How to Document Decision Not to Adopt ‘Addressable’ Implementation Specification Insider

J U LY
2 0 0 3
How to Document Decision
Not to Adopt ‘Addressable’
Implementation Specification . . . . . . . 1
If you decide not to adopt an addressable
implementation specification, you’ll have
to document this decision, your reasons
for it, and the measures you chose to
meet the standard. We’ll tell you how.
Example of Documentation of
Security Decision (p. 3)
In the News . . . . . . . . . . . . . . . . . . . . . . 5
NIST Proposes New Security
Standards
Capitalize on Your Privacy Efforts
to Get Started on Security
Compliance . . . . . . . . . . . . . . . . . . . . . . 5
Are you dreading the thought of
tackling the security regs? It may
not be as bad as you think. We’ll tell
you how your privacy compliance
efforts will give you a leg up on
security compliance.
Model Form: Chart Similarities
Between Security and Privacy
Regulations (p. 7)
Ask the Insider . . . . . . . . . . . . . . . . . . . 8
Reporting ‘Encounter Information’
IN FUTURE ISSUES
■
How to Perform a HIPAA Security
Risk Analysis
■
Tips on Updating Your Information
Systems with Patches
■
How to Test Your Electronic
Transactions for TCS Compliance
How to Document Decision
Not to Adopt ‘Addressable’
Implementation Specification
In the April issue of the Insider (p. 1), we explained the difference between
the required and addressable implementation specifications in the HIPAA
security regulations. You must implement the required specifications, but you
may choose not to implement an addressable specification if you determine
that it isn’t reasonable or appropriate for your organization and that you’ll still
meet the security standard it applies to.
If you decide not to implement an addressable specification, the security
regulations require you to document this decision and your rationale behind it.
Good documentation also shows that your security decisions were sound and
reasonable—and this can protect your organization against lawsuits as well as
compliance problems, says health information attorney Susan Miller.
We’ll explain what the HIPAA security regulations’ documentation requirement involves, and how to meet it. We’ve also given you an example of
how you would document your decision not to implement an addressable
implementation specification (see p. 3). You can use this example as a basis
when you document your own decisions.
What the Regulations Say
The security regulations require you to implement certain standards and set
implementation specifications for most of those standards. But if an implementation specification for a particular standard is addressable, you don’t
have to implement the specification if it isn’t reasonable or appropriate for
your organization—and if you’ll still meet the standard.
If you decide not to implement an addressable specification, the security
regulations require you to document your decision. In that case, the regulations give two choices: You must either:
■ Adopt an alternative measure “that accomplishes the same end.” For
example, say a small practice keeps all its electronic protected health information (EPHI) on-site. The access control standard in the regulations includes
encryption as an addressable implementation specification. Instead of implementing this specification, the practice could opt to keep its computers in a
secure area and restrict access through user IDs and passwords; or
■ Adopt neither the specification nor an alternative if you find that neither is reasonable or appropriate. For example, say a sole practitioner has one
desktop computer. The practitioner may think it’s unreasonable to encrypt
(continued on p. 2)
2
HIPAA
SECURITY
COMPLIANCE
INSIDER
JULY 2003
ADDRESSABLE IMPLEMENTATION SPECIFICATION (continued from p. 1)
BOARD OF ADVISORS
M. Peter Adler, Esq.,
LLM, CISSP
Foley & Lardner
Washington, DC
Margret Amatayakul,
RHIA, CHPS, FHIMss
Margret\A Consulting, LLC
Schaumburg, IL
Reece Hirsch, Esq.
Sonnenschein, Nath &
Rosenthal
San Francisco, CA
Gwen Hughes, RHIA
Care Communications
Chicago, IL
Chris Apgar, CISSP
Sybil Ingram-Muhammad,
MBA, PhD
Providence Health Plan
Beaverton, OR
Intellimark
Stone Mountain, GA
Peter Bartoli, CTO
Robert P. Laramie
Alphafight Heavy Industries New Tech Consultancy, Inc.
