HIPAA Security Compliance Insider, July 2003
Published monthly by Brownstone Publishers, Inc., 149 Fifth Ave., New York, NY 10010-6801. © 2003 by Brownstone Publishers, Inc.

How to Document Decision Not to Adopt ‘Addressable’ Implementation Specification
JULY 2003

IN THIS ISSUE

How to Document Decision Not to Adopt ‘Addressable’ Implementation Specification (p. 1)
If you decide not to adopt an addressable implementation specification, you’ll have to document this decision, your reasons for it, and the measures you chose to meet the standard. We’ll tell you how.
Example of Documentation of Security Decision (p. 3)

In the News (p. 5)
NIST Proposes New Security Standards

Capitalize on Your Privacy Efforts to Get Started on Security Compliance (p. 5)
Are you dreading the thought of tackling the security regs? It may not be as bad as you think. We’ll tell you how your privacy compliance efforts will give you a leg up on security compliance.
Model Form: Chart Similarities Between Security and Privacy Regulations (p. 7)

Ask the Insider (p. 8)
Reporting ‘Encounter Information’

IN FUTURE ISSUES
■ How to Perform a HIPAA Security Risk Analysis
■ Tips on Updating Your Information Systems with Patches
■ How to Test Your Electronic Transactions for TCS Compliance

How to Document Decision Not to Adopt ‘Addressable’ Implementation Specification

In the April issue of the Insider (p. 1), we explained the difference between the required and addressable implementation specifications in the HIPAA security regulations. You must implement the required specifications, but you may choose not to implement an addressable specification if you determine that it isn’t reasonable or appropriate for your organization and that you’ll still meet the security standard it applies to. If you decide not to implement an addressable specification, the security regulations require you to document this decision and your rationale behind it.
Good documentation also shows that your security decisions were sound and reasonable—and this can protect your organization against lawsuits as well as compliance problems, says health information attorney Susan Miller. We’ll explain what the HIPAA security regulations’ documentation requirement involves, and how to meet it. We’ve also given you an example of how you would document your decision not to implement an addressable implementation specification (see p. 3). You can use this example as a basis when you document your own decisions.

What the Regulations Say

The security regulations require you to implement certain standards and set implementation specifications for most of those standards. But if an implementation specification for a particular standard is addressable, you don’t have to implement the specification if it isn’t reasonable or appropriate for your organization—and if you’ll still meet the standard. If you decide not to implement an addressable specification, the security regulations require you to document your decision. In that case, the regulations give two choices. You must either:

■ Adopt an alternative measure “that accomplishes the same end.” For example, say a small practice keeps all its electronic protected health information (EPHI) on-site. The access control standard in the regulations includes encryption as an addressable implementation specification. Instead of implementing this specification, the practice could opt to keep its computers in a secure area and restrict access through user IDs and passwords; or

■ Adopt neither the specification nor an alternative if you find that neither is reasonable or appropriate. For example, say a sole practitioner has one desktop computer. The practitioner may think it’s unreasonable to encrypt information or use password protection to make sure that only authorized people have access to EPHI. Instead, he may decide that he has met the standard by simply locking his office door and keeping the computer away from public access.

Whether you implement an alternative or not, you’ll need to document your decision, notes Miller.

What You Should Document

According to the preamble to the security regulations, what you document depends on the scenario:

Alternative measure.
If you decide to implement an alternative measure instead of the addressable implementation specification, you must document:

■ The decision not to implement the addressable implementation specification;
■ The rationale behind this decision—that is, why it wouldn’t be reasonable or appropriate for your organization to implement the specification; and
■ The alternative measure you did implement, and how it will help your organization meet the particular security standard.

No specification or alternative. If you decide to implement neither the addressable implementation specification nor an alternative measure, you must document:

■ The decision not to implement the addressable implementation specification;
■ The rationale behind rejecting the specification—that is, why you considered the measure unreasonable or inappropriate; and
■ How your organization is meeting the particular standard.

