the hipaa program reference handbook

EEn

The HIPAA Program Reference Handbook

Back Cover
Copyright Info
CONTRIBUTORS
DEDICATION
TOC
- FOREWORD
- PREFACE
  - THE HIPAA CONFORMANCE CERTIFICATION ORGANIZATION
  - THE VISION
  - THE HCCO MISSION
  - COMMITTEE ORGANIZATION
  - COMMITTEE FOCUS
  - HCCO CCAP Interoperability Testing for HIPAA Compliance
  - HIPAA Test File Programs
  - HCCO Free EDI Testing
  - HCCO HIAA Transaction Certification
  - HCCO Privacy Certification for Business Associates
  - HCCO Security Certification for Vendor Products and Entity Sites
  - HCCO HIPAA Medical Banking Certification Program
  - HCCO Accreditation of Third-Party HIPAA Certifiers
  - HCCO ebXML EDI Interoperability Certification
- ACKNOWLEDGMENTS
- INTRODUCTION
- Part I PROGRAMS AND PROCESSES
  - Chapter 1 THE ROLES AND RESPONSIBILITIES
    - INTRODUCTION
    - SETTING THE RECORD STRAIGHT
    - DEFINING THE ASSET IN QUESTION
    - THE BEGINNING OF ALL THINGS HIPAA
    - THE PRIVACY ROLES: CHIEF PRIVACY OFFICIAL
    - TRAINING REQUIREMENTS
    - TRAINING FOLLOW-THROUGH
    - SAFEGUARDS
    - THE PRIVACY ROLES: PATIENT COMPLAINT OMBUDSMAN
    - THE SECURITY ROLE: THE CHIEF SECURITY OFFICIAL
    - TASKS AND ACTIONS: WHAT THE CSO MUST DO
      - Policy, Process, and Procedure
    - SECURITY MANAGEMENT PROGRAM
      - Step One: Risk Analysis
      - Step Two: Risk Management
    - CONCLUSION
    - BIBLIOGRAPHY
    - GLOSSARY OF DEFINITIONS APPLICABLE TO THE SECURITY FUNCTION IN 45 CFR 164.304:
  - Chapter 2 THE FINAL HIPAA SECURITY RULE IS HERE! NOW WHAT?
    - INTRODUCTION
    - HIPAA ARRIVES ON THE SCENE
    - THE RULE-MAKING PROCESS
    - THE SECURITY OBJECTIVES OF THE FINAL RULE DID NOT CHANGE SUBSTANTIALLY
    - PRIVACY RULE REQUIREMENTS FOR SECURITY
    - THE FINAL HIPAA SECURITY RULE
    - LET'S JUST BE REASONABLE
    - THE SECURITY STANDARDS
    - CHANGES TO THE PROPOSED STANDARDS IN THE FINAL RULE
      - Administrative Safeguards
      - Security Management Process
      - Assigned Security Responsibility
      - Workforce Security
      - Information Access Management
      - Security Awareness and Training
      - Security Incident Procedures
      - Contingency Plan
      - Evaluation
      - Business Associate Contracts and Other Arrangements
      - Physical Safeguards
      - Facility Access Controls
      - Workstation Use
      - Workstation Security
      - Device and Media Controls
      - Technical Safeguards
      - Access Control
      - Audit Controls
      - Integrity (Formerly Data Authentication)
      - Person or Entity Authentication (Combined Authentication Requirements)
      - Transmission Security
      - Documentation and Other Related Standards
    - PRAGMATIC APPROACH
    - RISK, RISK, RISK!
