-5000 Request to Inspect or Copy Protected Health Information ...............................142PF-5030 Approval of Request to Inspect or Copy Protected Health Information .......143PF-5040 Denial of Request to Inspect or Copy Protected Health Information .............144PF-5042 Review of Denial to Permit Inspection or Copying of Protected Health

Information ...................................................................................................................145P-5200 Amendment of Health Information ........................................................................146PF-5210 Request to Amend Protected Health Information ..............................................147P-7000 Accounting for Disclosures .......................................................................................153P-7200 Accounting to Patients for Disclosures of Information ......................................154PF-7200 Request for Accounting of Protected Health Information Disclosures ..........156P-7300 Information to Be Provided in an Accounting of Disclosures ..........................157P-7400 Documentation of Accountings Provided to Patients .......................................158P-7500 Documentation of Disclosures Requiring an Accounting .................................159P-8000 Resolution of Complaints and Breaches ................................................................160P-8100 Submission of Complaints ........................................................................................161P-8200 Complaint Resolution Procedures ..........................................................................162P-8300 Documentation of Complaints ................................................................................164P-8400 Mitigation ......................................................................................................................165

Page 4: OPTUM360CODING.COM HIPAA Tool Kit...and additional product content Learn about CEU opportunities Attend a product webinar GET MORE WHEN YOUORDER! ONLINE SHOP SEARCH EXPLORE Power up

HIPAA Tool Kit Contents

© 2018 Optum360, LLC iii

Security Regulations In-Depth ....................................................................... 167Overview ....................................................................................................................................................... 167

Administrative Safeguards ............................................................................................................ 167Physical Safeguards ......................................................................................................................... 168Technical Safeguards ...................................................................................................................... 168

Cybersecurity: How to Protect Against Breaches and Mitigate Attacks........................................ 169Ransomware and Other Cyberattacks ....................................................................................... 169NIST Resource Guide ....................................................................................................................... 174Maintaining Privacy and Security When Using Mobile Devices .......................................... 177

Crosswalk Between HIPAA Security Rule and NIST Security Framework...................................... 180General Obligation to Ensure Security................................................................................................... 181Flexibility ....................................................................................................................................................... 182Administrative Safeguards ....................................................................................................................... 196

Administrative Safeguard Standard 1: Security Management Process .............................. 197Administrative Safeguard Standard 2: Assigned Security Responsibility .......................... 209Administrative Safeguard Standard 3: Workforce Security ................................................... 209Administrative Safeguard Standard 4: Information Access Management ........................ 210Administrative Safeguard Standard 5: Security Awareness and Training ......................... 213Administrative Safeguard Standard 6: Security Incident Procedures ................................. 214Administrative Safeguard Standard 7: Contingency Plan ...................................................... 215Administrative Safeguard Standard 8: Evaluation of Compliance ....................................... 219Administrative Safeguard Standard 9: Business Associate Contracts ................................. 219

Physical Safeguards ................................................................................................................................... 220Physical Safeguard Standard 1: Facility Access Controls ........................................................ 220Physical Safeguard Standard 2: Workstation Use .................................................................... 222Physical Safeguard Standard 3: Workstation Security ............................................................ 222Physical Safeguard Standard 4: Device and Media Controls ................................................. 223

Technical Safeguards ................................................................................................................................. 224Technical Safeguard Standard 1: Access Control ..................................................................... 225Technical Safeguard Standard 2: Audit Controls ..................................................................... 227Technical Safeguard Standard 3: Integrity Controls ................................................................ 228Technical Safeguard Standard 4: Person or Entity Authentication ...................................... 229Technical Safeguard Standard 5: Transmission Security ........................................................ 229

Business Associate Contracts/Agreements Standard ........................................................................ 230NIST Resource Guide ....................................................................................................................... 232

Policies and Procedures Standards......................................................................................................... 234Documentation Requirements ..................................................................................................... 234

Breach Notification Interim Final Rule/Final Rule .............................................................................. 235Breach Notification Rule Requirements ..................................................................................... 235Definitions .......................................................................................................................................... 235Risk Assessment ................................................................................................................................ 237Techniques for Protecting PHI ...................................................................................................... 237Limited Data Sets ............................................................................................................................. 238Exceptions to Breach ....................................................................................................................... 239Timing of Breach .............................................................................................................................. 240Notification to Individuals—Timeliness, Content, and Methods ......................................... 241Notification by a Business Associate ........................................................................................... 244Law Enforcement Delay .................................................................................................................. 245Administrative Requirements ....................................................................................................... 245Preemption Over or by State Laws .............................................................................................. 246HHS Guidance on Securing PHI .................................................................................................... 246

How to Respond to a Data Breach—Case Study ................................................................................ 246Red Flags Rule.............................................................................................................................................. 249

Questions and Answers About the Red Flags Rule .................................................................. 250

Security Model Policies and Procedures ........................................................ 253Creating a HIPAA Security Compliance Plan ........................................................................................ 253Instructions for Using the Model Policies and Procedures ............................................................... 253Introduction to the Security Policy and Procedure Manual ............................................................. 254Compliance Checklist................................................................................................................................. 254

Instructions ........................................................................................................................................ 254

Page 5: OPTUM360CODING.COM HIPAA Tool Kit...and additional product content Learn about CEU opportunities Attend a product webinar GET MORE WHEN YOUORDER! ONLINE SHOP SEARCH EXPLORE Power up

iv © 2018 Optum360, LLC

Contents HIPAA Tool Kit

Administrative Safeguards .......................................................................................................................256SP-1 Assigned Security Responsibility .............................................................................256Sample Job Description ...................................................................................................................256NIST Resource Guide ........................................................................................................................258SP-2 Security Management Process .................................................................................258SP-2.1 Risk Analysis ..................................................................................................................258SP-2.2 Risk Management ........................................................................................................259SP-2.3 Sanction Policy .............................................................................................................260SP-2.4 Information System Activity Review ......................................................................261SP-3 Workforce Security ......................................................................................................262NIST Resource Guide ........................................................................................................................262SP-3.1 Authorization/Supervision ........................................................................................263SP-3.2 Workforce Clearance ..................................................................................................265SP-3.3 Termination Procedures ............................................................................................265SP-4 Information Access Management ...........................................................................267NIST Resource Guide 
........................................................................................................................267SP-4.1 Isolating Healthcare Clearinghouse Functions ....................................................268SP-4.2 Access Authorization ..................................................................................................269SP-4.3 Access Establishment and Modification ................................................................270SP-5 Security Awareness and Training ............................................................................270SP-5.1 Security Reminders .....................................................................................................272SP-5.2 Protection from Malicious Software .......................................................................273SP-5.3 Log-in Monitoring .......................................................................................................274SP-5.4 Password Management .............................................................................................274SP-6 Security Incident Procedures ....................................................................................276NIST Resource Guide ........................................................................................................................276SP-7 Contingency Plan ........................................................................................................278NIST Resource Guide ........................................................................................................................278SP-7.1 Data Backup Plan .........................................................................................................280SP-7.2 Disaster Recovery Plan ...............................................................................................281SP-7.3 Emergency-mode Operation Plan 
..........................................................................282SP-7.4 Testing and Revision Procedures ............................................................................283SP-7.5 Applications and Data Criticality Analysis .............................................................284SP-8 Evaluation .....................................................................................................................285NIST Resource Guide ........................................................................................................................286SP-9 Business Associate Contracts ...................................................................................287

Physical Safeguards.....................................................................................................................................288SP-10 Facility Access Controls ..............................................................................................288NIST Resource Guide ........................................................................................................................288SP-10.1 Contingency Operations ............................................................................................290SP-10.2 Facility Security Plan ...................................................................................................291SP-10.3 Access Control and Validation Procedures ...........................................................292SP-10.4 Maintenance Records .................................................................................................293SP-11 Workstation Use ..........................................................................................................293NIST Resource Guide ........................................................................................................................294SP-12 Workstation Security ............................................................................................................295SP-13 Device and Media Controls .......................................................................................296NIST Resource Guide ........................................................................................................................296SP-13.1 Disposal ..........................................................................................................................297SP-13.2 Media Re-use ................................................................................................................298SP-13.3 Accountability 
..............................................................................................................298SP-13.4 Data Backup and Storage ..........................................................................................299

Technical Safeguards ..................................................................................................................................300SP-14 Access Control ..............................................................................................................300SP-14.1 Unique User Identification ........................................................................................300SP-14.2 Emergency Access Procedures .................................................................................300SP-14.3 Automatic Logoff ........................................................................................................300SP-14.4 Encryption and Decryption .......................................................................................301NIST Resource Guide ........................................................................................................................301SP-15 Audit Controls ..............................................................................................................302NIST Resource Guide ........................................................................................................................302


  SP-16 Integrity ... 303
  SP-17 Person or Entity Authentication ... 304
    NIST Resource Guide ... 305
  SP-18 Transmission Security ... 306
    NIST Resource Guide ... 306
    SP-18.1 Integrity Controls ... 307
    NIST Resource Guide ... 307
    SP-18.2 Encryption ... 308
  SP-19 Business Associate Contracts/Agreements ... 308

Breach Notification Sample Policies ... 311
  SP-20 Discovery of a Breach ... 311
  SP-21 Breach Investigation ... 312
  SP-22 Risk Assessment ... 312
  SP-23 Notification ... 312
  SP-24 Breach Information Log ... 314

Red Flag Rules Sample Policies ... 315
  SP-25 Creation of Medical Identity Theft Prevention Program ... 315
  SP-26 Identify the Red Flags That Signal Possible Medical Identity Theft ... 315
  SP-27 Detect Medical Identity Theft As It Occurs ... 316
  SP-28 Prevent and Mitigate Identity Theft ... 316
  SP-29 Update the Medical Identity Theft Prevention Program ... 317

Identifiers ... 319
  HIPAA Uniform Identifier Requirements ... 319
    Uses of Identifiers ... 319
    Provider Identifiers ... 319
    Employer Identifiers ... 324
    Health Plan Identifiers ... 324
    Continued Compliance with Identifiers ... 326

Identifiers Model Policies and Procedures ... 327
  Compliance Checklist ... 327
  Model Policies and Procedures ... 328
    IP-1 Patient Identifiers ... 328
    IP-2 Provider Identifiers ... 328

Transaction Standards ... 329
  The Purpose of This Chapter ... 329
  A Reminder About Covered Entities ... 329
  HIPAA Highlights/Review ... 329
  Health Plan Requirements ... 330
  Mandatory Submission of Claims Electronically to Medicare ... 330
    Initial Claims ... 331
    Small Employers ... 331
    Types of Claims Exempt from Electronic Submission ... 332
    Waivers to the Electronic Submission Requirement ... 332
    Contractor Approval for Waivers ... 332
    Unusual Circumstances ... 333
  Claims Attachments ... 333
  Use of Healthcare Clearinghouses ... 334
  Content of HIPAA Transaction Standards ... 335
  Transaction Standards Approved So Far ... 336
  Terms Used in the Transaction Standards ... 339
  Electronic Funds Transfer ... 340
  Claim Edits and Rejections ... 341
    Interchange Control or ISA Edits ... 341
    GS Edits ... 341
    IG Edits ... 342
    Provider Authorization Edits ... 342
    Payer-Specific Edits ... 342
    Trading Partner EDI Specifications ... 342
  HIPAA Code Sets ... 342


    The Meaning of “Code Sets” ... 343
    Revisions to the Code Set Regulations ... 343
  Trading Partner Agreements ... 344
    Responsibilities of Trading Partners ... 344
    Effective Date for Transaction Standards ... 344
    How to Assess HIPAA’s Impact ... 344
  Survey of Coding Practices ... 345
  Survey of Trading Partners ... 346

Transaction Standards Model Policies and Procedures ... 349
  Compliance Checklists ... 349
    Survey of Information Systems ... 349
    Survey of Trading Partners ... 350
    Survey of Coding Practices ... 352
  T-1000 Use of Standard Transactions ... 353
  T-1200 Testing and Certification of Compliance with Federal Transaction Standards ... 356
  T-2000 Trading Partner Agreements ... 356
  T-3000 Updating Code Sets and Practices ... 356

Employee Training and Education ... 359
  Employee Handbooks ... 359
  Privacy Training ... 359
  Developing and Implementing Training Programs ... 359
  Instructor’s Guide ... 360
    Section 1: A Hypothetical Case History ... 360
    Section 2: Using and Sharing Information ... 364
    Section 3: Notice of Privacy Practices ... 371
    Section 4: Authorization ... 377
    Section 5: Accountings ... 381
    Section 6: Patient Access to Information ... 383
  Privacy Training Presentation ... 385
  Privacy Refresher Training ... 425
  HIPAA Skills Test—Privacy Regulations ... 426
  Security Training ... 438
  Developing and Implementing Training Programs ... 438
  Instructor’s Guide ... 438
    Information Security ... 438
    Administrative Safeguards ... 439
    Physical Safeguards ... 442
    Technical Safeguards ... 443
    Privacy and Security Training ... 445
  Security Training Presentation ... 446
  HIPAA Skills Test—Security Regulations ... 458
    HIPAA Skills Test—Security ... 467
  What would you do? ... 470

Conducting Internal HIPAA Audits ... 473
  Making the Case for HIPAA Auditing ... 473
    Deciding What Information to Audit ... 474
    Creating an Audit Plan ... 476
    Conducting the Audit ... 477
    Evaluating and Reporting Audit Findings ... 477
    Privacy and Security Auditing ... 479

HIPAA Topics ... 489
  Accredited Standards Committee ... 489
    Transaction Standards and Code Sets ... 489
    What is the ASC? ... 489
    What is the ASC’s role under HIPAA? ... 489
    Mission of the ASC ... 489
    Principles of the ASC ... 490


  Administrative Simplification ... 490
    General: HIPAA ... 490
    Privacy Standards ... 491
    Requirements ... 491
    Transaction Standards and Code Sets ... 492
    Security Standards ... 494
    Identifiers ... 496
  Administrative Simplification Compliance Act ... 497
    Transaction Standards and Code Sets ... 497
    What Is the Administrative Simplification Compliance Act (ASCA)? ... 497
    Model Compliance Plan ... 497
    Electronic Claims ... 497
  American Recovery and Reinvestment Act of 2009 ... 498
    What is the ARRA? ... 498
    Business Associates ... 498
    Privacy-Related Provisions ... 499
    What can we expect? ... 501
  ANSI ... 502
    General ... 502
    What is ANSI? ... 502
    Standards-Setting Organizations ... 502
    The Mission of ANSI ... 502
  ASC X12N ... 503
    Transaction Standards and Code Sets—45 CFR §162.920 ... 503
    The Final Approved ASC X12N Standards ... 503
    Approved Versions ... 503
    Future ASC X12N Standards ... 504
  CMS ... 505
    General ... 505
    What is CMS? ... 505
    CMS’s Role Under HIPAA ... 505
    CMS Assistance to the Provider Community ... 505
    CMS As a Covered Entity ... 506
  Code-Set Maintaining Organization ... 506
    Transaction Standards and Code Sets—45 CFR §162.1002 ... 506
    Definition of Code-Set Maintaining Organizations ... 506
    Approved Code-Set Maintaining Organizations ... 506
  Code Sets ... 507
    Transactions and Code Sets—45 CFR Part 162 Subpart J ... 507
    Definition of Code Sets ... 507
    Approved Medical Code Sets ... 507
    ICD-10-CM ... 507
    ICD-10-PCS ... 508
    Current Procedural Terminology (CPT®) ... 508
    Healthcare Common Procedure Coding System (HCPCS) ... 509
    National Drug Codes ... 511
    Code on Dental Procedures and Nomenclature ... 512
    Nonmedical Code Sets ... 512
    Modifications to Approved Code Sets ... 513
    Table of Medical and Nonmedical Code Sets ... 514
  Communications Under HIPAA ... 520
    Privacy ... 520
    Communication by Telephone ... 520
    Communication by Fax ... 520
    Communication by Email ... 520
    Frequently Asked Questions ... 521
    Tips for Office Communication ... 523
  Companion Guides ... 526
    Transaction Standards and Code Sets ... 526
    Definition of Companion Guides ... 526
    Trading Partners ... 526


    Sample Companion Guide ... 526
  Compliance Dates ... 528
    General ... 528
    Compliance Dates for Transactions and Code Sets ... 528
    Compliance Dates for Privacy ... 528
    Compliance Dates for Security ... 528
    Compliance Dates for Identifiers ... 528
  Covered Entity ... 530
    General—45 CFR §160.102 ... 530
    Definition of a Covered Entity ... 530
    Subdivisions of Covered Entities ... 530
    Am I a covered entity? ... 530
    How to Use These Charts ... 530
  Credentials/Certifications ... 532
    General ... 532
    AHIMA-Sponsored Credentials ... 533
    ISC2-Sponsored Credentials ... 533
  Data Element ... 534
    Transactions and Code Sets—45 CFR §162.103 ... 534
    Definition of a Data Element ... 534
    Data Element Summary ... 534
  Data Segment ... 535
    Transactions and Code Sets—45 CFR §162.103 ... 535
    Definition of a Data Segment ... 535
    Example of a Data Segment ... 536
    Segment Delimiters ... 536
    Segment Terminator ... 536
    Implementation Guides ... 536
  Decedents ... 537
    Privacy—45 CFR §164.512(g) ... 537
    The General Rule Regarding PHI of Decedents ... 537
    Special Disclosures of PHI Regarding Decedents ... 537
    Research and the PHI of Decedents ... 537
  De-identified Information ... 538
    Privacy—45 CFR §164.514 ... 538
    Definition of De-identified Information ... 538
    Reasons for Data De-identification ... 538
    How to De-identify Protected Health Information ... 538
  Designated Record Set ... 541
    Privacy—45 CFR §164.501 ... 541
    The Definition of Designated Record Set ... 541
    The Definition of a Record ... 541
    Examples of Inclusions in the Designated Record Set ... 541
    Examples of Exclusions from the Designated Record Set ... 542
    State Law ... 542
  Direct Data Entry ... 543
    Transactions and Code Sets—45 CFR §162.923(b) ... 543
    Definition of Direct Data Entry ... 543
    Rules Surrounding Direct Data Entry Systems ... 543
    Data Entry Through an Intermediary ... 543
  Direct Versus Indirect Treatment Relationship ... 544
    Privacy—45 CFR §164.520 ... 544
    Definition of an Indirect Treatment Relationship ... 544
    Definition of a Direct Treatment Relationship ... 544
    Privacy Requirements Based on Treatment Relationship ... 544
  Disclosure ... 544
    Privacy—45 CFR §164.501 ... 544
    Definition of Disclosure ... 545
    Verification Requirements ... 545
    Examples of Verification Procedures ... 545
    Disclosures to the Patient ... 545


    Example Situations and Suggested Protocols ..... 546
    Disclosures to Family, Friends, or Others Involved in the Patient’s Care ..... 546
    Disclosures to Clergy ..... 546
    Facility/Hospital Directories ..... 547
    Disclosures to Other Providers ..... 548
    Disclosures to Third Parties Involved in Payment ..... 548

DSMO ..... 549
    Transactions and Code Sets—45 CFR §162.910 ..... 549
    What Are the DSMOs? ..... 549
    The Review/Modification Process ..... 549
    Currently Designated DSMOs ..... 549

Electronic Data Interchange (EDI) ..... 550
    Transactions and Code Sets ..... 550
    Definition of EDI ..... 550
    Benefits of EDI ..... 550
    The Administrative Simplification Compliance Act and EDI Requirements for Small Providers ..... 550

Electronic Media ..... 551
    General—45 CFR §160.103 ..... 551
    Definitions of Electronic Media ..... 551
    What Is Not Electronic Media ..... 551

Electronic Signatures ..... 552
    Security ..... 552
    Electronic Signatures and the Security Rule ..... 552
    State Law on Electronic Signatures ..... 552
    AHIMA Best Practice Standards ..... 552
    SAFE Project ..... 553

Electronic Transactions ..... 553
    Transactions and Code Sets—45 CFR §160.103 ..... 553
    Definition of an Electronic Transaction ..... 553
    Types of Electronic Transactions ..... 553
    Electronic Transactions and HIPAA Standards ..... 554

Emergency Situations ..... 554
    Release of Information During Emergency Situations ..... 554

Employer Identifiers ..... 555
    Unique Identifiers—45 CFR §162.610 ..... 555
    Rule for Employer Identifiers ..... 555
    Adopted Standards ..... 555
    Transactions Affected ..... 556

Enforcement ..... 556
    General ..... 556
    OCR Enforcement of the Privacy and Security Rule ..... 556
    Privacy Complaint Process ..... 557
    Compliance and Enforcement Rule ..... 560
    Transactions and Code Sets Complaint Process ..... 565
    Electronic Data Interchange (EDI) ..... 568

Fundraising Under HIPAA ..... 573
    Privacy—45 CFR §164.514(f) ..... 573
    Requirements Under the Regulations ..... 573
    Issues with Current Typical Fundraising Practices ..... 573

Genetic Information Nondiscrimination Act (GINA) of 2008 ..... 576
    Privacy—45 CFR §164.520 ..... 576
    GINA’s Requirements ..... 576
    HIPAA Omnibus and GINA ..... 576

Government Access to Information ..... 577
    Privacy—45 CFR §164.512(f) ..... 577
    The Privacy Rule and Government Access to Information ..... 577
    Guidance from the Office for Civil Rights on Government Access to PHI ..... 577

Healthcare ..... 580
    General—45 CFR §160.103 ..... 580
    Healthcare Defined ..... 580


    Other Government Definitions ..... 580
    Other Services ..... 584
    Helpful Questions and Answers ..... 585

Healthcare Clearinghouse ..... 586
    General—45 CFR §160.103 ..... 586
    Clearinghouse Defined ..... 586
    Frequently Asked Questions ..... 586

Healthcare Operations ..... 589
    Privacy—45 CFR §164.501 ..... 589
    Healthcare Operations Defined ..... 589
    Operations Versus Research ..... 590
    American Recovery and Reinvestment Act of 2009 ..... 590

Healthcare Provider ..... 591
    General—45 CFR §160.103 ..... 591
    Healthcare Provider Defined ..... 591
    Other Government Definitions ..... 591
    Are You a Healthcare Provider? ..... 592

Health Information ..... 595
    General—45 CFR §160.103 ..... 595
    Health Information Defined ..... 595
    Individually Identifiable Health Information ..... 595
    Protected Health Information ..... 595

Health Information Technology for Economic and Clinical Health (HITECH) Act ..... 595

Health Plan ..... 596
    General—45 CFR §160.103 ..... 596
    Health Plan Defined ..... 596
    Health Plan Comparisons ..... 596

HHS ..... 600
    General ..... 600
    HHS: What It Does ..... 600
    HHS Operating Divisions ..... 601
    Other HHS Agencies ..... 602
    Organization of HHS ..... 603

Implementation Guides ..... 604
    Transactions and Code Sets—45 CFR §162.920 ..... 604
    Implementation Guides ..... 604
    Details on the Specifications ..... 604
    Retail Pharmacy Specifications ..... 604
    Companion Guides ..... 605

Incidental Disclosures ..... 605
    Privacy—45 CFR §164.502(a)(1) ..... 605
    Incidental Disclosures Defined and Regulatory Context ..... 605
    Tips for Monitoring ..... 606

Individual Identifiers ..... 608
    Unique Identifiers ..... 608
    Purpose of Individual Identifiers ..... 608
    Issues with Individual Identifiers ..... 608
    Frequently Asked Questions on Individual Identifiers ..... 608

Limited Data Set ..... 609
    Privacy—45 CFR §164.514(e) ..... 609
    Requirements of a Limited Data Set ..... 609
    Data-Use Agreements ..... 610
    American Recovery and Reinvestment Act of 2009 ..... 610
    HIPAA Compliance Tool ..... 610
    Data Use Agreement for Limited Data Set ..... 611

Loop ..... 612
    Transaction Standards and Code Sets ..... 612
    Loop Defined ..... 612
    Required and Situational Loops ..... 612
    Examples ..... 613

Marketing Under HIPAA ..... 613


    Privacy—45 CFR §164.508(a)(3) ..... 613
    Definition of Marketing ..... 614
    Exceptions to the Definition ..... 614
    American Recovery and Reinvestment Act of 2009 ..... 614
    OCR Frequently Asked Questions ..... 615

NCPDP Format ..... 617
    Transactions and Code Sets—45 CFR §162.1102 ..... 617
    Details on the Standards ..... 617

NDC ..... 621
    Transactions and Code Sets—45 CFR §162.1002 ..... 621
    Requirements ..... 621
    The Code Set ..... 621

Notice of Privacy Practices ..... 622
    Privacy—45 CFR §164.520 ..... 622
    Who Must Receive the Notice ..... 622
    Good-Faith Effort to Obtain Written Acknowledgment of Receipt ..... 623
    Content Requirements ..... 623
    Request for Restrictions on Use or Disclosure and Confidential Communication ..... 625
    Documentation of Compliance ..... 625
    Emergency Treatment ..... 625

Paper Transactions ..... 626
    Transactions and Code Sets ..... 626

Payment ..... 627
    Privacy—45 CFR §164.500 ..... 627
    Definition of Payment ..... 627
    Payment and the Standard Transactions ..... 627
    Required, Situational, and Optional Data Elements Compared ..... 628

Personal Representatives ..... 629
    Privacy—45 CFR §164.502(g) ..... 629
    Who Must Be Recognized As a Personal Representative ..... 629
    Parents and Unemancipated Minors ..... 629
    Abuse, Neglect, and Endangerment Situations ..... 630

Pre-emption ..... 631
    Privacy—45 CFR §160 Subpart B ..... 631
    Exceptions to the Pre-emption Standards ..... 631
    Sample Analysis ..... 631
    New York State Office of Mental Health HIPAA Pre-emption Analysis ..... 632

Privacy and Litigation ..... 635
    Subpoena of Records in Qui Tam and Class Action ..... 635

Privacy Rule ..... 635
    Privacy—45 CFR Parts 160 & 164 ..... 635
    Purpose of Privacy Regulations ..... 635
    Fundamental Concepts ..... 636

Protected Health Information ..... 639
    Privacy—45 CFR §164.501 ..... 639

Provider Identifiers ..... 639
    Unique Identifiers—45 CFR §162.402-414 ..... 639
    Final Rule ..... 639
    Other Provisions of the Final Rule ..... 640

Psychotherapy Notes ..... 641
    Privacy—45 CFR §164.508(a)(2) ..... 641
    Definition of Psychotherapy Notes ..... 641
    Maintaining Psychotherapy Notes ..... 641
    Use and Disclosure Requirements ..... 641
    Authorization Exceptions ..... 642
    Patient Right to Access ..... 642

Red Flags Rule ..... 642
    General ..... 642
    Questions and Answers About the Red Flags Rule ..... 643

Required Safeguards ..... 645
    Privacy—45 CFR §164.530(c) ..... 645


    Where Privacy and Security Overlap ..... 645
    Administrative Safeguards ..... 645
    Physical Safeguards ..... 646
    Technical Safeguards ..... 646

Retail Pharmacy ..... 646
    Transactions and Code Sets ..... 646
    Frequently Asked Questions ..... 646

Reviews of Compliance by the Office of Inspector General ..... 647

Security Rule ..... 648
    Security—45 CFR Parts 160, 162 and 164 ..... 648
    Security Safeguard Groupings ..... 648
    Overlap Between Safeguards ..... 649
    The Five General Organizational Obligations Established by the Security Rule ..... 649
    Covered Entity Legal Obligations Under Federal Law ..... 650
    American Recovery and Reinvestment Act of 2009 ..... 650

Security Standards Matrix ..... 650

Small Provider Exemption ..... 652
    Transactions and Code Sets ..... 652

Standard Setting Organization ..... 652
    Transactions and Code Sets—45 CFR §160.102 ..... 652
    Details on SSOs ..... 652
    DSMOs ..... 652

Standards ..... 653
    General ..... 653

Trading Partner ..... 654
    Transactions and Code Sets—45 CFR §162.915 ..... 654
    Definition of a Trading Partner ..... 654
    Examples of Trading Partner Relationships ..... 654
    Trading Partner Agreements ..... 654

Training Requirements ..... 655
    General—45 CFR §164.530(b), §164.308(a)(5) ..... 655
    Privacy Training ..... 655
    Security Training ..... 655
    NIST Resource Guide ..... 656
    Other Educational Options ..... 657

Transaction Standards ..... 659
    Transactions and Code Sets ..... 659
    Health Plan Requirements ..... 660
    Mandatory Submission of Claims Electronically to Medicare ..... 660
    Use of Healthcare Clearinghouses in the Transaction Process ..... 661
    Content of HIPAA Transaction Standards ..... 661
    Approved Transactions ..... 663
    270/271 ..... 665
    275/277 ..... 666
    276/277 ..... 666
    278 ..... 666
    820 ..... 667
    834 ..... 667
    835 ..... 667
    837 ..... 667
    Claims Attachment ..... 668
    Top Errors Found in 5010 Testing ..... 669

Treatment ..... 671
    Privacy—45 CFR §164.501 ..... 671
    Definition of Treatment ..... 671

Verification Requirements ..... 671
    Privacy—45 CFR §164.504 ..... 671
    Verification Scenarios ..... 672
    Example Situations and Suggested Protocols ..... 673

Index ..... 675


HIPAA Privacy Standards

Overview of HIPAA Privacy Requirements

The purpose of HIPAA’s privacy requirements is threefold:

To restrict the unwarranted disclosure of sensitive personal information

To give individuals greater control over access to sensitive personal information, including the specific information that can be disclosed, to whom, and how it may be used

To enable providers to use the personal information they need to make treatment decisions and to meet their obligations to patients and to regulatory and law enforcement agencies

Scope of the HIPAA Privacy Standards

The HIPAA requirements apply to “individually identifiable health information,” which essentially means:

Information that describes the health status of an individual, including basic demographics and the use of medical services

Information that either identifies, or can be used to identify, an individual

Individually identifiable health information is defined more fully under the heading “Understanding Protected Health Information” in this chapter.

Unlike the HIPAA transaction standards, the privacy standards apply to all individually identifiable health information that is collected, maintained, or transmitted by a healthcare provider. The privacy standards are not limited to information that is transmitted electronically as part of a standard HIPAA transaction.

Notice, Authorization, Accounting, and Amendment

HIPAA establishes a complex set of requirements that include:

Providing the patient with a “notice of privacy practices” form that outlines a provider’s privacy practices, and obtaining the patient’s acknowledgment of receiving the notice

Obtaining a patient’s specific authorization to use or disclose personal information for purposes that are not included in treatment, payment, and healthcare operations

Providing the patient, upon request, with an accounting of disclosures of protected health information

Giving the patient access to his or her protected health information and providing an opportunity to request corrections in that information

Complicating the situation for physicians is a HIPAA provision that allows patients to request restrictions on the use of sensitive health information beyond the terms of a normal consent arrangement. This provision empowers patients to impose restrictions on the specific persons and organizations to whom their information is disclosed, and to request that communications with the provider be conducted on


Privacy Model Policies and Procedures

Creating a HIPAA Privacy Compliance Plan

Whether you are looking to build a new HIPAA privacy compliance plan or simply update your current plan, it is important to keep certain elements in mind. The root of all compliance activities is formed by the seven elements of a compliance program as outlined in the U.S. Sentencing Guidelines from the United States Sentencing Commission:

Standards and procedures

Oversight by an appropriate official

Education and training

Auditing and monitoring

Open lines of communication

Enforcement and discipline

Response and prevention

These seven elements are used by compliance programs in many industries and are effective building blocks of a strong compliance function. Those who build upon each element will have strong HIPAA compliance programs moving forward.

The first step in building a compliance program is to assign someone as the HIPAA privacy official. Depending on the size of the organization, this may be a full-time role, or it may be added to the existing activities of another person’s role such as the practice administrator or health information management director.

Once an appropriate official has been named to oversee the activities of the HIPAA privacy compliance program, the organization should begin to work on the other aspects of its program. A good place to begin is in the standards and procedures area, with development of a policy and procedure manual. Typically, the other elements fall into line during manual development. Immediately following this section is a large section of HIPAA privacy policies and procedures that can be used in developing a policy and procedure manual. These are just “generic” policies and procedures, however; they must be customized for each organization.

Education and training under HIPAA privacy is an important required element under the regulations but is also vital to continued compliance. Without ongoing education and reminders, staff can become complacent with protected health information and violations can occur. In the “Employee Training and Education” section of this book, there are resources for training, as well as tests that can be given to staff to assess their HIPAA privacy knowledge.

Auditing and monitoring is an essential element of any compliance program. The process of auditing and monitoring uncovers issues with potential gaps in compliance so that they may be addressed and corrected. The “Conducting Internal


Security Regulations In-Depth

Overview

The HIPAA Security Rule establishes a total of 22 security safeguard standards. These standards are grouped under the headings of administrative safeguards, physical safeguards, technical safeguards, organizational requirements, policies and procedures, and documentation requirements. The 22 security safeguard standards define 42 implementation specifications, which are more detailed statements of what must be done to comply with the standard. Of these 42 specifications, 20 are “required,” and 22 are “addressable.”

Administrative Safeguards

Standard                                   Section          Implementation Specifications
                                                            (R) = Required, (A) = Addressable
Security Management Process                164.308(a)(1)    Risk analysis (R)
                                                            Risk management (R)
                                                            Sanction policy (R)
                                                            Information system activity review (R)
Assigned Security Responsibility           164.308(a)(2)    (R)
Workforce Security                         164.308(a)(3)    Authorization and/or supervision (A)
                                                            Workforce clearance procedure (A)
                                                            Termination procedure (A)
Information Access Management              164.308(a)(4)    Isolating healthcare clearinghouse function (R)
                                                            Access authorization (A)
                                                            Access establishment and modification (A)
Security Awareness and Training            164.308(a)(5)    Security reminders (A)
                                                            Protection from malicious software (A)
                                                            Log-in monitoring (A)
                                                            Password management (A)
Security Incident Procedures               164.308(a)(6)    Response and reporting (R)
Contingency Plan                           164.308(a)(7)    Data backup plan (R)
                                                            Disaster recovery plan (R)
                                                            Emergency mode operation plan (R)
                                                            Testing and revision procedure (A)
                                                            Applications and data criticality analysis (A)
Evaluation                                 164.308(a)(6)    (R)
Business Associate Contracts and           164.308(b)(1)    Written contract or other arrangement (R)
  Other Arrangements

Identifiers Model Policies and Procedures

Compliance Checklist

Yes No   Every member of the professional staff has a valid and current NPI.

         List every member of the practice who bills for services:

Yes No   ___________________________________

Yes No   ___________________________________

Yes No   ___________________________________

Yes No   Staff responsible for conducting the standard transactions have been given guidance on when to use each identifier.


Employee Training and Education

Slide 8

The “Notice of Privacy Practices” is the primary vehicle HIPAA created for telling patients how practices will use their medical information.

The Notice also describes the rights of patients to authorize certain uses and disclosures of information, to request an accounting of certain uses and disclosures, to inspect their own records, and to request corrections in information.

HIPAA requires you to give the notice to every patient when they first visit the medical practice. You are required to make what HIPAA calls a “good faith effort” to obtain a written acknowledgment from the patient that he or she has been given a copy of the notice.

Slide 9

You are required to obtain a patient’s authorization to use or disclose their protected health information for a purpose other than treatment, payment, and support of the healthcare operations of the practice.

Examples of use and disclosure that require authorization are research studies and the sale of mailing lists to other organizations.

An authorization must identify the information to be disclosed or used, how the information will be used, and who will use it. The authorization must be signed by the patient or by the patient’s representative if the patient is unable to sign it.

Customers are permitted to reproduce these policies for use within their own facilities or medical practices. Other distribution is prohibited.

Conducting Internal HIPAA Audits

Making the Case for HIPAA Auditing

The foundation of all good compliance programs—whether they address compliance with the government’s rules on coding and billing or with health information privacy and security—is auditing and monitoring. Any good audit program helps an entity maintain compliance in whatever area the auditor is examining.

Although there are no set guidelines for auditing an existing Health Insurance Portability and Accountability Act program, two standards within the security rule require some form of auditing. If an organization has a HIPAA program in place, these areas should already be an active part of its HIPAA processes.

Section 164.308(a)(1)(ii)(D), Information system activity review (Required): Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.

Section 164.312(1)(b), Audit controls: Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
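To show what a regular activity review of the kind the two standards above call for can look like in practice, here is an added example (written for this edition, not code from the tool kit): a small review routine run over constructed access-log records, flagging record access without a treatment relationship, after-hours access, and repeated failed log-ins. The log format, the care-team roster and the hour and failure thresholds are assumptions for the example.

```python
"""Added example: a periodic information system activity review.

Reviews constructed EHR access-log records for three conditions a reviewer
working under 164.308(a)(1)(ii)(D) and 164.312(b) would want surfaced:
  1. record access by a user with no documented treatment relationship,
  2. record access outside the practice's normal hours,
  3. repeated failed log-ins (log-in monitoring).
The log format, roster and thresholds are assumptions, not regulatory text.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log: timestamp, user, action, patient ("-" when none).
SAMPLE_LOG = """\
2018-10-02T09:12:05 jsmith VIEW P1001
2018-10-02T09:40:11 jsmith VIEW P1002
2018-10-02T10:05:44 jsmith VIEW P1003
2018-10-02T22:15:30 rdoe VIEW P1003
2018-10-02T22:16:02 rdoe EXPORT P1001
2018-10-03T08:01:00 tlee LOGIN_FAIL -
2018-10-03T08:01:20 tlee LOGIN_FAIL -
2018-10-03T08:01:45 tlee LOGIN_FAIL -
2018-10-03T08:02:10 tlee LOGIN_OK -
"""

# Constructed roster: the patients each user currently treats.
CARE_TEAM = {"jsmith": {"P1001", "P1002"}, "rdoe": {"P1003"}, "tlee": set()}

PHI_ACTIONS = {"VIEW", "PRINT", "EXPORT"}


def parse_log(text):
    """Parse space-separated log lines into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, patient = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "action": action, "patient": patient})
    return records


def review_activity(records, care_team, after_hours=(20, 6), fail_threshold=3):
    """Return (finding, user, patient) tuples in log order.

    after_hours is (start_hour, end_hour): hours >= start or < end count as
    outside normal operation.  fail_threshold failed log-ins by one user with
    no successful log-in in between raise a single finding.
    """
    findings = []
    failures = defaultdict(int)
    start, end = after_hours
    for r in records:
        if r["action"] == "LOGIN_FAIL":
            failures[r["user"]] += 1
            if failures[r["user"]] == fail_threshold:
                findings.append(("repeated_login_failures", r["user"], None))
            continue
        if r["action"] == "LOGIN_OK":
            failures[r["user"]] = 0  # a successful log-in resets the streak
            continue
        if r["action"] in PHI_ACTIONS:
            if r["patient"] not in care_team.get(r["user"], set()):
                findings.append(("no_treatment_relationship", r["user"], r["patient"]))
            if r["ts"].hour >= start or r["ts"].hour < end:
                findings.append(("after_hours_access", r["user"], r["patient"]))
    return findings


def summarize(findings):
    """Count findings by type: the shape of an access report for the review."""
    return dict(Counter(f[0] for f in findings))


def run_review(log_text=SAMPLE_LOG, care_team=CARE_TEAM):
    """Parse and review one log extract; returns the list of findings."""
    return review_activity(parse_log(log_text), care_team)


if __name__ == "__main__":
    for finding, user, patient in run_review():
        print(f"{finding:28s} user={user} patient={patient}")
    print(summarize(run_review()))
```

Each finding is a lead for the privacy or security official to follow up against the sanction policy, not a conclusion in itself.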

Beginning in 2011, the Office for Civil Rights (OCR) established a pilot audit program to determine whether covered entities (CE) and business associates (BA) had implemented HIPAA privacy, security, and breach notification programs as required by HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act, and to assess whether the guidelines and processes established by the CE comply with the rules. If the Department of Health and Human Services (HHS) and the OCR feel it is necessary to audit these programs, then so should covered entities.

Proof of the need for ongoing auditing and monitoring is evident in OCR’s findings from the initial pilot audits conducted in 2012. At the joint OCR and National Institute of Standards and Technology (NIST) conference, “Safeguarding Health Information: Building Assurance Through HIPAA Security,” held in September 2014, the OCR reported that “58 out of the 59 healthcare providers audited had at least one negative finding regarding security rule compliance, 56 percent became aware of additional HIPAA regulations that apply to their organizations, and two-thirds of all entities had no complete or accurate risk assessment program.” Based on the less-than-flattering findings from these phase one audits, the OCR will continue to step up HIPAA enforcement.

On March 21, 2016, as part of its continued efforts to assess compliance by covered entities and their business associates with the HIPAA Privacy, Security and Breach Notification rules, the OCR began Phase 2 of the audits. Phase 2 audits will review policies and procedures written and implemented by the covered entity and its business associates regarding selected standards and specifications of the Privacy, Security, and Breach Notification rules. Additional information about Phase 2 of the OCR audit program can be found

IMPORTANT
An entity relying on its own complaint/grievance process to catch instances of noncompliance could be missing processes that violate HIPAA rules.

IMPORTANT
Two-thirds of covered entities audited did not perform a complete or accurate risk assessment. Remember, some standards are required and some are addressable. “Required” means the policies and/or procedures must be implemented. “Addressable” means the CE must assess whether the standard is “reasonable and appropriate” for the environment. A risk assessment is a required element of the security rule and includes a risk analysis [164.308(a)(1)(ii)(A)] and risk management [164.308(a)(1)(ii)(B)].

Implementation Guides

Transactions and Code Sets—45 CFR §162.920

The standards for electronic transactions regulations give general information on which standards have been named for which types of transactions. Further detail on the transactions themselves can be found in the implementation specifications, also called implementation guides.

Within this topic, the following will be discussed:

Implementation guides

Details on the specifications

ASC X12N specifications

Retail pharmacy specifications

Companion guides

Implementation Guides

Each type of transaction has a separate implementation guide, which is available through sources listed in the regulation. These guides give detailed instructions on how to implement the standard, what data elements are included, and additional information important to properly trading information via electronic data interchange using these standards. Since the version 4010 specifications transitioned to the version 5010 specifications, there are no longer “Implementation Guides.” The new documents are called the “Technical Reports Type 3,” or TR3.

Details on the Specifications

Following is information on how to find out which implementation guides are available for which transactions.

The Washington Publishing Company specifications are available online at http://www.wpc-edi.com. The company can also be contacted at:

Washington Publishing Company
PMB 161
5284 Randolph Road
Rockville, MD 20852-2116
Telephone: (301) 949-9740
Fax: (301) 949-9742

The TR3 documents for version 5010 are available from the Washington Publishing Company, as well as change description guides for version 5010. The previous version 4010 implementation guides are available there as well.

Retail Pharmacy Specifications

The Telecommunication Standard Implementation Guide, version 5, release 1 (version 5.1), September 1999, National Council for Prescription Drug Programs

The Telecommunication Standard Implementation Guide version D.0, July 2007, National Council for Prescription Drug Programs (Effective for January 1, 2012 claims)

The Batch Standard Batch Implementation Guide, version 1, release 1 (version 1.1), January 2000, National Council for Prescription Drug Programs

Privacy and Litigation

Subpoena of Records in Qui Tam and Class Action

Although HIPAA is comprehensive in nature, there are gray areas where specific situations are not addressed. The subpoena of records in qui tam and class action suits is currently under scrutiny in several states. The issues center around:

Entities not designated as a “covered entity”

Pre-emption of state or federal law

Informal discovery, which is not addressed under HIPAA

A covered entity is defined in HIPAA as providers, payers, and clearinghouses. Current HIPAA law does not specifically address issues of release of protected health information (PHI) to noncovered entities, specifically when requested by properly executed subpoenas.

Privacy Rule

Privacy—45 CFR Parts 160 & 164

Healthcare providers, health plans, and healthcare clearinghouses collect, process, transmit, and store vast amounts of sensitive personal information on patients, health plan subscribers, and beneficiaries of public health programs. How should this information be disclosed? To whom? Under what circumstances—and with what restrictions?

In this section we will discuss:

Purpose of privacy regulations

Protected health information

Use of protected health information

Disclosure of protected health information

Minimum necessary use and disclosure

Purpose of Privacy Regulations

The fundamental purpose of the privacy rule is to set a federal “floor” of basic protections to prevent those who do not need identifiable health information from accessing or using it for purposes never intended or known of by the individual who is the subject of that information. The privacy rule sets forth certain patient rights:

The right to request restrictions on the disclosure of their health information

The right to access and obtain a copy of the patient’s health information stored in a designated record set

The right to request amendment to the patient’s health information stored in a designated record set

The right to obtain an accounting of certain disclosures that are not for treatment, payment, and healthcare operations (or otherwise)

The right to complain of any violation of the privacy rule


Index

A
abuse, neglect, and endangerment 30, 630
  reporting 92
access control
  NIST resource guide 301
access report 44, 186, 261, 440, 500
access to data 302
accounting for disclosures 43, 47, 153, 363, 368, 381, 419, 499
  access report 44
Accredited Standards Committee 489
  ASC defined 489
  ASC’s role under HIPAA 489
  mission of the ASC 489
  principles of the ASC 489, 490
  X12 EDI 489
adjudication 339
administrative safeguards 196, 264, 439, 495, 645
  standards
    assigned security responsibility 645
    business associate contracts 645
    contingency plan 645
    evaluation 645
    information access management 645
    security incident procedures 645
    security management process 645
administrative simplification 3, 15, 330, 490
  code sets 494
  covered entities
    minimum necessary 491
    requirements
      notify 491
      TPO 491
  electronic submissions
    certification and authorization of referrals 493
    claim status 493
    coordination of benefits 493
    enrollment and disenrollment 493
    health insurance plan 493
    premium payments 493
    remittance advice 493
  identifiers 496
  privacy standards 491
    after implementation 492
      monitoring compliance 492
      Office for Civil Rights (OCR) 492
      sanctions 492
    requirements
      good-faith effort 491
      notice of privacy practices 491
      privacy procedures 491
      secure patient records 492
      training 492
  security standards 494
    safeguards 495
  transaction standards and code sets 492
    electronic submissions 493
      claims
        Medicaid 493
        Medicare 493
      clearinghouses 493
      encounter information 493
      HIPAA compliant claims 493
      payment policies 493
    electronic transfer 492
    standards 492
Administrative Simplification Compliance Act (ASCA) 330, 497, 528, 550, 660
  covered entity 497
  definition 497
  electronic claims 497
  model compliance plan 497
affiliated covered entities 55, 530
American Dental Association (ADA) 7, 11, 357, 506, 512
American Medical Association (AMA) 11, 318, 358, 506, 510
American National Standards Institute (ANSI) 489, 502
American National Standards Institute (ANSI)—see ANSI
American Recovery and Reinvestment Act (ARRA) 47, 381, 498, 500, 501, 575, 590, 614
  accounting for disclosures 43, 363
  business associate 40
ANSI 490, 502
  approved versions 503
  ASC X12N 502
  definition 502
  future 504
  mission 502
  standards-setting organizations 502
approved transactions 663
ARRA/HITECH Act 498, 500, 501
ASC X12N 503
  Accredited Standards Committee 503
  approved standards 503