San Diego, CA
N. Andover, MA
Joan Boyle
Richard D. Marks, Esq.
TriZetto Group, Inc.
Newport Beach, CA
Davis Wright Tremaine LLP
Washington, DC
Michael Ebert, CPA, CISA
Susan A. Miller, Esq.
NCO Group
Horsham, PA
HIPAA Certified, LLC
Concord, MA.
Steven M. Fleisher, Esq.
Miriam Paramore
Fleisher & Associates
Alamo, CA
E-Commerce for Healthcare
Louisville, KY
Tom Hanks
Harry E. Smith, CISSP
PricewaterhouseCoopers
LLP
Chicago, IL
PrivaPlan Associates, Inc.
Lakewood, CO
Robert M. Tennant
Medical Group Mgmt. Assn.
Washington, DC
Editor: Amy E. Watkins, Esq.
Executive Editors: David B. Klein, Esq.,
Nicole R. Lefton, Esq., Susan R. Lipp, Esq., Janet Ray
Senior Editors: Nancy Asquith, Heather Ogilvie
Copy Editors: Cynthia Gately, Graeme McLean
Proofreader: Lorna Drake
Production Director: Mary V. Lopez
Senior Production Associate: Sidney Short
Production Associate: Jennifer Chen
Director of Planning: Glenn S. Demby, Esq.
New Projects Editor: Rebecca L. Margulies, Esq.
Dir. of Ref./Information Development: John D. Boyd
Marketing Director: Peter Stowe
Associate Marketing Director: Ellen Teatsorth
Director, List Services: Denise M. Fisher
Marketing Mgrs.: Christine Chan, Michael F. Sherman,
Stephen Sullivan
Data Processing Manager: Rochelle Boorstein
Sales Manager: Joyce Lembo
Customer Service Reps.: B. Maslansky, H. Therezo
Director of Operations: Michael Koplin
Fulfillment Supervisor: Edgar A. Pinzón
Financial Manager: Janet Urbina
Asst. Office Manager: Maria Safina
Publisher: George H. Schaeffer, Esq.
Owners: Andrew O. Shapiro, Esq.,
John M. Striker, Esq.
Subscriptions: HIPAA Security Compliance Insider is
published monthly. Subscription rate: $297 for 12 monthly
issues. Address all correspondence to: Brownstone
Publishers, Inc., 149 Fifth Ave., New York, NY 10010-6801.
Tel.: 1-800-643-8095 or (212) 473-8200; fax: (212) 473-8786;
e-mail: [email protected]
Disclaimer: This publication provides general coverage of
its subject area. It is sold with the understanding that the
publisher is not engaged in rendering legal, accounting, or
other professional advice or services. If legal advice or
other expert assistance is required, the services of a competent professional should be sought. The publisher shall
not be responsible for any damages resulting from any
error, inaccuracy, or omission contained in this publication.
© 2003 by Brownstone Publishers, Inc. No part of this publication may be reproduced or transmitted in any form or by
any means, electronic or mechanical, including photocopying, recording, or any information storage and retrieval system, without written permission from the publisher.
information or use password protection to make sure that only authorized
people have access to EPHI. Instead, he may decide that he has met the standard by simply locking his office door and keeping the computer away from
public access.
Whether you implement an alternative or not, you’ll need to document
your decision, notes Miller.
What You Should Document
According to the preamble to the security regulations, what you document
depends on the scenario:
Alternative measure. If you decide to implement an alternative measure
instead of the addressable implementation specification, you must document:
■ The decision not to implement the addressable implementation specification;
■ The rationale behind this decision—that is, why it wouldn’t be reasonable or appropriate for your organization to implement the specification; and
■ The alternative measure you did implement, and how it will help your
organization meet the particular security standard.
No specification or alternative. If you decide to implement neither the
addressable implementation specification nor an alternative measure, you must
document:
■ The decision not to implement the addressable implementation specification;
■ The rationale behind rejecting the specification—that is, why you considered the measure unreasonable or inappropriate; and
■ How your organization is meeting the particular standard.