    - CONCLUSION
    - BIBLIOGRAPHY
  - Chapter 3 INCORPORATING HIPAA SECURITY REQUIREMENTS INTO AN ENTERPRISE SECURITY PROGRAM
    - INTRODUCTION
    - MEETING HIPAA SECURITY REQUIREMENTS
    - RISKS OF NONCOMPLIANCE
    - ENTERPRISE SECURITY AND HIPAA
    - THE ROLE OF INDUSTRY STANDARDS
    - A FLEXIBLE APPROACH: GOOD NEWS AND BAD NEWS
    - RISK-BASED SOLUTIONS
    - BUILDING A SECURITY DECISION FRAMEWORK
      - Step 1: Business Requirements Definition
      - Step 2: Business Impact Analysis
      - Step 3: Solution Implementation
      - Step 4: Compliance Monitoring
    - DEPLOYING THE PEOPLE, PROCESSES, AND TECHNOLOGIES
    - MERGING HIPAA INTO YOUR ENTERPRISE SECURITY PROGRAM
    - HIPAA AND A NEW LEVEL OF INFORMATION PROTECTION
    - ACKNOWLEDGMENT
    - NOTE
  - Chapter 4 STEPS TO AN EFFECTIVE DATA CLASSIFICATION PROGRAM
    - INTRODUCTION
    - WHAT IS NEEDED PRIOR TO BEGINNING A DATA CLASSIFICATION PROGRAM?
    - STEP ONE: ASSIGNMENT OF ROLES
    - STEP TWO: ASSIGNMENT OF RESPONSIBILITIES FOR EACH ROLE
      - Department Heads
      - Data Custodians
      - Authorized Requestors
      - Account Managers
    - STEP THREE: DEFINE THE DATA
    - STEP FOUR: FIND AND CLASSIFY DATA
    - STEP FIVE: CREATION OF ACCESS PROFILES USING ROLE- BASED ACCESS
    - STEP SIX: DEVELOPMENT OF A MAINTENANCE PLAN
    - SUMMARY
- Part II STANDARDS AND COMPLIANCE
  - Chapter 5 HIPAA SECURITY AND THE ISO/IEC 17799
    - INTRODUCTION
    - ISO 17799 AND HIPAA
      - ISO/IEC 17799 Standard
      - ISO/IEC 17799 Web Site
      - Approach and Philosophy
      - Security Principles
    - SECURITY POLICY
      - HIPAA Security Policy
        HIPAA Policies and Procedures Standard
        HIPAA Documentation Standard
        Time Limit (Required)
        Availability (Required)
        Updates (Required)
    - SECURITY ORGANIZATION
      - HIPAA Organizational Requirements
        Business Associate Contracts
        Other Arrangements
        Group Health Plan
    - ASSET CLASSIFICATION AND CONTROL
      - HIPAA System Management Process
    - PERSONNEL SECURITY
      - HIPAA Workforce Security
    - PHYSICAL AND ENVIRONMENTAL SECURITY
      - HIPAA Physical Safeguards
    - COMMUNICATIONS AND OPERATIONS MANAGEMENT
      - HIPAA Integrity Controls and Transmission Security
    - ACCESS CONTROL
      - HIPAA Access Controls
    - SYSTEM DEVELOPMENT AND MAINTENANCE
    - BUSINESS CONTINUITY PLANNING
    - HIPAA CONTINGENCY PLAN REQUIREMENTS
    - COMPLIANCE
      - HIPAA Security Core Requirements
      - HIPAA Security Review
      - HIPAA Audit Controls
    - SUMMARY
  - Chapter 6 EXECUTION OF A SELF-DIRECTED RISK ASSESSMENT METHODOLOGY TO ADDRESS HIPAA DATA SECURITY REQUIREMENTS
    - INTRODUCTION
      - Information Security Management Concepts
      - Background on HIPAA Privacy and Security
    - DEVELOPMENT OF A RISK ASSESSMENT METHODOLOGY TO BE USED AS A DECENTRALIZED INFORMATION ASSURANCE DECISION- MAKING TOOL
      - DOD's Health Information Assurance Risk Assessment Methodology
      - Key Characteristics of OCTAVE
    - RESULTS
      - Transitioning the OCTAVE Method to the DOD Healthcare Community
      - Attendees' Evaluation of the OCTAVE Training Seminars
    - CONCLUSION
    - ACKNOWLEDGMENTS
    - REFERENCES
  - Chapter 7 TEN STEPS TO EFFECTIVE WEB-BASED SECURITY POLICY DEVELOPMENT AND DISTRIBUTION
    - INTRODUCTION
    - ENTER THE ELECTRONIC AGE
    - FUNCTIONALITY PROVIDED BY WEB-BASED DEPLOYMENT
    - A PRAGMATIC APPROACH TO SUCCESSFUL E- POLICY DEPLOYMENT
      - Step 1: Issue Request for Proposal
      - Step 2: Establish Security Organization Structure for Policy Review
      - Step 3: Define What Makes a Good Security Policy
      - Step 4: Establish Security Policy Review Process
        A. Policy Need Determined
        B. Create, Modify Existing Policy
        C. Internal Review by Security Department
        D. Security Council Reviews and Recommends Policy
        E. Information Technology Steering Committee Approves Policy
        F. Publish Policy
      - Step 5: Installation and Configuration of Web-Based Policy Distribution Application
