HIPAA Tool Kit 2015

HIPAA Tool Kit - Optum360


HIPAA Tool Kit

2015


© 2014 OptumInsight, Inc. Contents–1

Contents

Introduction ..... Introduction-1
  About This Manual ..... Introduction-1
  A Word About “Covered Entities” ..... Introduction-1
  A Brief Refresher Course on HIPAA ..... Introduction-2
  A Brief Update on HIPAA ..... Introduction-2
    Progress Report ..... Introduction-4
    Ongoing Compliance with HIPAA ..... Introduction-8
      Enforcement Rule Changes as Required by the HITECH Act ..... Introduction-9
      Changes to the Breach Notification Rule ..... Introduction-9
      Modifications to HIPAA Privacy Rules for Genetic Information ..... Introduction-10
      Notice of Privacy Practices ..... Introduction-10

HIPAA Privacy Standards ..... 1-1
  What’s in This Section ..... 1-1
  Overview of HIPAA Privacy Requirements ..... 1-2
    Scope of the HIPAA Privacy Standards ..... 1-2
    Notice, Authorization, Accounting, and Amendment ..... 1-2
    Notice and Authorization ..... 1-3
    Patient Requests to Restrict Uses and Disclosures of Protected Health Information ..... 1-3
    Using and Disclosing Protected Health Information ..... 1-3
    The Minimum Necessary Standard ..... 1-4
    Privacy Violations ..... 1-5
    Office for Civil Rights Audits ..... 1-9
    Special Situations ..... 1-31
    Ensuring that Business Associates Comply with the Privacy Rules ..... 1-31
    Documentation Requirements ..... 1-33
    Rules for Accessing and Amending Information ..... 1-35
    Status of the Privacy Rules ..... 1-37
    Effective Date and Compliance Date ..... 1-38
  Monitoring the Impact of the Privacy Rules ..... 1-38
    Understanding Protected Health Information ..... 1-38
    Reviewing HIPAA Privacy Requirements and Model Policies ..... 1-40
    Comparing HIPAA and State Privacy Requirements ..... 1-40
  Examining Users, Uses, and Disclosures of Information ..... 1-41
    Examining Current Privacy Practices ..... 1-41
    Examining How Business Associates Use Information ..... 1-42
  Developing a Strategy for Complying with HIPAA’s Privacy Rules ..... 1-43
    Strategic Considerations ..... 1-43
    HIPAA Privacy Milestones ..... 1-48
    Key Compliance Decisions ..... 1-48
  HIPAA Compliance Work Plan ..... 1-48
    Privacy Policy and Procedure Manual ..... 1-48
    Notice and Authorization Forms ..... 1-49
    Review Minimum Necessary Policies ..... 1-49
    Amend Contracts with Business Associates ..... 1-49
    Procedures to Provide for Access to and Amendment of Protected Health Information ..... 1-49

HTKT.book Page 1 Tuesday, July 23, 2013 3:18 PM


    Complaint Process ..... 1-50
    Documentation Procedures and Systems ..... 1-50
    Conduct Privacy Training Sessions ..... 1-50
    Privacy Audit Program ..... 1-50
    Resources on the Web ..... 1-50

