Risk Assessment & Security Standards

All health care providers must assess potential risks and vulnerabilities to individual patient health data in their possession, and they must also develop, implement, and maintain appropriate security measures. This section of the HIPAA regulations addresses the measures that involve these requirements.

Administrative Procedures

Administrative procedures are used to protect data security, confidentiality, and availability. These are the documented, formal procedures for selecting and implementing information security measures. The procedures also address staff responsibilities for the protection of patients' personal health information. This section addresses the Administrative and Supporting requirements of the HIPAA Regulations.

Physical Safeguards For Data Integrity & Confidentiality

These safeguards protect physical computers and/or systems and related buildings and equipment from fire and other environmental hazards, as well as intrusion and catastrophic failure. The use of locks, keys, and administrative measures used to control access to computer systems and facilities is also included. This section addresses the requirements of Physical Safeguards of Data found in the HIPAA regulations.

Code Sets

If you currently conduct (or plan to conduct in the future) transactions and exchange information "on-line" with health plans, you have until October 16, 2002 to adopt and communicate in the HIPAA-required standard formats for electronic transactions. You may, however, delay your compliance with the Transaction Standards by one full year until October 16, 2003. To qualify for the deadline extension, you must submit a compliance plan to the Secretary of the U.S. Department of Health and Human Services by October 16, 2002. The plan must include a budget, schedule, work plan, and implementation strategy for achieving compliance.

The Privacy Rule

As soon as HIPAA became law, it also gave Congress 36 months to pass Privacy legislation. If Congress failed to come up with legislation, the law authorized the Department of Health and Human Services (DHHS) to promulgate final regulations to protect patient privacy. Congress did not meet its deadline, so the Department of Health and Human Services (DHHS) published proposed standards for individually identifiable health information on November 3, 1999.

In a nutshell, the Privacy standards outline specific rights for individuals regarding protected health information and obligations of health care providers.

The Privacy Rule basically provides these results:
- It requires that authorized allowable health information must be used and easily shared for treatment and payment for health care.
- It allows health information to be disclosed without patient authorization for certain purposes such as research, public health, and oversight, but only under defined circumstances.
- It requires written authorization for use and disclosure of health information for other purposes.
- It creates a set of fair information practices to inform patients how their information is used and disclosed, ensure they have access to information about them, and require health care providers to maintain administrative and physical safeguards to protect the confidentiality of health information and guard it from unauthorized access.

Under HIPAA, health care providers are prohibited from using or disclosing health information except as authorized by the patient or specifically permitted by the regulation. It is very important to note that these protections are afforded to health information that identifies a specific individual. A health care provider may use "de-identified" health information in any way it chooses, as long as the identifiers have been "stripped" and nothing is disclosed that would allow the information to re-identify the patient.

HIPAA's Privacy regulations apply to all personally identifiable health information in any format - oral, written or electronic. However, providers who work in an all-paper environment and do not bill electronically or have anyone bill electronically on their behalf are not subject to any of HIPAA's Privacy regulations.

The Security Rule

The HIPAA Security Rule defines the standards and requirements for:
- Organizational practices including physical and logical information security policies and procedures, the designation of an Information Security Officer, and information security education and training programs.
- Technical practices and procedures that control access to individually identifiable health information, require the use of access audit trails, mandate physical security, and dictate software discipline.
- Administrative capabilities which require the presence of Chain of Trust agreements between parties exchanging individually identifiable health information, that internal audits be conducted on a regular basis, and the adherence to policies and procedures relating to security incidents and termination practices as they relate to the access of information.
- Physical safeguards for media control and the security of workstations.
- Technical security services for information access authorization as well as data and entity authentication.

HIPAA's Security regulations apply to all personally identifiable health information in electronic format only. They do not apply to any personally identifiable health information in oral or paper format. Additionally, providers who work in an all-paper environment and do not bill electronically or have anyone bill electronically on their behalf are not subject to any of HIPAA's Security regulations.

Electronic Transactions

HIPAA will create common standards for the transfer of information between health care providers and payers. HIPAA will require the health care industry to accept the following transaction standards for EDI:
- Claims/encounters, eligibility verification, enrollment, and related transactions: American National Standards Institute ANSI X12N
- Pharmacy transactions: National Council for Prescription Drug Programs (NCPDP)
- Diagnoses and inpatient hospital services: International Classification of Diseases, 9th edition, Clinical Modification (ICD-9-CM)
- Procedures: ICD-9-CM Volume 3 and HCFA Common Procedural Coding System (HCPCS)
- Physician services: Current Procedural Terminology (CPT)
- Dental services: Current Dental Terminology (CDT)

Unique Identifiers

The HIPAA regulations require the development and implementation of unique identifiers to identify all health care providers, health plans, employers, and individuals receiving health care services. The Department of Health and Human Services (DHHS) is responsible for assigning them. The health care provider identifier (for health care providers) is the National Provider Identifier. The National Provider Identifier was originally developed by the Health Care Financing Administration (HCFA) for use throughout the Medicare system. It is anticipated that it will consist of 10 numbers with the last digit being a "check digit".

The employer identifier (for health care employers) will probably be the same Employer Identification Number (EIN) currently being used by the Internal Revenue Service. The EIN has nine numeric positions.

The most controversial of the proposed identifiers is the national individual identifier. It is currently in limbo pending final completion of the HIPAA privacy and security regulatory initiatives. However, it is commonly speculated that this identifier will consist of as many as ten numbers, also with a "check digit". Currently the funding for development of a national individual identifier is on hold, too. According to DHHS, opinion about the unique identifier for individuals is deeply divided. The Clinton-Gore Administration deemed it wise to wait on the establishment of an individual identifier until after the other HIPAA security and privacy provisions were in place. Since the intent of the individual identifier is to positively identify the individual's health information across the health care continuum, adequate security and privacy measures will need to be in place first to ensure no loss in privacy or security occurs with the use of the individual identifier.

CAL HIPAA will continue to bring you updates concerning these HIPAA issues.