        A. How Are the Individual Users Set Up with the Product?
        B. Is E-Mail Supported?
        C. How Easy Is It to Produce Accurate Compliance Reports?
        D. How Do Users Authenticate to the Tool?
      - Step 6: Pilot Test Policy Deployment Tool with Users
      - Step 7: Provide Training on the Tool
      - Step 8: Rollout Policies in Phases
      - Step 9: Monitor Compliance
      - Step 10: Manage Ongoing Process for Policy Violations
    - WHEW... TEN STEPS AND WE ARE DONE, RIGHT?
    - FINAL THOUGHTS
- Part III ECONOMICS, LEGALITY, AND LIABILITY
  - Chapter 8 HIPAA PRIVACY RULES REQUIRE SECURITY COMPLIANCE
    - INTRODUCTION
    - WHAT IS "REASONABLE" UNDER THE PRIVACY RULES?
    - RISK ANALYSIS, RISK MANAGEMENT, AND A SANCTION POLICY ARE THE FOUNDATION OF SECURITY MANAGEMENT
    - VULNERABILITY TESTING IS REQUIRED
    - HOW FREQUENTLY DO I NEED TO PERFORM VULNERABILITY TESTING?
    - IN CONCLUSION
    - REFERENCES
  - Chapter 9 LEGALITIES AND PLANNING: THE STAKE IS IN THE GROUND
    - INTRODUCTION
    - TAKE MY ADVICE AT YOUR OWN RISK
    - HIPAA RULES
    - HIPAA AND DUE DILIGENCE
    - PENALTIES AND LIABILITY
    - WHAT IS COMPLIANCE?
    - PLANNING SECURITY COMPLIANCE?
      - What Can Be Done?
    - CERTIFICATION OF COMPLIANCE
    - OTHER LEGISLATIONÌS POTENTIAL IMPACT
      - Sarbanes Oxley Act (SOX)
      - Corporate Information Security Accountability Act
      - California's SB1386
      - Future
    - CONCLUSION
- Part IV TRANSACTION AND INTERACTIONS
  - Chapter 10 HIPAA FROM THE PATIENT’S POINT OF VIEW
    - INTRODUCTION
    - OVERVIEW OF HIPAA INSURABILITY PROTECTIONS
      - Understand the Various Types of Health Coverage
      - Types of Coverage
      - Eligibility for HIPAA Protections
      - When the Employee Is Hired for a New Job
      - When an Employee Leaves a Job or Otherwise Loses Group Health Plan Coverage
      - Determine the Impact of Any Preexisting Condition
      - Eligibility to Minimize the Length of the Preexisting Condition Exclusion
        Know the State's Law on Coverage
      - Understand Other Coverage Protections
        Special Enrollment Rights to Other Group Coverage
    - OVERVIEW OF HIPAA PRIVACY AND SECURITY RULES
      - The Privacy Rule
      - The Security Rule
      - Electronic Transactions
        1. Patient is registered by the admitting clerk into the hospitalÌs information database.
        2. The admitting clerk prints the most recent health information about the patient on the emergency department printer.
        3. The admitting clerk enters the patient into the hospitalÌs health information system ( HIS) and the emergency department tracking system, which displays his status on secured monitors.
        4. The physician, after examining the patient, orders laboratory testing from the emergency department terminal.
        5. Emergency department software identifies the patient as qualifying for a research study. The research coordinator is notified and arrives in the department to obtain the patientÌs informed consent.
        6. While in the emergency department, hospital accounting contacts the patientÌs insurance company online. The insurance company requests additional information to confirm eligibility.
        7. After the patient has been treated and released, the hospital patient accounting office submits a bill to the patientÌs insurance company.