Privacy Model Policies and Procedures ..... 1-51
  What’s in This Section ..... 1-51
  Creating a HIPAA Privacy Compliance Plan ..... 1-52
  Model Policies and Procedures ..... 1-53
    P-1000 General Administrative Policies and Procedures ..... 1-55
    P-1100 Staff Responsibilities ..... 1-56
    P-1200 Staff Training ..... 1-58
    P-1300 Staff Compliance and Sanctions ..... 1-60
    P-1400 Business Associates and Protected Information ..... 1-64
    P-1500 Development and Maintenance of Privacy Policies and Procedures ..... 1-67
    P-1600 Documentation and Record Keeping ..... 1-69
    P-2000 Use and Disclosure of Protected Health Information ..... 1-71
    P-2100 Use and Disclosure of Information for Treatment Purposes ..... 1-72
    P-2200 The Use of Patient Information for Payment Purposes ..... 1-74
    P-2300 The Use and Disclosure of Information for Health Care Operations ..... 1-75
    P-2400 Law Enforcement and Public Health ..... 1-76
    P-2500 Marketing and Fundraising ..... 1-81
    P-2600 Other Disclosure Situations ..... 1-83
    P-2700 Disclosure of Protected Health Information After Death ..... 1-86
    P-2800 Communications and Media Relations ..... 1-87
    P-3000 Notice and Authorization ..... 1-89
    P-3100 Notice of Privacy Practices ..... 1-90
    P-3190 Acknowledgment of the Notice ..... 1-93
    P-3300 Authorization of Use or Disclosure ..... 1-94
    P-3400 Patient Requests for Restrictions on Uses and Disclosures of Confidential Communications ..... 1-98
    P-4000 Personal Representatives, Parents, Spouses, and Others ..... 1-101
    P-4100 Personal Representatives ..... 1-102
    P-4200 Parental Access to Protected Health Information Concerning Children ..... 1-104
    P-4300 Disclosure of Information to Family Members ..... 1-105
    P-4400 Disclosure of Information to Close Personal Friends ..... 1-106
    P-4500 Disclosure of Information in an Emergency Situation ..... 1-107
    P-5000 Patient Access to Health Information ..... 1-109
    P-5200 Amendment of Health Information ..... 1-114
    P-7000 Accounting for Disclosures ..... 1-119
    P-7200 Accounting to Patients for Disclosures of Information ..... 1-120
    P-7300 Information to Be Provided in an Accounting of Disclosures ..... 1-122
    P-7400 Documentation of Accountings Provided to Patients ..... 1-123
    P-7500 Documentation of Disclosures Requiring an Accounting ..... 1-124
    P-8000 Resolution of Complaints and Breaches ..... 1-125
    P-8100 Submission of Complaints ..... 1-126
    P-8200 Complaint Resolution Procedures ..... 1-127
    P-8300 Documentation of Complaints ..... 1-129
    P-8400 Mitigation ..... 1-130


Privacy Model Forms ..... 1-131
  What’s in This Section ..... 1-131
    PF-1000 Notice of Privacy Practices ..... 1-131
    PF-2000 Acknowledgment of Receipt of Notice of Privacy Practices ..... 1-134
    PF-2100 Documentation of Attempt to Obtain Acknowledgment of Receipt of Notice of Privacy Practices ..... 1-135
    PF-3000 Standard Authorization of Use and Disclosure of Protected Health Information ..... 1-136
    PF-3200 Remuneration for Marketing Disclosures ..... 1-138
    PF-3300 Authorization of Disclosure of Protected Health Information by Another Covered Entity for Use by [Name of Organization] ..... 1-139
    PF-3400 Revocation of Authorization for Use and Disclosure of Protected Health Information ..... 1-141
    PF-4000 Request for Confidential Communication of Protected Health Information ..... 1-142
    PF-5000 Request to Inspect or Copy Protected Health Information ..... 1-143
    PF-5100 Approval of Request to Inspect or Copy Protected Health Information ..... 1-144
    PF-5200 Denial of Request to Inspect or Copy Protected Health Information ..... 1-145
    PF-5210 Review of Denial to Permit Inspection or Copying of Protected Health Information ..... 1-147
    PF-6000 Request to Amend Protected Health Information ..... 1-148
    PF-7000 Request for Accounting of Protected Health Information Disclosures ..... 1-150
    PF-8000 Sample Business Associate Agreement Language ..... 1-151

Privacy Training ..... 1-157
  Developing and Implementing Training Programs ..... 1-157
  Instructor’s Guide ..... 1-157
    Section 1: A Hypothetical Case History ..... 1-157
    Section 2: Using and Sharing Information ..... 1-161
    Section 3: Notice of Privacy Practices ..... 1-168
    Section 4: Authorization ..... 1-175
    Section 5: Accountings ..... 1-179
    Section 6: Patient Access to Information ..... 1-181
  Privacy Training Presentation ..... 1-184
  Privacy Refresher Training ..... 1-225
  HIPAA Skills Test—Privacy Regulations ..... 1-226

