Module9schumacherhippa Compliant
One part of this rule specifies what code sets are allowable for describing medical data, including
ICD-CM for conditions, NDC for drug names, and CPT/HCPCS for procedures. Another
part then defines and mandates the specific electronic transmission formats that can be used to
convey the encoded data.
Simply pick a modern EHR to use in your practice. They will typically use the correct encoding
and transmission formats automatically, and you can confirm this with the vendor before you
buy anything.
You probably already have an NPI. If you don’t, you can get one through the National Plan and
Provider Enumeration System (NPPES), which CMS (part of HHS) runs.
HHS has written an important summary of the Privacy Rule, and it’s worth a read. High-level
points from the summary to internalize:
The Privacy Rule protects all “individually identifiable health information” held or
transmitted by a covered entity or its business associate, in any form or media, whether
electronic, paper, or oral. The Privacy Rule calls this information “PHI.”
A central aspect of the Privacy Rule is the principle of “minimum necessary” use and
disclosure. A [healthcare] entity must make reasonable efforts to use, disclose, and request
only the minimum amount of PHI needed to accomplish [an intended purpose].
Except in certain circumstances, individuals have the right to review and obtain a copy of
their PHI and an accounting of its uses and disclosures. They may also request amendments
(corrections) to it.
Each [healthcare] entity, with certain exceptions, must provide a notice of its privacy
practices.
HHS states that the Privacy Rule comprises 45 CFR Part 160 and Subparts A and E of 45
CFR Part 164. You can refer to these directly or, at least, to the HHS Privacy Rule
summary to make sure that you are creating and following all of the privacy policies and
procedures that your specific practice needs.
HEALTH INFORMATION 4
Unlike the Privacy Rule, which applies to all PHI, the Security Rule applies only to PHI that
your practice “receives, maintains or transmits in electronic form.” To comply with the Security
Rule, your organization must adopt an ongoing process of risk analysis that has the following
general form:
1. Assess risks to electronic PHI in your organization, the current state of your security
measures, and any gaps between the two
2. Implement “administrative, technical, and physical safeguards” to address the gaps. The
Security Rule groups the required safeguards into three categories:
   1. Administrative
   2. Physical
   3. Technical
3. Document steps 1 and 2 and keep the records
4. Repeat steps 1 to 3 on a periodic basis
Each HHS document linked above has a reproduction of Appendix A of the actual Security Rule,
which is effectively a checklist of necessary items to consider for the administrative, physical,
and technical safeguards that you need. Some of the documents extend this list with other items,
such as the document linked in step 3 above.
As with the Privacy Rule, it’s important that you read the Security Rule yourself at least one
time. HHS wrote the rules generally so that they could function for organizations of any size,
from one person to thousands, and because of this, only you can decide exactly how your
organization can best comply. Per HHS, “The Security Rule is located at 45 CFR Part 160 and
Subparts A and C of Part 164.”