HIPAA 202: Privacy

An Introduction to the HIPAA Privacy
Regulations
©2001 FCG Proprietary and Confidential
Today’s Agenda
 HIPAA Overview
 Privacy Introduction
 Privacy Standards
• Usage and Disclosure
• Notice of Privacy Practices
• Patient Rights
• Administrative Requirements
 Summary
Presentation Objectives
At the end of this presentation, you should:
 Understand the intent of the Privacy standards and their
impact on the organization
 Understand the “reasonable” application of them in your
organization
 Be able to determine your own organizational strategies
and next steps for tackling HIPAA Privacy
Privacy Introduction
Key Definitions
Applicability of Privacy Rule
Intent of Privacy Rule
Approach to Privacy Rule
Key Elements of Privacy Rule
Key Definitions Protected Health Information
Individually Identifiable Health Information (IIHI) is that
information which:
 Is created or received by a health care provider, health
plan, employer or health care clearinghouse
 Relates to the past, present or future health of an
individual, or the past, present or future payment for the
provision of health care to an individual
 Identifies an individual either outright, or could be used
to identify an individual
Key Definitions Protected Health Information (cont.)
Protected Health Information (PHI) is IIHI which:
 Is transmitted or is maintained electronically or in any
other form or medium
• Explicitly includes Internet, leased line, dial-up line and
private network transmission
• Includes person to person telephone calls, video
conferencing and voicemail
• Includes information which is stored on paper, read from a
computer screen or discussed orally
 Under the Proposed Rule, employment records held by an
entity in its role of employer of the individual would not
be PHI
Key Definitions
 Business Associate –
a person, other than a member of the covered entity’s
workforce, or organization who performs or assists in the
performance of a function or activity on behalf of a
covered entity that involves the use or disclosure of
individually identifiable health information
 Trading Partner –
a party with whom standard transactions are exchanged
electronically (plans, clearinghouses, banks, employers)
Key Definitions (cont.)
 Workforce –
employees, volunteers, trainees, and other persons under
the direct control of a covered entity, including persons
providing labor on an unpaid basis
 Transaction –
the transmission of information between two parties to
perform financial or administrative activities related to
health care
Applicability - Covered Entities
 The standards in the regulation apply to health plans,
health care clearinghouses, and to any health care
provider who transmits health information in electronic
form in connection with transactions referred to in section
1173 (a)(1) of the Act
Intent of Privacy Rule
The Privacy Rule seeks to:
 Protect and enhance the rights of consumers by providing
them access to their health information and controlling
inappropriate use of that information
 Improve the quality of health care in the U.S. by restoring
trust in the health care system
 Improve the efficiency and effectiveness of health care
delivery by creating a national framework for health
privacy
Approach to Privacy Rule
In developing the Privacy Rule, DHHS:
 Sought to balance the interests of multiple industry
constituents – including those of patients
 Created a mandatory floor that organizations may exceed
 Left state laws in force that are more stringent
 Delegated responsibility to the DHHS’s Office of Civil
Rights (OCR) for enforcement
 Projected that the extensive costs for implementing the
privacy requirements would be offset by the savings
anticipated in implementing the transaction standards
Key Elements of Privacy Rule
The Privacy Rule:
 Gives consumers greater access to, and control over, their
health information
 Allows health information to be used and shared for
treatment, payment and health care operations (TPO)
without patient consent (proposed rule)
 Requires patient authorization for use and disclosure of
health information for purposes other than TPO, with
specific exceptions
 Requires organizations to maintain safeguards for
protecting the confidentiality and integrity of health
information and protect against unauthorized access of
this information (security standards)
Guidance on Government Access
 The only new authority the Privacy Rule provides for
government is in its enforcement of the rule itself
 The OCR has the right to receive enough information to
investigate complaints and ensure compliance
 The Guidance also confirms that the Rule does not
require covered entities to send medical information to
the government for a database or similar reason
 Police and other law enforcement access to PHI is not
expanded by the Privacy Rule. Access will be more limited
than provided currently; for example, DNA will not be
given to law enforcement without a warrant, and entities
must get permission from victims of domestic abuse
before disclosing their information
Privacy Standards
Use and Disclosure (164.502 - 164.514)
Notice of Privacy Rights (164.520)
Patient Rights (164.522 - 164.528)
Administrative Requirements (164.530)
Organizational Issues
Organizational Requirements
164.504 (a) Affiliated covered entities
 Legally separate covered entities who are affiliated may
designate themselves as a single covered entity if all of
the covered entities designated are under common
