Summary of the major points for compliance with the HIPAA Privacy Rule including how to identify if you're a covered entity, what information is included as PHI, checklist for helping your company comply.
2. Who has to comply with HIPAA Privacy Rules
  • Health Care Providers
  • Health Care Clearinghouses
  • Health Care Plans
Checklist to help your Company become Compliant
  • Awareness & Education – training
  • Project Planning
  • Electronic Transactions
  • Privacy
  • Security
  • National Identifiers
  • General Information – Compliance monitoring, policies and procedures
E Baker, JD, CRCMP
3. #1 An individual, business entity or agency that is a (1) health care provider (HCP), (2) conducting covered transactions, and (3) in electronic form, or
Step 1. Does the person, business entity or agency (i) provide, (ii) bill, or (iii) receive payments for health care (1) in the normal course of business?
  NO → NOT a Health Care Provider.
  YES → go to Step 2.
Step 2. Is the person, business entity or agency conducting a covered transaction (2):
  1. claims,
  2. inquiry about benefit plan,
  3. referral certification or authorization,
  4. claim status,
  5. enrollment/disenrollment,
  6. payment or remittance advice,
  7. premium payment,
  8. coordination of benefits?
  NO → NOT a Health Care Provider.
  YES → go to Step 3.
Step 3. Are the covered transactions transmitted in electronic form? (3)
  NO → NOT a Health Care Provider.
  YES → This IS a Health Care Provider.
4. Footnote 1
Health care is defined as: care, services, or supplies related to the health of an individual. It
includes, but is not limited to, the following:
(1) Preventive, diagnostic, rehabilitative, maintenance, or palliative care, and counseling, service,
assessment, or procedure with respect to the physical or mental condition, or functional status,
of an individual or that affects the structure or function of the body; and
(2) Sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription.
See 45 C.F.R. 160.103.
5. Footnote 2
Covered transactions are transactions for which the Secretary has adopted standards (see 45 C.F.R. Part 162).
If a healthcare provider uses another entity (such as a clearinghouse) to conduct covered transactions in
electronic form on its behalf, the health care provider is considered to be conducting the transaction in electronic
form. A transaction is a covered transaction if it meets the regulatory definitions for the type of transactions as
follows:
45 C.F.R. 162.1101: Health care claims or equivalent encounter information transaction is either of the following:
(a) A request to obtain payment, and necessary accompanying information, from a health care provider to a
health plan, for health care.
(b) If there is no direct claim, because the reimbursement contract is based on a mechanism other than charges
or reimbursement rates for specific services, the transaction is the transmission of encounter information for the
purpose of reporting health care.
6. 45 C.F.R. 162.1201: The eligibility for a health plan transaction is the transmission of either of the
following:
(a) An inquiry from a health care provider to a health plan, or from one health plan to another health
plan, to obtain any of the following information about a benefit plan for an enrollee:
(1) Eligibility to receive health care under the health plan.
(2) Coverage of health care under the health plan.
(3) Benefits associated with the benefit plan.
(b) A response from a health plan to a health care provider's (or another health plan's) inquiry
described in paragraph (a) of this section.
45 C.F.R. 162.1301: The referral certification and authorization transaction is any of the following
transmissions:
(a) A request for the review of health care to obtain an authorization for the health care.
(b) A request to obtain authorization for referring an individual to another health care provider.
(c) A response to a request described in paragraph (a) or paragraph (b) of this section.
45 C.F.R. 162.1401: A health care claim status transaction is the transmission of either of the
following:
(a) An inquiry to determine the status of a health care claim.
(b) A response about the status of a health care claim.
7. 45 C.F.R. 162.1501: The enrollment and disenrollment in a health plan transaction is the transmission of subscriber
enrollment information to a health plan to establish or terminate insurance coverage.
45 C.F.R. 162.1601: The health care payment and remittance advice transaction is the transmission of either of the
following for health care:
(a) The transmission of any of the following from a health plan to a health care provider's financial institution:
(1) Payment.
(2) Information about the transfer of funds.
(3) Payment processing information.
(b) The transmission of either of the following from a health plan to a health care provider:
(1) Explanation of benefits.
(2) Remittance advice.
8. 45 C.F.R. 162.1701: The health plan premium payment transaction is the transmission of any of the following from
the entity that is arranging for the provision of health care or is providing health care coverage payments for an
individual to a health plan:
(a) Payment.
(b) Information about the transfer of funds.
(c) Detailed remittance information about individuals for whom premiums are being paid.
(d) Payment processing information to transmit health care premium payments including any of the following:
(1) Payroll deductions.
(2) Other group premium payments.
(3) Associated group premium payment information.