Privacy Auditing ..... 1-233
  What’s in This Section ..... 1-233
  An Introduction to Auditing ..... 1-233
  Auditing Under HIPAA ..... 1-233
    Manual Auditing ..... 1-234
    Use of Technology in Auditing ..... 1-236
    Audit Plan ..... 1-237
  Helpful Tools ..... 1-237
    Incidental Disclosures Log ..... 1-237
    Walk-Through Form ..... 1-238
    Privacy Notice Review ..... 1-238

Security Regulations In-Depth ..... 2-1
  What’s in This Section ..... 2-1


  Overview ..... 2-2
  General Obligation to Ensure Security ..... 2-3
  Flexibility ..... 2-3
  Administrative Safeguards ..... 2-24
    Administrative Safeguard Standard 1: Security Management Process ..... 2-25
    Administrative Safeguard Standard 2: Assigned Security Responsibility ..... 2-26
    Administrative Safeguard Standard 3: Workforce Security ..... 2-26
    Administrative Safeguard Standard 4: Information Access Management ..... 2-27
    Administrative Safeguard Standard 5: Security Awareness and Training ..... 2-29
    Administrative Safeguard Standard 6: Security Incident Procedures ..... 2-31
    Administrative Safeguard Standard 7: Contingency Plan ..... 2-32
    Administrative Safeguard Standard 8: Evaluation of Compliance ..... 2-36
    Administrative Safeguard Standard 9: Business Associate Contracts ..... 2-36
  Physical Safeguards ..... 2-36
    Physical Safeguard Standard 1: Facility Access Controls ..... 2-36
    Physical Safeguard Standard 2: Workstation Use ..... 2-38
    Physical Safeguard Standard 3: Workstation Security ..... 2-38
    Physical Safeguard Standard 4: Device and Media Controls ..... 2-39
  Technical Safeguards ..... 2-40
    Technical Safeguard Standard 1: Access Control ..... 2-41
    Technical Safeguard Standard 2: Audit Controls ..... 2-42
    Technical Safeguard Standard 3: Integrity Controls ..... 2-43
    Technical Safeguard Standard 4: Person or Entity Authentication ..... 2-44
    Technical Safeguard Standard 5: Transmission Security ..... 2-45
  Business Associate Contracts/Agreements Standard ..... 2-45
  Policies and Procedures Standards ..... 2-47
    Documentation Requirements ..... 2-48
  Breach Notification Interim Final Rule/Final Rule ..... 2-48
    Breach Notification Rule Requirements ..... 2-48
    Effective Date ..... 2-49
    Definitions ..... 2-49
    Clarification of the Phrase ‘Compromises the Security or Privacy of Protected Health Information’ ..... 2-51
    Risk Assessment ..... 2-51
    Techniques for Protecting PHI ..... 2-52
    The Type and Amount of Information Disclosed ..... 2-53
    Limited Data Sets ..... 2-53
    Exceptions to Breach ..... 2-54
    Timing of Breach ..... 2-55
    Notification to Individuals—Timeliness, Content, and Methods ..... 2-55
    Notification by a Business Associate ..... 2-59
    Law Enforcement Delay ..... 2-59
    Administrative Requirements ..... 2-60
    Preemption Over or by State Laws ..... 2-60
    HHS Guidance on Securing PHI ..... 2-60
  How to Respond to a Data Breach—Case Study ..... 2-61
  Red Flags Rule ..... 2-64
    Questions and Answers About the Red Flags Rule ..... 2-65

Security Model Policies and Procedures ..... 2-69
  What’s in This Section ..... 2-69
  Creating a HIPAA Security Compliance Plan ..... 2-71
  Instructions for Using the Model Policies and Procedures ..... 2-71
  Introduction to the Security Policy and Procedure Manual ..... 2-72


