They’re coming: the Ides of March (the 14th); NCAA Basketball Tournament Announcement (the 15th); St. Patrick’s Day (the 17th); and 5010/D.0 Final Rule Effective Date (the 17th). If you are a covered entity, Level 1 testing begins Tuesday, March 17, 2009. Here are five things you need to do to start. Conduct a Gap Analysis. What do I need to do to become compliant on January 1, 2012? That date sounds far off, but it will be here before you know it. Unlike previous transaction contingency periods for covered entities and their trading partners, HHS has indicated that there will be no tolerance for those not ready. Read the final…
Author: Ed Jones
CMS Confirms 5010 and ICD-10 Rules’ Effective Dates
In notification to the U.S. House and Senate on Thursday, March 5, 2009, Don Johnson, Acting Director, Office of Legislation of the Centers for Medicare & Medicaid Services (CMS), notified the Congress that “[i]n accordance with the White House Chief of Staff’s memorandum of January 20, 2009 entitled ‘Regulatory Review,’ a determination has been made that the effective date will not be extended and the comment period will not be reopened for either of these rules.” The effective date for each of the rules is March 17, 2009. The memorandum CMS sent to Congress follows. Beginning next Monday, March 9, HIPAA.com will have a posting daily through March 17, 2009,…
Security Incident Procedures Response and Reporting: What to Do and How to Do It
This is the sixth Administrative Safeguard Standard of the HIPAA Administrative Simplification Security Rule. This is its one implementation specification, Response and Reporting, which is required for compliance. As we have noted in earlier postings, with enactment of the American Recovery and Reinvestment Act of 2009 (“ARRA”) on February 17, 2009, business associates also will be required to comply with the Security Rule standards, effective February 17, 2010. What to Do This standard requires that the covered entity implement response and reporting policies to address security incidents. A security incident is defined as “the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system…
Is Your Covered Entity Preparing for 5010/D.0 Testing? Part 2: Level 2 Testing
On March 17, 2009, the Final Rules for Modifications to the Health Insurance Portability and Accountability Act (HIPAA) become effective. HIPAA.com has available for download the final rules for 5010/D.0 as published in the Federal Register on January 16, 2009 (pp.3295-3328). The effective date is “the date that the policies set forth in this final rule take effect, and new policies are considered to be officially adopted.” [p.3302]. All covered entities are to be in compliance with 5010/D.0 on January 1, 2012. Testing can occur “from the date of the final rule until the compliance date for Versions 5010 and D.0.” [p. 3306] The Final Rules outline two levels of…
Security Incident Procedures: What This HIPAA Security Rule Administrative Safeguard Standard Means
This is the sixth Administrative Safeguard Standard of the HIPAA Administrative Simplification Security Rule. It has one implementation specification: Response and Reporting, which is required for compliance. As we have noted in earlier postings, with enactment of the American Recovery and Reinvestment Act of 2009 (“ARRA”) on February 17, 2009, business associates also will be required to comply with the Security Rule standards, effective February 17, 2010. This safeguard standard and its implementation specification require covered entities to establish policies and procedures to respond to security incidents and to report them. A security incident is defined as “the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information…
Is Your Covered Entity Preparing for 5010/D.0 Testing? Part 1: Level 1 Testing
On March 17, 2009, the Final Rules for Modifications to the Health Insurance Portability and Accountability Act (HIPAA) become effective. HIPAA.com has available for download the final rules for 5010/D.0 as published in the Federal Register on January 16, 2009 (pp.3295-3328). The effective date is “the date that the policies set forth in this final rule take effect, and new policies are considered to be officially adopted.” [p.3302]. All covered entities are to be in compliance with 5010/D.0 on January 1, 2012. Testing can occur “from the date of the final rule until the compliance date for Versions 5010 and D.0.” [p. 3306] The Final Rules outline two levels of…
Information Access Management: Access Establishment and Modification-What to Do and How to Do It
In our series on the HIPAA Administrative Simplification Security Rule, this is the third implementation specification for the Administrative Safeguard Standard (Information Access Management). This implementation specification is addressable. Remember, addressable does not mean “optional.” Rather, an addressable implementation specification means that a covered entity must use reasonable and appropriate measures to meet the standard. Further, as we have noted in a posting last week, with enactment of the American Recovery and Reinvestment Act of 2009 on February 17, 2009, business associates also will be required to comply with the Security Rule standards, effective February 17, 2010. What to Do Implement policies and procedures that, based upon the covered entity’s…
Effective Dates for Modified HIPAA Administrative Simplification Transaction and Code Set Rules Coming in March
In less than three weeks, HIPAA Version 5010/D.0 transaction and ICD-10 code set rules become effective, and the clock starts running on testing in preparation for compliance several years hence. Next Monday, March 2, 2009, HIPAA.com will outline Level 1 testing requirements and opportunities for the 5010/D.0 transaction rule, and on Tuesday, March 3, 2009, outline testing requirements for ICD-10. Sign up for HIPAA.com email reminders for these and other HIPAA Administrative Simplification standards postings, as well as postings relating to the new Health Information Technology for Economic and Clinical Health Act and Medicare and Medicaid Health Information Technology (“HITECH Act”) provisions of the American Recovery and Reinvestment Act (“ARRA”)…
Information Access Management: Access Authorization-What to Do and How to Do It
In our series on the HIPAA Administrative Simplification Security Rule, this is the second implementation specification for the Administrative Safeguard Standard (Information Access Management). This implementation specification is addressable. Remember, addressable does not mean “optional.” Rather, an addressable implementation specification means that a covered entity must use reasonable and appropriate measures to meet the standard. Further, as we have noted in a posting last week, with enactment of the American Recovery and Reinvestment Act of 2009 on February 17, 2009, business associates also will be required to comply with the Security Rule standards, effective February 17, 2010. What to Do Implement policies and procedures for granting access to electronic protected…
Information Access Management: Isolating Healthcare Clearinghouse Functions-What to Do and How to Do It
In our series on the HIPAA Administrative Simplification Security Rule, this is the first implementation specification for the Administrative Safeguard Standard (Information Access Management). This implementation specification is required. What to Do If a healthcare clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization. Remember, a clearinghouse is defined as a covered entity, but also can serve in the role of a business associate to other covered entities, namely a health plan or healthcare provider. How to Do It This implementation specification is required, but is not likely…