Name the four parts to hipaa's administrative simplification act

Study Guide

HIPAA Compliance By

Jacqueline K. Wilson, RHIA

Reviewed By

Karen J. Fuller

About the Author

Jacqueline K. Wilson is a Registered Health Information

Administrator (RHIA) with more than 13 years of experience

managing, consulting, writing, and teaching in the health care

industry. She’s a professional writer who has authored training

manuals, study guides, and online courses, as well as articles

on a variety of topics. In addition, Ms. Wilson develops curricula

and teaches both traditional and online college courses in health

information technology, anatomy, medical terminology, standards

in health care, and other health care courses. She was previously

included in the distinguished national Who’s Who Among America’s

Teachers.

About the Reviewer

Karen Fuller, an RHIA and graduate in health information manage-

ment, has more than 13 years of experience in the health care

industry. She utilizes the knowledge and experience gained in

various health care settings to write for education companies and

health care corporations. Ms. Fuller works with a leading health

care research and information company where she has received

corporate certification in the areas of HIPAA privacy, security, and

compliance.

Copyright © 2012 by Penn Foster, Inc.

All rights reserved. No part of the material protected by this copyright may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without permission in writing from the copyright owner.

Requests for permission to make copies of any part of the work should be mailed to Copyright Permissions, Penn Foster, 925 Oak Street, Scranton, Pennsylvania 18515.

Printed in the United States of America

All terms mentioned in this text that are known to be trademarks or service marks have been appropriately capitalized. Use of a term in this text should not be regarded as affecting the validity of any trademark or service mark.

INSTRUCTIONS TO STUDENTS 1

LESSON ASSIGNMENTS 5

LESSON 1: UNDERSTANDING HIPAA 7

LESSON 2: IMPLEMENTING AND ENFORCING HIPAA 33

GRADED PROJECT 45

SELF-CHECK ANSWERS 51

iii

C o

n t

e n

t s

C o

n t

e n

t s

INTRODUCTION

Welcome to your HIPAA Compliance course, which provides information that’s essential for working in today’s health care industry. This course covers the basic provisions of the Health Insurance Portability and Accountability Act (HIPAA), including what the act protects, how it affects patients and providers, and how HIPAA is enforced.

OBJECTIVES

When you complete this course, you’ll be able to

n Discuss the main purposes for the passage of the Health Insurance Portability and Accountability Act (HIPAA)

n Identify the key provisions of the HIPAA Administrative Simplification standards

n Describe the health care professionals and facilities that are covered entities under HIPAA

n Describe how health care personnel can comply with HIPAA standards

n Explain the contents of a medical record as the source of health information about patients

n Define protected health information (PHI) and electronic protected health information (ePHI)

n Discuss the required content of the HIPAA Notice of Privacy Practices (NPP)

n Explain patients’ rights regarding the use and disclosure of their PHI

n Describe HIPAA’s administrative, physical, and technical standards for the protection of ePHI

n Explain the purpose of the HIPAA Electronic Health Care Transactions and Code Set standards

n Describe several types of HIPAA transactions

1

In s

tr u

c tio

n s

In s

tr u

c tio

n s

Instructions to Students2

n List the HIPAA standards for medical code sets

n Describe how HIPAA’s rules are enforced

n Name the governmental agencies that are responsible for HIPAA enforcement

YOUR TEXTBOOK

Your textbook, HIPAA for Allied Health Careers, by Cynthia Newby, is the heart of this course. It contains the study material on which your examinations will be based. We’ve divided the textbook material into two lessons.

It’s very important that you read the material in the textbook and study it until you’re completely familiar with it. It’s a good idea to begin by skimming the contents at the front of the book. This will give you an overview of the entire textbook.

Each chapter in your textbook opens with an outline, a list of key terms, and some case examples that illustrate real-life scenarios involving the HIPAA regulations. At the end of each chapter, you’ll find a helpful summary of the information you’ve just read. Use your chapter readings and the objec- tives listed above to judge your understanding of the text material before you take your examinations.

Your textbook also contains many helpful hints, compliance tips, case studies, HIPAA cautions, and Internet resources to further your understanding of the reading. There’s also a glossary, an index, and an appendix of professional resources at the back of the book.

COURSE MATERIALS

You should have received the following learning materials for this course:

n Your textbook, HIPAA for Allied Health Careers, which contains the assigned readings

n This study guide, which will help you to understand the major ideas presented in the textbook in addition to providing background information about specific topics

The study guide also includes

n Self-checks for each lesson

n Answers to the self-checks

A STUDY PLAN

In studying your assignments, be sure to read all of the instructional material in both the textbook and the study guide. Here’s a good plan to follow:

1. Note carefully the page where the assignment begins and the page where it ends. These pages are indicated in the Lesson Assignments section in this study guide.

2. Read the introduction to the assignment in the study guide.

3. Read the designated pages for that assignment in the textbook to get a general idea of their contents. Then study the assignment, paying careful attention to all details, including the compliance tips and HIPAA cau- tions referenced in the text.

4. When you’re comfortable with the material for each assignment, complete the self-check at the end of the assignment in your study guide. When you’ve finished the self-checks, compare your answers with those given at the end of the study guide. If you’ve missed any ques- tions, go back and review the related topic. This review will reinforce your understanding of the material.

5. Complete each assignment in this way.

6. When you feel that you understand all of the material presented in the lesson assignments, you may complete the examination for that lesson.

7. Follow this procedure for both of the two lessons.

8. Complete the Research Project after completing both lessons.

Instructions to Students 3

Remember, at any time, you can contact your instructor for information regarding the materials. The instructor can pro- vide you with answers to any questions you may have about the course or your study materials.

Now you’re ready to begin Lesson 1.

Good luck!

Instructions to Students4

Lesson 1: Understanding HIPAA

For: Read in the Read in study guide: the textbook:

Assignment 1 Pages 8–14 Chapter 1, Pages 1–19

Assignment 2 Pages 16–22 Chapter 2, Pages 25–52

Assignment 3 Pages 24–29 Chapter 3, Pages 59–82

Examination 460809 Material in Lesson 1

Lesson 2: Implementing and Enforcing HIPAA

For: Read in the Read in study guide: the textbook:

Assignment 4 Pages 34–36 Chapter 4, Pages 89–109

Assignment 5 Pages 39–41 Chapter 5, Pages 114–144

Examination 460810 Material in Lesson 2

Graded Project 46081100

5

A s

s ig

n m

e n

ts A

s s

ig n

m e

n ts

Note: To access and complete any of the examinations for this study

guide, click on the appropriate Take Exam icon on your “My Courses”

page. You shouldn’t have to enter the examination numbers. These

numbers are for reference only if you have reason to contact Student

Services.