    - INFORMATICS TECHNOLOGIES IN HEALTHCARE
    - CONCLUSION
    - REFERENCES
  - Chapter 11 INTEROPERABILITY AND BUSINESS CONTINUITY INVOLVING HIPAA EDI TRANSACTIONS
    - INTRODUCTION
    - STRATEGY
    - COMPLIANCE EDIT TESTING
    - CASE STUDIES
    - CONCLUSION
  - Chapter 12 THE ROLE OF DHHS, CMS, OCR, AND OHS
    - INTRODUCTION
    - DEPARTMENT OF HEALTH AND HUMAN SERVICES HAS A LARGE JOB
    - DHHS HIPAA RESPONSIBILITIES
      - Administrative Simplification Rule-Making Process
      - Office of Civil Rights
      - The Privacy Rule Complaint Process
      - Centers for Medicare and Medicaid Services (CMS) Organization
      - CMS and HIPAA
      - CMS Transaction and Code Set Enforcement Approach
      - CMS Office of HIPAA Standards (OHS)
      - CMS Security Standard Approach
      - National Health Information Infrastructure
    - CONCLUSION: DHHS AND THE REST OF US
    - REFERENCES
- Part V SECURITY, PRIVACY, AND CONTINUITY
  - Chapter 13 THE HIPAA SECURITY RISK ANALYSIS
    - INTRODUCTION
    - WHAT IS RISK ANALYSIS?
    - THE "CLASSIC" METHOD OF RISK ANALYSIS
    - RISK ASSESSMENT METHODOLOGY
    - STEPS IN A RISK ASSESSMENT
    - THE VULNERABILITY ASSESSMENT
    - SURVEY QUESTIONS
    - THE TECHNICAL VULNERABILITY ASSESSMENT
    - VULNERABILITY ASSESSMENT RESULTS
    - ENROLLING THE ORGANIZATION IN RISK MANAGEMENT
    - THE COST BENEFIT - ESTABLISHING RETURN-ON-INVESTMENT ( ROI)
    - AUTOMATING THE PROCESS
    - SELECTING AN AUTOMATED RISK ASSESSMENT PACKAGE TO MEET THE RISK ANALYSIS REQUIREMENT OF THE HIPAA FINAL SECURITY RULE
    - RISK ASSESSMENT IS GOOD MANAGEMENT
    - THE FUTURE OF RISK ASSESSMENT
  - Chapter 14 HIPAA SECURITY COMPLIANCE: WHAT IT MEANS FOR DEVELOPERS, VENDORS, AND PURCHASERS
    - INTRODUCTION
    - HIPAA SECURITY RULE: WHAT SOFTWARE DEVELOPERS SHOULD KNOW
      - PHI-Related Software Development
      - Reasonably Anticipated Threat Protection
    - HIPAA SECURITY RULE: HOW VENDORS CAN HELP
      - Impact on System Vendors
      - Scalable Solutions
    - HIPAA SECURITY RULE: MAKING PRODUCT SELECTIONS
    - NOTE
    - BIBLIOGRAPHY
  - Chapter 15 ISSUES AND CONSIDERATIONS FOR BUSINESS CONTINUITY PLANNING UNDER HIPAA
    - INTRODUCTION
    - BCP BEST PRACTICES
    - STEP ONE: INITIATION
    - STEP TWO: BUSINESS IMPACT ANALYSIS
    - STEP THREE: BUSINESS CONTINUITY STRATEGIES
    - STEP FOUR: PLAN CONSTRUCTION
    - STEP FIVE: PLAN EXERCISE AND MAINTENANCE
    - CONCLUSION
- VI APPENDICES
  - Appendix A
    - PART I: A HIPAA GLOSSARY
      - A
        AAHomecare
        Accredited Standards Committee (ASC)
        ACG
        ACH
        ADA
        ADG
        Administrative Code Sets
        Administrative Services Only (ASO)
        Administrative Simplification (A/S)
        AFEHCT
        AHA
        AHIMA
        AMA
        Ambulatory Payment Class (APC)
        Amendment
        Amendments and Corrections
        American Association for Homecare (AAHomecare)
        American Dental Association (ADA)
        American Health Information Management Association (AHIMA)
        American Hospital Association (AHA)
        American Medical Association (AMA)
        American Medical Informatics Association (AMIA)
        American National Standards (ANS)
        American National Standards Institute (ANSI)
        American Society for Testing and Materials (ASTM)
        AMIA
        ANS
        ANSI
        APC
        A/S, A.S., or AS
        ASC
        ASO
        ASPIRE
        Association for Electronic Health Care Transactions (AFEHCT)
        ASTM
        Automated Clearinghouse (ACH)
      - B
        BA
        BBA
        BBRA
        BCBSA
        Biometric Identifier
        Blue Cross and Blue Shield Association (BCBSA)
        BP
        Business Associate (BA)
        Business Model
        Business Partner (BP)
        Business Relationships
      - C
        Cabulance
        CBO
        CDC
        CDT
        CE
        CEFACT
        CEN
        Centers for Disease Control and Prevention (CDC)
        Center for Healthcare Information Management (CHIM)
        CFR or C.F.R.