When to Document

Documentation isn’t something you can provide after the fact. It needs to be part of the decision-making process, Miller advises. For example, during formal board meetings, your board of directors may make decisions about implementing addressable specifications. Your minutes could note the discussion, and you could then attach the appropriate documentation to the minutes. “Trying to go back later to reconstruct a documentary record of the process and resulting decision would be extremely difficult,” cautions Miller.

What Information to Include

Your documentation must capture all the information the HIPAA security regulations require. Our example shows how to do this. It deals with encryption, which is an addressable implementation specification under the transmission security standard. This standard requires organizations to “implement technical security measures to guard against unauthorized access to” EPHI transmitted over an electronic communications network.
Example of Documentation of Security Decision

Here’s an example of the documentation you might use to back up your decision to reject an addressable (that is, not required) implementation specification. This example deals with encryption, which comes under HIPAA’s security regulations’ transmission security standard. That standard requires you to implement technical security measures to guard against unauthorized access to electronic protected health information (EPHI) that’s being transmitted over an electronic communications network. The example documents what criteria you used to assess compliance with the standard, any gaps you found in your current security, the risks of those gaps, your options for addressing the risks, and the decision you made.

ENCRYPTION

CURRENT STATE ASSESSMENT CRITERIA

To ensure:
1. That EPHI that is transmitted electronically is not vulnerable to interception by unauthorized persons; and
2. That XYZ Insurance Company’s policies and procedures address HIPAA security requirements.

CURRENT STATE SECURITY ASSESSMENT

Readily available network access to claims information by clearinghouses and health care providers is a benefit to XYZ Insurance Company and its insureds, as well as the organizations that do business with them. It promotes good business relations and serves as a cost-efficient tool that allows the company’s customer service department to be dedicated to more specific and unique tasks. The following gaps in security have been observed:

■ There is no organization-wide policy governing access to PHI by health care clearinghouses and providers. Sometimes information is e-mailed to other organizations; other times the organizations are given access to the private value-added network containing EPHI and claims information;
■ Right now, e-mail transmissions of EPHI over the Internet to clearinghouses and providers are not protected and could be intercepted by unauthorized users.

RISK ASSESSMENT

The risk of interception of claims information by unauthorized users over an open network is high, and the consequences of that interception are substantial. E-mail transmissions can be intercepted, allowing others to gain access to EPHI. XYZ Insurance Company has no way of knowing who has intercepted the e-mail transmission and gained access to EPHI. Intercepted information substantially increases the risk of wrongful disclosure of customer health information. Improperly secured information subjects XYZ Insurance Company to penalties, possible civil and/or criminal action, including imprisonment, and irreparable harm to its reputation and public sense of trust.

OPTIONS AND CONSEQUENCES

Option #1 (Implementation Specification): Encrypt all information made available to clearinghouses and providers. Consequence: Information is protected if it is intercepted, but computer response time slows down considerably as a result of each claim that needs to be encrypted.

Option #2 (Alternative): Limit electronic communications involving EPHI to the existing value-added Web link for each clearinghouse and provider, which permits unencrypted information to flow only to that organization. Clearinghouses and providers will be given authentication codes to ensure that they are entitled to access and receive claims information. Consequence: Unauthorized third parties will not have access to information if it is intercepted, and computer systems remain at optimum speed.

DECISION

To comply with HIPAA and protect the security of EPHI, XYZ Insurance Company must implement technical policies and procedures for electronic information systems that maintain EPHI to allow access only to those persons or software programs that have been granted access rights. XYZ Insurance Company’s board of directors has decided to adopt Option #2 as an alternative to the implementation specification in HIPAA’s security regulations suggesting encryption as a method of access control. Option #2 establishes reasonable and appropriate measures and demonstrates XYZ Insurance Company’s commitment to protect against unauthorized access to EPHI. Specifically, Option #2 allows access of EPHI to only those organizations that are authorized to receive it and allows XYZ Insurance Company to meet its legal and business obligations to keep EPHI secure.

Encrypting the information as outlined in Option #1 is not reasonable or appropriate. The slowed computer time is prohibitive and would have a negative impact on XYZ Insurance Company’s ability to operate at an effective level. While encrypting information pursuant to Option #1 over an open or closed network would provide a higher degree of protection from unauthorized access to EPHI, such instances of unauthorized access are unlikely to occur, and the measures outlined in Option #1 would amount to overkill. The small likelihood of unauthorized access through a closed network would not justify the negative business effects associated with encryption.