NOTES

Lesson Assignments6

7

L e

s s

o n

1 L

e s

s o

n 1

Understanding HIPAA

INTRODUCTION

This first lesson is an introduction to the Health Insurance Portability and Accountability Act of 1996, or HIPAA. The provisions of the HIPAA law affect everyone who works in the health care field, so it’s important to understand what the law covers and how you need to comply with it. The lesson contains three reading assignments.

Assignment 1 starts out with a description of the two basic parts of the HIPAA law, Title I and Title II. Title I covers health insurance reform. Title II includes HIPAA’s adminis- tration simplification rules. You’ll learn about the basic goals and objectives of the HIPAA law in this assignment.

Assignment 2 reviews the HIPAA Privacy Standards, which protect patients’ private health information in medical records. A patient’s private health information can be shared or disclosed only under specific circumstances that are explained under the HIPAA rules.

Assignment 3 introduces the HIPAA Security Standards, which describe how electronic information about patients must be protected.

OBJECTIVES

When you complete this lesson, you’ll be able to

n Describe the major provisions of Title I and Title II of HIPAA

n Identify the key provisions of the HIPAA Administrative Simplification standards

n Describe the health care professionals and facilities that are covered entities under HIPAA

n Explain the difference between a covered entity and a business associate

HIPAA Compliance8

n List five responsibilities of covered entities under the HIPAA Privacy Rule

n Define protected health information (PHI) and electronic protected health information (ePHI)

n Discuss the required content of the HIPAA Notice of Privacy Practices (NPP)

n Explain the privacy standards relating to the release of PHI for treatment, payment, and operations (TPO) purposes

n Describe the situations in which authorization for release of PHI must be obtained

n Name several major exceptions to the HIPAA release of information requirements

n Explain patients’ rights regarding the use and disclosure of their PHI

n List the three goals of the HIPAA security standards

n Compare and contrast risk analysis and risk management

n Describe HIPAA’s administrative, physical, and technical standards for the protection of ePHI

ASSIGNMENT 1 Read this introduction to Assignment 1. Then, read Chapter 1, “The Goal of HIPAA: Administrative Simplification,” on pages 1–19 in your textbook HIPAA for Allied Health Careers.

What Is HIPAA?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was signed into law on August 21, 1996 by the United States Congress. The main purpose of HIPAA is to increase the efficiency and effectiveness of health care, and to protect patient rights. It’s designed to help people build trust in the health care system.

Lesson 1 9

The law has two important parts, called Title I and Title II. Title I of HIPAA provides a basis for ensuring the portability of health insurance, which means that employees and their families can keep their health insurance when workers change jobs. Title II of HIPAA lays out specific rules that health insurance plans, health care providers, and employers must follow, and defines noncompliance penalties that can be applied when rules are broken. It also contains provisions to protect the privacy and security of people’s health care data.

HIPAA was created to help with several important problem areas within the health care industry. The laws was designed to

n Improve the portability and continuity of health care coverage in insurance markets

n Combat waste, fraud, and abuse in the health care system, and also in the insurance industry

n Improve access to long-term care

n Simplify health insurance administration

n Provide a means to pay for reforms

n Protect the privacy of a patient’s personal information and health care data

n Provide for the electronic and physical security of personal information and health care data

n Simplify billing and other health care transactions

The areas in which the enactment of HIPAA has most affected health care include the following:

n The privacy of health information

n The establishment of standards for electronic transac- tions (such as electronic medical records, insurance claims, and so on)

n The security of electronic health information (such as electronic medical records)

HIPAA Compliance10

HIPAA’s Two Titles

HIPAA is a complex federal legislative act that’s organized into two parts: Title I and Title II. Each part covers different health care topics. Let’s take a closer look at each of these parts now.

HIPAA Title I: Health Insurance Reform

Title I of the HIPAA act provides individuals with rights relat- ing to their insurance portability when they change jobs. Title I also outlines certain requirements for government- based medical coverage (such as Medicare and Medicaid) and private insurance. Under the HIPAA rules, individuals who apply for medical insurance coverage under Medicare can’t be denied insurance because of a preexisting medical condition. Title I of HIPAA also regulates the insurance coverage that’s provided through private insurance compa- nies, such as employer-sponsored group health plans (the insurance people receive through their employers). Federal programs, such as Medicare and Medicaid, are also covered by other federal laws.

Hint: Be sure to review pages 4–5 in your textbook to get a brief overview of the different types of private health insur- ance plans that are available for employees and retired employees.

Employer-sponsored group health insurance plans are regulated by the Employee Retirement Income and Security Act of 1974 (ERISA). Most other health insurance plans (that is, other than employer-sponsored health insurance plans) are regulated by state-based insurance commissions. The state department of insurance agencies creates coverage require- ments for various plans.

The Consolidated Omnibus Budget Reconciliation Act (COBRA) is a law that gives employees who are leaving a job the oppor- tunity to continue their health insurance coverage under their employer’s plan, so that they don’t have a gap in med- ical insurance. Under COBRA, the employee will continue to pay for insurance under the employer’s plan, usually at a

Lesson 1 11

rate higher than the standard employee insurance. However, the rate is still usually lower than they would have to pay for a new individual insurance policy that’s not group-based with the employer.

HIPAA Title II: Administrative Simplification (AS)

The Administrative Simplification (AS) provisions of Title II of the HIPAA act required the United States Department of Health and Human Services (HHS) to establish national stan- dards for the security of electronic health care information. The final rule adopting the HIPAA standards for security was published in the Federal Register on February 20, 2003. This final rule specifies a series of administrative, technical, and physical security procedures for covered entities to assure the confidentiality of electronic protected health information.

The main goal of the Administrative Simplification (AS) provi- sions is to cut costs and reduce administrative overhead in the health care field. In addition, the AS provisions encourage organizations to use electronic data interchange (EDI) trans- actions. EDI is an exchange of information that’s completed through computer transactions using established criteria.

Specifically, Title II gives the Department of Health and Human Services the authority to do the following:

n Mandate the use of standards for the electronic exchange of health care data

n Specify what medical and administrative code sets should be used within those standards

n Require the use of national identification systems for health care patients, providers, payers, and employers

n Specify the types of measures required to protect the security and privacy of individually identifiable health information (IIHI)

It’s important to understand the difference between the terms privacy and security as they relate to health information. You can think of it like a sealed letter that’s kept in a locked mailbox. A sealed envelope will keep the letter private, and prevent people from reading the letter’s contents by accident.