When to Document
Documentation isn’t something you can provide after the fact. It needs to be
part of the decision-making process, Miller advises.
For example, during formal board meetings, your board of directors may
make decisions about implementing addressable specifications. Your minutes
could note the discussion, and you could then attach the appropriate documentation to the minutes. “Trying to go back later to reconstruct a documentary
record of the process and resulting decision would be extremely difficult,”
cautions Miller.
What Information to Include
Your documentation must capture all the information the HIPAA security regulations require. Our example shows how to do this. It deals with encryption,
which is an addressable implementation specification under the transmission
security standard. This standard requires organizations to “implement technical
security measures to guard against unauthorized access to” EPHI transmitted
over an electronic communications network.
(continued on p. 4)
© 2003 by Brownstone Publishers, Inc. Any reproduction is strictly prohibited. For more information call 1-800-643-8095 or visit www.brownstone.com
JULY 2003
HIPAA
SECURITY
COMPLIANCE
INSIDER
3
Example of Documentation of Security Decision
Here’s an example of the documentation you might use to back
up your decision to reject an addressable (that is, not required)
implementation specification. This example deals with encryption, which comes under HIPAA’s security regulations’ transmission security standard.
That standard requires you to implement technical security
measures to guard against unauthorized access to electronic
protected health information (EPHI) that’s being transmitted
over an electronic communications network.
The example documents what criteria you used to assess
compliance with the standard, any gaps you found in your current security, the risks of those gaps, your options for addressing the risks, and the decision you made.
ENCRYPTION
CURRENT STATE ASSESSMENT CRITERIA
To ensure:
1. That EPHI that is transmitted electronically is not vulnerable to interception by unauthorized persons; and
2. That XYZ Insurance Company’s policies and procedures
address HIPAA security requirements.
CURRENT STATE SECURITY ASSESSMENT
Readily available network access to claims information by
clearinghouses and health care providers is a benefit to XYZ
Insurance Company and its insureds, as well as the organizations that do business with them. It promotes good business relations and serves as a cost-efficient tool that allows
the company’s customer service department to be dedicated to more specific and unique tasks.
The following gaps in security have been observed:
■ There is no organization-wide policy governing access to
PHI by health care clearinghouses and providers. Sometimes information is e-mailed to other organizations,
other times the organizations are given access to the private value-added network containing EPHI and claims
information;
■
Right now, e-mail transmissions of EPHI over the Internet
to clearinghouses and providers are not protected and
could be intercepted by unauthorized users.
RISK ASSESSMENT
The risk of interception of claims information by unauthorized users over an open network is high, and the consequences of that interception are substantial. E-mail
transmissions can be intercepted, allowing others to gain
access to EPHI. XYZ Insurance Company has no way of
knowing who has intercepted the e-mail transmission and
gained access to EPHI. Intercepted information substantially increases the risk of wrongful disclosure of customer
health information. Improperly secured information subjects XYZ Insurance Company to penalties, possible civil
and/or criminal action, including imprisonment, and
irreparable harm to its reputation and public sense of trust.
OPTIONS AND CONSEQUENCES
and providers. Consequence: Information is protected if it
is intercepted, but computer response time slows down
considerably as a result of each claim that needs to be
encrypted.
Option #2 (Alternative):
Limit electronic communications involving EPHI to the existing value-added Web link for each clearinghouse and
provider, which permits unencrypted information to flow
only to that organization. Clearinghouses and providers will
be given authentication codes to ensure that they are entitled to access and receive claims information. Consequence:
Unauthorized third parties will not have access to information if it is intercepted, and computer systems remain at
optimum speed.
DECISION
To comply with HIPAA and protect the security of EPHI, XYZ
Insurance Company must implement technical policies and
procedures for electronic information systems that maintain
EPHI to allow access only to those persons or software programs that have been granted access rights.