        Chain of Trust (COT)
        CHAMPUS
        CHIM
        CHIME
        CHIP
        Claim Adjustment Reason Codes
        Claim Attachment
        Claim Medicare Remark Codes
        Claim Status Codes
        Claim Status Category Codes
        Clearinghouse
        CLIA
        Clinical Code Sets
        CM
        COB
        Code Set
        Code Set Maintaining Organization
        College of Healthcare Information Management Executives (CHIME)
        Comment
        Common Control
        Common Ownership
        Compliance Date
        Computer-Based Patient Record Institute (CPRI)ÛHealthcare Open Systems and Trials (HOST)
        Contrary
        Coordination of Benefits (COB)
        CORF
        Correction
        Correctional Institution
        COT
        Covered Entity (CE)
        Covered Function
        CPRI-HOST
        CPT
        Cross-Over
        Cross-Walk
        Current Dental Terminology (CDT)
        Current Procedural Terminology (CPT)
      - D
        Data Aggregation
        Data Condition
        Data Content
        Data Content Committee (DCC)
        Data Council
        Data Dictionary (DD)
        Data Element
        Data Interchange Standards Association (DISA)
        Data Mapping
        Data Model
        Data-Related Concepts
        Data Set
        DCC
        D-Codes
        DD
        DDE
        DeCC
        Dental Content Committee (DeCC)
        Descriptor
        Designated Code Set
        Designated Data Content Committee or Designated DCC
        Designated Record Set
        Designated Standard
        Designated Standard Maintenance Organization (DSMO)
        DHHS
        DICOM
        Digital Imaging and Communications in Medicine (DICOM)
        Direct Data Entry (DDE)
        Direct Treatment Relationship
        DISA
        Disclosure
        Disclosure History
        DME
        DMEPOS
        DMERC
        Draft Standard for Trial Use (DSTU)
        DRG
        DSMO
        DSTU
      - E
        EC
        EDI
        EDIFACT
        EDI Translator
        Effective Date
        EFT
        EHNAC
        EIN
        Electronic Commerce (EC)
        Electronic Data Interchange (EDI)
        Electronic Healthcare Network Accreditation Commission (EHNAC)
        Electronic Media
        Electronic Media Claims (EMC)
        Electronic Remittance Advice (ERA)
        EMC
        EMR
        EOB
        EOMB
        EPSDT
        ERA
        ERISA
        ESRD
      - F
        FAQ(s)
        FDA
        FERPA
        FFS
        FI
        Flat File
        Format
        FR or F.R.
