Tools
Administrative Simplification in the Health Care Industry
Web site
Provides information on the HIPAA Administrative Simplification Standards, including updates and security standards.
AHA Issues: HIPAA
Web site
Provides information on HIPAA transactions, latest news, security and privacy.
Are You a Covered Entity?
Web site
Assists in determining if a natural person, business, or government agency is a covered entity under HIPAA.
CDC/ATSDR Privacy Rule Homepage
Web site
Designed to serve as a basic resource for Privacy Rule information, guidelines and procedures, particularly as they relate to public health practice.
Health Insurance Portability and Accountability Act (HIPAA)
Web site
HRSA's HIPAA website, which contains tools, links, and contacts.
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Web site
Links to information on HIPAA health insurance reform and Administrative Simplification.
HIPAA 101 (Health Insurance Portability and Accountability Act of 1996): The Basics of HIPAA Administrative Simplification.
Other
Video designed to inform the health care provider community about the Administrative Simplification provisions of HIPAA. Cost is $13.00.
HIPAA Administrative Simplification Glossary
Web site
Explains HIPAA Administrative Simplification terms.
HIPAA Enforcement Overview
Web site
Provides information on HIPAA complaints, civil monetary penalties, and general enforcement information.
HIPAA Frequently Asked Questions
Database
Provides questions and answers pertaining to HIPAA.
HIPAA Privacy Rule: Disclosures for Emergency Preparedness - A Decision Tool
Web site
Presents avenues of information flow that could apply to emergency preparedness activities. A guide in determining how the Privacy Rule applies to the disclosure in question, this tool focuses on the source of the information being disclosed, to whom the information is being disclosed, and the purpose of the information being disclosed.
HIPAA-REGS List
Technical assistance
Provides subscribers with a free listserv containing documents and events related to the HIPAA Administrative Simplification regulations.
HIPAAcomply
Web site
Provides HIPAA news, information, timeline, events, legislation, and related links.
National Provider Identifier (NPI) Information for Medicare Fee-for-Service Providers
Web site
Information on how to apply for a National Provider Identifier (NPI) and links to resources and education materials related to the NPI.
National Provider Identifier Standard (NPI)
Web site
Overview of the National Provider Identifier (NPI) requirement, with links to resources and additional information. The purpose of the National Provider Identifier (NPI) is to uniquely identify a health care provider in standard transactions, such as health care claims.
Office for Civil Rights - HIPAA
Web site
Provides fact sheets, links, educational materials, and background information on HIPAA.
WEDI SNIP Website
Web site
Contains various resources on HIPAA administrative simplification, including a resource directory, general information, and information on code sets and standards.
Regulations, Forms & Other Useful Documents
Am I A Covered Entity ...And Does the Transactions and Code Sets Rule Apply to Me?
Sponsoring organization: Centers for Medicare & Medicaid Services
Explores the issues involved in determining whether you are covered by HIPAA and the requirements for covered standard transactions.
Date: 12 / 2002
Appendix A: Selected Privacy Rule Concepts and Definitions
Sponsoring organization: Centers for Disease Control and Prevention
Lists concepts and definitions adapted from the regulatory language of the Privacy Rule.
Date: 04 / 2003
Appendix B: Sample Text that Can Be Used to Clarify Public Health Issues Under the Privacy Rule
Sponsoring organization: Centers for Disease Control and Prevention
Provides sample letters that may be used to help clarify Privacy Rule issues among covered entities and public health authorities.
Date: 04 / 2003
HIPAA 101 for Health Providers' Offices
Sponsoring organization: Centers for Medicare & Medicaid Services
Informational paper designed to help educate health care professionals about the realities of HIPAA.
Date: 03 / 2003
HIPAA Administrative Simplification: Enforcement; Final Rule
Sponsoring organization: U.S. Department of Health and Human Services
Provides information on the final rules for the imposition of civil money penalties on entities that violate rules adopted by the Secretary to implement the Administrative Simplification provisions of the HIPAA Act.
Date: 02 / 2006
HIPAA and Health Services Research: Can They Co-Exist?
Sponsoring organization: Changes in Health Care Financing and Organization
Discussion with researchers regarding HIPAA and its effect on the health services research community.
Journal citation: HCFO News & Progress Pages: 3
Date: 01 / 2004
HIPAA Glossary
Sponsoring organization: Workgroup for Electronic Data Interchange
A glossary of HIPAA terms.
Date: 2001
HIPAA Privacy Rule and Public Health: Guidance from CDC and the U.S. Department of Health and Human Services
Author(s): Stephen B. Thacker
Sponsoring organization: Centers for Disease Control and Prevention
Contains information designed to help public health agencies and others understand and interpret their responsibilities under the Privacy Rule.
Date: 04 / 2003
HIPAA Security Standards Final Rule
Sponsoring organization: Centers for Disease Control and Prevention
Contains the final rule, published in the Federal Register, adopting HIPAA standards for the security of electronic health information.