ownership or control
164.504 (b) Business associate contracts
 A covered entity may use a business associate to provide
services on its behalf
Organizational Requirements
164.504 (b) Business associate contracts
 A contract between the covered entity and a business
associate must:
• Establish the permitted and required uses and disclosures
of PHI by the business associate
• The contract may permit the business associate to provide
data aggregation services relating to the health care
operations of the covered entity
• The contract may permit the business associate to use and
disclose PHI for the proper management and administration
of the business associate functions
Guidance on Business Associates
 PHI may be disclosed to business associates only to help
providers and plans complete their health care functions
 Members of a provider, health plan, or other covered entity’s
workforce are not considered business associates
 Covered entities who exchange PHI for treatment purposes are
not considered business associates, such as physicians who
disclose information to hospitals where they have admitting
privileges
 The Privacy Rule doesn’t “pass through” its requirements to
business associates; it has no authority to do so
 Covered entities are not liable for privacy violations of business
associates, but if they become aware of a “pattern or practice”
that is a material breach of the business associate’s contract,
they must take “reasonable steps” to correct the problem
Use and Disclosure of PHI
Authorization Required:
Authorizations
164.508 (a) Authorization for Uses and Disclosures
 Authorization general rule: A covered entity may not use
or disclose PHI without a valid authorization except:
• to the patient himself/herself
• for purposes of treatment
• payment or health care operations (TPO); OR
• for other purposes specifically addressed in the Privacy Rule
 The Privacy Rule allows “payment” to include disclosures
to consumer reporting agencies
• These are limited to basic non-health information, such as
name, SSN, date of birth, and payment history
• Covered entities may use collection agencies through a
business associate agreement
Authorization Required:
Valid Authorizations
164.508 (b) General Requirements
 Valid authorizations
• A valid authorization is a document that contains specified
core elements
• A valid authorization may contain elements or information in
addition to the core, provided that such additional elements
or information are not inconsistent with the core elements
Authorization Required:
Invalid Authorizations
164.508 (b) General Requirements
 Invalid authorizations
• An authorization is not valid, if the document submitted has
any of the following defects:
 The expiration date has passed, or the expiration event is
known by the covered entity to have occurred
 The authorization has not been filled out completely
 The authorization is known by the covered entity to have been
revoked
 The authorization lacks a required core element
 Any material information in the authorization is known by the
covered entity to be false
Authorization Required:
General Requirements
164.508 (b) General Requirements
 Compound authorizations:
an authorization for use or disclosure of protected health
information may not be combined with any other document to
create a compound authorization
 Prohibition on conditioning of authorization:
a covered entity may not condition the provision to an individual of
treatment, payment, enrollment in the health plan, or eligibility for
benefits on the provision of an authorization
 Revocation of authorizations:
an individual may revoke an authorization at any time, provided the
revocation is in writing
 Documentation:
a covered entity must document and retain any signed authorization
Authorization Required:
Core Elements and Requirements
164.508 (c) Core Elements and Requirements
 A valid authorization must contain the following core
elements:
• A description of the information to be used or disclosed
• The name of the requesting person(s)
• The name of the person(s) to whom the covered entity may
make the requested use or disclosure available
• An expiration date
• A statement of the individual's right to revoke the
authorization
Authorization Required: Core
Elements and Requirements (cont.)
164.508 (c) Core Elements and Requirements
 A valid authorization must also contain the following core
elements:
• A statement that information used or disclosed pursuant to
the authorization may be subject to re-disclosure by the
recipient and no longer be protected by this rule
• Signature of the individual and date
• If the authorization is signed by a personal representative
of the individual, a description of such representative's
authority to act for the individual
• Must be written in plain language
Authorization Required:
Internal Use by Covered Entity
164.508 (d) Authorization Requested by a Covered Entity for
its Own Uses and Disclosures
 If an authorization is requested by a covered entity for its
own use or disclosure of PHI that it maintains, the
authorization must contain the following elements:
• A statement that the covered entity will not condition
treatment, payment, enrollment in the health plan, or
eligibility for benefits on the individual's providing
authorization for the requested use or disclosure
• A description of each purpose of the requested use or
disclosure
Authorization Required: Internal
Use by Covered Entity (cont.)
