Laidlaw Inc.

HIPAA Privacy Standards Assessment Questionnaire

Submitted by: Anthony O. Boswell, Ethics, Privacy & Compliance Officer, Corporate Counsel

Source: …hcca-info.org/Portals/0/PDFs/Resources/library/HIPAA-Privacy...

A. Uses and Disclosures of Protected Health Information: General Rules, 45 C.F.R. §164.502

HIPAA Standards / Implementation Features | HIPAA Synopsis | Assessment Focus and Questions | Responses | Observation / Gap

Standard: General Rule, 45 C.F.R. §164.502

A Covered Entity may not use or disclose PHI, except as permitted or required by the privacy regulations.

Permitted Disclosures:

• To the individual.

• With a consent, to carry out treatment, payment, or health care operations.

• Without consent, in certain circumstances.

• With an authorization.

• Pursuant to an agreement under the provisions permitting Uses and Disclosures Requiring an Opportunity for the Individual to Agree or to Object.

• As permitted and in compliance with the provisions permitting disclosures without consents, authorizations or opportunity to agree or object.

Required Disclosures:

• To an individual, when requested as permitted and in compliance with the provisions permitting access of individuals to PHI and accounting of disclosures of PHI.

• When required by the Secretary to investigate or determine the Covered Entity's compliance.

Assessment Focus and Questions:

Has your entity identified the flow of protected health information both internally and externally?

Does your entity have agreements in place regarding the disclosure or use of PHI?

How does an individual have access to his or her PHI? Does your entity have a policy or procedure about providing such access to an individual?

B. Uses and Disclosures: Organization Requirements, 45 C.F.R. §164.504

Standard: Business Associate Contracts, 45 C.F.R. §164.504(e)(1)

Identify potential Business Associates by reviewing the definition of “business associate” and determining whether an arrangement falls within the definition.

Assessment Focus and Questions:

1. Does your organization have a policy and procedure in place for identifying and contracting with business associates?

2. If not, how and when will business associate identification and contracting be implemented?

3. Are any of your contracts oral or memorialized in writing by way of a purchase order or invoice?

4. Do you have an accurate listing of all your organization’s contracts (oral, written or otherwise)?

• If so, do you have a description of the type of service each contract addresses?

5. What is your organization’s record retention requirement for contracts?

6. Who in your organization is responsible for contract drafting, contract negotiation and contract administration?

Implementation Specifications: Business Associate Contracts, 45 C.F.R. §164.504(e)(2)

A contract between the Covered Entity and a business associate must contain certain requirements. Those requirements include provisions pertaining to:

• Specific permitted and required uses and disclosures of PHI;

• Prohibition on other uses or disclosures of PHI unless required by law;

• Required safeguards to prevent non-permitted use or disclosure of PHI;

• Required notification of non-permitted use or disclosure of PHI;

• Mirror obligation requirements on agents and sub-contractors;

• Access requirements;

• Amendment requirements;

• Accounting of disclosure requirements;

• Required availability of internal practices, books and records to DHHS;

• Right to terminate contract for material breach; and

• Required post-termination obligations.

Assessment Focus and Questions:

1. Do your existing contracts contain written provisions which include provisions protecting the privacy of health information?

2. Does your organization require its business associates to provide privacy training to its employees?

3. Does your organization conduct any due diligence on vendors it does business with?

• If so, does it regularly check the name of its vendors against the Excluded Party list?

5. Does your organization operate under a Corporate Integrity Agreement or similar agreement with the Office of the Inspector General?

6. Does your organization contract with federal agencies?

7. Does your organization have contract administration policies and procedures that govern the process to be followed when contracts are terminated?

• If so, does it require the return and destruction of all files? Does the third party retain copies?

9. If the third party vendor retains copies, are the contract terms amended to provide for ensuring the security and privacy of PHI?

10. If your organization does not have contract termination policies and procedures, how and when will they be implemented?

C. Consent for Uses or Disclosures to Carry Out Treatment, Payment, or Health Care Operations, 45 C.F.R. §164.506

Standard: Disclosures With Consents, 45 C.F.R. §164.502

A covered health care provider must obtain the individual’s consent prior to using or disclosing PHI to carry out payment, treatment or health care operations.

Assessment Focus and Questions:

1. Do you use consent forms for disclosures for treatment, payment or operations?

2. How many consent forms are being used within your entity? Please provide a copy of each one.

3. Do you specifically limit your consents to treatment, payment or operations?

Implementation Specifications: Obtaining Consents in Direct Treatment Relationship, 45 C.F.R. §164.506(a)

Consent should be obtained during the patient's first contact with the Covered Entity in a direct treatment relationship.

Assessment Focus and Questions:

1. Are guidelines on obtaining consents included in your policies and procedures?

Implementation Specifications: Consent Content Requirements, 45 C.F.R. §164.506(c)

A consent must be in plain language and contain specific terms provided in the regulations.

A consent may not be combined in a single document with the Notice of Privacy Practices.

A consent for use or disclosure may be combined with other types of written legal permission from the individual (e.g., an informed consent for treatment, a consent to assignment of benefits and a research authorization), if the consent under this section:

• Is visually and organizationally separate from such other written legal permission; and

• Is separately signed by the individual and dated.

Assessment Focus and Questions:

1. Is the current consent form in plain language containing the elements set forth below?

2. Is the consent combined with any other legal documents? If so, is it:

• Visually and organizationally separate from such other written legal permission?

• Separately signed by the individual and dated?

Standard: Consent Not Required in Indirect Treatment Relationships, 45 C.F.R. §164.506(a)(2)(i)

A covered health care provider may, without consent, use or disclose PHI to carry out treatment, payment, or health care operations if the covered health care provider has an indirect treatment relationship with the individual.

Assessment Focus and Questions:

1. Do you address indirect treatment consent practices in your policies and procedures?

Implementation Specifications: Treatment, Payment and Operations without Consent, 45 C.F.R. §164.506(a)(3)

A covered health care provider may, without prior consent, use or disclose PHI created or received to carry out treatment, payment, or health care operations:

• In emergency treatment situations, if the covered health care provider attempts to obtain such consent as soon as reasonably practicable after the delivery of such treatment;

• If required by law to treat the individual, and the covered health care provider attempts to obtain such consent but is unable to obtain such consent; or

• Unsuccessful attempts: if a covered health care provider attempts to obtain such consent from the individual but is unable to obtain such consent due to substantial barriers to communicating with the individual, and the covered health care provider determines, in the exercise of professional judgment, that the individual’s consent to receive treatment is inferred.

Assessment Focus and Questions:

1. Do your policies and procedures include guidelines for providing treatment, payment and operations without consent?

• If so, under what circumstances will you proceed without consent?

2. Is consent obtained in emergency treatment situations? If so, how? If not, when is the patient approached about consent? (Consider how informed consent is currently handled.)

3. If consent was not able to be obtained, do you document that you attempted to obtain the individual's consent and the reason you were unable to do so?

Implementation Specifications: Consent Revocations, 45 C.F.R. §164.506(b)(5)

An individual may in writing revoke consent under this section at any time.

This revocation will be effective except to the extent that the Covered Entity has taken action in reliance thereon.

If an individual revokes a joint consent, the Covered Entity that receives the revocation must inform the other entities covered by the joint consent of the revocation as soon as practicable.

Assessment Focus and Questions:

1. What policies and procedures do you have in place to track consent revocations and inform appropriate personnel both within and outside your Covered Entity?

2. What policies and procedures do you have in place to track consent revocations and inform other entities (such as entities covered by joint consents or business associates)?

Implementation Specifications: Consent Retention, 45 C.F.R. §164.506(b)(6)

A Covered Entity must document and retain any signed consent in written form (or an electronic image of the form) and keep the signed consent for a minimum of six years.

Assessment Focus and Questions:

1. Are copies of consents stored in a central location? Are they also kept in a patient's medical records?

2. How long are the consents retained?

3. Who in your organization is responsible for record retention?

D. Uses or Disclosures for which Authorization is Required, 45 C.F.R. §164.508

Standard: Authorizations for Uses and Disclosures, 45 C.F.R. §164.508

Except as otherwise required or permitted by the privacy regulations, a Covered Entity must obtain an authorization to use or disclose PHI for purposes other than treatment, payment and health care operations.

Assessment Focus and Questions:

1. Do you obtain authorizations for uses and disclosures of PHI for purposes other than treatment, payment and health care operations?

2. Has your entity identified for what routine purposes an authorization should be obtained (e.g., fund raising)?

Standard: Psychotherapy Notes, 45 C.F.R. §164.508(a)(2)

Psychotherapy notes cannot be used or disclosed without patient authorization, except to carry out treatment, payment or health care operations consistent with consent requirements and in the following three situations:

• By the originator of the notes for treatment;

• To carry out training programs in mental health under supervision; or

• To defend a legal action or other proceeding brought by an individual.

Assessment Focus and Questions:

1. Do you require an authorization for disclosure of psychotherapy notes?

Implementation Specifications: Content of Authorizations Requested by a Covered Entity for its Own Uses and Disclosures, 45 C.F.R. §164.508(d)

An authorization is valid if it contains the following elements:

• the core elements listed below in the chart entitled Core Elements to be included in all Authorization Forms; and

• the additional elements listed below in the chart entitled Additional Elements When Covered Entity Requests Use or Disclosure.

A Covered Entity must provide the individual with a copy of the signed authorization.

Assessment Focus and Questions:

1. Do you use an authorization for disclosures of PHI for your own uses?

2. Do your policies and procedures document when authorization must be obtained and by whom?

3. Who in your organization is responsible for obtaining such authorizations?

4. Do you provide the individual with a copy of the authorization?

Implementation Specifications: Content of Authorizations When Covered Entity Requests Disclosure for Others, 45 C.F.R. §164.508(e)

An authorization is valid if it contains the elements in the chart, written in plain language.

A valid authorization may contain elements or information in addition to the elements required above, provided that such additional elements or information are not inconsistent with these elements.

Assessment Focus and Questions:

1. Do you use an authorization to request disclosures by others?

2. Use the chart to compare the current authorization form to HIPAA requirements.

Implementation Specifications: Revocation of Authorization, 45 C.F.R. §164.508(b)(5)

An individual may revoke an authorization at any time, provided that the revocation is in writing, except to the extent that:

• The Covered Entity has taken action in reliance thereon; or

• If the authorization was obtained as a condition of obtaining insurance coverage, other law provides the insurer with the right to contest a claim under the policy.

Assessment Focus and Questions:

1. Do you currently permit patients to revoke authorization?

2. Are there written policies and procedures addressing revocation of authorizations and uses?

E. Uses and Disclosures Requiring an Opportunity for the Individual to Agree or Object, 45 C.F.R. §164.510

Standard: Facility Directories, 45 C.F.R. §164.510(a)

Directories: The following PHI may be disclosed for directory purposes, to the clergy and to other persons who ask for the individual by name:

• The individual’s name;

• The individual’s location in the facility;

• The individual’s condition described in general terms; and

• The individual’s religious affiliation (to members of the clergy only).

Opportunity to Agree or Object: A covered health care provider must inform an individual of the PHI that it may include in a directory and the persons to whom it may disclose such information, and provide the individual with the opportunity to restrict or prohibit some or all of the uses or disclosures.

Assessment Focus and Questions:

1. Do you currently use or plan to use PHI in your directories?

• Do you now permit or plan to permit the individual the opportunity to agree or object to having information given to the clergy or other persons who request information?

2. Do you have written policies and procedures covering uses and disclosures for Facility Directories?

Standard: Involvement in the Individual’s Care and Notification Purposes, 45 C.F.R. §164.510(b)

Subject to certain limitations, a Covered Entity may:

• Disclose to a family member, other relative, or a close personal friend of the individual, or any other person identified by the individual, the PHI directly relevant to such person’s involvement with the individual’s care or payment related to the individual’s health care.

• Use or disclose PHI to notify, or assist in the notification of (including identifying or locating), a family member, a personal representative of the individual, or another person responsible for the care of the individual of the individual’s location, general condition, or death.

Assessment Focus and Questions:

1. Under what circumstances and how do you disclose PHI to a family member involved in the individual’s care or treatment?

2. What processes do you have for locating and notifying a family member, a personal representative of the individual, or another person responsible for the care of the individual of the individual’s location, general condition, or death?

3. Do you have policies and procedures covering uses and disclosures for Involvement in the Individual’s Care and Notification Purposes?

F. Uses and Disclosures for Which Consent, Authorization or Opportunity to Object is Not Required, 45 C.F.R. §164.512

Introduction: Uses and Disclosures Without Individual Consent, Authorization or Opportunity to Object or Agree, 45 C.F.R. §164.512

A Covered Entity may use or disclose PHI without the written consent or authorization of the individual or the opportunity for the individual to agree or object in the following situations.

Assessment Focus and Questions:

1. Do your policies and procedures enumerate the uses and disclosures that may be made without an individual's consent, authorization or opportunity to object or agree?

2. How do you account for these types of disclosures when they are related to payment, treatment or health care operations?

Standard: Required by Law, 45 C.F.R. §164.512(a)

A Covered Entity may use or disclose PHI to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law.

Assessment Focus and Questions:

1. Do policies and procedures provide for uses and disclosures required by law?

Standard: Public Health Activities, 45 C.F.R. §164.512(b)

Covered entities may disclose PHI for a variety of public health activities.

Assessment Focus and Questions:

1. What disclosures do you make for public health activities? Is this authorized by state and federal law?

2. Are these disclosures covered by policies and procedures?

3. Are those disclosures accounted for in some manner?

Standard: Victims of Abuse, Neglect or Domestic Violence, 45 C.F.R. §164.512(c)

A Covered Entity may disclose PHI about an individual that the Covered Entity reasonably believes to be a victim of abuse, neglect or domestic violence to a government authority (e.g., a social service or protective services agency) that is authorized by law to receive such reports.

There are limitations to this disclosure that need to be addressed, including notice to the person to whom the information pertains unless the notice could pose a risk to that person.

Assessment Focus and Questions:

1. Do you have policies and procedures for the release of PHI relating to victims of abuse, neglect or domestic violence?

2. How do you handle these types of releases?

3. How do you account for these disclosures?

Standard: Health Oversight Activities, 45 C.F.R. §164.512(d)

Except in certain limited instances, a Covered Entity may disclose PHI to health oversight agencies for oversight activities authorized by law, including audits; civil, administrative, or criminal investigations; inspections; licensure or disciplinary actions; civil, administrative, or criminal proceedings or actions; or other activities necessary for appropriate oversight of various government programs.

Assessment Focus and Questions:

1. Do you have policies and procedures for release of PHI for health oversight activities?

2. How do you handle these types of releases?

3. How do you plan to keep and provide accountings for these disclosures?

Standard: Judicial and Administrative Proceedings, 45 C.F.R. §164.512(e)

In response to an order of a court or administrative tribunal, provided that the Covered Entity discloses only the PHI expressly authorized by such order.

In response to a subpoena, discovery request, or other lawful process that is not accompanied by an order of a court or administrative tribunal, if certain criteria are met.

Assessment Focus and Questions:

1. How do you currently handle disclosures of medical records and other health information for purposes of judicial and administrative hearings?

2. Do you require or provide notice to the individual that a party is seeking information about the individual?

3. Are these disclosures included in current policies and procedures?

4. How do you plan to account for these disclosures?

Standard: Law Enforcement Purposes, 45 C.F.R. §164.512(f)

Legitimate law enforcement inquiry. A Covered Entity may disclose PHI pursuant to a law enforcement process, including court orders, a court-ordered warrant, a judicial or grand jury subpoena or summons, and an administrative request.

Also see disclosures allowed for:

• Limited information on identification and location;

• Victims of crime;

• Decedents;

• Crime on premises.

Assessment Focus and Questions:

1. Do you have policies and procedures for the release of PHI for law enforcement purposes?

2. How are these releases handled?

3. How do you plan to account for these disclosures?

Standard: Decedents, 45 C.F.R. §164.512(g)

Coroners, Medical Examiners and Funeral Directors. A Covered Entity may disclose PHI to a coroner or medical examiner for the purpose of identifying a deceased person, determining a cause of death, or other duties as authorized by law.

Funeral directors. A Covered Entity may disclose PHI to funeral directors, consistent with applicable law, as necessary to carry out their duties with respect to the decedent.

Assessment Focus and Questions:

1. Do you have policies and procedures for release of PHI to coroners, medical examiners and funeral directors?

2. How would you handle these types of releases?

3. How do you plan to account for such disclosures?

Standard: Cadaveric Organ, Eye or Tissue Donation, 45 C.F.R. §164.512(h)

A Covered Entity may use or disclose PHI to organ procurement organizations or others engaged in the procurement, banking or transplantation of organs, eyes or tissues.

Assessment Focus and Questions:

1. Do you have policies and procedures pertaining to the disclosure of PHI for organ, eye or tissue donation?

2. How do you plan to account for such disclosures?

Standard: Research Purposes, 45 C.F.R. §164.512(i)

Disclosures of PHI may be made:

• Pursuant to a consent, if it is research that will be performed in the course of providing treatment.

• Pursuant to an authorization.

• Pursuant to a waiver or alteration of authorization that has been made by an IRB or privacy board in accordance with specific procedures provided by the regulations.

Assessment Focus and Questions:

1. How do you obtain authorizations from patients for research?

2. Does the authorization include permission to use and disclose the individual’s PHI?

3. Do you have your own IRB or do you share one with other entities?

4. Do you have policies and procedures covering research activities?

5. How do you plan to account for such disclosures?

6. Who in your organization is responsible for determining and making such disclosures?

Standard: To Avert a Serious Threat to Health or Safety, 45 C.F.R. §164.512(j)

A Covered Entity may disclose PHI, consistent with “applicable law and standards of conduct,” if the Covered Entity believes in good faith that the disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public.

Assessment Focus and Questions:

1. Do you have policies and procedures pertaining to the disclosure of PHI to avert a serious threat to health or safety?

2. How are these disclosures handled today?

3. How do you plan to account for such disclosures?

Standard: Workers’ Compensation, 45 C.F.R. §164.512(l)

A Covered Entity may disclose PHI as authorized by, and to the extent necessary to comply with, laws relating to workers’ compensation or other similar programs, established by law, that provide benefits for work-related injuries or illness without regard to fault.

Assessment Focus and Questions:

1. How do you disclose information related to workers’ compensation claims?

2. Do you have policies and procedures that cover workers’ compensation information?

3. How do you plan to account for such disclosures?

G. Other Requirements Related to Disclosures of Protected Health Information, 45 C.F.R. §164.514

Standard: De-identification of PHI, General Rule, 45 C.F.R. §164.514(a)

Health information that does not identify an individual (i.e., has been de-identified), and for which there is no reasonable basis to believe that the information can be used to identify an individual, is not individually identifiable health information.

Assessment Focus and Questions:

1. Does your organization de-identify PHI?

2. If so, is it a function performed internally or is it outsourced?

3. If outsourced, are there written business associate contracts in place?

Implementation Specification: De-identification of PHI, 45 C.F.R. §164.514(b)

A Covered Entity may determine that health information is not individually identifiable health information (i.e., is de-identified):

• by removing all specific identifiers, provided the Covered Entity does not have actual knowledge that would allow re-identification; or

• by having a person trained in, and using, accepted mathematical or scientific principles determine that, with some of the identifiers removed, the risk that the recipient could identify the person who is the subject of the information is small enough.

Assessment Focus and Questions:

4. Does your organization receive remuneration of any sort for using or disclosing PHI that is de-identified?

5. Does your organization have a quality control process in place to confirm that de-identification is being conducted accurately and that no re-identification of previously de-identified PHI can be performed?

6. Does your organization have any policies and procedures that address the de-identification of PHI?

Implementation Specifications: Re-identification of PHI, 45 C.F.R. §164.514(c)

A Covered Entity may assign a code or other means of record identification to allow information de-identified under this section to be re-identified by the Covered Entity, provided that:

• The code or other means of record identification is not derived from or related to information about the individual and is not otherwise capable of being translated so as to identify the individual; and

• The Covered Entity does not use or disclose the code or other means of record identification for any other purpose, and does not disclose the mechanism for re-identification.

Assessment Focus and Questions:

1. Does your organization re-identify any previously de-identified PHI?

• If so, what is the purpose for the re-identification?

2. Is the re-identification function performed internally or is it outsourced?

• If it is outsourced, are there written business associate contracts in place?

3. Does your organization have policies and procedures in place that address the re-identification of previously de-identified PHI?
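The two specifications above, de-identification under §164.514(b) and the re-identification code under §164.514(c), are easier to audit against a concrete implementation. The following is an added example, not code from the Laidlaw questionnaire or from HCCA: it strips a record of direct identifiers, reduces dates to the year and truncates the zip code, scrubs identifier values that leaked into free text, and then tags the released copy with a random re-identification code that the Covered Entity keeps in a separate registry. The set of fields treated as identifiers is an assumption (a subset of what a full safe-harbor review covers, since the questionnaire does not list them), the sample record is constructed, and `code_is_derived` is a check of this example's own design that flags the anti-pattern the regulation forbids, a code that embeds or is a plain hash of the individual's own data.

```python
"""Added example (not from the questionnaire): de-identify a record and tag it with a
re-identification code that is random rather than derived from the individual's data.
Field classes are an assumption (a subset of the identifiers a real safe-harbor review
covers); all sample data is constructed."""
import hashlib
import secrets
from typing import Dict, Optional, Tuple

# Constructed sample record; no real person.
SAMPLE_RECORD: Dict[str, str] = {
    "name": "Jane Q. Sample",
    "ssn": "123-45-6789",
    "phone": "555-0100",
    "email": "jane.sample@example.com",
    "zip": "12345",
    "birth_date": "1950-03-14",
    "admission_date": "2024-11-02",
    "diagnosis": "Type 2 diabetes mellitus",
    "notes": "Patient Jane Q. Sample (555-0100) reports improved glucose control.",
}

# Assumed field classes (a real deployment maps every field against the full identifier list).
DIRECT_IDENTIFIERS = ("name", "ssn", "phone", "email")   # removed outright
DATE_FIELDS = ("birth_date", "admission_date")            # reduced to the year
FREE_TEXT_FIELDS = ("notes",)                              # scrubbed for identifier values


def deidentify(record: Dict[str, str]) -> Dict[str, str]:
    """Return a copy with direct identifiers dropped, dates reduced to year, zip truncated,
    and free text scrubbed of any direct-identifier value that leaked into it."""
    out: Dict[str, str] = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue
        if field in DATE_FIELDS:
            out[field] = value[:4]
        elif field == "zip":
            out[field] = value[:3] + "00"
        else:
            out[field] = value
    # Identifier values often reappear inside narrative fields, so scrub them there too.
    for field in FREE_TEXT_FIELDS:
        if field in out:
            text = out[field]
            for ident in DIRECT_IDENTIFIERS:
                if record.get(ident):
                    text = text.replace(record[ident], "[REDACTED]")
            out[field] = text
    return out


def code_is_derived(code: str, record: Dict[str, str]) -> bool:
    """Flag a re-identification code built from the individual's own data: one that embeds
    a field value or equals a plain hash of one. Anyone who knows the input can translate
    such a code back, which is what the 'not derived from' requirement rules out."""
    for value in record.values():
        if len(value) >= 6 and value in code:
            return True
        data = value.encode()
        for algo in ("md5", "sha1", "sha256"):
            if code.lower() == hashlib.new(algo, data).hexdigest():
                return True
    return False


class ReidentificationRegistry:
    """Code -> original record map, held by the Covered Entity apart from the released data.
    The code is random, so it carries nothing about the individual and cannot be reversed
    without this registry."""

    def __init__(self) -> None:
        self._records: Dict[str, Dict[str, str]] = {}

    def register(self, record: Dict[str, str]) -> str:
        code = secrets.token_urlsafe(16)
        if code_is_derived(code, record):  # defensive check; a random token never trips it
            raise ValueError("re-identification code must not be derived from the record")
        self._records[code] = record
        return code

    def reidentify(self, code: str) -> Optional[Dict[str, str]]:
        return self._records.get(code)


def release(record: Dict[str, str], registry: ReidentificationRegistry) -> Tuple[str, Dict[str, str]]:
    """Register the record, then return its code and the de-identified copy tagged with it."""
    code = registry.register(record)
    released = deidentify(record)
    released["record_code"] = code
    return code, released


if __name__ == "__main__":
    reg = ReidentificationRegistry()
    code, released = release(SAMPLE_RECORD, reg)
    print(released)
    print("re-identified:", reg.reidentify(code)["name"])
```

The design point for an assessor is the separation: the released data set carries only the random `record_code`, the registry that maps it back stays inside the Covered Entity, and `code_is_derived` is the kind of quality-control check question 5 above asks about, catching a code scheme that would let a recipient re-identify records by hashing values they already hold.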

Standard: Minimum Necessary Requirements, 45 C.F.R. §164.502(b)(1)

Covered entities must make reasonable efforts to limit the use, disclosure of, or request for PHI to the minimum amount necessary to accomplish the intended purpose of the use, disclosure, or request.

Exceptions: The minimum necessary rule does not apply to treatment, disclosures pursuant to an authorization, disclosures to the individual, disclosures to the government for investigation purposes, and certain others.

Assessment Focus and Questions:

1. Do you currently place limits on the use or disclosure of PHI?

2. Do you currently place limits on how much PHI you will request from other entities?

3. Do you have policies and procedures for such?

4. Who in your organization has the responsibility of monitoring efforts to limit PHI to the minimum necessary amount?

Implementation Specifications: Minimum Necessary Disclosures of PHI

45 C.F.R. §164.514(d)(3)

General Rule. A Covered Entity must limit any disclosure of PHI for purposes of payment or health care operations to that which is reasonably necessary to accomplish the purpose for which the disclosure is made.

Routine and Recurring Disclosures. For routine and recurring disclosures of PHI for purposes of payment and health care operations, the Covered Entity must implement policies and procedures that limit the amount of PHI disclosed.

All Other Disclosures. For all other disclosures of PHI for purposes of payment and health care operations, that is, disclosures not identified as routine and recurring, review on an individual basis is required.

1. Do you have policies and procedures that identify routine and recurring disclosures of PHI?

• If so, do they define to whom the disclosures may be made?

2. How is the information that may be disclosed to each identified entity described?

3. For disclosures that do not qualify as “routine and recurring,” how will you review the disclosure to determine if it is the amount reasonably necessary to accomplish the purpose for which the request is made?


Standard: Uses and Disclosures of PHI for Marketing

45 C.F.R. §164.514(e)(3)

A Covered Entity may not use or disclose PHI for marketing without an authorization except as provided by the following Implementation Specifications.

1. Do you use PHI for marketing purposes?

• If so, do you obtain authorizations or other permissions to use it from the individual?

2. Do you have any policies and procedures addressing the use of health information for marketing?

Implementation Specification: Requirements Relating to Marketing

45 C.F.R. §164.514(e)(2)

Authorization is not required for “marketing communications” if the communication:

• Occurs in a face-to-face encounter with the individual;

• Concerns products or services of nominal value; or

• Otherwise meets the terms in the following Implementation Specification.

Do you limit your marketing to face-to-face encounters or to providing recipients with things of nominal value (e.g., pens, brochures, etc.)?

Implementation Specification: Requirements for Certain Marketing Communications

45 C.F.R. §164.514(e)(3)

Marketing Communication. A “marketing communication” that does not require an authorization must be about an entity's or a third party’s health-related products or services, and must:

• Identify the Covered Entity as the one making the communication;

• Prominently state whether the Covered Entity is receiving direct or indirect remuneration; and

• Permit the recipient the opportunity to opt out from further communication, unless it is contained in a newsletter or similar type of general communication device.

Targeted Marketing. For targeted marketing communications to individuals based on their health care status or condition:

• The Covered Entity must make a determination; and

• The communication must explain why the individual has been targeted and how the product or service relates to the health of the individual.

A Covered Entity may disclose PHI for purposes of communicating with a business associate that assists the Covered Entity in marketing activities.

1. Do your marketing communications identify the Covered Entity as the one making the communication?

2. Do you currently receive or plan to receive direct or indirect remuneration for any marketing activities?

• If so, do the marketing communications prominently state that remuneration is received?

4. Do you permit recipients to opt out of receiving further marketing information?

• If so, how do you currently handle or plan to honor a recipient’s request to receive no further communication?

5. Do you currently engage in or plan to engage in targeted marketing activities?

• If so, do you make a determination prior to making the communication that the product or service being marketed may be beneficial to the health of the type or class of individual targeted?

• Do you explain in the marketing materials your rationale for targeting the recipients?

6. Do you currently outsource or plan to outsource marketing activities?


Standard: Uses and Disclosures for Fundraising

45 C.F.R. §164.514(f)(1)

The following information may be used without authorization to support fundraising efforts:

• Demographic information relating to an individual; and

• Dates of health care provided to an individual.

1. Do you currently use PHI in support of fundraising activities?

• If so, do you obtain authorizations or other permissions from the individual to use PHI for fundraising?

• If not, do you plan to use it in the future?

2. Do you have any policies and procedures addressing the use of health information for marketing?

Implementation Specifications: Fundraising Requirements

45 C.F.R. §164.514(f)(2)

Notice of Privacy Practices. Covered entities must include their intention to use PHI in fundraising activities in their notice of privacy practices.

Opt Out Right. Fundraising materials must provide an opportunity for the recipient to opt out.

The Covered Entity must make reasonable efforts to ensure that individuals who decide to opt out are not sent fundraising communications.

1. Do you include your intention to use PHI in fundraising activities in your notice of privacy practices?

2. Do you now provide or plan to provide the recipients the opportunity to opt out from receiving further information?

• If so, how do you now make, or plan to make, reasonable efforts to ensure that individuals who decide to opt out are not sent such communications?


Standard: Verification Requirements

45 C.F.R. §164.514(h)(1)

Except in certain circumstances, a Covered Entity must:

• verify the identity of the person requesting PHI, as well as the authority of that person to have access to the PHI, and

• obtain any documentation, statements, or representations, whether oral or written, from the person requesting the PHI when such documentation, statement, or representation is required by the privacy regulations.

Do you have policies and procedures that require the verification of persons requesting PHI?

• If so, how is it handled?

Implementation Specification: Verification

45 C.F.R. §164.514(h)(2)

Conditions on Disclosures. When disclosure is conditioned upon documentation, statements or representations, a Covered Entity may place reasonable reliance on documentation, etc. that on its face meets applicable requirements.

Exercise of Professional Judgment. In all cases, the Covered Entity may rely on the exercise of professional judgment in verifying the identity and authority of the person requesting a use or disclosure of PHI.

1. Do you verify requests by public officials for releases and disclosures of PHI?

2. What processes do you currently use? Are they documented in policies and procedures?

3. Who in your organization is responsible for determining and making such disclosures?


H. Notice of Privacy Practices for Protected Health Information, 45 C.F.R. §164.520


Implementation Specification: Content of Notice

45 C.F.R. §164.520(b)

A Covered Entity’s notice of privacy practices should be in plain English and contain numerous required statements.

1. Do you currently have a notice of privacy (or confidentiality) practices?

2. If so, please refer to the Notice of Privacy Practices Comparative Chart, below, to determine its sufficiency under the HIPAA privacy regulations.

Implementation Specification: Provision of Notice

45 C.F.R. §164.520(c)(2)

A Covered Entity must provide its notice of privacy practices to the individual at the first service delivery.

A Covered Entity must post its notice of privacy practices in a clear and prominent location at its facilities and have additional copies available upon request.

The Covered Entity must promptly revise and distribute its notice whenever there is a material change to the uses and disclosures, the individual’s rights, the Covered Entity’s legal duties, or other privacy practices stated in its notice.

1. How do you currently provide the notice of privacy practices to patients?

• If by brochure or other written document, when is it given to patients?

• If by posting the notice, where are your notices currently posted?

2. Who handles revisions of the notice of privacy practices? Is this person responsible for promptly distributing your revised notice of privacy practices?

3. Do you have a copy of your notice of privacy practices? Is it kept in your compliance records?


I. Rights to Request Privacy Protection for Protected Health Information, 45 C.F.R. §164.522


Standard: Right to Request Restrictions of Uses and Disclosures

45 C.F.R. §164.522(a)

A Covered Entity must allow individuals to request restrictions on the use and disclosure of their PHI, although the Covered Entity may deny an individual’s request or limit the scope of such restriction if it believes the restriction is not in the individual’s best interests. If the Covered Entity agrees to such restrictions, the Covered Entity must document and abide by the restrictions.

1. Do you plan to grant any requests for restricting use and disclosure of PHI?

2. Do you have policies and procedures on what type of restriction requests you are planning to agree to?

Implementation Specifications: Terminating a Restriction

45 C.F.R. §164.522(a)(2)

A Covered Entity may terminate its agreement to a restriction if (1) the individual agrees to or requests the termination in writing, (2) the individual orally agrees to the termination and the oral agreement is documented, or (3) the Covered Entity informs the individual that it is terminating an agreement to a restriction (termination is only effective with respect to PHI created or received after it has informed the individual).

1. Do you have a process for terminating the restriction with the individual?

2. Do you document the restriction and keep a record of it for a period of six years?


Standard: Right to Request Confidentiality in Communications

45 C.F.R. §164.522(b)(1)

Individuals have the right to request that confidential communications from a Covered Entity are sent to an alternative address or by alternative means.

1. Do you have policies and procedures on what types of confidential communication requests you are willing to agree to, and who is responsible for implementing such requests?

Implementation Specification: Conditions on Providing Confidential Communications

45 C.F.R. §164.522(b)(2)

A Covered Entity may require that the request: (1) is reasonable with respect to the administrative burden, (2) is in writing, (3) specifies an alternative address or other method of contact, and that (where relevant) the individual provides information on how payments should be handled.

1. Do you provide options for alternative means of sending information (e.g., in a closed envelope rather than a postcard)?


J. Access of Individuals to Protected Health Information, 45 C.F.R. §164.524


Standard: Access of Individuals to PHI held by the Covered Entity

45 C.F.R. §164.524(a)

An individual has a right of access to inspect and obtain a copy of PHI about the individual in a designated record set, for as long as the PHI is maintained in the designated record set.

Exceptions:

(i) Psychotherapy notes.

(ii) Information compiled for civil, criminal or administrative proceedings.

1. Do you currently have policies and procedures on how to address an individual’s request to access his or her PHI?

2. Do you require such requests to be in writing?

3. How long does it take for you to provide an individual access to his or her PHI? (30-onsite/60 offsite)

Implementation Specification: Denial of Access

45 C.F.R. §164.524(d)

A Covered Entity must provide a timely, written denial to an individual’s request for access.

1. Does your organization have policies and procedures that address circumstances when access to a medical record can be denied?

2. Has your organization designated a single contact person or office to receive individual complaints?

3. Does your organization permit review of denials of requests to access medical records?

Implementation Specification: Documentation

45 C.F.R. §164.524(e)

For a period of 6 years after a request, the Covered Entity must retain a copy of the record that is subject to access.

1. Does your organization have a records retention policy for medical records?

• If not, how and when will such policies and procedures be implemented?


K. Amendment to Protected Health Information, 45 C.F.R. §164.526


Standard: Amendment of PHI held by the Covered Entity

45 C.F.R. §164.526(a)(1)

An individual has the right to have a Covered Entity amend PHI or a record about the individual in a designated record set for as long as the PHI is maintained in the designated record set.

1. Do you currently have policies and procedures on how to address an individual’s request to amend their PHI? (denial, timely provision of response)

2. Do you have policies and procedures on how to address a physician’s or other health care provider’s request to amend PHI?

Implementation Specification: Actions on notices of amendment

45 C.F.R. §164.526(e)

A Covered Entity that is informed by another Covered Entity of an amendment to an individual’s PHI must amend the PHI.

Do you have policies and procedures on how to amend PHI when notified by health care providers, health plans or other Covered Entities?


L. Accounting For Protected Health Information, 45 C.F.R. §164.528


Standard: Accounting of disclosures of PHI

45 C.F.R. §164.528(a)

An individual has a right to receive an accounting of disclosures of PHI made by a Covered Entity. The exceptions are (i) disclosures to carry out treatment, payment and health care operations, (ii) disclosures to individuals who are the subject of the PHI, (iii) facility directories, (iv) national security purposes and (v) correctional institutions or law enforcement purposes.

1. Does your organization have policies and procedures that govern an individual’s request for an accounting of disclosures?

2. Does your organization keep track of PHI disclosures to third parties?

3. Does your organization have policies and procedures that address the response time required to act on requests for an accounting?

Implementation Specification: Documentation

45 C.F.R. §164.526(f)

For a period of 6 years after a request to amend the PHI, a Covered Entity must document the titles of the persons or offices responsible for receiving and processing requests for amendments.

Have you designated an individual who will be responsible for receiving and processing requests for accounting?


M. Administrative Requirements, 45 C.F.R. §164.530


Standard: Designation of a Privacy Official and Contact Person

45 C.F.R. §164.530(a)

A Covered Entity is required to designate: (1) a privacy official, responsible for the implementation and development of the Covered Entity’s privacy policies and procedures, and (2) a contact person or office who is responsible for receiving complaints about privacy violations and who is able to provide further information about matters in the privacy notice.

1. Have you identified the individual to serve as your privacy official?

• If no, do you plan to use someone internally, hire outside, or outsource?

2. Is your privacy official your compliance officer?

• If yes, then will this individual be able to serve in both positions?

3. Who does your privacy official report to?

4. Do you have a HIPAA team or committee to help your privacy official educate, implement and monitor your privacy policies and procedures?

5. Have you established an internal complaint system for individuals to complain about or report privacy violations?

6. Have you designated a contact person or office for people to complain to?

7. How will these individuals be selected and trained?


Standard: Safeguards

45 C.F.R. §164.530(c)

A Covered Entity must establish appropriate administrative, technical, and physical safeguards to protect the privacy of PHI.

1. Has your entity established administrative safeguards to protect the privacy of health information?

2. Has your entity established any policies or procedures to protect privacy? How are they monitored? Are they actually implemented?

3. How is the privacy of health information protected physically? See physical security report.

Standard: Sanctions

45 C.F.R. §164.530(e)

A Covered Entity must establish and apply appropriate sanctions against members of its workforce who fail to comply with the privacy policies and procedures of the Covered Entity, except for disclosures by whistleblowers and workforce member crime victims.

1. Does your entity currently have a disciplinary policy regarding the wrongful disclosure of patient information?

2. Do you know anyone who has violated a patient’s privacy by disclosing patient health information (i.e., looked up records on someone, told a friend about a patient’s condition)? Has that person been disciplined?

3. Who will be responsible for determining appropriate sanctions for a wrongful act?

Standard: Mitigation of Violations

45 C.F.R. §164.530(f)

A Covered Entity must mitigate, to the extent practicable, any harmful effect that is known to the Covered Entity of a violation of its privacy policies and procedures.

Does your organization have a process in place to handle mitigation efforts required to offset or mitigate any harmful effects of the improper use and disclosure of PHI?


Standard: Refraining from Intimidating or Retaliating Acts

45 C.F.R. §164.530(g)

A Covered Entity may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any individual for (1) exercising their individual rights under these regulations, (2) filing a complaint with the entity or the Secretary of DHHS, or (3) testifying, assisting, or participating in an investigation, compliance review or proceeding, or opposing any act or practice that he or she reasonably believes is unlawful under these regulations.

1. Have you ever had a whistleblower incident in your entity? If so, how was it handled?

2. Are there policies forbidding retaliation against whistleblowers?

3. Do you have an anonymous hotline to report problems in your entity (harassment, fraud and abuse, etc.)? Is it used regularly? Who handles the reports?

4. Do you have policies regarding the right of an individual (member of your workforce or otherwise) to report problems (i.e., talk to a designated person within the entity before seeking outside assistance)? If so, are the policies actually implemented?

5. Who will be responsible for dealing with complaints and investigations regarding privacy? Is this individual a trustworthy person who would not retaliate or discriminate?

6. Will the prohibition of retaliation be emphasized in your privacy training and in your privacy policies?

7. How and where will this requirement be documented?


Standard: Prohibition on waiver of rights to file complaints with HHS

45 C.F.R. §164.530(h)

A Covered Entity may not require individuals to waive their rights to file a complaint with the Secretary of HHS, under §160.306 of this subchapter, as a condition of the provision of treatment, payment, enrollment in a health plan, or eligibility for benefits.

1. Does your organization have policies and procedures in place that govern complaints by individuals to the HHS?

2. Does your organization’s notice of privacy practices contain information pertaining to an individual’s right to complain to HHS?

Standard: Policies and Procedures

45 C.F.R. §164.530(i)

A Covered Entity must establish and implement policies and procedures with respect to PHI designed to comply with all standards, implementation specifications, and requirements under these regulations, keeping in mind scalability for the size of the entity.

A Covered Entity is required to change its policies and procedures as necessary to comply with changes in the law, and to document such changes. If such changes would affect the entity’s notice of privacy practices, it may revise its notice; however, if the entity did not reserve the right to change its notice, PHI already created and received must be maintained in accordance with the entity’s old policies and procedures.

1. How are policies drafted in your entity? What is your entity’s current process to get a policy approved?

2. Do you follow certain practices that are not in written policy form, but you feel should be?

3. Have you ever received updates about changes in policy (because of revisions or changes in the law)?

4. What form are they received in and how timely are updates received?

5. Do you have legal counsel review all policies before distribution and implementation?

6. Do you date all your policies in order to indicate which version (if more than one) is most current?

7. Do workforce members sign your policies?

8. Where are your policies and procedures kept (i.e., notebook in office, employee manual)?

9. How do you ensure your workforce reads your policies? Are there sanctions prescribed in each policy if a workforce member does not comply?

10. How and where will all your privacy policies and their updates be documented, and who is responsible for doing so?

11. Who will revise your notice of privacy practices and promptly distribute the revised notice?


Gap Analysis Grid

Access refers to the ability or the means necessary to read, write, modify, or communicate data/information or otherwise make use of any system resource.

Access control refers to a method of restricting access to resources, allowing only privileged entities access. Types of access control include, among others, mandatory access control, discretionary access control, time-of-day, and classification.

Act means the Social Security Act.

ANSI stands for the American National Standards Institute.

Authentication refers to the corroboration that an entity is the one claimed.

Business associate:

(1) Except as provided in paragraph (2) of this definition, business associate means, with respect to a Covered Entity, a person who: (i) On behalf of such Covered Entity or of an organized health care arrangement (as defined in §164.501 of this subchapter) in which the Covered Entity participates, but other than in the capacity of a member of the workforce of such Covered Entity or arrangement, performs, or assists in the performance of: (A) A function or activity involving the use or disclosure of individually identifiable health information, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and repricing; or (B) Any other function or activity regulated by this subchapter; or (ii) Provides, other than in the capacity of a member of the workforce of such Covered Entity, legal, actuarial, accounting, consulting, data aggregation (as defined in §164.501 of this subchapter), management, administrative, accreditation, or financial services to or for such Covered Entity, or to or for an organized health care arrangement in which the Covered Entity participates, where the provision of the service involves the disclosure of individually identifiable health information from such Covered Entity or arrangement, or from another business associate of such Covered Entity or arrangement, to the person.

(2) A Covered Entity participating in an organized health care arrangement that performs a function or activity as described by paragraph (1)(i) of this definition for or on behalf of such organized health care arrangement, or that provides a service as described in paragraph (1)(ii) of this definition to or for such organized health care arrangement, does not, simply through the performance of such function or activity or the provision of such service, become a business associate of other Covered Entities participating in such organized health care arrangement.

(3) A Covered Entity may be a business associate of another Covered Entity.

Common control exists if an entity has the power, directly or indirectly, significantly to influence or direct the actions or policies of another entity.

Common ownership exists if an entity or entities possess an ownership or equity interest of 5 percent or more in another entity.

Compliance date means the date by which a Covered Entity must comply with a standard, implementation specification, requirement, or modification adopted under this subchapter.

Contrary, when used to compare a provision of State law to a standard, requirement, or implementation specification adopted under this subchapter, means:

(1) A Covered Entity would find it impossible to comply with both the State and federal requirements; or


(2) The provision of State law stands as an obstacle to the accomplishment and execution of the full purposes and objectives of part C oftitle XI of the Act or section 264 of Pub. L. 104-191, as applicable.

Contingency plan refers to a plan for responding to a system emergency. The plan includes performing backups, preparing critical facilities that can beused to facilitate continuity of operations in the event of an emergency, and recovering from a disaster.

Correctional institution means any penal or correctional facility, jail, reformatory, detention center, work farm, halfway house, or residential communityprogram center operated by, or under contract to, the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe,for the confinement or rehabilitation of persons charged with or convicted of a criminal offense or other persons held in lawful custody. Other personsheld in lawful custody includes juvenile offenders adjudicated delinquent, aliens detained awaiting deportation, persons committed to mentalinstitutions through the criminal justice system, witnesses, or others awaiting charges or trial.

Covered entity:(1) A health plan.(2) A health care clearinghouse.(3) A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter.

Covered functions means those functions of a Covered Entity the performance of which makes the entity a health plan, health care provider, or healthcare clearinghouse.

Data aggregation means, with respect to PHI created or received by a business associate in its capacity as the business associate of a CoveredEntity, the combining of such PHI by the business associate with the PHI received by the business associate in its capacity as a business associate ofanother Covered Entity, to permit data analyses that relate to the health care operations of the respective Covered Entities.

Designated record set means:(1) A group of records maintained by or for a Covered Entity that is: (i) The medical records and billing records about individuals maintained

by or for a covered health care provider; (ii) The enrollment, payment, claims adjudication, and case or medical management record systemsmaintained by or for a health plan; or (iii) Used, in whole or in part, by or for the Covered Entity to make decisions about individuals.

(2) For purposes of this paragraph, the term record means any item, collection, or grouping of information that includes PHI and ismaintained, collected, used, or disseminated by or for a Covered Entity.

Direct treatment relationship means a treatment relationship between an individual and a health care provider that is not an indirect treatmentrelationship.

Disclosure means the release, transfer, provision of access to, or divulging in any other manner of information outside the entity holding the information.

Encryption (or encipherment) refers to transforming confidential plaintext into ciphertext to protect it. An encryption algorithm combines plaintext with other values called keys, or ciphers, so the data becomes unintelligible. Once encrypted, data can be stored or transmitted over unsecured lines. Decrypting data reverses the encryption algorithm process and makes the plaintext available for further processing.

Group health plan (also see definition of health plan in this section) means an employee welfare benefit plan (as defined in section 3(1) of the Employee Retirement Income and Security Act of 1974 (ERISA), 29 U.S.C. 1002(1)), including insured and self-insured plans, to the extent that the plan provides medical care (as defined in section 2791(a)(2) of the Public Health Service Act (PHS Act), 42 U.S.C. 300gg-91(a)(2)), including items and services paid for as medical care, to employees or their dependents directly or through insurance, reimbursement, or otherwise, that:
(1) Has 50 or more participants (as defined in section 3(7) of ERISA, 29 U.S.C. 1002(7)); or
(2) Is administered by an entity other than the employer that established and maintains the plan.

HCFA stands for Health Care Financing Administration within the Department of Health and Human Services.

HHS stands for the Department of Health and Human Services.

Health care means care, services, or supplies related to the health of an individual. Health care includes, but is not limited to, the following:
(1) Preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition, or functional status, of an individual or that affects the structure or function of the body; and
(2) Sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription.

Health care clearinghouse means a public or private entity, including a billing service, repricing company, community health management information system or community health information system, and “value-added” networks and switches, that does either of the following functions:
(1) Processes or facilitates the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction; or
(2) Receives a standard transaction from another entity and processes or facilitates the processing of health information into nonstandard format or nonstandard data content for the receiving entity.

Health care component has the following meaning:
(1) Components of a Covered Entity that perform covered functions are part of the health care component.
(2) Another component of the Covered Entity is part of the entity’s health care component to the extent that: (i) It performs, with respect to a component that performs covered functions, activities that would make such other component a business associate of the component that performs covered functions if the two components were separate legal entities; and (ii) The activities involve the use or disclosure of PHI that such other component creates or receives from or on behalf of the component that performs covered functions.

Health care operations means any of the following activities of the Covered Entity to the extent that the activities are related to covered functions, and any of the following activities of an organized health care arrangement in which the Covered Entity participates:
(1) Conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities; population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination, contacting of health care providers and patients with information about treatment alternatives; and related functions that do not include treatment;
(2) Reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, health plan performance, conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers, training of non-health care professionals, accreditation, certification, licensing, or credentialing activities;

(3) Underwriting, premium rating, and other activities relating to the creation, renewal or replacement of a contract of health insurance or health benefits, and coding, securing, or placing a contract for reinsurance of risk relating to claims for health care (including stop-loss insurance and excess of loss insurance), provided that the requirements of §164.514(g) are met, if applicable;
(4) Conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs;
(5) Business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the entity, including formulary development and administration, development or improvement of methods of payment or coverage policies; and
(6) Business management and general administrative activities of the entity, including, but not limited to: (i) Management activities relating to implementation of and compliance with the requirements of this subchapter; (ii) Customer service, including the provision of data analyses for policy holders, plan sponsors, or other customers, provided that PHI is not disclosed to such policy holder, plan sponsor, or customer; (iii) Resolution of internal grievances; (iv) Due diligence in connection with the sale or transfer of assets to a potential successor in interest, if the potential successor in interest is a Covered Entity or, following completion of the sale or transfer, will become a Covered Entity; and (v) Consistent with the applicable requirements of § 164.514, creating de-identified health information, fundraising for the benefit of the Covered Entity, and marketing for which an individual authorization is not required as described in §164.514(e)(2).

Health Care Provider means a provider of services (as defined in section 1861(u) of the Act, 42 U.S.C. 1395x(u)), a provider of medical or health services (as defined in section 186(s) of the Act, 42 U.S.C. 1395x(s)), and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business.

Health information means any information, whether oral or recorded in any form or medium, that:
(1) Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and
(2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.

Health insurance issuer (as defined in section 2791(b)(2) of the PHS Act, 42 U.S.C. 300gg-91(b)(2) and used in the definition of health plan in this section) means an insurance company, insurance service, or insurance organization (including an HMO) that is licensed to engage in the business of insurance in a State and is subject to State law that regulates insurance. Such term does not include a group health plan.

Health maintenance organization (HMO) (as defined in section 2791(b)(3) of the PHS Act, 42 U.S.C. 300gg-91(b)(3) and used in the definition of health plan in this section) means a federally qualified HMO, an organization recognized as an HMO under State law, or a similar organization regulated for solvency under State law in the same manner and to the same extent as such an HMO.

Health oversight agency means an agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or persons or entities to whom it has granted authority, that is authorized by law to oversee the health care system (whether public or private) or government programs in which health information is necessary to determine eligibility or compliance, or to enforce civil rights laws for which health information is relevant.

Health plan means an individual or group plan that provides, or pays the cost of, medical care (as defined in section 2791(a)(2) of the PHS Act, 42 U.S.C. 300gg-91(a)(2)).
(1) Health plan includes the following, singly or in combination:
(i) A group health plan, as defined in this section.
(ii) A health insurance issuer, as defined in this section.
(iii) An HMO, as defined in this section.
(iv) Part A or Part B of the Medicare program under title XVIII of the Act.
(v) The Medicaid program under title XIX of the Act, 42 U.S.C. 1396, et seq.
(vi) An issuer of a Medicare supplemental policy (as defined in section 1882(g)(1) of the Act, 42 U.S.C. 1395ss(g)(1)).
(vii) An issuer of a long-term care policy, excluding a nursing home fixed-indemnity policy.
(viii) An employee welfare benefit plan or any other arrangement that is established or maintained for the purpose of offering or providing health benefits to the employees of two or more employers.
(ix) The health care program for active military personnel under title 10 of the United States Code.
(x) The veterans health care program under 38 U.S.C. chapter 17.
(xi) The Civilian Health and Medical Program of the Uniformed Services (CHAMPUS) (as defined in 10 U.S.C. 1072(4)).
(xii) The Indian Health Service program under the Indian Health Care Improvement Act, 25 U.S.C. 1601, et seq.
(xiii) The Federal Employees Health Benefits Program under 5 U.S.C. 8902, et seq.
(xiv) An approved State child health plan under title XXI of the Act, providing benefits for child health assistance that meet the requirements of section 2103 of the Act, 42 U.S.C. 1397, et seq.
(xv) The Medicare + Choice program under Part C of title XVIII of the Act, 42 U.S.C. 1395w-21 through 1395w-28.
(xvi) A high risk pool that is a mechanism established under State law to provide health insurance coverage or comparable coverage to eligible individuals.
(xvii) Any other individual or group plan, or combination of individual or group plans, that provides or pays for the cost of medical care (as defined in section 2791(a)(2) of the PHS Act, 42 U.S.C. 300gg-91(a)(2)).
(2) Health plan excludes:
(i) Any policy, plan, or program to the extent that it provides, or pays for the cost of, excepted benefits that are listed in section 2791(c)(1) of the PHS Act, 42 U.S.C. 300gg-91(c)(1); and
(ii) A government-funded program (other than one listed in paragraph (1)(i)-(xvi) of this definition): (A) Whose principal purpose is other than providing, or paying the cost of, health care; or (B) Whose principal activity is: (1) The direct provision of health care to persons; or (2) The making of grants to fund the direct provision of health care to persons.

Hybrid entity means a single legal entity that is a Covered Entity and whose covered functions are not its primary functions.

Implementation specification means specific requirements or instructions for implementing a standard.

Indirect treatment relationship means a relationship between an individual and a health care provider in which:
(1) The health care provider delivers health care to the individual based on the orders of another health care provider; and
(2) The health care provider typically provides services or products, or reports the diagnosis or results associated with the health care, directly to another health care provider, who provides the services or products or reports to the individual.

Individual means the person who is the subject of PHI.

Individually identifiable health information is information that is a subset of health information, including demographic information collected from an individual, and:
(1) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
(2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (i) That identifies the individual; or (ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual.

Inmate means a person incarcerated in or otherwise confined to a correctional institution.

Law enforcement official means an officer or employee of any agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, who is empowered by law to:
(1) Investigate or conduct an official inquiry into a potential violation of law; or
(2) Prosecute or otherwise conduct a criminal, civil, or administrative proceeding arising from an alleged violation of law.

Marketing means to make a communication about a product or service a purpose of which is to encourage recipients of the communication to purchase or use the product or service.
(1) Marketing does not include communications that meet the requirements of paragraph (2) of this definition and that are made by a Covered Entity: (i) For the purpose of describing the entities participating in a health care provider network or health plan network, or for the purpose of describing if and the extent to which a product or service (or payment for such product or service) is provided by a Covered Entity or included in a plan of benefits; or (ii) That are tailored to the circumstances of a particular individual and the communications are: (A) Made by a health care provider to an individual as part of the treatment of the individual, and for the purpose of furthering the treatment of that individual; or (B) Made by a health care provider or health plan to an individual in the course of managing the treatment of that individual, or for the purpose of directing or recommending to that individual alternative treatments, therapies, health care providers, or settings of care.
(2) A communication described in paragraph (1) of this definition is not included in marketing if: (i) The communication is made orally; or (ii) The communication is in writing and the Covered Entity does not receive direct or indirect remuneration from a third party for making the communication.

Modify or modification refers to a change adopted by the Secretary, through regulation, to a standard or an implementation specification.

More stringent means, in the context of a comparison of a provision of State law and a standard, requirement, or implementation specification adopted under subpart E of part 164 of this subchapter, a State law that meets one or more of the following criteria:
(1) With respect to a use or disclosure, the law prohibits or restricts a use or disclosure in circumstances under which such use or disclosure otherwise would be permitted under this subchapter, except if the disclosure is: (i) Required by the Secretary in connection with determining whether a Covered Entity is in compliance with this subchapter; or (ii) To the individual who is the subject of the individually identifiable health information.
(2) With respect to the rights of an individual who is the subject of the individually identifiable health information of access to or amendment of individually identifiable health information, permits greater rights of access or amendment, as applicable; provided that, nothing in this subchapter may be construed to preempt any State law to the extent that it authorizes or prohibits disclosure of PHI about a minor to a parent, guardian, or person acting in loco parentis of such minor.

(3) With respect to information to be provided to an individual who is the subject of the individually identifiable health information about a use, a disclosure, rights, and remedies, provides the greater amount of information.
(4) With respect to the form or substance of an authorization or consent for use or disclosure of individually identifiable health information, provides requirements that narrow the scope or duration, increase the privacy protections afforded (such as by expanding the criteria for), or reduce the coercive effect of the circumstances surrounding the authorization or consent, as applicable.
(5) With respect to record keeping or requirements relating to accounting of disclosures, provides for the retention or reporting of more detailed information or for a longer duration.
(6) With respect to any other matter, provides greater privacy protection for the individual who is the subject of the individually identifiable health information.

Organized health care arrangement means:
(1) A clinically integrated care setting in which individuals typically receive health care from more than one health care provider;
(2) An organized system of health care in which more than one Covered Entity participates, and in which the participating Covered Entities: (i) Hold themselves out to the public as participating in a joint arrangement; and (ii) Participate in joint activities that include at least one of the following: (A) Utilization review, in which health care decisions by participating Covered Entities are reviewed by other participating Covered Entities or by a third party on their behalf; (B) Quality assessment and improvement activities, in which treatment provided by participating Covered Entities is assessed by other participating Covered Entities or by a third party on their behalf, or (C) Payment activities, if the financial risk for delivering health care is shared, in part or in whole, by participating Covered Entities through the joint arrangement and if protected health information created or received by a Covered Entity is reviewed by other participating Covered Entities or by a third party on their behalf for the purpose of administering the sharing of financial risk.
(3) A group health plan and a health insurance issuer or HMO with respect to such group health plan, but only with respect to PHI created or received by such health insurance issuer or HMO that relates to individuals who are or who have been participants or beneficiaries in such group health plan;
(4) A group health plan and one or more other group health plans each of which are maintained by the same plan sponsor; or
(5) The group health plans described in paragraph (4) of this definition and health insurance issuers or HMOs with respect to such group health plans, but only with respect to PHI created or received by such health insurance issuers or HMOs that relates to individuals who are or have been participants or beneficiaries in any of such group health plans.

Password refers to confidential authentication information composed of a string of characters.

Payment means:
(1) The activities undertaken by: (i) A health plan to obtain premiums or to determine or fulfill its responsibility for coverage and provision of benefits under the health plan; or (ii) A covered health care provider or health plan to obtain or provide reimbursement for the provision of health care; and
(2) The activities in paragraph (1) of this definition relate to the individual to whom health care is provided and include, but are not limited to: (i) Determinations of eligibility or coverage (including coordination of benefits or the determination of cost sharing amounts), and adjudication or subrogation of health benefit claims; (ii) Risk adjusting amounts due based on enrollee health status and demographic characteristics; (iii) Billing, claims management, collection activities, obtaining payment under a contract for reinsurance (including stop-loss insurance and excess of loss insurance), and related health care data processing; (iv) Review of health care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges; (v) Utilization review activities, including precertification and preauthorization of services, concurrent and retrospective review of services; and (vi) Disclosure to consumer reporting agencies of any of the following PHI relating to collection of premiums or reimbursement: (A) Name and address; (B) Date of birth; (C) Social security number; (D) Payment history; (E) Account number; and (F) Name and address of the health care provider and/or health plan.

Plan administration functions means administration functions performed by the plan sponsor of a group health plan on behalf of the group health plan and excludes functions performed by the plan sponsor in connection with any other benefit or benefit plan of the plan sponsor.

Plan sponsor is defined as defined at section 3(16)(B) of ERISA, 29 U.S.C. 1002(16)(B).

Protected health information (PHI) means individually identifiable health information:
(1) Except as provided in paragraph (2) of this definition, that is: (i) Transmitted by electronic media; (ii) Maintained in any medium described in the definition of electronic media at § 162.103 of this subchapter; or (iii) Transmitted or maintained in any other form or medium.
(2) Protected health information excludes individually identifiable health information in: (i) Education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g; and (ii) Records described at 20 U.S.C. 1232g(a)(4)(B)(iv).

Psychotherapy notes means notes recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the individual’s medical record. Psychotherapy notes excludes medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date.

Public health authority means an agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or persons or entities to whom it has granted authority, that is responsible for public health matters as part of its official mandate.

Relates to the privacy of individually identifiable health information means, with respect to a State law, that the State law has the specific purpose of protecting the privacy of health information or affects the privacy of health information in a direct, clear, and substantial way.

Required by law means a mandate contained in law that compels a Covered Entity to make a use or disclosure of PHI and that is enforceable in a court of law. Required by law includes, but is not limited to, court orders and court-ordered warrants; subpoenas or summons issued by a court, grand jury, a governmental or tribal inspector general, or an administrative body authorized to require the production of information, a civil or an authorized investigative demand; Medicare conditions of participation with respect to health care providers participating in the program; and statutes or regulations that require the production of information, including statutes or regulations that require such information if payment is sought under a government program providing public benefits.

Research means a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.

Role-based access control (RBAC) is an alternative to traditional access control models (e.g., discretionary or non-discretionary access control policies) that permits the specification and enforcement of enterprise-specific security policies in a way that maps more naturally to an organization's structure and business activities. With RBAC, rather than attempting to map an organization's security policy to a relatively low-level set of technical controls (typically, access control lists), each user is assigned to one or more predefined roles, each of which has been assigned the various privileges needed to perform that role.
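An added illustration of the RBAC model in this definition, not part of the Laidlaw questionnaire: roles are predefined with privileges over PHI record categories drawn from this glossary, users are assigned roles, access is denied by default, and `effective_acl` expands the policy into the per-user ACL view that RBAC spares administrators from maintaining by hand. The role names, record categories and privilege assignments are constructed assumptions for the demo.

```python
"""Role-based access control (RBAC) over PHI record categories.

Constructed demo for the glossary's RBAC entry. Role names, record
categories and the privileges given to each role are assumptions, not
policy taken from the questionnaire.
"""
from typing import Dict, Set, Tuple

# A privilege is an (action, record_category) pair, e.g. ("read", "billing_records").
Privilege = Tuple[str, str]


class RBAC:
    """Users are assigned roles; roles hold privileges. Access is deny-by-default."""

    def __init__(self) -> None:
        self._role_privs: Dict[str, Set[Privilege]] = {}
        self._user_roles: Dict[str, Set[str]] = {}

    def define_role(self, role: str, privileges: Set[Privilege]) -> None:
        """Create (or replace) a predefined role with the privileges it needs."""
        self._role_privs[role] = set(privileges)

    def grant_to_role(self, role: str, privilege: Privilege) -> None:
        """Change the policy once; every user holding the role picks it up."""
        self._role_privs[role].add(privilege)

    def assign(self, user: str, role: str) -> None:
        """Assign a user to a role; only predefined roles may be used."""
        if role not in self._role_privs:
            raise KeyError(f"undefined role: {role!r}")
        self._user_roles.setdefault(user, set()).add(role)

    def revoke(self, user: str, role: str) -> None:
        """Remove a role from a user; the user keeps any other roles."""
        self._user_roles.get(user, set()).discard(role)

    def is_allowed(self, user: str, action: str, category: str) -> bool:
        """Deny unless some role held by the user carries the exact privilege.
        Unknown users hold no roles and therefore fall through to False."""
        return any(
            (action, category) in self._role_privs[role]
            for role in self._user_roles.get(user, set())
        )

    def effective_acl(self) -> Dict[str, Set[Privilege]]:
        """Expand the role policy into per-user entries: the low-level
        access-control-list view that RBAC keeps out of day-to-day administration."""
        return {
            user: set().union(*(self._role_privs[r] for r in roles))
            for user, roles in self._user_roles.items()
        }


def build_demo() -> RBAC:
    """Constructed policy using record categories named in this glossary."""
    rbac = RBAC()
    # Treating providers work in the medical record but not in psychotherapy
    # notes, which the glossary describes as kept separate from the rest of it.
    rbac.define_role("treating_provider", {
        ("read", "medical_records"), ("write", "medical_records"),
    })
    rbac.define_role("mental_health_professional", {
        ("read", "medical_records"), ("write", "medical_records"),
        ("read", "psychotherapy_notes"), ("write", "psychotherapy_notes"),
    })
    # Payment activities (billing, claims, collections) need billing data only.
    rbac.define_role("billing_clerk", {
        ("read", "billing_records"), ("write", "billing_records"),
    })
    # Compliance auditing (a health care operation) gets read-only review access.
    rbac.define_role("compliance_auditor", {
        ("read", "medical_records"), ("read", "billing_records"),
    })
    # Constructed workforce members.
    rbac.assign("dr_alice", "treating_provider")
    rbac.assign("dr_bob", "mental_health_professional")
    rbac.assign("carol", "billing_clerk")
    rbac.assign("dave", "compliance_auditor")
    return rbac


if __name__ == "__main__":
    policy = build_demo()
    print(policy.is_allowed("dr_alice", "read", "psychotherapy_notes"))  # False
    print(policy.is_allowed("carol", "read", "billing_records"))          # True
    # Extending the role updates every holder's effective access at once.
    policy.grant_to_role("billing_clerk", ("read", "payment_history"))
    print(policy.is_allowed("carol", "read", "payment_history"))          # True
    print(policy.effective_acl()["dave"])
```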

Secretary means the Secretary of Health and Human Services or any other officer or employee of HHS to whom the authority involved has been delegated.

Small health plan means a health plan with annual receipts of $5 million or less.

Standard means a rule, condition, or requirement:
(1) Describing the following information for products, systems, services or practices: (i) Classification of components; (ii) Specification of materials, performance, or operations; or (iii) Delineation of procedures; or
(2) With respect to the privacy of individually identifiable health information.

Standard setting organization (SSO) means an organization accredited by the American National Standards Institute that develops and maintains standards for information transactions or data elements, or any other standard that is necessary for, or will facilitate the implementation of, this part.

State refers to one of the following:
(1) For a health plan established or regulated by Federal law, State has the meaning set forth in the applicable section of the United States Code for such health plan.
(2) For all other purposes, State means any of the several States, the District of Columbia, the Commonwealth of Puerto Rico, the Virgin Islands, and Guam.

State law means a constitution, statute, regulation, rule, common law, or other State action having the force and effect of law.

Summary health information means information, that may be individually identifiable health information, and:
(1) That summarizes the claims history, claims expenses, or type of claims experienced by individuals for whom a plan sponsor has provided health benefits under a group health plan; and
(2) From which the information described at § 164.514(b)(2)(i) has been deleted, except that the geographic information described in § 164.514(b)(2)(i)(B) need only be aggregated to the level of a five digit zip code.

Token refers to a physical item necessary for user identification when used in the context of authentication. For example, an electronic device that can be inserted in a door or a computer system to obtain access.

Trading partner agreement means an agreement related to the exchange of information in electronic transactions, whether the agreement is distinct or part of a larger agreement, between each party to the agreement. (For example, a trading partner agreement may specify, among other things, the duties and responsibilities of each party to the agreement in conducting a standard transaction.)

Transaction means the transmission of information between two parties to carry out financial or administrative activities related to health care. It includes the following types of information transmissions:
(1) Health care claims or equivalent encounter information.
(2) Health care payment and remittance advice.
(3) Coordination of benefits.
(4) Health care claim status.
(5) Enrollment and disenrollment in a health plan.
(6) Eligibility for a health plan.
(7) Health plan premium payments.
(8) Referral certification and authorization.
(9) First report of injury.
(10) Health claims attachments.
(11) Other transactions that the Secretary may prescribe by regulation.

Treatment means the provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another.

Use means, with respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information.

User-based access refers to a security mechanism used to grant users of a system access based upon the identity of the user.

Workforce means employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a Covered Entity, is under the direct control of such entity, whether or not they are paid by the Covered Entity.