  Administrative Policies and Procedures ..... 2-72
    SP-1 Assigned Security Responsibility ..... 2-72
    SP-2 Security Management Process ..... 2-73
    SP-3 Risk Analysis ..... 2-73
    SP-4 Risk Management ..... 2-74
    SP-5 Sanction Policy ..... 2-75
    SP-6 Information System Activity Review ..... 2-75
    SP-7 Workforce Security ..... 2-76
    SP-8 Authorization/Supervision ..... 2-76
    SP-9 Workforce Clearance ..... 2-77
    SP-10 Termination Procedures ..... 2-77
    SP-11 Information Access Management ..... 2-78
    SP-12 Isolating Health Care Clearinghouse Functions ..... 2-78
    SP-13 Access Authorization ..... 2-78
    SP-14 Access Establishment and Modification ..... 2-78
    SP-15 Security Awareness and Training ..... 2-79
    SP-16 Security Reminders ..... 2-79
    SP-17 Protection from Malicious Software ..... 2-80
    SP-18 Log-in Monitoring ..... 2-80
    SP-19 Password Management ..... 2-80
    SP-20 Security Incident Procedures ..... 2-81
    SP-21 Contingency Plan ..... 2-81
    SP-22 Data Backup Plan ..... 2-82
    SP-23 Disaster Recovery Plan ..... 2-82
    SP-24 Emergency-mode Operation Plan ..... 2-83
    SP-25 Testing and Revision Procedures ..... 2-83
    SP-26 Applications and Data Criticality Analysis ..... 2-84
    SP-27 Evaluation ..... 2-84
    SP-28 Business Associate Contracts ..... 2-85
  Physical Safeguards ..... 2-85
    SP-29 Facility Access Controls ..... 2-85
    SP-30 Contingency Operations ..... 2-85
    SP-31 Facility Security Plan ..... 2-85
    SP-32 Access Control and Validation Procedures ..... 2-86
    SP-33 Maintenance Records ..... 2-87
    SP-34 Workstation Use ..... 2-87
    SP-35 Device and Media Controls (see SP-36 and SP-37) ..... 2-88
    SP-36 Disposal ..... 2-88
    SP-37 Media Re-use ..... 2-88
    SP-38 Accountability ..... 2-88
    SP-39 Data Backup and Storage ..... 2-89
  Technical Safeguards ..... 2-89
    SP-40 Access Control ..... 2-89
    SP-41 Unique User Identification ..... 2-89
    SP-42 Emergency Access Procedures ..... 2-90
    SP-43 Automatic Logoff ..... 2-90
    SP-44 Encryption and Decryption ..... 2-90
    SP-45 Audit Controls ..... 2-90
    SP-46 Integrity ..... 2-91
    SP-47 Person or Entity Authentication ..... 2-91
    SP-48 Transmission Security ..... 2-92
    SP-49 Integrity Controls ..... 2-92


SP-50 Encryption ..................................................................................................... 2-92SP-51 Business Associate Contracts/Agreements .............................................. 2-92Breach Notification Sample Policies.................................................................................... 2-93SP-52 Discovery of a Breach ................................................................................... 2-93SP-53 Breach Investigation .................................................................................... 2-93SP-54 Risk Assessment ............................................................................................ 2-94SP-55 Notification .................................................................................................... 2-94SP-56 Breach Information Log ............................................................................... 2-96Red Flag Rules Sample Policies ............................................................................................ 2-96SP-57 Creation of Medical Identity Theft Prevention Program ........................ 2-96SP-58 Identify the Red Flags That Signal Possible Medical Identity Theft ..... 2-97SP-59 Detect Medical Identity Theft As It Occurs ............................................... 2-97SP-60 Prevent and Mitigate Identity Theft .......................................................... 2-98SP-61 Update the Medical Identity Theft Prevention Program ....................... 2-99

Security Forms ..............................................................................................2-101What’s in This Section ...........................................................................................................2-101Compliance Checklist............................................................................................................2-101