How to Document Decision Not to Adopt ‘Addressable’ Implementation Specification (continued)

In our example, a health care insurer considers how to provide clearinghouses or providers with the necessary access to claims information.
The insurer already has a private “value added” network in place that includes access controls such as authentication, but it also regularly e-mails information over the Internet. Our documentation example shows how the insurer would document its decision to limit electronic communications involving EPHI to the private network connection, instead of meeting the standard by encrypting information transmitted over an open network. Like our example, your documentation should cover the following points:

Assessment criteria. List the criteria you’re using to assess your current degree of compliance with a particular standard—in this case, transmission security. Our example’s assessment criteria are ensuring that EPHI transmitted electronically isn’t vulnerable to interception, and that the organization’s policies and procedures address HIPAA security requirements.

Gaps found. Next, assess your organization’s compliance with the standard in light of the criteria, and document any problems or security gaps you identified. For instance, our example says that two gaps in transmission security were identified:

■ The lack of an organizationwide policy governing access to claims information by clearinghouses and providers; and
■ Possible interception of data transmitted via an open network like the Internet.

Risk assessment. Then, identify the risks created by the security gaps you found. For instance, our example says that the organization determined that the risk of interception by unauthorized persons of e-mails containing EPHI is high and that this risk must be addressed to meet the transmission security standard.

Options and consequences. List the various security options available to you to address the security risks you’ve found. You should include the consequences of each option, as well as the cost. One of these options should be the addressable implementation specification listed in the security regulations.
So our example considers encryption but notes that it would slow up the computer system unnecessarily. Next, our example documents an alternative: to limit electronic communications that include EPHI to the closed network and allow access only to authorized individuals.

Decision. Finally, indicate your decision, and explain why you determined the addressable implementation specification would be an unreasonable and/or inappropriate security measure. Don’t just say that you rejected the specification because it was too difficult or expensive to adopt. Explain why you reached that conclusion. If you choose to implement an alternative security measure, describe it and explain why it was more reasonable and appropriate for your organization, and how it will help you meet the security standard in question.

In our example, the board determined that encryption wasn’t appropriate because limiting access to EPHI was sufficient. A closed network link between the insurance company and the clearinghouse or provider would provide the control the insurance company needed over its data while allowing a limited set of outsiders to access it, but only after the outsider’s identity had been authenticated. Encryption would be overkill.

“You don’t need to implement every addressable specification,” says Harry Smith, a HIPAA consultant. “But if you don’t, you’d better have a good reason for it.” According to Smith, encryption would be appropriate to protect a transmission link that you can’t control or to make data unreadable in the event of media theft, like a stolen laptop. But it’s inappropriate and unnecessary for closed networks that have access control.

You should also attach to your documentation copies of any letters or other documents you get from an attorney or consultant who gives you advice about your options. That could help you argue that you relied on expert advice.
Get your attorney’s approval, though, before attaching any letters or documents, since they could affect your legal rights in the future. ■

Insider Sources
Susan Miller, Esq.: Vice President, HIPAA Certified, LLC, 276 Harrington Ave., Concord, MA 01742.
Harry Smith, CISSP: Vice President of Product Development, PrivaPlan Assocs., Inc., 10300 W. 23rd Ave., Lakewood, CO 80215.

IN THE NEWS

NIST Proposes New Security Standards

The National Institute of Standards and Technology (NIST) recently released a draft Federal Information Processing Standards Publication entitled Standards for Security Categorization of Federal Information and Information Systems (FIPS Pub 199). The draft defines the minimum criteria that federal agencies must use to categorize information and information systems according to a range of risk levels. The draft establishes and defines three potential levels of risk (low, moderate, and high) for commonly recognized objectives (confidentiality, integrity, and availability) relevant to securing federal information and information systems. It also discusses risk assessments and their purpose, and could be used as a “best practices” standard for your security compliance efforts.