      - G
        GAO
        GLBA
        Group Health Plan
      - H
        HCFA
        HCFA-1450
        HCFA-1500
        HCFA Common Procedural Coding System (HCPCS)
        HCPCS
        Health and Human Services (HHS)
        Health Care
        Health Care Clearinghouse
        Health Care Code Maintenance Committee
        Health Care Component
        Healthcare Financial Management Association (HFMA)
        Health Care Financing Administration (HCFA)
        Healthcare Information Management Systems Society (HIMSS)
        Health Care Operations
        Health Care Provider
        Health Care Provider Taxonomy Committee
        Health Industry Business Communications Council (HIBCC)
        Health Informatics Standards Board (HISB)
        Health Information
        Health Insurance Association of America (HIAA)
        Health Insurance Issuer
        Health Insurance Portability and Accountability Act of 1996 (HIPAA)
        Health Level Seven (HL7)
        Health Maintenance Organization (HMO)
        Health Oversight Agency
        Health Plan
        Health Plan ID
        HEDIC
        HEDIS
        HFMA
        HHA
        HHIC
        HHS
        HIAA
        HIBCC
        HIMSS
        HIPAA
        HIPAA Data Dictionary or HIPAA DD
        HISB
        HL7
        HMO
        HPAG
        HPSA
        Hybrid Entity
      - I
        IAIABC
        ICD & ICD-n-CM & ICD-n-PCS
        ICF
        IDN
        IG
        IHC
        IIHI
        Implementation Guide (IG)
        Implementation Specification
        Indirect Treatment Relationship
        Individual
        Individually Identifiable Health Information (IIHI)
        Information Model
        Inmate
        International Association of Industrial Accident Boards and Commissions (IAIABC)
        International Classification of Diseases (ICD)
        International Organization for Standardization (ISO)
        International Standards Organization
        IOM
        IPA
        IRB
        ISO
      - J
        JCAHO
        J-Codes
        JHITA
        Joint Commission on Accreditation of Healthcare Organizations (JCAHO)
        Joint Healthcare Information Technology Alliance (JHITA)
      - L
        Law Enforcement Official
        Local Code(s)
        Logical Observation Identifiers, Names and Codes (LOINC)
        LOINC
        Loop
        LTC
      - M
        Maintain or Maintenance
        Marketing
        Massachusetts Health Data Consortium (MHDC)
        Maximum Defined Data Set
        MCO
        M+CO
        Medicaid Fiscal Agent (FA)
        Medicaid State Agency
        Medical Code Sets
        Medical Records Institute (MRI)
        Medicare Contractor
        Medicare Durable Medical Equipment Regional Carrier (DMERC)
        Medicare Part A Fiscal Intermediary (FI)
        Medicare Part B Carrier
        Medicare Remittance Advice Remark Codes
        Memorandum of Understanding (MOU)
        MGMA
        MHDC
        MHDI
        Minimum Scope of Disclosure
        Minnesota Health Data Institute (MHDI)
        Modify or Modification
        More Stringent
        MR
        MRI
        MSP
      - N
        NAHDO
        NAIC
        NANDA
        NASMD
        National Association of Health Data Organizations (NAHDO)
        National Association of Insurance Commissioners (NAIC)
        National Association of State Medicaid Directors (NASMD)
        National Center for Health Statistics (NCHS)
        National Committee for Quality Assurance (NCQA)
        National Committee on Vital and Health Statistics (NCVHS)
        National Council for Prescription Drug Programs (NCPDP)
        National Drug Code (NDC)
        National Employer ID
        National Health Information Infrastructure (NHII)
        National Patient ID
        National Payer ID
        National Provider ID (NPI)
        National Provider File (NPF)
        National Provider Registry
        National Provider System (NPS)
        National Standard Format (NSF)
        National Uniform Billing Committee (NUBC)
        National Uniform Claim Committee (NUCC)
        NCHICA
        NCHS
        NCPDP
        NCPDP Batch Standard
        NCPDP Telecommunication Standard
        NCQA
        NCVHS
        NDC
        NHII
        NOC
        NOI
        Nonclinical or Nonmedical Code Sets
        North Carolina Healthcare Information and Communications Alliance (NCHICA)
        Notice of Intent (NOI)
        Notice of Proposed Rulemaking (NPRM)
        NPF
        NPI
        NPRM
        NPS
        NSF
        NUBC
        NUBC EDI TAG
        NUCC
      - O
        OCR
        Office for Civil Rights
        Office of Management and Budget (OMB)
        OIG
        OMB
        Open System Interconnection (OSI)
        Organized Health Care Arrangement
        OSI
      - P
        PAG
        Payer
        PAYERID
        Payment
        PCS
        PHB
        PHI
        PHS
        PL or P. L.