Instructions ....................................................................................................................2-101Administrative Safeguards Checklist ........................................................................... 2-104

Security Management Process .................................................................................2-104Assigned Security Responsibility .............................................................................2-107Information Access Management ............................................................................2-110Security Awareness and Training .............................................................................2-111Security Incident Procedures ....................................................................................2-114Contingency Plan .........................................................................................................2-114Testing and Revision Procedures .............................................................................2-117Evaluation ......................................................................................................................2-118Business Associate Contracts ....................................................................................2-119

    Physical Safeguards Checklist ..... 2-120
        Facility Access Controls ..... 2-120
        Workstation Use ..... 2-122
        Workstation Security ..... 2-123
        Device and Media Controls ..... 2-123

    Technical Safeguards Checklist ..... 2-124
        Access Control ..... 2-125
        Audit Controls ..... 2-126
        Integrity ..... 2-127
        Person or Entity Authentication ..... 2-127
        Transmission Security ..... 2-128
        Business Associate Contracts/Agreements ..... 2-128
        Policies and Procedures ..... 2-130
        Documentation Requirements ..... 2-130

Security Training ..... 2-131
Developing and Implementing Training Programs ..... 2-131
Instructor’s Guide ..... 2-131

    Information Security ..... 2-131
    Privacy and Security Training ..... 2-138

Security Training Presentation ..... 2-138
HIPAA Skills Test—Security Regulations ..... 2-151

HIPAA Skills Test—Security .......................................................................................2-155

HTKT.book Page 6 Tuesday, July 23, 2013 3:18 PM


Security Auditing ..... 2-157
What’s in This Section ..... 2-157
What Is Auditing? ..... 2-157
Technical Safeguards ..... 2-157

    Audit Controls ..... 2-158
    Access Control ..... 2-158
    Integrity Controls ..... 2-158
    Authentication ..... 2-159
    Transmission Security ..... 2-159

Physical Safeguards ..... 2-159
    Security Walk-Through Form ..... 2-160

Other Ongoing Monitoring .................................................................................................2-161

Identifiers ..... 3-1
What’s in This Section ..... 3-1
HIPAA Uniform Identifier Requirements ..... 3-1

    Uses of Identifiers ..... 3-1
    Provider Identifiers ..... 3-1
    Employer Identifiers ..... 3-7
    Health Plan Identifiers ..... 3-7
    Impact Assessment ..... 3-8
    Compliance Strategy ..... 3-8
    Continued Compliance with Identifiers ..... 3-8

Identifiers Model Policies and Procedures ..... 3-9
What’s in This Section ..... 3-9
Compliance Checklist ..... 3-9
Model Policies and Procedures ..... 3-10
Resources on the Web ..... 3-10

Transaction Standards ..... 4-1
What’s in This Section ..... 4-1
The Purpose of This Chapter ..... 4-2
A Reminder About “Covered Entities” ..... 4-2
HIPAA Highlights/Review ..... 4-2
Health Plan Requirements ..... 4-3
Mandatory Submission of Claims Electronically to Medicare ..... 4-3
Claims Attachments ..... 4-7
Use of Health Care Clearinghouses ..... 4-8
Content of HIPAA Transaction Standards ..... 4-8
Transaction Standards Approved So Far ..... 4-10
Terms Used in the Transaction Standards ..... 4-12
Electronic Funds Transfer ..... 4-14
Claim Edits and Rejections ..... 4-14

    Interchange Control or ISA Edits ..... 4-14
    GS Edits ..... 4-14
    IG Edits ..... 4-15
    Provider Authorization Edits ..... 4-15
    Payer-Specific Edits ..... 4-15
    Trading Partner EDI Specifications ..... 4-15

Top Errors Found in Medicare Test Submissions ..... 4-16
    Top Errors Found in 5010 Testing ..... 4-16

HIPAA Code Sets ..... 4-17
    The Meaning of ‘Code Sets’ ..... 4-18


    Revisions to the Code Set Regulations ..... 4-18
ICD-10 Code Set ..... 4-20

    Increased Granularity ..... 4-22
    Improving Treatment Management ..... 4-22
    Establishing Better Clinical Outcomes and Treatment Protocols ..... 4-22