HIPAA Compliance12

However, only the locked mailbox will keep the letter secure, and prevent someone from stealing the letter. When you’re dealing with a person’s sensitive health care details, you need to keep the information private (only the patient and author- ized professionals should be able to see it or hear it) and you need to keep it secure (protect it from being stolen). These are the exact reasons why the HIPAA rules were created.

Covered Entities

Covered entities are all of the organizations that are required to follow HIPAA regulations by state and federal laws. Covered entities provide care to patients during the normal course of business, and they also send protected information electronically. The Administrative Simplification (AS) stan- dards under HIPAA defines covered entities as any of the following:

n A health care provider. Note that a health care provider is any health care professional or organization (such as a doctor, hospital, or clinic) that provides medical and health care to individuals, and that conducts certain transactions in electronic form.

n A health care clearinghouse. A health care clearinghouse is an entity that processes or aids in the processing of information. In simple terms, this means a medical billing service, community health information system, or other similar company.

n A health care plan. A health care plan refers to health insurance coverage by a group, organization, or person that pays for and administers the health insurance.

Many types of health insurance plans are included in the HIPAA regulations, including the following:

n Employer-provided group health plans

n Preferred provider organizations (PPOs)

n Health maintenance organizations (HMOs)

n Federal insurance agencies (Medicare and Medicaid)

Lesson 1 13

n Long-term care insurance plans

n Medicare supplemental insurers

n The TRICARE program (for military personnel)

n The CHAMPVA program (for veterans)

n Indian Health Service programs (for Native Americans)

n Federal Employees Health Benefits (FEHB)

n State-based child health care plans (such as CHIP)

However, there are also some types of medical insurance benefits that fall outside of the HIPAA standards. These types of benefits include disability income, accident income, automobile liability insurance, general liability insurance, workers’ compensation, or medical payments that occur through an automobile insurance policy.

Providers

Under the HIPAA regulations, these covered entities are health care providers who bill for services that are provided to a patient during the normal course of business. A provider submits a claim to the patient’s insurance carrier (such as a private insurance agency, Medicare, or Medicaid) in order to receive payment for the services he or she provided to the patient. The services provided can include an annual checkup, a diagnostic test, a laboratory test, a preventive screening, or a surgical procedure, as well as diagnosis, treatment, and care for an illness. The covered provider entities may be a hospital, skilled nursing facility, outpatient rehabilitation facility, hospice organization, home health organization, pharmacy, physician’s office, dental office, chiropractor, podiatrist, therapist, or laboratory.

HIPAA Compliance14

Business Associates

Sometimes, a covered entity will retain an outside person or business to perform a function on the entity’s behalf, who will also need to have access to the covered entity’s pro- tected health information. According to HIPAA, these outside professionals are called business associates. Some common examples of business associates are the following:

n Medical billing companies

n Law offices

n Accountants

n Information technology (IT) contractors

n Medical transcription companies

n Collection agencies

n Third-party claim administrators (TPAs)

These business associates must follow HIPAA standards in order to do business with a covered entity.

After you’ve carefully read pages 1–19 in the textbook HIPAA for Allied Health Careers, complete Self-Check 1. Check your answers with those provided at the back of this study guide. When you’re sure that you understand the material from Assignment 1, move on to Assignment 2.

Lesson 1 15

Self-Check 1

At the end of each section of HIPAA Compliance, you’ll be asked to pause and check

your understanding of what you’ve just read by completing a “Self-Check” exercise.

Answering these questions will help you review what you’ve studied so far. Please

complete Self-Check 1 now.

Questions 1–8: Indicate whether each statement is True or False.

______ 1. Title II of HIPAA expands the COBRA law with additional continuation of coverage.

______ 2. HIPAA’s Administrative Simplification rules prohibit the use of electronic data

interchange (EDI).

______ 3. Examples of covered entities under HIPAA includes health plans, health care

providers, and health care clearinghouses.

______ 4. Title I of HIPAA covers the Privacy and Security Rules.

______ 5. A health care clearinghouse provides insurance to a patient.

______ 6. If business associates want to do business with a covered entity, they must

follow HIPAA standards.

______ 7. Under the concept of preemption, state laws supersede HIPAA rules in most

situations.

______ 8. The Centers for Medicare and Medicaid Services (CMS) is responsible for enforcing

the HIPAA privacy standards.

(Continued)

HIPAA Compliance16

ASSIGNMENT 2 Read this introduction to Assignment 2. Then, read Chapter 2, “The HIPAA Privacy Standards,” on pages 25–52 in your text- book HIPAA for Allied Health Careers.

The Medical Record

The HIPAA privacy standards include guidelines for electronic medical records. The information in a medical record is the documentation that relates to a patient’s illness, course of

Self-Check 1

Questions 9–12: Select the one best answer to each question.

9. According to HIPAA, home-based medical coders, third-party claim administrators, and medical transcription companies are defined as

a. clearinghouses. c. covered entities. b. health care providers. d. business associates.

10. Which of the following is another name for Title II of HIPAA?

a. Administrative Simplification c. NPRM b. COBRA d. Health Insurance Reform

11. Which of the following is an agency of the HHS that’s charged with enforcing privacy standards?

a. The Office of Management and Budget (OMB) b. The Office of Personnel Management (OPM) c. The Office for Civil Rights (OCR) d. The Office of the Inspector General (OIG)

12. The health care organizations that are required by law to obey the HIPAA regulations are called

a. employers. c. business associates. b. covered entities. d. facility directors.

Check your answers with those on page 51.

Lesson 1 17

treatment, and care. Medical records are considered to be legal documents, and they may be very important documen- tation in court cases (for example, if a physician or a hospital is sued by a patient).

According to state and federal laws, health care professionals are required to include specific information in a patient’s medical record to document every encounter with the patient. An encounter is defined as any patient visit with a physician or other qualified health care provider (such as a nurse practitioner, therapist, or physician assistant) to diagnose a condition or treat an illness or injury.

To document a patient encounter, the provider must include the following information, at a minimum:

n The patient’s name

n The date of the encounter

n The reason for the encounter

n A documented medical history and physical examination

n A review of laboratory and diagnostic tests if performed

n A review of medications, if the patient was prescribed drugs

n A diagnosis

n A plan of care or notes that identifies the procedures and treatments given

n The signature of the provider who saw the patient

HIPAA Compliance18

What Is Protected Health Information?

