HIPAA: A How-To Guide for Your Medical Practice
Available
Foreword (Edward M. Gotlieb)

Section 1: Transactions and Code Sets Toolkit
  How to Use the Toolkit
  Introduction to HIPAA
    The Legislation
    Administrative Simplification Regulations
    Administrative Simplification Compliance Act
  Overview of the Transactions and Code Sets
    Applicability
    Purpose
    Your Responsibility
    Transactions Flowchart
    Steps in Processing Transactions
  How the HIPAA Transactions Apply to Providers
    Covered Provider Definition
    Transaction Transmission Options
  How the HIPAA Transactions Are Different
    HIPAA Transactions
    Transactions Illustration
    Transactions Paradigm
    Data Content Capture
    X12N Format
    Connectivity
  Planning for HIPAA Transactions Compliance
    Tasks to Be Performed
    Phased Approach to Implementation
    Clearinghouses vs. Translators and Connectivity
    Checklist of Tasks for Transactions and Code Sets
    Prioritizing Transactions Tasks
  Assessing Your Current Readiness
    Status of Current Transactions
    Current Inventory of Claims
    Current Inventory of Eligibility and Referral Authorization
    Current Inventory of Claims Status, Remittance, and Other Processes
    Other Measures
    Clearinghouse Usage
  Working With Your Vendors
    Types of Vendor Support
    Testing and Certification
    Vendor Information Collection
    Compiling Vendor Information
    Resource for Vendor Information
  Transactions Analysis
    New Data Requirements
    Understanding Data Requirements
  Transactions Operations
    Professional Claims
    Remittance Advice Transaction
    Eligibility Inquiry and Response Transactions
    Claims Status Inquiry and Response Transactions
    Pre-Certification and Referral Authorization Transaction
  Working With Payers
    Payer Inventory
    Key Resources
    Inventory of Major Payers
    Clearinghouse Compliance
    Companion Guides and Trading Partner Agreements
    Working With Payers
  Cost/Benefit Analysis
    Benefits Analysis
    Cost Analysis
    Comparison
  Future Considerations
    Changes to Existing Transactions
    Additional Transactions
    Identifiers
    Code Set Changes
    Other Changes
    Appendix: Overview of the HIPAA Implementation Guides

Section 2: Privacy Manual
  Introduction to the Health Insurance Portability and Accountability Act (HIPAA) Privacy Manual
    Step-By-Step Guide to the Privacy Rule
      Step 1: Read the Overview of the Privacy Rule
      Step 2: Select a Privacy Officer
      Step 3: Review and Implement Privacy Officer Responsibilities
      Step 4: Conduct a Walk-Through of the Practice to Identify Privacy Risk Areas
      Step 5: Implement a Notice of Privacy Practices
      Step 6: Implement a Written Acknowledgement Process
      Step 7: Implement Privacy Policies and Procedures
      Step 8: Implement a Patient Authorization Form
      Step 9: Implement a Form Requesting Restrictions on Uses and Disclosures of PHI
      Step 9A: Receipt of Requests for Confidential Communications of PHI
      Step 10: Implement a Form to Inspect and Copy PHI
      Step 11: Implement Access Denial Form
      Step 12: Implement a Form to Amend PHI
      Step 13: Implement a Form to Receive an Accounting of Certain Disclosures of PHI for Non-TPO Purposes
      Step 14: Implement a Log to Track Disclosures of PHI
      Step 15: Implement Patient Complaint Forms
      Step 16: Determine Who Can Use and Disclose PHI
      Step 17: Update or Develop Job Descriptions With Respect to PHI Use and Disclosure
      Step 18: Develop a List of Your Business Associates
      Step 19: Implement Business Associate Contracts
      Step 20: Train All Physicians and Staff on Privacy Policies and Notice of Privacy Practices
      Step 21: Document Physician and Staff Training
      Step 22: Obtain Signed Workforce Confidentiality Agreements From All Physicians and Staff
      Step 23: Monitor Compliance With the Privacy Rule
    Exhibits
      Exhibit 1: Privacy Officer Job Responsibilities
      Exhibit 2: Internal Privacy Checklist
      Exhibit 3: Notice of Privacy Practices
      Exhibit 4: Receipt of Notice of Privacy Practices Written Acknowledgement Form
      Exhibit 5: Sample Privacy Policies
      Exhibit 5A: Sample Privacy Procedures
      Exhibit 6: Patient Authorization for Use and Disclosure of Protected Health Information
      Exhibit 7: Illustrations of Situations Requiring/Not Requiring Authorization
      Exhibit 8: Request for Limitations and Restrictions of Protected Health Information
      Exhibit 9: Request to Inspect and Copy Protected Health Information
      Exhibit 10: Patient Denial Letter
      Exhibit 11: Request for Correction/Amendment of Protected Health Information
      Exhibit 12: Request for an Accounting of Certain Disclosures of Protected Health Information for Non-TPO Purposes
      Exhibit 13: Log to Track Disclosures of PHI
      Exhibit 14: Patient Complaint Form
      Exhibit 15: Listing of Typical Business Associates
      Exhibit 16: A Medical Practice Guide for the Privacy Officer to Identify Business Associates
      Exhibit 17: Business Associate Contract
      Exhibit 18: Privacy Policy Training Checklist
      Exhibit 19: Training Documentation Form
      Exhibit 20: Workforce Confidentiality Agreement
      Exhibit 21: Privacy Officer's Incident Event Log
    Appendix 1: Frequently Asked Questions
    Appendix 2: Facsimile Transmittal
    Appendix 3: Forms Checklist
    Appendix 4: Patient Consent Form (Optional)
    Appendix 5: Patient Consent for Use and Disclosure of Protected Health Information
    Appendix 6: Determine Whether Your Practice Uses and Discloses PHI for Research Purposes
    Appendix 7: Implement a Data Use Agreement
    Appendix 8: Determine Whether Your Practice Participates in an Organized Health Care Arrangement (OHCA)
    Bibliography