ICD-10-CM ..... 4-23
    ICD Structure ..... 4-25
    Coding Guidelines/Instructional Manual ..... 4-25
    ICD-10 Code Structure ..... 4-26

ICD-10-PCS ..... 4-27
    Characters ..... 4-28
    Tables ..... 4-28
    Use of the NDC ..... 4-29

Trading Partner Agreements ..... 4-29
    Responsibilities of Trading Partners ..... 4-30
    Effective Date for Transaction Standards ..... 4-30
    How to Assess HIPAA’s Impact ..... 4-30

Survey of Coding Practices ..... 4-31
Survey of Trading Partners ..... 4-32

Transaction Standards Model Policies and Procedures ..... 4-35
What’s in This Section ..... 4-35
Compliance Checklists ..... 4-35

    Survey of Information Systems ..... 4-35
    Survey of Trading Partners ..... 4-36
    Survey of Coding Practices ..... 4-37

    T-1000 Use of Standard Transactions ..... 4-39
    T-1200 Testing and Certification of Compliance with Federal Transaction Standards ..... 4-42
    T-2000 Trading Partner Agreements ..... 4-43
    T-3000 Updating Code Sets and Practices ..... 4-44
Resources On the Web ..... 4-45

HIPAA Topics ..... 5-1
Access Control ..... 5-1
Access to Data ..... 5-6
Accounting for Disclosures ..... 5-9
Accredited Standards Committee ..... 5-14
Addressable Versus Required ..... 5-15
Administrative Safeguards ..... 5-19
Administrative Simplification ..... 5-20
Administrative Simplification Compliance Act ..... 5-27
Affiliated Covered Entities ..... 5-28
Amendments to PHI ..... 5-29
American Recovery and Reinvestment Act of 2009 ..... 5-31
ANSI ..... 5-35
ASC X12N ..... 5-36
Audit Controls ..... 5-37
Authentication ..... 5-39
Authorization ..... 5-42
Breach Notification ..... 5-44
Business Associate ..... 5-57
CMS ..... 5-70
Code-Set Maintaining Organization ..... 5-71


Code Sets ..... 5-72
Communications Under HIPAA ..... 5-87
Companion Guides ..... 5-93
Complaints/Grievances ..... 5-95
Compliance Dates ..... 5-96
Contingency Plan ..... 5-97
Covered Entity ..... 5-101
Credentials/Certifications ..... 5-105
Data Element ..... 5-107
Data Segment ..... 5-108
Decedents ..... 5-110
De-identified Information ..... 5-111
Designated Record Set ..... 5-114
Device and Media Controls ..... 5-115
Direct Data Entry ..... 5-117
Direct Versus Indirect Treatment Relationship ..... 5-118
Disclosure ..... 5-119
Documentation Requirements ..... 5-123
DSMO ..... 5-124
Electronic Data Interchange (EDI) ..... 5-125
Electronic Media ..... 5-126
Electronic Signatures ..... 5-126
Electronic Transactions ..... 5-128
Emergency Situations ..... 5-129
Employer Identifiers ..... 5-130
Enforcement ..... 5-131
Evaluation ..... 5-147
Facility Access Controls ..... 5-150
Fundraising Under HIPAA ..... 5-153
Genetic Non-Discrimination Act (GINA) of 2008 ..... 5-156
Government Access to Information ..... 5-157
Health Care ..... 5-161
Health Care Clearinghouse ..... 5-166
Health Care Operations ..... 5-169
Health Care Provider ..... 5-172
Health Information ..... 5-176
Health Information Technology for Economic Health (HITECH) Act ..... 5-176
Health Plan ..... 5-177
Health Plan Identifiers ..... 5-181
HHS ..... 5-182
Hybrid Entity ..... 5-186
Implementation Guides ..... 5-188
Implementation Specifications ..... 5-189
Incidental Disclosures ..... 5-191
Individual Identifiers ..... 5-194
Information Access Management ..... 5-196
Information System Activity Review ..... 5-198
Integrity ..... 5-199
Limited Data Set ..... 5-202
Loop ..... 5-205
Marketing Under HIPAA ..... 5-206
Media Re-Use ..... 5-210
Minimum Necessary ..... 5-211