According to the Federal government, protected health information (PHI) is defined as “individually identifiable health information maintained in or transmitted by electronic media.” PHI is information that can specifically identify a unique individual, and may include any of the following:

n A person’s name

n Home address

n Names of relatives

n Name of employer

n Date of birth

n Home telephone number or fax number

n Personal e-mail address

n Social Security number

n Medical record number

n Health insurance plan beneficiary number or account number

n Driver’s license number

n Vehicle serial number

n Web site address

n Fingerprints

n Photograph

Protected health information also includes data about sensi- tive health conditions that patients usually want to keep very private, such as alcohol and drug dependence, mental health issues, sexually transmitted diseases, infectious diseases, and HIV or AIDS. A higher standard of privacy applies to these types of conditions under HIPAA’s rules.

Lesson 1 19

Individually identifiable health information may reside on or travel via electronic avenues, such as the Internet, extranets and intranets, leased lines, dial-up lines, private networks, magnetic tape, and compact disk media.

Minimum Necessary Standard

The minimum necessary standard is a component of the HIPAA Privacy Act that attempts to limit the disclosure of protected health information. The standard requires hospitals, insurance plans, health care providers, and other organizations to make as much effort as possible to limit the disclosure of PHI to the “minimum necessary” amount that’s needed for individual employees to do their jobs. For example, in a health clinic, the information in a patient’s electronic medical record would be disclosed only to the doctor providing services and the office employee who’s recording and billing the services. The private health information wouldn’t be provided to all of clinic’s employees. These procedures reduce the risk of someone accessing or disclosing protected health information incorrectly.

Business Associates and PHI

The HIPAA Privacy Rule defines business associates (BA) as individuals or corporations that work with covered entities, such as medical billers, accountants, lawyers, accreditation agencies, and any other independent contractors that provide services. Since these business associates themselves aren’t bound by HIPAA privacy rules, it’s necessary for the covered entity to ensure that patients’ PHI is protected when business associates come into contact with the information.

For example, in the course of preparing tax documents, a physician’s accountant might need to review claims and bills that contain individually identifiable health information. To ensure that the PHI will be held in confidence, the HIPAA Privacy Rule requires that covered entities have contracts with their business associates that cover confidentiality. The Privacy Rule also imposes liability if that confidentiality is breached.

HIPAA Compliance20

Notice of Privacy Practices (NPP)

The Notice of Privacy Practices (NPP) is a document that out- lines the privacy policies and procedures of a physician’s office or hospital. The NPP tells the patient how the facility will use his or her medical information, how it will disclose this information, and how it will protect the information. The NPP also tells patients how they can access their own medical information.

It’s very important that employees receive proper training to ensure that everyone understands the HIPAA rules. Patients must also be informed of the HIPAA rules that protect them. Usually, a doctor’s office will provide each patient with a Notice of Privacy Practices document one time. Then, the patient will be asked to sign a separate form called an Acknowledgment of Receipt of Notice of Privacy Practices. The acknowledgment form states that the patient has read the privacy practices and understands his or her rights regarding the privacy of their health information.

HIPAA requires every health care provider to make a good- faith attempt to have each patient sign the acknowledgment form. The health care provider must

n Provide a full notice of privacy practices (not a summary) to each patient at least once

n Obtain a signed acknowledgment from the patient that he or she received the NPP

n Keep the signed acknowledgment form in the patient record, or a description of a good-faith attempt to get a signed acknowledgment

n Document a patient’s refusal to sign (if the patient refuses) and retain it in the patient record

Most importantly, the provider is not allowed to refuse treat- ment if the patient refuses to sign the acknowledgment.

It’s the responsibility of an organization’s appointed HIPAA officer to ensure that all employees are trained in the HIPAA rules. The HIPAA law states that employee training records must be kept on file for six years. It also mandates that

Lesson 1 21

employers provide annual employee reviews on HIPAA poli- cies and procedures, and periodic retraining for employees (when necessary) to explain new responsibilities.

Disclosure of PHI

The term disclosure refers to the release, transfer, or provi- sion of protected health information to someone outside the entity that holds the information. For example, a doctor’s office would be the entity holding a patient’s private informa- tion, and anyone else who requests to see that information (such as an insurance carrier) would be an outside entity. In some cases, PHI can be released to outside entities with- out special permission; in other situations, the patient must provide a specific authorization for PHI to be disclosed.

In the ordinary process of providing medical care, it’s sometimes necessary for a patient’s private information to be disclosed to others. For example, a doctor’s office may need to provide PHI to a hospital, or to another doctor’s office where a patient is being treated. Or, the patient’s insurance company may need to see a patient’s PHI in order to pay a claim. These necessary, everyday situations are called treatment, payment, and health care operations (TPO) under HIPAA. Disclosures of health information are permitted for TPO without special authorization.

However, there are also some circumstances in which restric- tions will apply to the release of PHI. If PHI is to be released for some purpose other than treatment, payment, or health care operations, the patient must be asked to sign a written authorization to release the information.

An authorization is simply permission to do something. In relation to protected health information, an authorization means that the patient gives permission for his or her PHI to be shared or disclosed for some reason. For example, a patient may give written authorization for PHI to be used in a research study or for marketing purposes, or to be disclosed to relatives or an employer.

HIPAA Compliance22

Your textbook describes a number of situations where a patient’s written authorization will be required to release PHI. It also reviews the rights of patients as related to accessing their own health care information. Be sure to review these concepts carefully.

After you’ve carefully read pages 25–52 the textbook HIPAA for Allied Health Careers, complete Self-Check 2. Check your answers with those provided at the back of this study guide. When you’re sure that you understand the material from Assignment 2, move on to Assignment 3.

Self-Check 2

Questions 1–6: Indicate whether each statement is True or False.

______ 1. The HIPAA Privacy Rule was the first federal law designed to protect the privacy

of health information.

______ 2. A provider isn’t allowed to treat a patient unless he or she signs an Acknowledgement

of Receipt of Notice of Privacy Practices.

______ 3. Protected health information includes any data that can identify a unique individual.

______ 4. A covered entity must have a signed authorization in order to use a patient’s protected

health information for marketing.

______ 5. Patients can file a complaint to the Office for Civil Rights when their privacy has been

violated by a health care provider.

______ 6. A provider can’t send a patient’s PHI to a health insurance plan for payment without

a signed authorization from the patient.

(Continued)

Lesson 1 23

Self-Check 2

Questions 7–12: Select the one best answer to each question.

7. According to HIPAA rules, what is the minimum amount of time that a provider must retain a patient’s signed Acknowledgment of Receipt of Notice of Privacy Practices?

a. 10 years c. 1 year b. 6 years d. 3 years

8. A medical record that’s stored in a combination of paper forms and electronic forms is called a

a. designated record set. c. hybrid record. b. minimum necessary record. d. de-identified record.