Section 3: Security Rule Manual
  Introduction to the Health Insurance Portability and Accountability Act (HIPAA) Security Rule Manual
    Step-By-Step Guide to the Security Rule
      Step 1: Read the Overview of the Privacy Rule
      Step 2: Appoint a Security Official/Prepare and Implement Job Responsibilities
      Step 3: Perform a Risk Analysis
      Step 4: Determine If Computer System Is Capable of Providing Electronic/Audit Trails; Implement Audit Control Policies and Procedures
      Step 5: Develop Workforce Clearance Procedures and Means of Implementing Clearance Requirements for Employees Who Access EPHI
      Step 6: Design and Implement User Identification and Authentication Policies and Procedures for Electronic Information Systems
      Step 7: Implement Automatic Log-Off Processes
      Step 8: Implement Transmission Security/Encryption Technology
      Step 9: Install Protection From Malicious Software; Report Security Incidents
      Step 10: Implement Firewall Technology
      Step 11: Review and Implement Computer Backup Policies and Procedures
      Step 12: Develop Security Incident Policies and Procedures
      Step 13: Implement Facility Maintenance Log
      Step 14: Develop Facility Security and Contingency Plans
      Step 15: Develop a List of Business Associates and Implement Agreements
      Step 16: Create Computer Workstation Use Policies and Procedures
      Step 17: Document and Train All Physicians and Staff on the Security Policies and Procedures
      Step 18: Obtain Signed Workforce Confidentiality Agreements From All Physicians and Staff
      Step 19: Monitor Compliance With the Security Rule
      Step 20: Evaluate All Policies and Procedures Periodically
      Step 21: Create Workforce Termination Procedures
      Step 22: Implement Sanction Policy
    Exhibits
      Exhibit 1: Security Official Job Responsibilities
      Exhibit 1A: Privacy and Security Official Job Responsibilities
      Exhibit 2: HIPAA Security Rule Standards Matrix and Risk Analysis
      Exhibit 3: Sample Audit Trails Policy and Procedures
      Exhibit 4: Sample Event Record
      Exhibit 5: Sample Policy for User Identification (User ID) and Authentication
      Exhibit 6: Sample Anti-Virus Policies and Procedures
      Exhibit 7: Security Incident Report
      Exhibit 8: Sample Backup Policy and Procedure
      Exhibit 9: Sample Security Incident Policies and Procedures
      Exhibit 10: Sample Security Incident Log
      Exhibit 11: Facility Maintenance Log
      Exhibit 12: Sample Contingency Policy and Procedure
      Exhibit 13: Contingency Plan Steps
      Exhibit 14: Listing of Typical Business Associates
      Exhibit 15: A Medical Practice Guide for the Security Official to Identify Business Associates That Access PHI
      Exhibit 16: First Amendment to Business Associate Agreement
      Exhibit 17: Sample Policy and Procedures on Workstation Use
      Exhibit 18: Security Policy Training Checklist
      Exhibit 19: Training Documentation Form
      Exhibit 20: Workforce Confidentiality Agreement
      Exhibit 21: Sample Workforce Termination Procedures
      Exhibit 22: Workforce Termination Checklist
      Exhibit 23: Sample Sanction Policy
    Appendix 1: Addressable Specifications
    Appendix 2: An Example of the Scalability of the Security Standard
    Bibliography

Section 4: Additional Resources

Section 5: Glossary
Paperback | 362 pages | English
1st edition | Published in 2003