Mitigation ..... 5-212
NCPDP Format ..... 5-213
NDC ..... 5-217
Notice of Privacy Practices ..... 5-218
Organized Health Care Arrangement ..... 5-222
Paper Transactions ..... 5-223
Payment ..... 5-224
Personal Representatives ..... 5-227
Physical Safeguards ..... 5-228
Pre-emption ..... 5-229
Privacy and Litigation ..... 5-234
Privacy Official ..... 5-234
Privacy Rule ..... 5-236
Protected Health Information ..... 5-239
Provider Identifiers ..... 5-240
Psychotherapy Notes ..... 5-241
Red Flags Rule ..... 5-243
Required Safeguards ..... 5-245
Restrictions on Use and Disclosure ..... 5-247
Retail Pharmacy ..... 5-247
Reviews of Compliance by the Office of Inspector General ..... 5-248
Risk Analysis/Management ..... 5-249
Sanction Policy ..... 5-251
Security Incident Procedures ..... 5-252
Security Management Process ..... 5-256
Security Official ..... 5-260
Security Rule ..... 5-263
Security Standards Matrix ..... 5-265
Small Provider Exemption ..... 5-267
Standard Setting Organization ..... 5-267
Standards ..... 5-268
Technical Safeguards ..... 5-269
Trading Partner ..... 5-270
Training Requirements ..... 5-271
Transaction Standards ..... 5-276
Transmission Security ..... 5-288
Treatment ..... 5-290
Uses and Disclosures ..... 5-291
Verification Requirements ..... 5-296
Workforce Security ..... 5-297
Workstation Use/Security ..... 5-299

Index ......................................................................................................... Index-1


P-1200 Staff Training

This section establishes the responsibility for development and updating of staff training programs and materials on privacy policies and procedures. It also establishes the responsibility of all staff members to complete privacy training.

P-1210 Content of Privacy Training Program for Staff

The [title of privacy official] or a staff member designated by the [title of privacy official] will develop a privacy policy orientation and training program.

The purpose of this program is to make sure that all staff members are familiar with the privacy policies and procedures adopted by [name of organization].

The training and orientation program will cover:

◆ The definition and identification of protected health information

◆ Providing the “Notice of Privacy Practices” to all patients and obtaining a written acknowledgment of receipt

◆ Using and disclosing protected health information for treatment, payment, and health care operations

◆ Obtaining authorization, when required, for use and disclosure of protected information

◆ Procedures for handling suspected violations of privacy policies and procedures

◆ Penalties for violations of privacy policies and procedures

◆ Documentation required by the policies and procedures manual

Staff members will:

◆ Receive a summary of the medical practice’s privacy policies and procedures

◆ Have an opportunity to review the policies and procedures manual

◆ Have an opportunity to ask questions about the privacy policies and procedures of [name of organization]

Regulation: 45 CFR 164.530(b)(1). Requires training of all staff members on privacy policies and procedures.

P-1220 Initial Privacy Orientation and Training

All staff members must complete the privacy policy orientation and training program during their probationary period.

1. Completion of the privacy policy orientation and training program will be documented in the employee’s personnel file by the [title of privacy official] or the staff member who conducts the training.

2. Until staff members complete the privacy policy orientation and training program, their supervisors will closely monitor their use and disclosure of protected health information.

3. Prior to the end of a staff member’s probationary period, his or her supervisor should confirm that he or she has completed privacy training.


Privacy Model Policies and Procedures


4. The probationary period of any new employee who has not completed the privacy policy orientation and training program will be extended, and the employee will be ineligible for benefits that would have become available upon completion of the probationary period. In some cases, an employee who does not complete the privacy orientation and training program prior to the end of his or her probationary period will be required to complete the program before resuming normal job duties.