Date: 02 / 2003
How HIPAA is Reshaping the Way We Do Business: The Benefits and Challenges of Implementing the Administrative Simplification Standards Along the HIPAA Highway
Sponsoring organization: Centers for Medicare & Medicaid Services
Discusses the benefits of implementing HIPAA as well as highlights regarding hurdles encountered.
Date: 12 / 2003
Information Management for State Health Officials: HIPAA Privacy Rule Implementation in State Public Health Agencies - Successes, Challenges, and Future Needs
Sponsoring organization: Association of State and Territorial Health Officials
Results of a survey which evaluated states' experiences with the HIPAA Act. Presents survey results, how states have classified themselves under the Privacy Rule, their achievements, implementation barriers, and how those barriers have been overcome.
Date: 2005
Privacy, Security, and HIPAA: What it Means for Rural HIT
Author(s): Randy Sermons
Session from the September 2006 conference titled Health Information Technology: A Rural Provider's Roadmap to Quality. Discusses current privacy and security issues from a multitude of perspectives (provider, patient, health information exchange) and what is on the horizon. Speaks to rural challenges and opportunities in security and privacy, and how to meld HIPAA and HIT.
Date: 09 / 2006
Privacy, Security, and the Regional Health Information Organization
Author(s): Sheera Rosenfeld, Shannah Koss, Sharon Siler
Sponsoring organization: California HealthCare Foundation
Examines key privacy and security issues that RHIOs encounter, the policies and practices they adopt to manage these issues, and common emerging strategies.
Date: 06 / 2007
Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule
Sponsoring organization: U.S. Department of Health and Human Services
Provides researchers with an understanding of the Privacy Rule and how it may affect health research.
Date: 04 / 2003
Protecting Your Civil Rights in Health Care and Social Services and Your Health Information Privacy Rights
Sponsoring organization: U.S. Department of Health and Human Services
Provides information on violations of privacy rights and how to file a complaint with the Office for Civil Rights.
Date: 04 / 2006
Public Law 104-191: Health Insurance Portability and Accountability Act of 1996
Contains the entire HIPAA law of August 21, 1996.
Date: 08 / 1996
Rural Hospital HIPAA Readiness and Resource Needs
Author(s): J. Patrick Hart, Wanqing Zhang, Jane L. Meza, Keith J. Mueller
Sponsoring organization: RUPRI Center for Rural Health Policy Analysis
Presents survey of rural hospitals regarding the extent of their preparation for HIPAA requirements and their need for resources to implement HIPAA requirements. Results shown by hospital size. Also includes information on financial and staff commitment levels.
Journal citation: RUPRI Rural Policy Brief Volume 8 Issue 6
Date: 05 / 2003
Rural Hospitals' Strategies for Achieving Compliance with HIPAA Privacy Requirements
Sponsoring organization: NORC Walsh Center for Rural Health Analysis
Discusses a survey of hospital administrators in rural areas regarding the Health Insurance Portability and Accountability Act (HIPAA). Includes an overview of HIPAA compliance efforts in rural hospitals, as well as examples of specific strategies to meet HIPAA requirements.
Date: 03 / 2004
Summary of the HIPAA Privacy Rule
Sponsoring organization: U.S. Department of Health and Human Services
Provides a summary of the key elements of the HIPAA Privacy Rule.
Date: 05 / 2003
Terms & Acronyms
Access: Ability or the means necessary to read, write, modify or communicate data/information or otherwise make use of any system resource.
Access Control: Method of restricting access to resources, allowing only privileged entities access. Types of access control include mandatory access control, discretionary access control, time-of-day control, and classification.
American National Standards Institute (ANSI): United States government body responsible for approving U.S. standards in many areas, including computers and communications.
Authentication: Confirmation that a fact or statement is true.
Authorization: Document that allows use and disclosure of protected health information for purposes other than treatment, payment, or health care operations.
Business Associate (BA): Those systems impacted by HIPAA regulations but not directly regulated. Third parties who perform a function or activity involving the use or disclosure of individually identifiable information or provide certain services to or for a covered entity, where the services involve the covered entity disclosing protected information to the third party.
Business Associate Agreement (BAA): Contract or other arrangement between the covered entity and the business associate that establishes the permitted and required uses and disclosures of protected information by the business associate.
Certification: Technical evaluation performed as part of, and in support of, the accreditation process that establishes the extent to which a particular computer system or network design and implementation meet a pre-specified set of security requirements. This evaluation may be performed internally or by an external accrediting agency.
Clearinghouse: Public or private entity that processes or facilitates the processing of nonstandard data elements of health information into standard data elements.
CMS (Centers for Medicare and Medicaid Services): Federal agency responsible for the Medicare and Medicaid programs. Part of the U.S. Department of Health & Human Services.
Consent: Document signed by an individual that allows use and disclosure of the individual's protected health information only for treatment, payment, and health care operations. The consent allows use and disclosure of protected health information only by the Covered Entity seeking the consent, not by other parties.