Why should you care about this development? Because the HIPAA security regulations refer to NIST publications as guidelines for implementing the regulations’ requirements. In the preamble to the HIPAA security regulations, HHS encourages health care organizations to monitor NIST activities and provide comments and suggestions when NIST requests them. Comments on the draft are due by Aug. 14 and can be e-mailed to fips.comments@nist.gov.

Insider Says: You can find draft FIPS Pub 199 at www.csrc.nist.gov/publications/drafts/FIPS-PUB-199-ipd.pdf.
■

Capitalize on Your Privacy Efforts to Get Started on Security Compliance

After sorting through the maze of HIPAA privacy regulations, the idea of tackling the HIPAA security regulations may seem overwhelming. But it might not be as bad as you think. “There’s a lot of overlap between the privacy and security regulations,” says health information security attorney M. Peter Adler. For example, both sets of regulations require health care organizations to have security measures in place to protect the confidentiality of health information. And both regulations allow a health care organization to scale its compliance efforts to the organization’s individual size and complexity, says HIPAA consultant Tom Hanks.

There are differences. For example, the security regulations are much more specific than the privacy regulations about the types of security measures that health care organizations must implement. And the security regulations apply only to protected health information (PHI) that’s electronic—EPHI. But if your organization has complied with all of the privacy regulations’ requirements, you’re closer to complying with the security regulations than you think.

We’ll explain some of the key similarities between the HIPAA privacy and security regulations. And on p. 7, we’ve given you a Model Form that shows these similarities. Use it to pinpoint where the hard work your organization has already done on HIPAA privacy compliance can give you a head start on complying with the security regulations. According to Hanks, organizations that have complied with the privacy regulations will already have done much of what the security regulations require.

Key Similarities Between Privacy and Security Regs

Here’s a list of some of the main similarities between the privacy and security regulations. We also point out some areas where your organization’s previous privacy compliance efforts can help ease its security compliance burden.

Compliance officer.
Like the privacy regulations, the security regulations require your organization to identify one individual to be responsible for the development and implementation of policies and procedures to comply with the regulations. In some organizations, especially larger ones, this responsibility for the security regulations will fall on the chief security officer, or someone who oversees all aspects of physical, administrative, and technical security. But the privacy officer might also take on this responsibility, especially in smaller organizations where the privacy officer is familiar with, or has even created, many of the security policies and procedures, says Hanks.

‘Minimum necessary’ access. The HIPAA security regulations require you to implement workforce procedures ensuring appropriate access to EPHI. You also have to have access controls in place to prevent unauthorized users from obtaining access to EPHI. This is very similar to the HIPAA privacy regulations’ “minimum necessary” requirements, which bar an organization from using or disclosing more PHI than is necessary for an authorized business purpose, says Adler. Many organizations we looked at have already created data access policies to comply with the privacy regulations’ minimum necessary requirements. These policies restrict employees’ access to only the PHI they need to perform their jobs. If your organization has created these policies—and you’ve put into place the safeguards required by the privacy regulations—you’ve already started to meet the security regulations’ requirements.

Policies and procedures. Both the privacy and security regulations require organizations to implement written policies and procedures to protect the confidentiality of health information.
And even though the security regulations apply only to EPHI, experts agree that as a practical matter, you should also have security policies in place to protect all PHI to meet the privacy regulations. “You can’t have privacy without security,” says Hanks. If you want to keep your PHI private, you’re going to have to put some security measures in place to protect it, like installing locks, restricting access, and using passwords.

Example: The security regulations require organizations to implement facility access controls to limit physical access to EPHI and the facility that houses it. But to meet the privacy regulations, you should already have controls in place that limit access to your facility and PHI. By limiting access to all PHI, you’re already limiting access to EPHI.

Insider Says: Even though the privacy and security regulations have many similarities, go through each standard in the security regulations to make sure you’re meeting the entire standard. The security regulations have specific security requirements that the privacy regulations don’t include. Also, the privacy regulations focus on limiting access, not granting it, says Hanks. For instance, the facility access control standard not only requires that you limit access to your facility, it also requires you to ensure that authorized access is granted. This means that you can’t just put a lock on your door that keeps all users—even authorized ones—out of your facility. And if your lock is electronic, you must have a way of ensuring access in the event of, say, a power failure, or if a physician forgets his key.

