Contingency Plan: Data Backup-What to Do and How to Do It

In our series on the HIPAA Administrative Simplification Security Rule, this is the first implementation specification for the Administrative Safeguard Standard (Contingency Plan). This implementation specification is required. As HIPAA.com has noted in earlier postings, with enactment of the American Recovery and Reinvestment Act of 2009 (ARRA) on February 17, 2009, business associates also will be required to comply with the Security Rule standards, effective February 17, 2010.

What to Do: Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.

How to Do It: Covered entities must back up electronic protected health information on a regular basis. When a computer system fails, it may…

Contingency Plan: Sample Policy and Procedures

This is the seventh Administrative Safeguard Standard of the HIPAA Administrative Simplification Security Rule. It has five implementation specifications: Data backup plan; Disaster recovery plan; Emergency mode operation plan; Testing and revision procedures; and Applications and data criticality analysis. The first three are required; the last two are addressable. Addressable does not mean optional. Rather, an addressable implementation specification means that a covered entity must use reasonable and appropriate measures to meet the standard. Further, as HIPAA.com has noted earlier, business associates also will be required to comply with the Security Rule standards, effective February 17, 2010. HIPAA.com will outline What to do and How to do it for each…

5010/D.0 Effective Date Tuesday, March 17, 2009; Compliance Date January 1, 2012

The version modification to the HIPAA Administrative Simplification transaction standards becomes effective Tuesday, March 17, 2009. Here are several critical things to know, drawn directly from the final rule published in the Federal Register on January 16, 2009. The final rule is available for download on the HIPAA.com site.

Effective Date: The effective date [March 17, 2009] is the date that the policies set forth in this final rule take effect, and new policies are considered to be officially adopted. [74 Federal Register 3302]

Compliance Date: On January 1, 2012, all covered entities will have reached Level 2 compliance, and must be fully compliant in using Versions 5010 and D.0…

Information Access Management-What This HIPAA Security Rule Administrative Safeguard Standard Means

This is the fourth Administrative Safeguard Standard of the HIPAA Administrative Simplification Security Rule. It has three implementation specifications: Isolating Healthcare Clearinghouse Functions; Access Authorization; and Access Establishment and Modification. The first is required; the second and third are addressable. Addressable does not mean “optional.” Rather, an addressable implementation specification means that a covered entity must use reasonable and appropriate measures to meet the standard. Further, as we noted in a posting last week, with enactment of the American Recovery and Reinvestment Act of 2009 on February 17, 2009, business associates also will be required to comply with the Security Rule standards, effective February 17, 2010. The covered entity is…

Security Management Process: Risk Management-What to Do and How to Do It

In our series on the HIPAA Administrative Simplification Security Rule, this is the second implementation specification for the Administrative Safeguard Standard (Security Management Process). This implementation specification is required.

What to Do: Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with the general requirements of the security standard as outlined in 45 CFR 306(a). The general requirements are:

1. Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.
2. Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
3. Protect against any reasonably…

ARRA’s HITECH Privacy Provisions Apply HIPAA Security Rule to Business Associates

President Obama signed into law the American Recovery and Reinvestment Act of 2009 (ARRA) on Tuesday, February 17, 2009. The Health Information Technology for Economic and Clinical Health Act (HITECH) provisions of ARRA in Title XIII include important changes in Privacy (Subtitle D). Our focus in this posting is the change related to business associates under HIPAA Administrative Simplification that is specified in Section 13401: Application of Security Provisions and Penalties to Business Associates of Covered Entities. In this section, administrative, physical, and technical safeguards, and policy, procedure, and documentation requirements of the HIPAA Administrative Simplification Security Rule “shall apply to a business associate of a covered entity in the…

Security Management Process: Risk Analysis-What to Do and How to Do It

Security Management Process is the first administrative standard of the Security Rule, and Risk Analysis is the implementation specification. Each covered entity is required to conduct a risk analysis or assessment to determine vulnerabilities and threats and to identify and put in place risk mitigation measures for safeguarding electronic protected health information. Electronic protected health information is the content of the HIPAA Administrative Simplification Standard Transactions and of the expected growing adoption of clinically-based electronic health record systems.

What to Do: Conduct an accurate and thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.

How to…

HIPAA Administrative Simplification: Modifications to Medical Data Code Set Standards to Adopt ICD-10-CM and ICD-10-PCS

Standards. The final rule adopts modifications to two code set standards in the Transactions and Code Sets final rule that required compliance by covered entities on or after October 16, 2003. The new final rule, published in the Federal Register on January 16, 2009, modifies standard medical data code sets for coding diagnoses (ICD-10-CM) and inpatient hospital procedures (ICD-10-PCS). ICD-10-CM means International Classification of Diseases, 10th Revision, Clinical Modification for diagnosis coding, including the Official ICD-10-CM Guidelines for Coding and Reporting, as maintained and distributed by the U.S. Department of Health and Human Services (HHS). ICD-10-PCS means International Classification of Diseases, 10th Revision, Procedure Coding System for inpatient hospital procedure…

New HIPAA Standard Transaction Rules Released

On Friday, January 16, 2009, the Office of the Secretary of the Department of Health and Human Services published in the Federal Register final rules pertaining to: Health Insurance Reform; Modifications to the Health Insurance Portability and Accountability Act (HIPAA) Electronic Transaction Standards (74 Federal Register 3295-3328); and HIPAA Administrative Simplification: Modifications to Medical Data Code Set Standards to Adopt ICD-10-CM and ICD-10-PCS (74 Federal Register 3328-3362).

Final ICD-10 Rule

DEPARTMENT OF HEALTH AND HUMAN SERVICES
45 CFR Part 162 | [CMS–0013–F] | RIN 0958–AN25
HIPAA Administrative Simplification; Modifications to the Medical Data Code Set Standards to Adopt ICD-10-CM and ICD-10-PCS
AGENCY: Office of the Secretary, HHS.
ACTION: Final rule.