9. The release, transfer, provision of access to, or divulging of protected health information outside the entity that holds the information is called

a. authorization. c. documentation. b. incidental use. d. disclosure.

10. Patients who observe privacy problems in their provider’s offices can complain to the

a. Office for Civil Rights (OCR). b. Department of Health and Human Services (HHS). c. National Center for Health Statistics. d. Office of the Inspector General (OIG).

11. A correction of a finalized entry in a medical record that has been identified as incorrect is called a(n)

a. incident. c. complaint. b. disclosure. d. amendment.

12. According to the HIPAA Privacy Rule, which of the following is considered to be a part of a designated record set?

a. Requests for lab tests c. Appointment schedules b. Billing records d. Birth records

Check your answers with those on page 51.

HIPAA Compliance24

ASSIGNMENT 3 Read this introduction to Assignment 3. Then, read Chapter 3, “The HIPAA Security Standards,” on pages 59–82 in your text- book HIPAA for Allied Health Careers.

The HIPAA Security Rule

This part of your textbook reviews the details of the HIPAA Security Rule, which describes the administrative, physical, and technical safeguards that are needed to keep protected health information safe, and prevent unintended disclosures. According to the HIPAA Security Rule, covered entities must have security standards in place to protect PHI that’s stored or transmitted in electronic form (that is, on computer sys- tems) from improper usage and disclosure.

Administrative safeguards include establishing office security policies and procedures, and training staff on how to access information securely.

Physical safeguards include limiting the physical access to the computer systems on which electronic PHI is stored.

Technical safeguards focus on the policies and procedures for accessing PHI data, including the restriction of access through the use of passwords and other individual authenti- cation methods.

Electronic Protected Health Information

One important point about the HIPAA Security Rule is that it focuses on electronic health information, and doesn’t deal with the security of paper medical records or documents. (In contrast, the HIPAA Privacy Rule protects health information in any format, whether it’s paper information or electronic information.)

Lesson 1 25

Remember that a patient’s protected health information (PHI) includes any individually identifiable information in any form, including name, address, Social Security number, birth date, telephone number, e-mail address, and hospital admission number (or patient number).

The main purposes of the HIPAA security standards are to

n Ensure the confidentiality of electronic patient health information

n Ensure the integrity of electronic patient health information

Note that the HIPAA security standards don’t outline specific actions that a covered entity must take to protect electronic patient information. Instead, the standards provide goals and examples that organizations can follow to protect health information. Individual covered entities are allowed to have different security policies and procedures that are appropri- ate for their size and the type of care they provide.

Threats to Information Security

Even though patient information is probably safer when stored in an electronic medical record than in paper form, it doesn’t mean that the information can’t be damaged or lost. Computers and other electronic storage media are vulnerable to a number of different threats that can damage or destroy stored information. The following are some of the common ways in which the security of protected health infor- mation can be threatened:

n Natural disasters, such as fires, floods, earthquakes, and explosions

n Power loss or utility outages

n Malware (such as computer viruses) or computer hacking

n Problems during computer updates or upgrades

n Deliberate theft or sabotage by employees or contractors

HIPAA Compliance26

Note that malware is any type of harmful computer program that can be transmitted into a computer system, typically through e-mail attachments or Internet downloads. Malware can damage or destroy the data that’s stored on a computer or a connected storage device. A covered entity can protect stored electronic health information by installing antivirus software on individual employees’ computers and on the organization’s network. Antivirus software is able to find and remove viruses from the computer system before any damage occurs to the stored data.

Important data may be damaged or lost during computer updates or upgrades, or when new computers or software programs are installed. Therefore, it’s very important that established procedures be followed carefully at all times.

An additional threat can come from the unauthorized access of data by employees or others who have access to computer systems. For example, someone may attempt to access data for the purposes of identity theft. In hospitals or doctor’s offices that service celebrity patients, employees may try to obtain information to disclose or sell to the media. Or, a disgruntled employee may access patient information or cause damage to the organization’s computerized data to seek revenge on the employer.

Because of these internal and external threats to computer systems, it’s critical to ensure that patient information is kept secure. One way to do this is to appoint a security officer who will be responsible for developing security plans and evaluating their effectiveness.

Your textbook describes a variety of methods that can be used to protect stored computer data, including firewalls, passwords, encryption, locks, and antivirus software. Be sure to review these carefully.

Lesson 1 27

Administrative Standards

A large part of the HIPAA Security Rule covers administrative standards for protecting electronic health information. The administrative standards describe policies and procedures that covered entities must implement in the workforce to protect patients’ private information. The administrative standards include the following nine key requirements:

1. The covered entity must perform a risk analysis, and then develop a plan to manage the risk.

2. The covered entity must appoint a security officer to manage security policies.

3. Each employee must be allowed only the minimum necessary access to PHI.

4. Employees must have authorization to access information.

5. Employees must receive security training.

6. A procedure must be prepared to address security incidents.

7. The covered entity must have a contingency plan to protect PHI in a disaster.

8. The covered entity must periodically evaluate and update its security procedures.

9. If the covered entity has any business associates, there must be wording in their contracts that require HIPAA compliance.

This is only a brief summary of the nine main provisions of the HIPAA administrative standards. Your textbook describes these topics in much greater detail, so be sure to examine this information carefully.

Physical Standards

Physical security refers to the protection of the environment where PHI is stored. This includes the building, rooms, equipment, and computer hardware where a covered entity keeps its records. The physical safeguards that are used to

HIPAA Compliance28

protect information at a doctor’s office, hospital, or insurance company are the same things that would be used to protect expensive merchandise in a retail store (such as diamonds in a jewelry shop), and may include

n Locks on doors

n Alarm systems

n Video surveillance monitors

n Fire detection equipment

n Patrolling security guards

It’s important to remember that while PHI must be protected from unauthorized access, there will also be times when employees will need to access the information for regular treatment, payment, and health care operations. Thus, there must be a careful balance between allowing appropriate access and limiting improper access. The patients’ private information must be protected, but at the same time, you can’t make it so difficult to access information that the daily office activities are slowed to a crawl.

The HIPAA physical security standards include the following four main provisions:

1. Only authorized persons should be allowed to enter the building.

2. The access to PHI on workstations should be limited to “minimum necessary.”

3. Workstations must be protected from theft or removal.

4. The use of devices, such as backup tapes and flash drives, must be controlled.

Technical Standards

Technical safeguards refer to the procedures and policies for using technology, and the related control of access to data. The HIPAA standards don’t require that any specific methods be used; they simply provide security guidelines.