45 C.F.R. 162.1801: The coordination of benefits transaction is the transmission from any entity to a health plan for
the purpose of determining the relative payment responsibilities of the health plan, of either of the following for
health care:
(a) Claims.
(b) Payment information.
9. Footnote 3
In electronic form means: using electronic media, electronic storage media including memory devices in
computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or
disk, optical disk, or digital memory card; or transmission media used to exchange information already in
electronic storage media.
Transmission media include, for example, the internet (wide-open), extranet (using internet technology to link a
business with information accessible only to collaborating parties), leased lines, dial-up lines, private networks,
and the physical movement of removable/transportable electronic storage media.
Certain transmissions, including of paper, via facsimile, and of voice, via telephone, are not considered to be
transmissions via electronic media, because the information being exchanged did not exist in electronic form
before the transmission.
10. #2 A health care clearinghouse (HCC), or
Step 1. Does the business entity or agency (i) process or (ii) facilitate the processing of health information from nonstandard format or content into standard format, or the reverse? (4) (45 C.F.R. 160.103)
  NO → NOT A HCC.
  YES → go to Step 2.
Step 2. Does the business or agency perform this function for another legal entity?
  NO → NOT A HCC.
  YES → THIS IS A HCC.
11. #3A Is the private benefit plan a “health plan” (HP)?
Step 1. Is the plan (individual or group or combination thereof) the provider or payer of the cost of “medical care”, i.e.:
  a. amounts paid for diagnosis, cure, mitigation, treatment or prevention of disease or for the purpose of affecting any structure or function of the body,
  b. amounts paid for transportation primarily for and essential to medical care in (a), and
  c. amounts paid for insurance covering medical care in (a) and (b)?
  NO → NOT A HEALTH PLAN.
  YES → go to Step 2.
Step 2. Is the plan any of the following? (YES to any → THIS IS A HEALTH PLAN, subject to Step 3; NO to all → NOT A HEALTH PLAN)
  • a “group health plan” – an employee welfare benefit plan (ERISA) that provides medical care to employees directly or through insurance, reimbursement or otherwise and has (1) 50 or more participants and (2) is self-administered (administered by an entity other than the employer that established and maintains the plan) (45 C.F.R. 160.103);
  • a health insurance issuer (licensed to engage in the business of insurance in a state) (45 C.F.R. 160.103);
  • an issuer of a Medicare supplemental policy (42 U.S.C. 1395ss(g)(1));
  • an HMO (45 C.F.R. 160.103);
  • a multi-employer welfare benefit plan (45 C.F.R. 160.103);
  • an issuer of long-term care policies.
Step 3. Exclusions:
  • Is the plan an issuer of long-term care policies that provides ONLY nursing home fixed indemnity policies? YES → NOT A HEALTH PLAN.
  • Does the program provide ONLY excepted benefits (accident or disability income insurance, supplemental to liability, worker’s compensation, etc.)? YES → NOT A HEALTH PLAN.
  NO to both → THIS IS A HEALTH PLAN.
12. #3B Is the government-funded program a “health plan” (HP)?
Step 1. Is the program one of the listed government health plans?
  1. Medicare A, B, C (42 U.S.C. 1395 et seq),
  2. Medicaid (42 U.S.C. 1396 et seq),
  3. Active military personnel health care program (10 U.S.C. 1074 et seq),
  4. Veterans health care (38 U.S.C. Ch. 17),
  5. CHAMPUS (10 U.S.C. 1061 et seq),
  6. Indian Health Care Improvement Act (25 U.S.C. 1601),
  7. Federal Employees Health Benefit Program (5 U.S.C. Ch. 89),
  8. SCHIP (42 U.S.C. 1397 et seq).
  YES → THIS IS A HEALTH PLAN.
  NO → go to Step 2.
Step 2. Is the program an individual or group plan that provides or pays the cost of medical care?
  NO → NOT A HEALTH PLAN.
  YES → go to Step 3.
Step 3. Is the program a high risk pool (as established under state law to provide health insurance coverage or comparable coverage to eligible individuals)?
  YES → THIS IS A HEALTH PLAN.
  NO → go to Step 4.
Step 4. Is the program an HMO?
  YES → THIS IS A HEALTH PLAN.
  NO → go to Step 5.
Step 5. Is the principal activity of the program providing direct health care?
  YES → NOT A HEALTH PLAN.
  NO → go to Step 6.
Step 6. Is the principal activity to make grants to fund providing direct health care (funding health clinics)?
  YES → NOT A HEALTH PLAN.
  NO → go to Step 7.
Step 7. Is the principal purpose other than providing or paying for health care costs (e.g. operating a prison, fellowship program, etc.)?