XYZ Insurance Company’s board of directors has decided
to adopt Option #2 as an alternative to the implementation specification in HIPAA’s security regulations suggesting encryption as a method of access control. Option #2
establishes reasonable and appropriate measures and
demonstrates XYZ Insurance Company’s commitment to
protect against unauthorized access to EPHI. Specifically,
Option #2 allows access of EPHI to only those organizations that are authorized to receive it and allows XYZ
Insurance Company to meet its legal and business obligations to keep EPHI secure.
Encrypting the information as outlined in Option #1 is not
reasonable or appropriate. The slowed computer time is
prohibitive and would have a negative impact on XYZ Insurance Company’s ability to operate at an effective level.
While encrypting information pursuant to Option #1 over an
open or closed network would provide a higher degree of
protection from unauthorized access to EPHI, such instances
of unauthorized access are unlikely to occur, and the measures outlined in Option #1 would amount to overkill. The
small likelihood of unauthorized access through a closed
network would not justify the negative business effects
associated with encryption.
Option #1 (Implementation Specification):
Encrypt all information made available to clearinghouses
© 2003 by Brownstone Publishers, Inc. Any reproduction is strictly prohibited. For more information call 1-800-643-8095 or visit www.brownstone.com
4
HIPAA
ADDRESSABLE IMPLEMENTATION
SPECIFICATION (continued from p. 2)
In our example, a health care
insurer considers how to provide
clearinghouses or providers with the
necessary access to claims information. The insurer already has a private
“value added” network in place that
includes access controls such as
authentication, but it also regularly
e-mails information over the Internet.
Our documentation example
shows how the insurer would document its decision to limit electronic
communications involving EPHI to
the private network connection,
instead of meeting the standard by
encrypting information transmitted
over an open network.
Like our example, your documentation should cover the following
points:
Assessment criteria. List the criteria you’re using to assess your current degree of compliance with a
particular standard—in this case,
transmission security. Our example’s
assessment criteria are ensuring that
EPHI transmitted electronically isn’t
vulnerable to interception, and that
the organization’s policies and procedures address HIPAA security
requirements.
Gaps found. Next, assess your
organization’s compliance with the
standard in light of the criteria, and
document any problems or security
gaps you identified. For instance, our
example says that two gaps in transmission security were identified:
■ The lack of an organizationwide policy governing access to
SECURITY
COMPLIANCE
INSIDER
claims information by clearinghouses
and providers; and
■ Possible interception of data
transmitted via an open network like
the Internet.
Risk assessment. Then, identify
the risks created by the security gaps
you found. For instance, our example
says that the organization determined
that the risk of interception by unauthorized persons of e-mails containing
EPHI is high and that this risk must
be addressed to meet the transmission
security standard.
Options and consequences. List
the various security options available
to you to address the security risks
you’ve found. You should include the
consequences of each option, as well
as the cost. One of these options
should be the addressable implementation specification listed in the security regulations.
So our example considers encryption but notes that it would slow up
the computer system unnecessarily.
Next, our example documents an
alternative: to limit electronic communications that include EPHI to the
closed network and allow access only
to authorized individuals.
Decision. Finally, indicate your
decision, and explain why you determined the addressable implementation
specification would be an unreasonable and/or inappropriate security
measure. Don’t just say that you
rejected the specification because it
was too difficult or expensive to
adopt. Explain why you reached that
conclusion.
If you choose to implement an
alternative security measure, describe
JULY 2003
it and explain why it was more reasonable and appropriate for your organization, and how it will help you meet
the security standard in question.
In our example, the board determined that encryption wasn’t appropriate because limiting access to EPHI
was sufficient. A closed network link
between the insurance company and
the clearinghouse or provider would
provide the control the insurance company needed over its data while allowing a limited set of outsiders to access
it, but only after the outsider’s identity
had been authenticated. Encryption
would be overkill.
“You don’t need to implement
every addressable specification,” says
Harry Smith, a HIPAA consultant.