Retention policy. Both sets of regulations require you to retain your policies and procedures—and documentation of most communications and activities required by each regulation—for six years from the date of creation or the date last in effect, whichever is later, says Adler.
So you can probably just amend the retention policy that you created to comply with the privacy regulations so that it refers to your security policies and procedures, he adds.

Training and awareness. The security regulations require you to implement a “security awareness and training program” for all members of your workforce, including management. The privacy regulations go a little further, says Adler, requiring you to train your workforce on your actual privacy policies and procedures. Basically, it’s the same thing, he explains. “You need to ensure compliance with both sets of regulations. And you can’t do that unless you train your employees about your privacy and security policies and procedures.” If you’re in compliance with the privacy regulations, you’ve already established a mechanism to train the members of your workforce on your privacy policies and procedures. As you go through your security policies and amend them or adopt new ones to comply with the security regulations, you can just incorporate those topics into your existing training routine, suggests Hanks.

Sanctions. Both sets of regulations require you to apply sanctions against members of your workforce who fail to comply with your policies and procedures implementing the regulations. To meet the security regulations’ requirements, you can use the sanctions policy created to comply with the privacy regulations, says Adler. But be sure to review the sanctions policy and revise it, if necessary, to meet the security regulations’ requirements. For example, the security regulations require your organization to identify and respond to suspected or known security incidents, says Adler. But you can’t respond to an incident that you don’t know about. So you should require members of your workforce to inform you of these security incidents, and sanction them if they don’t.
“For example, if an employee becomes aware of password sharing, then you need to have a process and procedure in place to report the incident,” says Hanks.

Business associate agreements. The privacy and security regulations each require organizations to obtain satisfactory assurances—primarily through a business associate agreement—that the people with whom they do business will appropriately safeguard their customers’ health information. Both sets of regulations are very specific about what must be included in the business associate agreement, says Hanks. But the security regulations apply only to business associates who deal with EPHI. To meet the privacy regulations, you should already have created contracts for business associates who deal with all types of PHI. This should make it easy to figure out which agreements now need to be revised to comply with the security regulations. Make a list of business associates and then place a checkmark next to the persons or organizations who create, receive, maintain, or transmit EPHI—as opposed to just PHI—from you. Those are the contracts that you’ll need to amend by April 21, 2005—the security regulations’ compliance date—to meet the additional requirements of the security regulations.

Insider Says: Don’t let the similarities between HIPAA’s privacy and security regulations lull you into a false sense of security, warns Adler. The security regulations require you to conduct a risk analysis, which weighs the potential risks to your EPHI and the benefits of possible safeguards against the costs and difficulties of imposing the safeguards. To conduct a meaningful risk analysis, you must look at each standard in the security regulations, as well as each required and addressable implementation specification.
“If your risk analysis concludes that the safeguards you’ve already taken to comply with the privacy regulations are sufficient, you won’t need to do anything further,” says Adler. “But if the risk analysis demonstrates that the safeguards aren’t sufficient, you’ll have to take additional steps,” he cautions. Next month, we’ll tell you how to conduct a HIPAA security risk analysis. ■

Insider Sources
M. Peter Adler, Esq., LLM, CISSP: Partner, Foley & Lardner, 3000 K St. NW, Ste. 500, Washington, DC 20007-5101; padler@foleylaw.com.
Tom Hanks: Director, Integration Solutions, Health Care Practice, PricewaterhouseCoopers LLP, One N. Wacker, Chicago, IL 60606; Tom.Hanks@pwcglobal.com.

MODEL FORM

Chart Similarities Between Security and Privacy Regulations

Here’s a Model Form that charts some of the key similarities between HIPAA’s privacy and security regulations. We’ve left the last column blank so that you can write in the privacy measures you’ve already taken that will help you now comply with the HIPAA security regulations. Use this as your first step to make sure you’re in compliance with the security regulations.