        Plan Administration Functions
        Plan ID
        Plan Sponsor
        Policy Advisory Group (PAG)
        POS
        PPO
        PPS
        PRA
        PRG
        Pricer or Repricer
        PRO
        Protected Health Information (PHI)
        Provider Taxonomy Codes
        Psychotherapy Notes
        Public Health Authority
      - R
        RA
        Regenstrief Institute
        Relates to the Privacy of Individually Identifiable Health Information
        Required by Law
        Research
        RFA
        RVS
      - S
        SC
        SCHIP
        SDO
        Secretary
        Segment
        Self-Insured
        Small Health Plan
        SNF
        SNOMED
        SNIP
        Sponsor
        SOW
        SSN
        SSO
        Standard
        Standard-Setting Organization (SSO)
        Standard Transaction
        Standard Transaction Format Compliance System (STFCS)
        State
        State Law
        State Uniform Billing Committee (SUBC)
        Statement of Work (SOW)
        STFCS
        Strategic National Implementation Process (SNIP)
        Structured Data
        SUBC
        Summary Health Information
        SWG
        Syntax
      - T
        TAG
        TG
        Third-Party Administrator (TPA)
        TPA
        Trading Partner Agreement (TPA)
        Transaction
        Transaction Change Request System
        Translator
        Treatment
      - U
        UB
        UB-82
        UB-92
        UCF
        UCTF
        UHIN
        UN/CEFACT
        UN/EDIFACT
        Uniform Claim Task Force (UCTF)
        United Nations Centre for Facilitation of Procedures and Practices for Administration, Commerce, and Transport (UN/CEFACT)
        United Nations Rules for Electronic Data Interchange for Administration, Commerce, and Transport (UN/EDIFACT)
        UNSM
        Unstructured Data
        UPIN
        UR
        USC or U.S.C
        Use
        Utah Health Information Network (UHIN)
      - V
        Value-Added Network (VAN)
        Virtual Private Network (VPN)
        VPN
      - W
        Washington Publishing Company (WPC)
        WEDI
        WG
        WHO
        Workforce
        Workgroup for Electronic Data Interchange (WEDI)
        World Health Organization (WHO)
        WPC
      - X
        X12
        X12/PRB
        X12 Standard
        XML
    - PART II: CONSOLIDATED HIPAA ADMINISTRATIVE SIMPLIFICATION FINAL RULE DEFINITIONS
      - 45 CFR 160.103 Definitions [from the Final Privacy Rule]
        Business associate:
      - 45 CFR 162.103 Definitions [ from the Final Transactions & Code Sets Rule]
      - 45 CFR 164.504 Uses and Disclosures: Organizational Requirements
    - PART III: PURPOSE AND MAINTENANCE
      - Purpose
      - Maintenance
  - Appendix B
    - HIPAA Security Rule Standards, Implementation Specification, and NIST Resource Guide for Implementing
  - Appendix C POLICY EXAMPLES
    - APPENDIX C.1
      - PURPOSE
      - POLICY
        User Responsibilities
        Prohibited Uses
        Ownership and User Privacy of E-Mail
        Confidentiality of Electronic Mail
        Retention of Electronic Mail
        Provider/Patient Use of E-mail
        Compliance
      - DEFINITIONS
      - REFERENCES/RELATED POLICIES
      - POLICY DEVELOPMENT
      - POLICY APPROVAL
      - REVIEWS
    - APPENDIX C.2
      - PURPOSE
      - POLICY
      - DEFINITIONS
      - REFERENCES/RELATED POLICIES
      - POLICY DEVELOPMENT
      - POLICY APPROVAL
      - REVIEWS
    - APPENDIX C.3
      - PURPOSE
      - POLICY
      - Password Policy
        PURPOSE
        POLICY
    - APPENDIX C.4
      - eHealth Code of Ethics
        Vision Statement
        Introduction
        Definitions
        Responsible Partnering
        Accountability
    - APPENDIX C.5
      - Chain of Trust Agreement
      - 1. CONFIDENTIALITY
      - 2. TERM
      - 3. DISCLOSURES REQUIRED BY LAW
      - 4. STATE AND FEDERAL STATUTE COMPLIANCE
      - 5. POLICY AND PROCEDURE REVIEW