164.508 (d) Authorization Requested by a Covered Entity for
its Own Uses and Disclosures
 The authorization must also contain a statement that the
individual may:
• Inspect or copy the PHI to be used or disclosed
• Refuse to sign the authorization
 The covered entity must provide the individual with:
• A copy of the signed authorization
• Disclosure of whether or not use or disclosure of the PHI to
a third party may result in direct or indirect remuneration to
the covered entity
Authorization Required:
Disclosure to Others
164.508 (e) Authorizations Requested by a Covered Entity
for Disclosures by Others
 If an authorization is requested by a covered entity for
another covered entity to disclose PHI, the authorization
must contain the following elements:
• A description of each purpose of the requested disclosure
• A statement that the covered entity will not condition
treatment, payment, enrollment in the health plan, or
eligibility for benefits on the individual's providing
authorization for the requested use or disclosure
• A statement that the individual may refuse to sign the
authorization
 A covered entity must provide the individual with a copy
of the signed authorization
Agree or Object Opportunity
Required: Facility Directories
164.510 (a) Facility directories
 A covered entity may use or disclose PHI without the
written consent or authorization of the individual to
maintain a directory of patients in its facility
• Provided that the individual is informed in advance of the
use or disclosure and has the opportunity to agree to,
prohibit or restrict the disclosure
• The covered entity may inform the individual orally and
obtain the individual's oral agreement
Agree or Object Required:
Exceptions
164.512 (a) Required by law
164.512 (b) Public health activities
164.512 (c) Disclosures about victims of abuse, neglect or
domestic violence
164.512 (d) Health oversight activities
164.512 (e) Judicial and administrative proceedings
164.512 (f) Law enforcement purposes
164.512 (g) Decedents
164.512 (h) Cadaveric organ, eye or tissue donation purposes
164.512 (i) Research purposes
164.512 (j) Aversion of a serious threat to health or safety
164.512 (k) Specialized government functions
164.512 (l) Workers' compensation
Agree or Object Required:
Exceptions (cont.)
164.510 (b) Involvement in the Individual’s Care and
Notification Purposes
 Disclosure of PHI by a covered entity to persons involved
with the individual's care or payment is permitted in
certain circumstances
• When individual is present:
 Agreement must be obtained, or an opportunity to object must
be offered
 Professional judgment that is in the best interest of the patient
should be exercised
• When individual is not present:
 Emergency situations, including disaster relief efforts
 Professional judgment that is in the best interest of the patient
should be exercised
Guidance on Parents and Minors
 A parent or guardian of a minor is considered the
“personal representative” of his or her minor child, and
has the right to see the child’s PHI except in the
following cases:
• If a minor consents to services where parental consent is
not required by state or other law
• When a parent agrees to a confidential relationship
between the child and the physician
• If a covered entity believes the child is an abuse or
neglect victim, or may be endangered by the parent or
guardian
 The Proposed Rule modifies the Current Rule by
clarifying that state law governs disclosures in which a
provider has discretion to determine whether a
disclosure should be made to a parent
De-identification of PHI
164.514 (a) De-identified health information
 Health information for which there is no reasonable basis
to believe that the information can be used to identify an
individual
 The covered entity does not have actual knowledge that
the information could be used alone or in combination
with other information to identify an individual who is a
subject of the information
164.514 (b) Re-identification
 A covered entity may assign a code or other means of
record identification to allow de-identified information to
be re-identified by the covered entity
De-identification of PHI
 Records can be de-identified by removing 19 elements
outlined in the Rule, such as name, address, phone
number, social security number, etc.
 Under the Proposed Rule, DHHS requests comments on a
possible alternative approach to de-identification that
would allow the use and disclosure of a limited data set
that would include certain identifiers to be used for
research, public health and health care operations
Verification Requirements
164.514 (h) Verification requirements
 Prior to any disclosure, a covered entity must verify the
identity and authority of any person requesting PHI, if the
identity and/or authority are unknown
Minimum Necessary
 Covered entities must make all reasonable efforts to limit
a use or disclosure to the “minimum (amount of PHI)
necessary to accomplish the intended purpose of the use,
disclosure or request”
 Exceptions to the standard:
• Disclosures to or requests by a provider for treatment
• Disclosures made to the individual
• Disclosures authorized by the individual
• Required disclosures to DHHS and required by law
• Disclosures to comply with the Privacy Rule
Minimum Necessary (cont.)