Regulation: 45 CFR 164.530(b) establishes HIPAA requirements for staff training.

P-1230 Revised Policies and Procedures Training

The [title of privacy official] or a staff member designated by the [title of privacy official] will develop training materials on new or revised privacy policies and procedures.

Procedures

1. Staff whose job responsibilities are affected by a change in privacy policies and procedures must complete training on the revised policies and procedures within one month of their effective date.

2. Completion of training on revised policies and procedures will be documented in the employee’s personnel file.

Regulation: 45 CFR 164.530(b)(2)(ii) requires documentation of training.

IMPORTANT: The medical practice’s legal counsel should review and approve any penalty that is proposed to be assessed for non-compliance with privacy policies and procedures.

P-2300 The Use and Disclosure of Information for Health Care Operations

This section addresses the uses and disclosures of information in the course of day-to-day operations that do not require specific authorization (see policy P-3300).

Regulation: 45 CFR 164.506 establishes requirements for the use and disclosure of protected health information for the purposes of treatment, payment, and health care operations.

P-2310 Definition of Health Care Operations

Use and disclosure of protected health information is permitted under this policy to conduct the following activities:

◆ Quality assessment and improvement

◆ Professional credentialing

◆ Medical and utilization review

◆ Legal services

◆ Auditing

◆ Business planning and market research

◆ Grievance procedures

◆ Due diligence analysis related to sales and acquisitions

◆ Creation of de-identified information and limited data sets

◆ Customer service

◆ Patient directories

◆ Compliance monitoring

Before using or disclosing protected health information for any of the functions included in health care operations, the medical practice must give the patient its “Notice of Privacy Practices.” Obtaining an acknowledgment of receipt of the notice is the responsibility of the [title of receptionist].

Procedures for obtaining an acknowledgment are established by policy P-3190.

IMPORTANT: Review by legal counsel is advised.

P-2400 Law Enforcement and Public Health

The policies in this section address the disclosure of protected health information to various government entities. In general, the disclosures to government entities covered by this section are required or permitted by law and do not require the authorization of the patient. However, under certain circumstances, the patient must be notified that information has been disclosed.

Regulation: 45 CFR 164.512 authorizes use and disclosure of protected health information without written authorization for purposes of law enforcement and legally mandated reporting.

P-2410 Disclosure of Patient Information to Public Health Agencies

The following information may be reported to [name of public health agency] as required by law whether or not the patient authorizes the disclosure:

◆ Information required to compile vital statistics (births and deaths)

◆ Information on communicable diseases

◆ Information on reportable injuries

Regulation: 45 CFR 164.512(b) permits disclosure of protected health information to public health authorities when authorized by law.

P-2420 Reporting of Abuse, Neglect, and Domestic Violence

Staff may report cases of suspected child abuse or neglect to [state or local child abuse and neglect agency] as required by law.

Any such reports must follow the policies and procedures that are established in the following policies:

◆ Policy P-2421 addresses disclosure of protected health information concerning child abuse and neglect required by law.

◆ Policy P-2422 addresses disclosure of protected health information concerning abuse, neglect, and domestic violence that is required by law. Policy P-2422 does not apply to mandated reporting of child abuse and neglect, which is to be handled according to policy P-2421.

◆ Policy P-2423 addresses disclosure permitted but not required by law of protected health information concerning abuse, neglect, and domestic violence.

◆ Policy P-2424 addresses voluntary disclosure of protected health information concerning abuse, neglect, or domestic violence.

◆ Policy P-2425 establishes policies and procedures for informing patients of reports of abuse, neglect, or domestic violence.

Regulation: 45 CFR 164.512(c) permits disclosure of protected health information to government agencies responsible for investigating abuse, neglect, and domestic violence.

IMPORTANT: Review state laws. The medical practice should review state law to determine compliance requirements involving public health reporting and add any legally mandated reporting to the list in policy P-2410.