Lesson 1 29

Some of the key provisions of the technology safeguards include the following requirements:

n Individuals must be authorized to access PHI.

n Covered entities must preserve the integrity of PHI by preventing its alteration or destruction.

n Authentication must be provided to prove that an individual has the right to access data.

n Covered entities must use secure transmission systems or encryption to protect private information that’s trans- mitted electronically (for example, by e-mail).

n Covered entities must use audit controls to monitor security breaches.

Note that authentication is the process of proving who you are before you can access private information on a computer sys- tem. Authentication can be provided by password, a unique possession such as a key or ID card, or through a biometric feature (fingerprint, voice pattern, or eye pattern). Unique user identification is required for every employee who needs access to PHI.

If an outside entity needs to access data on an organization’s computer system over a network or through an Internet connection, the outside entity can be required to provide a digital certificate for identification. A digital certificate is an electronic file that certifies the identity of the individual or organization that’s requesting information access.

Audit controls are devices or software that monitor security breaches. Audit controls establish audit trails that log employees’ identification numbers when they access certain parts of the electronic medical record.

After you’ve carefully read pages 59–82 in the textbook HIPAA for Allied Health Careers, complete Self-Check 3. Check your answers with those provided at the back of this study guide. When you’re sure that you understand the material from these three assignments, complete the examination for Lesson 1.

HIPAA Compliance30

Self-Check 3

Questions 1–10: Indicate whether each statement is True or False.

______ 1. Under HIPAA, computer passwords are examples of administrative safeguards that

protect ePHI.

______ 2. The process of creating policies and procedures to protect ePHI is called risk analysis.

______ 3. The process of ensuring that someone is in fact who he or she claims to be is called

authentication.

______ 4. The HIPAA Security Rule covers any PHI that’s in an electronic format.

______ 5. Locks on the doors to the computer room are examples of technical safeguards

that protect ePHI.

______ 6. Security includes planning for threats or hazards that haven’t yet happened.

______ 7. The three goals of the HIPAA security standards are to ensure the confidentiality,

integrity, and availability of ePHI.

______ 8. The protection of information by transferring it into an unreadable format before

it’s distributed is called authorization.

______ 9. A type of software that scans a computer system for malware is called a digital

certificate.

______ 10. Policies and procedures are examples of physical safeguards that protect ePHI

under HIPAA.

(Continued)

Lesson 1 31

Self-Check 3

Questions 11–16: Select the one best answer to each question.

11. According to the HIPAA security standards for electronic protected health information, issues such as access controls, audit controls, integrity, and authentication are covered under

a. physical standards. c. technical standards. b. administrative standards. d. organizational standards.

12. One of the goals of the HIPAA security standards is to ensure the _______ of electronic protected health information, which means that the information is shared only among authorized individuals and organizations.

a. integrity c. accuracy b. availability d. confidentiality

13. To protect electronic health information, _______ is used to prevent unauthorized entry into a computer network, to prevent unauthorized data from exiting the network, and to control what users can access on the Internet.

a. a firewall c. antivirus software b. encryption d. role-based authorization

14. Under the HIPAA Security Standards, according to the category of _______ standards, covered entities are required to implement policies and procedures that limit unauthorized access to facilities and computer systems where electronic protected health information is stored.

a. physical c. technical b. administrative d. emergency

15. To protect electronic health care data from serious threats such as computer software or hardware failures, fires, earthquakes, floods, or terrorist acts, a covered entity must have a(n)

a. firewall. c. antivirus program. b. disaster recovery plan. d. security incident procedure.

16. Appointing a security official for a newly opened health clinic is an example of satisfying

a. a technical security standard. b. a physical security standard. c. an administrative security standard. d. an implementation specification.

Check your answers with those on page 52.

HIPAA Compliance32

NOTES

33

L e

s s

o n

2 L

e s

s o

n 2

Implementing and Enforcing HIPAA

INTRODUCTION

The first part of this lesson contains an introduction to the electronic data interchange (EDI) requirements that are specified by HIPAA. Under the HIPAA rules, all health care transactions must follow certain standards. You’ll learn about these standards and how to comply with them. The second part of the lesson covers the enforcement of HIPAA rules, and how workers can comply with the rules to prevent fraud and abuse in the health care industry.

OBJECTIVES

When you complete this lesson, you’ll be able to

n Explain the purpose of the HIPAA Electronic Health Care Transactions and Code Sets standards

n Name eight types of HIPAA transactions

n Identify the key purpose of the Administrative Simplification Compliance Act

n List the HIPAA standards for medical code sets

n Compare and contrast the ICD-9-CM diagnosis codes, CPT and HCPCS procedure and supply codes, and ICD-9-CM Volume 3 procedure codes

n Explain the purpose of the HIPAA final enforcement rule

n Distinguish between civil and criminal cases

n Describe the roles of the Office for Civil Rights (OCR) and the Department of Justice (DOJ) in the enforcement of the HIPAA privacy standards

HIPAA Compliance34

n Describe the roles of the Centers for Medicare and Medicaid Services (CMS) in the enforcement of the HIPAA security, transactions, code sets, and identifiers standards

n Describe the civil case procedure followed by OCR and CMS

ASSIGNMENT 4 Read this introduction to Assignment 4. Then, read Chapter 4, “The HIPAA Transactions, Code Sets, and National Identifier Standards,” on pages 89–109 in your textbook HIPAA for Allied Health Careers.

The Administrative Simplification Provisions

HIPAA has defined a number of requirements for electronic data interchange (EDI), which is the transfer of health care data between providers, insurance plans, and clearinghouses. The goal of HIPAA’s administrative simplification rules is to make the exchange of health care and billing information faster, more efficient, and more accurate. By standardizing the format of electronic transactions, communication between organizations becomes easier.

Standard Transactions

HIPAA requires that every provider who uses electronic data interchange must use the same health care transactions, code sets, and identifiers.

A transaction is an exchange of electronic information between two parties, and is the equivalent of a business document. HIPAA requires covered entities to use certain standards for every transaction.

Lesson 2 35

Under HIPAA, there are eight types of mandated transactions:

1. Health plan premium payments

2. Enrollment or disenrollment in a health plan

3. Eligibility inquiries

4. Referral certification and authorization

5. Claims

6. Payment with an explanation

7. Claim status inquiries

8. Coordination of benefits

Each of these transactions is assigned a specific name and number for use in electronic data exchanges.

Standard Code Sets

Code sets are alphanumeric codes (groups of letters and numbers) that are used to encode data elements. Medical code sets are used to identify specific diagnosis and clinical procedures on claims and encounter forms. Administrative code sets are used to encode general business information, such as a state abbreviation, zip code, or an explanations why a claim was denied by an insurance company.