 Must identify persons in the workforce who need access
to PHI to carry out their duties, and for each such person
or class
• Identify the category or categories of PHI to which access
is needed
• Identify any conditions appropriate to such access
 The covered entity may rely on a requested disclosure
as the minimum necessary from another covered entity,
professional member of its workforce, or a business
associate
Minimum Necessary (cont.)
 Policies and procedures are needed to define minimum
necessary for routine disclosures
 Criteria must be developed to limit the non-routine
disclosure of PHI to the information reasonably necessary
to accomplish the purpose for which it is sought and must
review requests for disclosure on an individual basis in
accordance with such criteria
 The Guidance clarifies that the standard is a
“reasonableness” standard, not a strict one – which
enables a best practices approach consistent with existing
professional standards
Proposed Rule: Minimum Necessary
 The scope of permitted uses and disclosures would be
amended to include incidental disclosures, with certain
conditions
 The term “reasonably ensure” will be deleted from the
language of the implementation guidelines to clarify that
DHHS desires the minimum necessary standard to be
flexible and not imply that an “absolute strict standard”
applies
 Uses and disclosures made pursuant to any authorization
would be added to the list of uses and disclosures
excepted from the minimum necessary standard
Marketing
 Marketing is defined as a communication about a product
or service, a purpose of which is to encourage recipients
of the communication to purchase or use the product or
service. This definition does not limit the type or means
of communication that are considered marketing
 Exceptions to this definition include:
• Describing participating providers or plans in a network or
the services or benefits they provide
• Using the communication to provide, manage, or further
patient treatment
Marketing (cont.)
 If a communication is considered marketing, PHI may be
used or disclosed only in these cases:
• During a face-to-face encounter
• Concerning products or services of nominal value
• Concerning the health related products and services of the
covered entity
• When individuals have been told why they are being targeted
• They are marketing-related disclosures made to business
associates only to support the covered entity’s marketing
activities
 The exceptions above do not apply if the covered entity is
compensated by a third party
 In all other instances, a covered entity may not use or
disclose PHI without an authorization
Proposed Rule: Marketing
 Under the current rule, individuals must “opt-out” in order to
not receive marketing communications
 Under the Proposed Rule, individuals must “opt-in” to receive
further communications about health products or services
 If the covered entity expects to be remunerated for
marketing, the authorization must disclose that fact
 The definition of marketing would be revised so that a
determination of whether a communication is marketing
would turn on the effect of the communication rather than the
intent of the person making the communication
 Health care communications such as disease management,
prescription refill reminders and appointment notifications are
exempt from the definition of marketing
Fundraising
 Fundraising on behalf of a covered entity is a health care
operation
 A covered entity may use or disclose to a business
associate or to an institutionally related foundation
certain PHI for the purpose of raising funds for its own
benefit, without an authorization (name, address, phone
number, date of episode)
 Fundraising materials must explain how the individual
may opt-out of any further fundraising communications,
and covered entities must honor those requests
Notice of Privacy Practices
Notice of Privacy Practices
164.520 (a) Notice of Privacy Practices
 Right to Notice
• An individual has the right to have adequate notice of uses
and disclosures of PHI
• Covered entity’s legal duties with respect to protected
health information
 Exception for Inmates
• The requirements of this section do not apply to
correctional institutions
• An inmate does not have the right to notice under this
section
Notice of Privacy Practices
164.520 (b) Content of Notice
 Must provide written notice in plain language that
contains:
• Header: “This notice describes how medical information
about you may be used and disclosed and how you can get
access to this information. Please review it carefully.”
• Uses and disclosures (i.e., treatment, third-party audits and
special studies)
• Separate statements for certain uses or disclosures
• Individual’s rights
• Covered entity’s duties
Notice of Privacy Practices (cont.)