“But if you don’t, you’d better have a
good reason for it.” According to
Smith, encryption would be appropriate to protect a transmission link that
you can’t control or to make data
unreadable in the event of media theft,
like a stolen laptop. But it’s inappropriate and unnecessary for closed networks that have access control.
You should also attach to your documentation, copies of any letters or
other documents you get from an attorney or consultant who gives you advice about your options. That could
help you argue that you relied on expert advice. Get your attorney’s approval, though, before attaching any
letters or documents, since they could
affect your legal rights in the future. ■
Insider Sources
Susan Miller, Esq.: Vice President, HIPAA
Certified, LLC, 276 Harrington Ave., Concord,
MA 01742.
Harry Smith, CISSP: Vice President of Product Development, PrivaPlan Assocs., Inc.,
10300 W. 23rd Ave., Lakewood, CO 80215.
© 2003 by Brownstone Publishers, Inc. Any reproduction is strictly prohibited. For more information call 1-800-643-8095 or visit www.brownstone.com
JULY 2003
HIPAA
SECURITY
I N
COMPLIANCE
T H E
5
INSIDER
N E W S
NIST Proposes New Security Standards
The National Institute of Standards and Technology (NIST)
recently released a draft Federal Information Processing
Standards Publication entitled Standards for Security Categorization of Federal Information and Information Systems
(FIPS Pub 199). The draft defines the minimum criteria
that federal agencies must use to categorize information
and information systems according to a range of risk levels.
The draft establishes and defines three potential levels
of risk (low, moderate, and high) for commonly recognized
objectives (confidentiality, integrity, and availability) relevant to securing federal information and information systems. It also discusses risk assessments and their purpose,
and could be used as a “best practices” standard for your
security compliance efforts.
Why should you care about this development? Because
the HIPAA security regulations refer to NIST publications
as guidelines for implementing the regulations’ requirements. In the preamble to the HIPAA security regulations,
HHS encourages health care organizations to monitor
NIST activities and provide comments and suggestions
when NIST requests them.
Comments on the draft are due by Aug. 14 and can be
e-mailed to [email protected]
Insider Says: You can find draft FIPS Pub 199 at www.
csrc.nist.gov/publications/drafts/FIPS-PUB-199-ipd.pdf. ■
Capitalize on Your Privacy Efforts to Get Started
on Security Compliance
After sorting through the maze of
HIPAA privacy regulations, the idea
of tackling the HIPAA security regulations may seem overwhelming. But
it might not be as bad as you think.
“There’s a lot of overlap between the
privacy and security regulations,” says
health information security attorney
M. Peter Adler. For example, both
sets of regulations require health care
organizations to have security measures in place to protect the confidentiality of health information. And both
regulations allow a health care organization to scale its compliance efforts
to the organization’s individual size
and complexity, says HIPAA consultant Tom Hanks.
There are differences. For example, the security regulations are much
more specific than the privacy regulations about the types of security
measures that health care organizations must implement. And the security regulations apply only to protected
health information (PHI) that’s elec-
tronic—EPHI. But if your organization has complied with all of the privacy regulations’ requirements, you’re
closer to complying with the security
regulations than you think.
We’ll explain some of the key
similarities between the HIPAA privacy and security regulations. And on
p. 7, we’ve given you a Model Form
that shows these similarities. Use it
to pinpoint where the hard work your
organization has already done on
HIPAA privacy compliance can give
you a head start on complying with
the security regulations. According to
Hanks, organizations that have complied with the privacy regulations will
already have done much of what the
security regulations require.
Key Similarities Between
Privacy and Security Regs
Here’s a list of some of the main similarities between the privacy and security regulations. We also point out some
areas where your organization’s previous privacy compliance efforts can help
ease its security compliance burden.
Compliance officer. Like the privacy regulations, the security regulations require your organization to
identify one individual to be responsible for the development and implementation of policies and procedures
to comply with the regulations. In
some organizations, especially larger
ones, this responsibility for the security regulations will fall on the chief
security officer, or someone who
oversees all aspects of physical, administrative, and technical security.