The health care industry is made up of many different parties (such as patients, providers, health care plans, clearinghouses, employers, and so on) who must communi- cate with one another. In years past, there was very little standardization in the sending and receiving of health care data. However, the creation of standardized code sets has greatly streamlined the exchange of data, resulting in

n Exchanges of information that take a much shorter amount of time

n A reduction in errors, such as mistaken identities

n A reduction in printing and mailing costs, since data can be sent electronically

HIPAA Compliance36

National Identifiers

An identifier is a number of a specific structure and length, such as a Social Security number, that uniquely identifies an individual. HIPAA has required the development of national identifier numbers for employers, health care providers, and health care plans. These numbers are used for identification in electronic transactions.

The national provider identifier (NPI) is used in HIPAA trans- actions to uniquely identify a health care provider, such as a physician who has provided services to a patient. The NPI is a ten-digit number that’s specific to that provider, and not to any hospital or clinic the provider works for. All providers who send in electronic claims to an insurance carrier must include their NPI number on the electronic claim.

Another rule that HIPAA has established is the requirement that employer identification numbers and national provider identifiers be placed on claim forms that are submitted by providers to payers (insurance companies).

After you’ve carefully read pages 89–109 in the textbook HIPAA for Allied Health Careers, complete Self-Check 4. Check your answers with those provided at the back of this study guide. When you’re sure that you understand the material from Assignment 4, move on to Assignment 5.

Lesson 2 37

Self-Check 4

Questions 1–8: Indicate whether each statement is True or False.

______ 1. The HIPAA transaction number for a health plan enrollment is 278.

______ 2. CPT Category I codes have five digits.

______ 3. HIPAA legislation mandates that ePHI transmissions must comply with ASC X12

standards.

______ 4. The HIPAA transaction number for a referral authorization is 820.

______ 5. NDC is the HIPAA-mandated code set for dental procedures.

______ 6. The HIPAA transaction number for a health care claim status inquiry/response is

276/277.

______ 7. The standard for the identification of providers for HIPAA transactions is the National

Provider Identifier (NPI).

______ 8. The NPPES is a coding system that’s used to describe products, supplies, and services

that aren’t covered in the CPT codes.

Questions 9–12: Select the one best answer to each question.

9. Which of the following is an organization responsible for maintaining HIPAA standards for EDI transactions and code sets?

a. Centers for Medicare and Medicaid b. The ANSI Committee c. Designated Standard Maintenance Organizations d. The World Health Organization

10. The _______ provides detailed technical information and correct formats for preparing each mandated HIPAA transaction.

a. status response c. remittance advice b. claim status inquiry d. implementation guide

(Continued)

HIPAA Compliance38

Self-Check 4

11. Under HIPAA, any group of codes used for encoding data elements is called a

a. national identifier. c. claim. b. code set. d. referral authorization.

12. Which of the following organizations lists the national provider identifier numbers on their Web site?

a. The Designated Standard Maintenance Organization (DSMO) b. The Department of Health and Human Services (HHS) c. The World Health Organization (WHO) d. The National Plan and Provider Enumeration System (NPPES)

13. Unique numbers of predetermined length and structure, such as Social Security numbers, that can be used in electronic transactions are called

a. referral certifications. c. identifiers. b. implementation guides. d. CPT codes.

14. On a HIPAA 277 transaction, a claim status code of “F” indicates that

a. the claim has been finalized. b. the claim has been received. c. an error occurred in the transmission of the claim. d. a request for more information has been sent.

15. If a HIPAA transaction name contains two numbers,

a. the first number refers to the insurance company, and the second number refers to the patient.

b. the first number is from the provider to the plan, and the second number is from the plan back to the provider.

c. the numbers describe where the claim is in processing. d. the claim is missing HIPAA standard codes.

16. Under HIPAA, which of the following is a set of codes that’s used to identify alternative medicine procedures and services?

a. CDT-4 c. ICD-9-CM b. The ABC Code Set d. The National Drug Code

Check your answers with those on page 52.

Lesson 2 39

ASSIGNMENT 5 Read this introduction to Assignment 5. Then, read Chapter 5, “HIPAA Enforcement,” on pages 114–144 in your textbook HIPAA for Allied Health Careers.

HIPAA Enforcement

Enforcement of the HIPAA rules is carried out by several different agencies, including the Office for Civil Rights (OCR), the Department of Justice (DOJ), the Centers for Medicare and Medicaid Services (CMS), and the Office of the Inspector General (OIG). Violators of the HIPAA rules can have civil or criminal charges brought against them. A civil penalty is generally a monetary fine that’s assessed for violating a provision of the law. A criminal penalty is brought by the government (on behalf of the people) for wrongdoing that’s detrimental to society, and may include a monetary fine as well as imprisonment.

The HIPAA final enforcement rule can impose civil monetary penalties of not more than $100 per violation, and not more than $25,000 for all similar violations per calendar year.

Even though severe penalties may be imposed on HIPAA violators, the foremost enforcement goal of the Office for Civil Rights (OCR) is to work to help correct problems before imposing those penalties.

Enforcement of Transactions and Code Sets

Your textbook explains how the Department of Health and Human Services (HHS) originally created an Office of HIPAA Standards (OHS) to oversee and enforce transactions and code sets. The OHS provided a written form to use for com- plaints about HIPAA transactions.

HIPAA Compliance40

This complaint form was set up to hear feedback about transactions and codes sets from

n Health care providers

n Clearinghouses

n Any others using transactions and code sets

In May 2005, the OHS was expanded and is now called t he Office of E-Health Standards and Services (OESS) to reflect the expanding responsibilities of e-health. The OESS is responsible for enforcing the Administrative Simplification portion of HIPAA. Complaints that are covered by the HIPAA Privacy Rule are enforced by the Office for Civil Rights.

The OESS uses a computer application called the Administrative Simplification Enforcement Tool (ASET)

that allows individuals or organizations to file complaints against HIPAA violators. The ASET application can be found at the OESS Web site.

Preventing Fraud and Abuse

The National Health Care Anti-Fraud Association has determined that 3% to 10% of health care spending is lost annually because of fraud and abuse, contributing to unnecessary costs in the health care system.

Fraud is an intentional act of deception to obtain a financial benefit. An example would be a physician who sends a claim to Medicare, billing an office visit for a patient who doesn’t exist.

In contrast, abuse is any action that improperly uses an entity’s resources. An example of abuse is billing for services that aren’t medically necessary. Abuse may occur uninten- tionally as a result of ignorance of billing rules or the use of an inaccurate medical code.