164.520 (b) Content of Notice
 Optional requirement to elect to limit the uses or
disclosures
• May describe its more limited uses or disclosures in its
notice
 Revisions to the notice
• Must promptly revise and distribute notice whenever there
is a material change to the uses and disclosures
Notice of Privacy Practices
 Right to notice must be made available upon request
 Covered entities must:
• Provide notice no later than the date of the first service
delivery
• Provide notice as soon as reasonably practical in an emergency
• Have notice available at the physical delivery site
• Post notice in a clear and prominent location
• Make notice available upon revision
 Electronic Notice:
• E-mail notification is probably acceptable
• If covered entity knows the e-mail failed, a paper copy of
notice must be provided
Proposed Rule
 Covered entities must use a “good faith effort to obtain a
written acknowledgement of receipt”
 If an acknowledgment is not obtained, the covered entity
must document its good faith effort and the reason why
the acknowledgment was not obtained
 The covered entity must document compliance with the
Notice requirement by maintaining any written
acknowledgments of receipt of notice and any
documentation regarding unsuccessful good faith efforts
to obtain acknowledgment
Joint Notices of Privacy Practices
 Covered entities who participate in an organized health
care arrangement may comply with provision of notice by
a joint notice provided they:
• Abide by the terms of the notice with respect to PHI created
or received by the covered entity
• Provide notice of revisions
• Must describe the covered entities to which the joint notice
applies
Patient Rights
Access of Individuals to PHI
164.524 (a) Access to Protected Health Information
 Right of access to inspect and obtain a copy of PHI in a
designated record set
 Grounds for denial
 Review of a denial
 Procedure for complaints
164.524 (b) Requests for Access and Timely Action
 Action must be taken on request within 30 days
Access of Individuals to PHI (cont.)
164.524 (c) Provision of Access
 Notify individual of the decision to provide access
 Perform any steps necessary to fulfill the request
 Provide information requested
 Facilitate the process of inspection and copying right of
access to inspect and obtain a copy of PHI in a
designated record set
 Provide access by inspection, copying, or both
 May charge reasonable fees
Access of Individuals to PHI (cont.)
164.524 (d) Denial of Access
 Basis of denial
 Procedure for complaints
164.524 (e) Documentation
 Providers must retain documentation of designated
record sets that are subject to access and
 The titles of the persons or offices responsible for
receiving and processing
Amendment of PHI
164.526 (a) Patients Right to Request Amendments to PHI
164.526 (b) Response required within 60 days
164.526 (c) Accepting the amendment – Notify others
164.526 (d) Denying the amendment – Must give reason
and statement of disagreement and complaint
process
164.526 (e) Actions of notices of amendment – make
changes
164.526 (f) Documentation – titles or offices that receive
and process amendments
Accounting of Disclosures of PHI
164.526 (a) Right to request an amendment of PHI
 Applies to PHI in records or a designated record set for
as long as it is maintained in a designated record set
 Request may be denied if the covered entity didn’t
create the PHI, would not be available for inspection or
copying under 164.514, or the PHI is deemed accurate
and complete
164.526 (b) Response required within 60 days – 30 day
written notice for delays required with reason for delay
164.526 (c) If the amendment is accepted, the requested
changes must be made, and others who need to know
about the amendment must be notified
Accounting of Disclosures of PHI
164.528 (d) Denial of the request for amendment
 Plain language written statement of reason for denial
 How a written statement of disagreement can be made
 How to make a complaint to the Secretary of DHHS
164.528 (e) Documentation
 The information required to be in the accounting
 The written accounting
 The titles of persons or offices responsible for receiving
and processing requests for accounting
Administrative
Requirements
Administrative Requirements:
Personnel Issues
164.530 (a) Personnel Designations
 Privacy official
 Must document other personnel designations
164.530 (b) Training
 Must train all members of its workforce on the policies
and procedures with respect to PHI
 Training must take place no later than the compliance
date of the covered entity
 All training must be documented
Administrative Requirements:
Safeguards
164.530 (c) Safeguards
 Administrative: policies and procedures
 Technical: passwords
 Physical safeguards: office locks, access areas
 Must reasonably safeguard PHI from any intentional or
unintentional use or disclosure
Administrative Requirements:
Complaints to Covered Entity
164.530 (d) Complaints to the Covered Entity
 Process for individuals to make complaints
 Document complaints received and their disposition
 Complaint procedure must be in place regarding covered
entity’s policies and procedures
 No private right to action
Administrative Requirements:
Sanctions and Mitigation
164.530 (e) Sanctions
 Must have and apply sanctions against members of its
workforce
 All sanctions that are applied must be documented
164.530 (f) Mitigation
 A covered entity must mitigate to the extent practicable,
any harmful effect known to the covered entity of a use
or disclosure of PHI in violation of its policies and
procedures
Administrative Requirements:
Other Issues
164.530 (g) Refraining From Intimidating or Retaliatory Acts
 A covered entity must not intimidate, threaten, coerce,
discriminate against or take other retaliatory action against:
• Individuals for the exercise by the individual of any right
under or for participation by the individual
• Individuals and others for filing a complaint, testifying,
assisting or participating in an investigation or compliance
review
164.530 (h) Waiver of Rights
 A covered entity may not require individuals to waive their
rights as a condition of the provision of treatment, payment,
enrollment in health plan, or eligibility for benefits
Administrative Requirements:
Policies, Procedures, & Documentation
164.530 (i) Policies and Procedures
 Must implement policies and procedures with respect to
protected health information
 Changes in law must be promptly documented within
covered entity’s policies and procedures
164.530 (j) Documentation
 Maintain the policies and procedures provided for in
written or electronic form
 Must retain copy of the documentation for six years from
the date of its creation or when it was last effective
Summary
Summary
Likely Cost Impacts
The Bottom Line
Questions
Summary
 The biggest areas of impact of HIPAA Privacy on an
organization are expected to be:
• Development and documentation of policies and procedures
• Verifying compliance with policies and procedures
• Designation of a privacy official
• Identifying and contracting with business associates
• Development and distribution of patient notice
• Training workforce members who have access to patient
identifiable information
• Altering the oral communication culture of the organization
Likely Cost Impacts
 Developing policies and procedures
 Updating current policies and software
 Processing and reviewing individual complaints
 Training staff on privacy, policies, and procedures
 Producing notice of privacy practices and authorization
forms
The Bottom Line
 Compliance will be required by April 14, 2003
 Civil monetary and criminal penalties for breach of privacy
• If knowingly providing information
 $50,000 and/or up to 1 year imprisonment
• Under false pretenses
 $100,000 and/or up to 5 years imprisonment
 Delegated responsibility to the DHHS’s Office of Civil
Rights
• Includes responsibility for enforcement
• Comprehensive Enforcement Rule still expected,
encompassing all of the Administrative Simplification
provisions
Questions and Discussion
Resources
Resources
Association for Electronic Health Care Transactions (AFEHCT):
http://www.afehct.org
•Impacts of HIPAA (particularly EDI)
•Security Self-Evaluation Checklist
American Health Information Management Association (AHIMA):
http://www.ahima.org/hipaa.html
•Benchmark information and case studies
•Interim Steps for Getting Started
American Society for Testing and Materials (ASTM):
http://www.astm.org
•Standards guides for security
Center for Healthcare Information Management (CHIM):
http://www.chim.org
•Up-to-date industry perspective on proposed rules and their status
Computer-Based Patient Record Institute (CPRI):
http://www.cpri-host.org
•CPRI Security Toolkit
Department of Health and Human Services HIPAA Administrative
Simplification:
http://aspe.hhs.gov/admnsimp/index.htm
•Latest News on Regulations
•Current proposed and final rules
Electronic Healthcare Network Accreditation Commission (EHNAC):
•Certification Program for HIPAA Compliance (under development)
http://www.ehnac.org
Resources (cont.)
For the Record: Protecting Electronic Health Information (National
Academy Press, 1997) 800-624-6242
http://www.nap.edu
•Full Report
Health Privacy Forum
http://www.healthprivacy.org
•Comparison of Privacy proposed and final rules
•Comparison of state privacy laws
HIMSS: Protecting the Security and Confidentiality of Healthcare
Information (Volume 12, Number 1, Spring 1998)
http://www.himss.org
•Articles
HIPAA Home Page
http://www.hcfa.gov/hipaa/hippahm.htm
HIPAA Transaction Implementation Guides from the Washington
Publishing Company
http://www.wpc-edi.com
Joint Healthcare Information Technology Alliance (JHITA)
http://www.jhita.org
•Summary of Privacy rules
•Upcoming HIPAA conferences
Links to other HIPAA sites
http://www.hcfa.gov/medicare/edi/hipaaedi.htm
Medicare EDI
http://www.hcfa.gov/medicare/edi/edi.htm
Resources (cont.)
National Uniform Billing Committee
http://www.nubc.org
National Uniform Claims Committee
http://www.nucc.org
Washington Publishing Company
http://www.wpc-edi.com/hipaa
•ANSI ASC X12N HIPAA Implementation Guides
Subscribe to email release of HIPAA documents (such as notice of
proposed rule making)
http://www.hcfa.gov/medicare/edi/admnlist.htm
Workgroup for Electronic Data Interchange (WEDI):
http://www.wedi.org
•Details of SNIP effort (Strategic National Implementation Pilot)