  YES → NOT A HEALTH PLAN.
  NO → go to Step 8.
Step 8. Does the program provide ONLY excepted benefits (accident or disability income insurance, supplemental to liability, worker’s compensation, etc.)?
  YES → NOT A HEALTH PLAN.
  NO → THIS IS A HEALTH PLAN.
13. NEW TO HIPAA? HIPAA CHECKLIST FOR BECOMING COMPLIANT
(Mark each question Not Started, In Process or Completed.)
Awareness & Education
1. Has your organization had any Awareness Education on HIPAA Regulations and Compliance?
2. Do you monitor or receive automated information regarding changes in HIPAA regulations?
Project Planning
3. Have you selected a Project Manager and Project Team for your HIPAA Project?
4. Have you created a Project Plan?
Electronic Transactions
5. Have you applied for the ASCA Electronic Transaction extension for your organization?
6. Have you completed an inventory of all information systems and work flow processes with regard to Electronic Transactions?
7. Have you compiled a list of vendors, health plans, business associates and trading partners?
8. Have you gathered, reviewed and compared your current billing forms, policies, and procedures to the HIPAA Electronic Claims Transaction and Code Set regulations?
Privacy
9. Has your organization designated an Information Privacy and Security Officer as required by HIPAA?
10. Have you developed a Notice of Information Practices to post in your office and distribute to each patient?
11. Have you gathered, reviewed and compared your current forms, policies, and procedures to the HIPAA Privacy Regulations and State Privacy Regulations?
12. Have you developed policies and procedures that meet the needs of your Human Resources Department with regard to Privacy requirements for the protection of health information of your staff?
13. Have you developed processes for documenting, retaining, distributing and discarding Protected Health Information (PHI) as required by HIPAA?
14. Have you developed processes for receiving, investigating and documenting individual complaints?
15. Have you developed or revised current consent forms for patients in line with HIPAA regulations?
16. Do you have all forms that must be read and signed by patients in languages appropriate to their culture?
Security
17. Has your organization completed a Security Evaluation on the information systems used in conjunction with maintaining your current and future Protected Health Information?
18. Does your organization have virus checking software, firewalls and operating systems that provide encryption and other security measures?
19. Does your organization perform back-ups of your data daily?
20. Does your organization have a Disaster Recovery and Contingency Plan to meet the HIPAA Security Standards?
21. Has your organization developed security policies and procedures with regard to confidentiality statements, individually identifying information system users, passwords, automatic logoff, acceptable use, e-mail, internet usage, authentication of workstations, monitoring and documenting unauthorized access, audit trails of users, sanctions for misuse or disclosure and termination checklists?
22. Has your organization provided for the overall physical security of your information systems, facility, staff, and medical records?
23. Has your organization developed job descriptions for HIPAA required positions and all other positions in your organization?
National Identifiers
24. Have you located, printed and read the Proposed Regulations for National Identifiers, including the National Provider Identifier, National Payer Identifier and National Employer Identifier?
General Information
25. Have you developed a comprehensive training program for your organization’s staff (both present and future) covering all HIPAA standards, including responsibilities and penalties for non-compliance?
26. Does your organization have a Compliance Officer and General Compliance Plan to cover such things as fraud and abuse, codes of conduct, whistle-blower suits, auditing and monitoring, disciplinary standards and personnel issues, responding to problems, investigations and corrective actions?
16. PROTECTED INFORMATION
All "individually identifiable health information" held or transmitted by a covered entity or its business associate,
in any form or media, whether electronic, paper, or oral.
The Privacy Rule calls this information "protected health information (PHI)."
“Individually identifiable health information” is information, including demographic data, that relates to:
• the individual’s past, present or future physical or mental health or condition,
• the provision of health care to the individual, or
• the past, present, or future payment for the provision of health care to the individual,
and that identifies the individual or for which there is a reasonable basis to believe can be used to identify the
individual.
Individually identifiable health information includes many common identifiers (e.g., name, address, birth date,
Social Security Number).
The Privacy Rule excludes from protected health information employment records that a covered entity maintains
in its capacity as an employer and education and certain other records subject to, or defined in, the Family
Educational Rights and Privacy Act, 20 U.S.C. §1232g.
17. De-Identified Health Information.
There are no restrictions on the use or disclosure of de-identified health information.
De-identified health information neither identifies nor provides a reasonable basis to identify an individual.
There are two ways to de-identify information: either
1) a formal determination by a qualified statistician; or
2) the removal of specified identifiers of the individual and of the individual’s relatives, household members, and
employers, which is adequate only if the covered entity has no actual knowledge that the remaining
information could be used to identify the individual.