One of the responsibilities that employees have in any organi- zation is to protect the dollars that are spent for health care. Employees can do this by identifying and reporting situations where they see fraud and abuse occurring.

Lesson 2 41

Government health care agencies must train their employees and business partners to understand, identify, and report fraud and abuse. Also, there are important laws and regula- tions that cover these issues, including the following:

n The Antikickback Act of 1986, which makes it illegal to offer incentives to induce referrals for services paid for by government agencies (such as Medicare or Medicaid)

n The Stark Laws, which prevent physicians from making self-referrals (referrals to entities with which the physi- cian has a financial relationship)

n The Sarbanes-Oxley Act, which requires publicly traded corporations to have sound financial management

n The Deficit Reduction Act of 2005

Your textbook reviews these laws in detail, so be sure to read this information carefully.

After you’ve carefully read pages 114–144 in the textbook HIPAA for Allied Health Careers, complete Self-Check 5. Check your answers with those provided at the back of this study guide. When you’re sure that you understand the material from these two assignments, complete the examination for Lesson 2.

HIPAA Compliance42

Self-Check 5

Questions 1–8: Indicate whether each statement is True or False.

______ 1. A formal examination or review of health care records is called a code of conduct.

______ 2. The Department of Justice prosecutes criminal violations of HIPAA’s privacy standards.

______ 3. The Deficit Reduction Act encourages states to pass their own false health care

claim acts.

______ 4. The Centers for Medicare and Medicaid Services (CMS) is responsible for enforcing

HIPAA privacy violations.

______ 5. The Office for Civil Rights (OCR) is the federal government’s main law enforcement

division.

______ 6. Actions that misuse government money (such as Medicare finds) and that aren’t

sound medical, business, or fiscal practices are referred to as abuses.

______ 7. A top compliant reported by the Office for Civil Rights is insufficient safeguards

to protect PHI data.

______ 8. The Stark laws are designed to protect whistle-blowers in health care fraud cases.

(Continued)

Lesson 2 43

Self-Check 5

Questions 9–14: Select the one best answer to each question.

9. A formal examination or review that attempts to discover whether a health care organization’s staff members comply with HIPAA coding and billing regulations is called a(n)

a. benchmark. c. compliance plan. b. audit. d. corporate integrity agreement.

10. _______ is defined as any action that improperly uses government monies (for example by billing for services that weren’t medically necessary) and may be the result of incorrect coding or ignorance of billing rules.

a. Abuse c. Qui tam b. Fraud d. Benchmarking

11. _______ is defined as an intentional act of deception that’s intended to obtain a financial benefit (for example, billing a federal insurance program for medical services that weren’t provided).

a. Abuse c. Fraud b. Qui tam d. Benchmarking

12. Which of the following laws protects individuals who are identified as whistle-blowers, that is, people who report suspected health insurance fraud?

a. The Antikickback Act of 1986 c. The False Claims Act b. The Sarbanes-Oxley Act d. The Deficit Reduction Act

13. A person who makes an accusation of suspected health care fraud is called a(n)

a. self-referrer. c. excluded party. b. advisor. d. relator.

14. A written document created by a health care provider that outlines ethical practices for the members of its organization is called a(n)

a. compliance plan. c. audit report. b. OIG Work Plan. d. code of conduct.

Check your answers with those on page 53.

HIPAA Compliance44

NOTES

INTRODUCTION

This graded project is a research paper that you’ll complete and submit to the school for grading. In your paper, you’ll apply what you learned about HIPAA to an actual situation in which a health care organization violated HIPAA regulations.

YOUR ASSIGNMENT

Health care organizations must know and follow the regula- tions that are set forth by HIPAA, or be held accountable for their failure to follow the rules. For this assignment, you’ll need to find three real-life examples of HIPAA viola- tions; that is, violations of HIPAA’s privacy or security laws that occurred in the United States since the passage of the HIPAA law (after 1996). Each violation described should be serious, and one that resulted in a fine or penalty for the individual or company involved.

You can find real-life examples of HIPAA violations in news reports, medical journals, professional health care publications, and other similar reliable factual sources. For each example violation, you should provide the following information:

n A complete, descriptive summary of the case

n Important facts that relate to the case, such as the names of the company or individual involved, the date of the violation, and the city and state where the incident occurred

n An explanation of the HIPAA rules that were violated

Be sure to answer these questions when writing your summaries:

n How did the HIPAA violation occur?

n What policies (if any) did the organization have in place to protect against the violation?

n What was the penalty for the violation (fine, prison term, termination of employment, etc)?

45

G ra

d e

d P

ro je

c t

G ra

d e

d P

ro je

c t

Finally, describe three ways in which the organization could have prevented the violation.

Organize your three case examples into a 750-word paper.

Research Instructions

To write your paper, you may use journal articles, textbook material, case studies, and Web site information. The Web site information must come from reputable and verifiable sources, such as the United States Department of Health and Human Services, the American Medical Association, profes- sional or business organizations, or articles published by major news organizations.

To get started on finding a real-life case example that you’re interested in, you can use an Internet search engine such as Google. Try entering keywords such as “HIPAA violation” under the “News” section. Or, go to your local library and perform a search in the medical journals or professional publications they have on file.

Writing Guidelines

1. Type your submission, double-spaced, in a standard print font, size 12. Use a standard document format with 1-inch margins. (Do not use any fancy or cursive fonts.)

2. Read the assignment carefully, and follow the instructions.

3. Be sure to include the following information at the top of your paper:

n Your name

n Your student number

n The course title (HIPAA Compliance)

n Graded project number (46081100)

n The date

4. Be specific. Limit your submission to the issues covered by your chosen topic.

Graded Project46

5. Include a reference page in either APA or MLA style. On this page, list Web sites, books, journals, and all other references used in preparing the submission.

6. Proofread your work carefully. Check for correct spelling, grammar, punctuation, and capitalization.

Grading Criteria

Your project will be based on the following criteria:

Content 80%

Written communication 10%

Format 10%

Here’s a brief explanation of each of these points.

Content

The student must

n Provide a clear discussion of the chosen topic

n Address the topic in complete sentences

n Support his or her research by citing specific information from the textbook, Web sites, and any other references, and by using correct APA or MLA guidelines for citations and references

n Stay focused on the chosen topic

n Write in his or her own words and use quotation marks to indicate direct quotations

Written Communication

The student must

n Discuss the topic in complete paragraphs that include an introductory sentence, at least four sentences of explana- tion, and a concluding sentence

n Use correct grammar, spelling, punctuation, and sen- tence structure