But the privacy officer might also
take on this responsibility, especially
in smaller organizations where the
privacy officer is familiar with, or has
even created, many of the security
policies and procedures, says Hanks.
‘Minimum necessary’ access.
The HIPAA security regulations
require you to implement workforce
(continued on p. 6)
© 2003 by Brownstone Publishers, Inc. Any reproduction is strictly prohibited. For more information call 1-800-643-8095 or visit www.brownstone.com
6
HIPAA
SECURITY COMPLIANCE (continued from p. 5)
procedures ensuring appropriate access to EPHI. You also have to have
access controls in place to prevent
unauthorized users from obtaining
access to EPHI. This is very similar
to the HIPAA privacy regulations’
“minimum necessary” requirements,
which bar an organization from using
or disclosing more PHI than is necessary for an authorized business purpose, says Adler.
Many organizations we looked at
have already created data access
policies to comply with the privacy
regulations’ minimum necessary
requirements. These policies restrict
employees’ access to only the PHI
they need to perform their jobs. If
your organization has created these
policies—and you’ve put into place
the safeguards required by the privacy regulations—you’ve already
started to meet the security regulations’ requirements.
Policies and procedures. Both the
privacy and security regulations require organizations to implement written policies and procedures to protect
the confidentiality of health information. And even though the security
regulations apply only to EPHI, experts agree that as a practical matter,
you should also have security policies
in place to protect all PHI to meet the
privacy regulations. “You can’t have
privacy without security,” says Hanks.
If you want to keep your PHI private,
you’re going to have to put some security measures in place to protect it,
like installing locks, restricting access,
and using passwords.
Example: The security regulations
require organizations to implement
facility access controls to limit physical access to EPHI and the facility
that houses it. But to meet the privacy
regulations, you should already have
controls in place that limit access to
SECURITY
COMPLIANCE
INSIDER
your facility and PHI. By limiting
access to all PHI, you’re already limiting access to EPHI.
Insider Says: Even though the privacy and security regulations have
many similarities, go through each
standard in the security regulations to
make sure you’re meeting the entire
standard. The security regulations
have specific security requirements
that the privacy regulations don’t include. Also, the privacy regulations
focus on limiting access, not granting
it, says Hanks. For instance, the facility access control standard not only
requires that you limit access to your
facility, it also requires you to ensure
that authorized access is granted. This
means that you can’t just put a lock on
your door that keeps all users—even
authorized ones—out of your facility.
And if your lock is electronic, you
must have a way of ensuring access in
the event of, say, a power failure, or if
a physician forgets his key.
Retention policy. Both sets of
regulations require you to retain your
policies and procedures—and documentation of most communications
and activities required by each regulation—for six years from the date of
creation or the date last in effect,
whichever is later, says Adler. So you
can probably just amend your retention policy that you created to comply
with the privacy regulations so that it
refers to your security policies and
procedures, he adds.
Training and awareness. The
security regulations require you to
implement a “security awareness and
training program” for all members of
your workforce, including management. The privacy regulations go a little further, says Adler, requiring you
to train your workforce on your actual
privacy policies and procedures. Basically, it’s the same thing, he explains.
“You need to ensure compliance with
JULY 2003
both sets of regulations. And you
can’t do that unless you train your
employees about your privacy and
security policies and procedures.”
If you’re in compliance with the
privacy regulations, you’ve already
established a mechanism to train the
members of your workforce on your
privacy policies and procedures. As
you go through your security policies
and amend them or adopt new ones to
comply with the security regulations,
you can just incorporate those topics
into your existing training routine,
suggests Hanks.
Sanctions. Both sets of regulations
require you to apply sanctions against
members of your workforce who fail
to comply with your policies and procedures implementing the regulations.
To meet the security regulations’ requirements, you can use the sanctions
policy created to comply with the privacy regulations, says Adler.