Required Disclosures.
A covered entity must disclose protected health information in only two situations:
(a) to individuals (or their personal representatives) specifically when they request access to, or an accounting of
disclosures of, their protected health information; and
(b) to HHS when it is undertaking a compliance investigation or review or enforcement action.
18. Permitted Uses and Disclosures.
A covered entity is permitted, but not required, to use and disclose protected health information, without an
individual’s authorization, for the following purposes or situations:
(1) To the Individual (unless required for access or accounting of disclosures);
(2) Treatment, Payment, and Health Care Operations;
(3) Opportunity to Agree or Object – Facility directories and/or Notification and Other Purposes;
(4) Incident to an otherwise permitted use and disclosure;
(5) Public Interest and Benefit Activities – Required by Law, Public Health Activities, Victims of Abuse, Neglect or
Domestic Violence, Health Oversight Activities, Judicial and Administrative Proceedings, Law Enforcement
Purposes, Decedents, Cadaveric Organ, Eye or Tissue Donation, Research, Serious Threat to Health or Safety,
Essential Government Functions or Worker’s Compensation; and
(6) Limited Data Set for the purposes of research, public health or health care operations.
Covered entities may rely on professional ethics and best judgments in deciding which of these permissive uses and
disclosures to make.
19. Authorization.
A covered entity must obtain the individual’s written authorization for any use or disclosure of protected health
information that is not for treatment, payment or health care operations or otherwise permitted or required by the
Privacy Rule.
A covered entity may not condition treatment, payment, enrollment, or benefits eligibility on an individual granting
an authorization, except in limited circumstances.
An authorization must be written in specific terms. It may allow use and disclosure of protected health information
by the covered entity seeking the authorization, or by a third party.
All authorizations must be in plain language, and contain specific information regarding the information to be
disclosed or used, the person(s) disclosing and receiving the information, expiration, right to revoke in writing, and
other data.
A covered entity must limit use and disclosure of information to the minimum amount necessary to accomplish
the intended purpose of the use, disclosure or request.
A covered entity must develop and implement policies and procedures that restrict access to and uses of PHI based upon
the specific roles of employees within the covered entity.
20. Privacy Policies and Procedures. A covered entity must develop and implement written privacy policies and procedures that are consistent with the Privacy Rule.
Privacy Personnel. A covered entity must designate a privacy official responsible for developing and implementing its privacy policies and procedures, and a contact person or
contact office responsible for receiving complaints and providing individuals with information on the covered entity’s privacy practices.
Workforce Training and Management. Workforce members include employees, volunteers, trainees, and may also include other persons whose conduct is under the direct
control of the entity (whether or not they are paid by the entity). A covered entity must train all workforce members on its privacy policies and procedures, as necessary and
appropriate for them to carry out their functions. A covered entity must have and apply appropriate sanctions against workforce members who violate its privacy policies and
procedures or the Privacy Rule.
Mitigation. A covered entity must mitigate, to the extent practicable, any harmful effect it learns was caused by use or disclosure of protected health information by its
workforce or its business associates in violation of its privacy policies and procedures or the Privacy Rule.
Data Safeguards. A covered entity must maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional use or
disclosure of protected health information in violation of the Privacy Rule and to limit its incidental use and disclosure pursuant to otherwise permitted or required use or
disclosure, e.g. shredding documents containing protected health information before discarding them, securing medical records with lock and key or pass code, and limiting
access to keys or pass codes.
Complaints. A covered entity must have procedures for individuals to complain about its compliance with its privacy policies and procedures and the Privacy Rule. The covered
entity must explain those procedures in its privacy practices notice. Among other things, the covered entity must identify to whom individuals can submit complaints at the
covered entity and advise that complaints also can be submitted to the Secretary of HHS.
Retaliation and Waiver. A covered entity may not retaliate against a person for exercising rights provided by the Privacy Rule, for assisting in an investigation by HHS or another
appropriate authority, or for opposing an act or practice that the person believes in good faith violates the Privacy Rule.
Documentation and Record Retention. A covered entity must maintain, until six years after the later of the date of their creation or last effective date, its privacy policies and
procedures, its privacy practices notices, disposition of complaints, and other actions, activities, and designations that the Privacy Rule requires to be documented.
Fully-Insured Group Health Plan Exception. The only administrative obligations with which a fully-insured group health plan that has no more than enrollment data and
summary health information is required to comply are the (1) ban on retaliatory acts and waiver of individual rights, and (2) documentation requirements with respect to plan
documents if such documents are amended to provide for the disclosure of protected health information to the plan sponsor by a health insurance issuer or HMO that services
the group health plan.