Sunday, July 26, 2015

HIPAA--Know your compliance requirements.

Look to the AMA and Website Resources for Updates

http://www.ama-assn.org/ama/pub/dab/hipaa-toolkit-abstract.page
Know your compliance requirements.
HIPAA: Who Must Comply?
Physicians who conduct any of the below named transactions electronically are required to
comply with HIPAA:

. Health Care Claim: Professional
. Health Care Claim Payment/Remittance Advice
. Health Care Claim Status Response
. Health Care Eligibility Benefit Inquiry
. Health Care Services Review Information - Review
. Health Care Services Review Information - Response


2 Accredited Standards Committee
3 Standards for the Additional Information to Support a Health Care Claim or Encounter have
not yet been adopted.

Physicians can also use a tool developed by the U.S. Department of Health & Human Services
(HHS) if they are unclear whether or not they are a covered entity under HIPAA.

How to “HIPAA” 2.0-Tip # 3: Prioritize Your Compliance Activities
Prioritize your compliance requirements.
Understanding targets for compliance
. Federal law
. State law
. Regulatory changes and guidance
. Practice changes

Evaluate current office practices by conducting a gap analysis/risk assessment
. Compliance official – Has someone been given primary responsibility for HIPAA compliance –
including the privacy, security and breach notification requirements?

. Policies and procedures – Do your HIPAA policies and procedures reflect the realities of your
current practice and meet the requirements of current law?

. Patient requests – Is there a documented policy and procedure to handle:
  . Medical Record Access, inspection and copy requests – when a patient asks you to
    provide the opportunity to review or obtain a copy of the patient’s medical records,
    especially requests for electronic PHI copies?
  . Disclosure restriction requests – when a patient asks you to limit sharing their medical
    information with other covered entities?
  . Amendment requests – when a patient asks you to make a change to the information in
    the patient’s medical record?
  . Accounting of disclosure requests – when a patient asks for a list of everyone who has
    come in contact with the patient’s record?
  . Confidential communication channel requests – when a patient requests to receive
    information in a specific way or at a specific location; for example, they request not to be
    called at home for an appointment reminder?
. Notice of Privacy Practices (NPPs) – Does your practice maintain and share with your
patients a Notice of Privacy Practices that clearly details how your practice will use and
disclose PHI and your patients’ rights, including their rights to prohibit the sale of their PHI or
its use for marketing purposes, to request privacy protections and amendments to their PHI,
to access their PHI, to receive notice of any breach and to obtain an accounting of
disclosures? If your practice maintains a physical site (as opposed, for example, to being
hospital-based), do you post the Notice of Privacy Practices in a prominent location? If your
practice maintains a website, is your Notice of Privacy Practices posted on the website (also
in a prominent location)? Read more about NPPs in the next section.
. Training – Has all of your staff been trained to comply with your HIPAA policies and
procedures? Do you periodically provide HIPAA Security training reminders?

AMA provides a host of information designed to help physicians comply with the HIPAA Privacy,
Security and Breach Notification Rules.
http://www.ama-assn.org/go/HIPAA

US Department of Health and Human Services (DHHS) Office of Civil Rights (OCR)
The HHS OCR website contains a wealth of information on the HIPAA Privacy and Security Rules,
including a listserv and a link to the Transaction and Code Sets information posted by CMS.
http://www.hhs.gov/ocr/privacy/index.html

Centers for Medicare and Medicaid Services (CMS)
This link to the CMS website includes information on the Transaction and Code Sets Rule.
http://www.cms.gov/Regulations-and-Guidance/Regulations-and-Guidance.html

Workgroup for Electronic Data Interchange (WEDI)
This is the WEDI website, which includes information on EDI in the health care industry, lists of
conferences, implementation information and the availability of resources for standard
transactions.
http://www.wedi.org

National Committee on Vital and Health Statistics (NCVHS)
This is the NCVHS website. NCVHS is the Advisory Body to the Department of Health and Human
Services responsible for the HIPAA Transaction and Code Set Rule. Information on membership,
how to contact the committee, announcements and agendas for past and future public hearings is
also available.
http://www.ncvhs.hhs.gov

Medicare
This is the Medicare EDI Web page. Here you will find information regarding Medicare EDI,
advantages to using Medicare EDI, Medicare EDI formats and instructions, news and events,
frequently asked questions about Medicare EDI, and information regarding Medicare paper forms
and instructions.
http://www.cms.gov/Medicare/Billing/ElectronicBillingEDITrans/index.html