But be sure to review the sanctions
policy and revise it, if necessary, to
meet the security regulations’ requirements. For example, the security regulations require your organization to
identify and respond to suspected or
known security incidents, says Adler.
But you can’t respond to an incident
that you don’t know about. So you
should require members of your workforce to inform you of these security
incidents, and sanction them if they
don’t. “For example, if an employee
becomes aware of password sharing,
then you need to have a process and
procedure in place to report the incident,” says Hanks.
Business associate agreements.
The privacy and security regulations
each require organizations to obtain
satisfactory assurances—primarily
through a business associate agreement—that the people with whom
they do business will appropriately
safeguard their customers’ health
© 2003 by Brownstone Publishers, Inc. Any reproduction is strictly prohibited. For more information call 1-800-643-8095 or visit www.brownstone.com
JULY 2003
HIPAA
information. Both sets of regulations
are very specific about what must be
included in the business associate
agreement, says Hanks. But the security regulations apply only to business
associates who deal with EPHI.
To meet the privacy regulations,
you should already have created contracts for business associates who deal
with all types of PHI. This should
make it easy to figure out which
agreements now need to be revised to
comply with the security regulations.
SECURITY
COMPLIANCE
7
INSIDER
Make a list of business associates and
then place a checkmark next to the
persons or organizations who create,
receive, maintain, or transmit EPHI—
as opposed to just PHI—from you.
Those are the contracts that you’ll
need to amend by April 21, 2005—
the security regulations’ compliance
date—to meet the additional requirements of the security regulations.
Insider Says: Don’t let the similarities between HIPAA’s privacy and
security regulations lull you into a
false sense of security, warns Adler.
The security regulations require you
to conduct a risk analysis, which
weighs the potential risks to your
EPHI and the benefits of possible
safeguards against the costs and difficulties of imposing the safeguards.
To conduct a meaningful risk analysis, you must look at each standard
in the security regulations, as well as
each required and addressable implementation specification. “If your risk
(continued on p. 8)
MODEL FORM
Chart Similarities Between Security and Privacy Regulations
Here’s a Model Form that charts some of the key similarities
between HIPAA’s privacy and security regulations. We’ve left
the last column blank so that you can write in the privacy meas-
ures you’ve already taken that will help you now comply with
the HIPAA security regulations. Use this as your first step to
make sure you’re in compliance with the security regulations.
SIMILAR PRIVACY AND SECURITY REQUIREMENTS
PRIVACY REQUIREMENT
COMPARABLE SECURITY
REQUIREMENT
Designate privacy officer
Identify security officer
Establish minimum necessary
criteria for access to PHI
Establish appropriate controls
for access to EPHI
Implement policies and procedures
to protect the privacy of PHI
Implement policies and procedures
ensuring the confidentiality, integrity,
and availability of EPHI
Retain HIPAA documentation
for 6 years from date of creation
or date last in effect, whichever
is later
Retain HIPAA documentation
for 6 years from date of creation or
date last in effect, whichever
is later
Train all workforce members on
privacy policies and procedures
Implement training awareness program
for all members of workforce,
including management
Apply appropriate sanctions
against workforce members
who fail to comply with privacy
policies and procedures
Apply appropriate sanctions
against workforce members
who fail to comply with security
policies and procedures
Obtain satisfactory assurances
that business associates will
safeguard PHI
Obtain satisfactory assurances
that business associates will
safeguard EPHI
PRIVACY STEPS THAT APPLY
TO SECURITY COMPLIANCE
© 2003 by Brownstone Publishers, Inc. Any reproduction is strictly prohibited. For more information call 1-800-643-8095 or visit www.brownstone.com
8
HIPAA
SECURITY COMPLIANCE (continued from p. 7)
analysis concludes that the safeguards you’ve already taken to comply with the privacy regulations are
sufficient, you won’t need to do anything further,” says Adler. “But if the
risk analysis demonstrates that the
SECURITY
COMPLIANCE
INSIDER
safeguards aren’t sufficient, you’ll
have to take additional steps,” he
cautions. Next month, we’ll tell you
how to conduct a HIPAA security
risk analysis. ■
A S K
T H E
JULY 2003
Insider Sources
M. Peter Adler, Esq., LLM, CISSP: Partner,
Foley & Lardner, 3000 K St. NW, Ste. 500,
Washington, DC 20007-5101; [email protected]
law.com.
