The HIPAA Security Rule Online Compliance Workbook Common Questions - April 2005

Listed below are frequently asked questions that we have received from APA members regarding The HIPAA Security Rule Online Compliance Workbook. This Q&A format may be included in an article or posted on your web page. If you receive more detailed questions from your members, please refer them to www.apapractice.org at the APA Practice Organization.

Q. What is The HIPAA Security Rule Online Compliance Workbook?
A. The HIPAA Security Rule Online Compliance Workbook is a comprehensive, easy-to-use online compliance resource to help you comply with the HIPAA Security Rule. The workbook will guide you through:
  • Step-by-step risk analysis for all aspects of your practice
  • Compliance options for each Security Rule requirement
As you fill out the workbook, you will automatically be creating a Policies and Procedures document for your practice that you can customize as needed.
Q. What is the HIPAA Security Rule?
A. The Security Rule sets standards for administrative, physical, and technological safeguards — such as access to offices, computers and files — needed to keep electronic health care information confidential and secure. It is a companion to the HIPAA Privacy Rule. While the Privacy Rule outlines to whom and under what circumstances a psychologist can intentionally disclose patient information, the Security Rule focuses on protecting information from unintended disclosures through breaches of security. This includes any reasonably anticipated threats or hazards and/or an inappropriate uses and disclosures of electronic confidential information.
Q. What triggers the HIPAA Security Rule?
A. The following electronic transactions trigger the Security Rule:
  • Health care claims
  • Health care payment and remittance advice
  • Coordination of benefits
  • Health care claim status, enrollment or disenrollment in a health plan
  • Eligibility for a health plan
  • Health plan premium payments
  • Referral certification and authorization
  • First report of injury
  • Health claims attachments
The Security Rule applies when a psychologist – or an entity, such as a billing service, acting on behalf of the psychologist – transmits health care information in electronic form in connection with any of the transactions listed above. Once a trigger occurs, the Security Rule then applies to all Electronically Protected Health Information (EPHI) within a psychologist’s practice.
Q. Will the HIPAA Security Rule apply to my practice?
A. We have received a number of inquiries from psychologists who want to know if the HIPAA Security Rule will apply to them. Anyone who has determined that they need to be in compliance with the HIPAA Privacy Rule will also need to be in compliance with the Security Rule. In the long run we believe that all psychologists providing health care services will be subject to the Security Rule. We also believe that it is both wise and prudent to prepare to become compliant for the following reasons:
  • Insurance and managed care companies are rapidly moving from paper to electronic online transactions for payment and all health care operations.
  • Circumstances could arise where the need for compliance is triggered by actions over which you may have no control (e.g., a billing service that you use may electronically transmit information about your patient to a third party payer). If this occurs, your entire practice must become HIPAA compliant immediately. After April 20, 2005, there will be no grace period for compliance.
  • If you bill any third-party source (e.g., HMO, PPO, Medicare) you will undoubtedly fall under the HIPAA regulations.
  • The only possible exception to this advice would be the very few psychologists who are on a total cash basis, and/or have no interface at any time, now or in the future, with any insurance carrier, hospital, managed care company, state or federal program, billing service, or other third-party payer that currently or in the future may require some form of electronic transaction.
Q. Am I exempt if I do not use electronic transmissions?
A. You may be exempt currently if you do not submit claims electronically or participate in any third-part payment plans. However, it is unlikely you will be able to avoid all electronic transactions in the future and remain exempt, especially if you or a business associate working on your behalf transacts any health care business electronically (e.g. billing or payment for services, authorization for treatment, utilization review, and verification of coverage, etc.). That is why we recommend that psychologists who provide health care services become HIPAA Security Rule compliant.
Q. What steps will the Security Rule require me to take?
A. The first step in the compliance process involves conducting a “risk analysis” of your practice. This analysis is a thorough assessment of the practice’s potential security risks and vulnerabilities related to EPHI. The process entails reviewing the practice’s established security policies and procedures and it provides the basis for making any appropriate modifications or enhancements to these procedures.
The Security Rule requires health care providers to take steps to ensure:
  • The confidentiality of EPHI
  • The integrity of EPHI, i.e., making sure the information is not changed or altered in storage or transmission
  • The availability of EPHI, i.e., ensuring the information is accessible to the appropriate people when needed
Q. Does the size of my practice affect my compliance with the Security Rule?
A. Yes. As with the Privacy Rule, the Security Rule embodies the concept of “scalability.” This means, for example, that a solo practitioner will not be expected to take the same steps to comply as will a large practice or a health care facility. According to the federal Centers for Medicare and Medicaid Services (CMS), a covered entity such as a health care provider can consider its size, capabilities, and costs in determining what security measures to use.
Q. Who enforces the Security Rule and what are the potential penalties for non-compliance?
A. CMS is responsible for enforcing the Security Rule. The potential penalties range from administrative action to substantial fines and imprisonment, depending on the severity of the violation.
Q. How will practitioners access The HIPAA Security Rule Online Compliance Workbook?
A. The Wookbook is available online at www.apapractice.org.
Q. How can I purchase The HIPAA Security Rule Online Compliance Workbook?
A. The Wookbook can be purchased online at www.apapractice.org.
Q. How much does The HIPAA Security Rule Online Compliance Workbook cost
A. The HIPAA Security Rule Online Compliance Workbook is being offered at prices well below most HIPAA Security Rule resources in the marketplace. The prices are listed below:
APA Special Assessment Payers     $99
Other APA members     $139
Non-APA members     $159
Q. How long with it take me to complete the workbook and create my Policies and Procedures?
A. The time required to complete the Workbook and create Policies and Procedures will vary depending on a practitioner’s knowledge of HIPAA and the complexity of his or her practice. Some have reported completing everything in approximately four hours, while others have taken up to 10 to 12 hours.
Q. Do I have to complete everything in one sitting?
A. No. The workbook has been designed in sections to enable you to complete it over multiple sittings, if desired. You will save all of your work within the workbook and can return at any time to continue or to update previous sections that have been completed. The only exception is if you elect to take the CE test, which must be completed in one sitting (although you are given three opportunities to pass the test.)
Q. Will I be compliant with the Security Rule once I complete the workbook and create my Policies and Procedures?
A. No. You will have completed all of the steps necessary to determine your compliance options and document your decisions, however, you must actually implement the compliance options you selected in order to be compliant.
Q. What if I don’t want to purchase the HIPAA Security Rule Online Compliance Workbook?
A. Purchasing The HIPAA Security Rule Online Compliance Workbook is entirely voluntary. Practitioners may choose to purchase other available products or to conduct their own analysis of the Security Rule and its associated requirements. Whatever option practitioners choose to take, the most important thing is that they become compliant.
© Copyright 2005 APA Practice Organization
Posted 06/0605