SIMILAR PRIVACY AND SECURITY REQUIREMENTS

Columns: PRIVACY REQUIREMENT / COMPARABLE SECURITY REQUIREMENT / PRIVACY STEPS THAT APPLY TO SECURITY COMPLIANCE (the third column is left blank for you to fill in)

■ Designate privacy officer / Identify security officer
■ Establish minimum necessary criteria for access to PHI / Establish appropriate controls for access to EPHI
■ Implement policies and procedures to protect the privacy of PHI / Implement policies and procedures ensuring the confidentiality, integrity, and availability of EPHI
■ Retain HIPAA documentation for 6 years from date of creation or date last in effect, whichever is later / Retain HIPAA documentation for 6 years from date of creation or date last in effect, whichever is later
■ Train all workforce members on privacy policies and procedures / Implement training awareness program for all members of workforce, including management
■ Apply appropriate sanctions against workforce members who fail to comply with privacy policies and procedures / Apply appropriate sanctions against workforce members who fail to comply with security policies and procedures
■ Obtain satisfactory assurances that business associates will safeguard PHI / Obtain satisfactory assurances that business associates will safeguard EPHI

ASK THE INSIDER

The Insider welcomes questions from subscribers. You can 1) send your questions to HIPAA Security Compliance Insider, Brownstone Publishers, Inc., 149 Fifth Ave., 16th Fl., New York, NY 10010-6801; 2) call (908) 757-2843, and speak with the editor; 3) fax (908) 757-2844; or 4) e-mail awatkins@brownstone.com

Reporting ‘Encounter Information’

Q: The payor for a number of health plans that my organization has contracted with just told me that we must submit a standard claim form not only for all of our health care claims but also for “encounter information.” What’s encounter information, and do HIPAA’s transactions and code sets (TCS) standards require us to report it?

A: Encounter information is information regarding a provider’s encounter with the patient, says Kelly Partin, HIPAA compliance coordinator and privacy officer for a health plan. You already report encounter information—such as date of patient visit and treatment provided—with each claim form you submit to your payor. But many HMOs also require health care providers to report encounter information even if they’re not seeking payment for the encounter—especially if a capitation arrangement exists between the HMO and the provider.
In a capitation arrangement, the HMO pays the provider a set amount each month, based on the number of HMO members who are the provider’s patients. The provider gets paid the same amount for each patient every month, regardless of the number of times the provider sees the patient during that month, Partin explains. “So you could see a patient 10 times during one month or not at all, and you would still get $100 or whatever rate you agreed upon,” she says.

HIPAA’s TCS standards allow, but don’t require, health care providers to submit electronic claims forms with encounter information, even when the provider doesn’t expect reimbursement from the HMO. Sending the claim with encounter information and a $0 claim amount lets the HMO know that you saw the patient but that you don’t expect to get paid for the visit.

According to Partin, there are at least three advantages to sending encounter information to your HMO:

Quality incentive bonuses. The HMO may offer quality incentives for every service you perform. For example, even though your payment arrangement has been capitated, you may be entitled to a bonus for each immunization you perform. You send a $0 claim with encounter information, and the HMO logs the visit and pays you the immunization bonus. “You would be amazed at the number of providers who aren’t aware of this and don’t send in the encounter information, even though the bonus is spelled out in the contract,” says Partin.

Reimbursement outside scope of capitation arrangement. Some services may fall outside the HMO’s capitation arrangement and merit additional reimbursement, says Partin. For example, giving a flu shot may be a covered service, but not one of the capitated services. If you submit the encounter information, you should get your capitation check plus reimbursement for the flu shot.

Avoid inspections. If you don’t submit the encounter information, the HMO will be required by its accreditation agency and/or regulatory body to inspect your patient records to make sure your patients are receiving quality care. “That means the HMO is going to come in and go through its members’ records to make sure each member received his immunizations, blood pressure check, or some other service,” says Partin. That’s a hassle for you and the HMO. By reporting each encounter as it occurs, you’ll avoid the HMO inspection and intrusion at your office. ■

Insider Source
Kelly Partin: HIPAA Compliance Coordinator and Privacy Officer, Botsford Health Plan, 28050 Grand River, Farmington Hills, MI 48336; 1-800-479-5122.