      - 6. REPORT OF IMPROPER DISCLOSURE or SYSTEMS COMPROMISE
      - 7. RETURN OF MATERIALS
      - 8. SUB-CONTRACTORS
      - 9. AGENCY RELATIONSHIP
      - 10. TERMINATION
      - 11. GOVERNMENT ACCESS TO RECORDS
      - 12. ADDITIONAL ACCESS TO INFORMATION
      - 13. INJUNCTIVE RELIEF
      - 14. THIRD PARTY BENEFICIARIES
      - 15. SEVERABILITY
      - 16. CONSTRUCTION OF AGREEMENT
      - 17. HOLD HARMLESS
      - 18. GOVERNMENT HEALTHCARE PROGRAM REPRESENTATIONS
      - 19. ENTIRE AGREEMENT; AMENDMENTS; NO WAIVER
      - 20. AUTHORITY
      - 21. GOVERNING LAW
  - Appendix D GUIDE TO HIPAA SECURITY ASSESSMENT
    - THE SECURITY REQUIREMENTS OF HIPAA
      - Requirements for Security Administration
        SEC.01 Certification .308(a)(1)
        Explanation of HIPAA Regulation
        Key Issues
        Actions required to address these
        Actions highly recommended to address these
        Roadblocks
        Comments
        SEC.02 Chain of Trust Partner Agreement .308(a)(2)
        HIPAA Requirement
        Key Issues
        Roadblocks
        Comments
        SEC.03 Contingency Planning .380 (a)(3)
        HIPAA Requirement
        Key Issues
        Roadblocks
        Comments
        SEC.04 Formal Mechanism for Processing Records .308(a)(4)
        HIPAA Requirement
        Key Issues
        Roadblocks
        Comments
        SEC.05 Information Access and Control .308(a)(5)
        HIPAA Requirement
        Key Issues
        Roadblocks
        Comments
        SEC.06 Internal Audit .308(a)(6)
        HIPAA Requirement
        Key Issues
        Roadblocks
        Comments
        SEC.07 Personnel Security .308(a)(7)
        HIPAA Requirement
        Key Issues
        Roadblocks
        Comments
        SEC.08 Security Configuration Management .308(a)(8)
        HIPAA Requirement
        Explanation of HIPAA Requirement
        Key Issues
        Roadblocks
        Comments
        SEC.09 Security Incident Procedures .308(a)(9)
        HIPAA Requirement
        Key Issues
        Roadblocks
        Comments
        SEC.10 Security Management Process .308(a)(10)
        HIPAA Requirement
        Key Issues
        Roadblocks
        Comments
        SEC.11 Termination Procedures .308(a)(11)
        HIPAA Requirement
        Key Issues
        Roadblocks
        Comments
        SEC.12 Security Training .308(a)(12)
        HIPAA Requirement
        Key Issues
        Roadblocks
        Comments
      - Requirements for Physical Safeguards
        SEC.13 Assigned Security Responsibility .308(b)(1)
        HIPAA Requirement
        Key Issues
        Roadblocks
        SEC.14 Media Controls .308(b)(2)
        HIPAA Requirement
        Key Issues
        Roadblocks
        Comments
        SEC.15 Physical access controls .308(b)(3)
        HIPAA Requirement
        Roadblocks
        SEC.16 Policy/guideline on workstation use .308(b)(4)
        HIPAA Requirement
        Key Issues
        Roadblocks
        Comments
        SEC.17 Secure work station location .308(b)(5)
        HIPAA Requirement
        Key Issues
        Comments
        SEC.18 Security Awareness training .308(b)(6)
        HIPAA Requirement
        Key Issues
        Roadblocks
        Comments
      - Requirements for Technical Security Services and Mechanisms
        SEC.19 Access Control .308©(1)(i)
        HIPAA Requirement
        Key Issues
        Roadblocks
        Comments
        SEC.20 Audit Controls .308©(1)(ii)
        HIPAA Requirement
        Key Issues
        Roadblocks
        Comments
        SEC.21 Authorization Control .308 ©(3)
        HIPAA Requirement
        Roadblocks
        Comments
        SEC.22 Data Authentication .308 ©(4)
        HIPAA Requirement
        Key Issues
        SEC.23 Entity Authentication .308 ©(5)
        HIPAA Requirement
        Key Issues
        Comments
        SEC.24 Communications/network controls .308(d)
        HIPAA Requirement
        Key Issues
        Roadblocks
        Comments
- Index