Tom Hanks: Director, Integration Solutions,
Health Care Practice, PriceWaterHouse Coopers LLP, One N. Wacker, Chicago, IL 60606;
[email protected]
I N S I D E R
The Insider welcomes questions from subscribers. You can 1) send your questions to HIPAA Security Compliance Insider,
Brownstone Publishers, Inc., 149 Fifth Ave., 16th Fl., New York, NY 10010-6801; 2) call (908) 757-2843, and speak with
the editor; 3) fax (908) 757-2844; or 4) e-mail [email protected]
Reporting ‘Encounter Information’
The payor for a number of health plans that my
organization has contracted with just told me that we
must submit a standard claim form not only for all of our
health care claims but also for “encounter information.”
What’s encounter information, and do HIPAA’s transactions
and code sets (TCS) standards require us to report it?
Q
Encounter information is information regarding a
provider’s encounter with the patient, says Kelly
Partin, HIPAA compliance coordinator and privacy officer
for a health plan. You already report encounter information—such as date of patient visit and treatment provided—with each claim form you submit to your payor. But
many HMOs also require health care providers to report
encounter information even if they’re not seeking payment
for the encounter—especially if a capitation arrangement
exists between the HMO and the provider.
A
In a capitation arrangement, the HMO pays the
provider a set amount each month, based on the number of
HMO members who are the provider’s patients. The
provider gets paid the same amount for each patient every
month, regardless of the number of times the provider sees
the patient during that month, Partin explains. “So you
could see a patient 10 times during one month or not at all,
and you would still get $100 or whatever rate you agreed
upon,” she says.
HIPAA’s TCS standards allow, but don’t require, health
care providers to submit electronic claims forms with encounter information, even when the provider doesn’t expect
reimbursement from the HMO. Sending the claim with
encounter information and a $0 claim amount lets the
HMO know that you saw the patient but that you don’t
expect to get paid for the visit.
According to Partin, there are at least three advantages
to sending encounter information to your HMO:
Quality incentive bonuses. The HMO may offer quality incentives for every service you perform. For example,
even though your payment arrangement has been capitated,
you may be entitled to a bonus for each immunization you
perform. You send a $0 claim with encounter information,
and the HMO logs the visit and pays you the immunization
bonus. “You would be amazed at the number of providers
who aren’t aware of this and don’t send in the encounter
information, even though the bonus is spelled out in the
contract,” says Partin.
Reimbursement outside scope of capitation arrangement. Some services may fall outside the HMO’s capitation arrangement and merit additional reimbursement, says
Partin. For example, giving a flu shot may be a covered
service, but not one of the capitated services. If you submit
the encounter information, you should get your capitation
check plus reimbursement for the flu shot.
Avoid inspections. If you don’t submit the encounter
information, the HMO will be required by its accreditation
agency and/or regulatory body to inspect your patient
records to make sure your patients are receiving quality
care. “That means the HMO is going to come in and go
through its members’ records to make sure each member
received his immunizations, blood pressure check, or some
other service,” says Partin. That’s a hassle for you and the
HMO. By reporting each encounter as it occurs, you’ll
avoid the HMO inspection and intrusion at your office. ■
Insider Source
Kelly Partin: HIPAA Compliance Coordinator and Privacy Officer, Botsford Health Plan, 28050 Grand River, Farmington Hills, MI 48336; 1-800479-5122.
© 2003 by Brownstone Publishers, Inc. Any reproduction is strictly prohibited. For more information call 1-800-643-8095 or visit www.brownstone.com