Contingency Plan: Plan for responding to a system emergency. Includes performing backups, preparing critical facilities that can be used to facilitate the continuity of operations in the event of an emergency, and recovering from a disaster.
Covered Entity: Those systems covered by the HIPAA regulations. Examples are Health Plans, Health Care Clearinghouses, and Health Care Providers who transmit any health information in electronic form in connection with a covered transaction. Health care providers who do not submit HIPAA transactions may be covered entities when other entities, such as a billing service, transmit standard electronic transactions on their behalf.
Department of Health and Human Services (DHHS): The United States government's principal and largest grant-making agency, including more than 300 programs. Often referred to as HHS.
Designated Record Sets: Group of records maintained by or for a covered entity. Examples are the medical records and billing records about individuals maintained by or for a covered health care provider; the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health care plan; or records used in whole or in part by or for the covered entity to make decisions about individuals.
Designated Standard Maintenance Organization (DSMO): Category for organizations that agree to maintain the national standards adopted in the final HIPAA rule titled "Standards for Electronic Transactions."
Direct Treatment Relationship: Treatment relationship between an individual and a health care provider that is not an indirect treatment relationship.
Disaster Recovery Plan: Part of an overall contingency plan that contains a process enabling an enterprise to restore any loss of data in the event of a fire, vandalism, natural disaster, or system failure.
Disposal: Final disposition of electronic data and/or the hardware on which the electronic data is stored.
Electronic Data Interchange (EDI): Inter-company, computer-to-computer direct transmission of business information in a standard format.
Electronic File Interchange (EFI): Process, also referred to as "bulk enumeration," by which a health care provider or group of providers can have a particular organization apply for National Provider Identifiers on their behalf.
Emergency Mode Operation Plan: Part of an overall contingency plan that contains a process enabling an enterprise to continue to operate in the event of a fire, vandalism, natural disaster, or system failure.
Encryption: Transforming confidential plaintext into ciphertext to protect it so the data becomes unintelligible. Once encrypted, data can be stored or transmitted over unsecured lines.
Health Care: Care, services or supplies related to the health of an individual. Examples of health care are preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care; counseling; and sale or dispensing of a drug or other device in accordance with a prescription.
Health Insurance Portability and Accountability Act of 1996 (HIPAA): HIPAA is a privacy rule that creates national standards to protect individuals' medical records and other personal health information.
Health Plan: An individual or group plan that provides, or pays the cost of, medical care.
Indirect Treatment Relationship: Relationship between an individual and a health care provider in which the health care provider delivers health care to the individual based on the orders of another health care provider and the health care provider provides services or products or reports the diagnosis or results associated with the health care directly to another health care provider, who provides the services or products or reports to the individual.
Individually Identifiable Health Information (IIHI): Information that is a subset of health information, including demographic information collected from an individual.
Minimum Necessary: When using or disclosing protected health information or when requesting protected health information from another covered entity, efforts must be made to limit this information to the minimum necessary to accomplish the intended purpose.
National Council for Prescription Drug Programs (NCPDP): Creates standards for the pharmacy services sector of the health care industry.
National Drug Code (NDC): Standard medical data code set for reporting drugs and biologics.
National Provider Identifiers (NPI): Numeric identifiers required for use by all health care providers under HIPAA's Administrative Simplification regulations.
Office for Civil Rights (OCR): Agency of the Department of Health and Human Services charged with enforcing HIPAA civil penalties and handling complaints. The agency to contact regarding discrimination complaints associated with federal health care and social service programs, and LEP services.
Password: Confidential authentication information composed of a string of characters.
Personal Identifiable Information (PII): Any confidential or sensitive information that can be related to an individual. Examples are name, address, email address, social security number, passwords, bank account information, credit card information, or any combination of data such as birth date, zip code, and gender.
Privacy Officer (PO): Has the responsibility for the creation, implementation and maintenance of the company's privacy compliance related activities.
Protected Health Information (PHI): All individually identifiable health information that is transmitted or maintained regardless of form or medium.
Right of Privacy: The claim of individuals to determine for themselves when, how and to what extent information about them is communicated, such as what kind of information is being given out, how it's used, and who it's being shared with.
Small Health Plan: Health plan with annual receipts of $5 million or less.
Standard: Rule, condition or requirement.
Transaction: Transmission of information between two parties to carry out activities related to health care. Examples are health care claims information, health care payment advice, coordination of benefits, enrollment and disenrollment in a health plan, health plan eligibility, health care premium payments, and first report of injury.
Transactions and Code Sets Assessments (T&CS): Standardized code sets used for encoding data elements. Examples are health care claims or equivalent encounter information, health care payment and remittance advice, benefit coordination, enrollment and disenrollment in health plan, eligibility for a health plan, health plan premium payments, first report of injury, and health claims attachments.
Treatment: Provision, coordination, or management of health care and related services by one or more health care providers.