
HIPAA 'Survival Kit'

NOTICE THAT THIS DOES NOT CONSTITUTE LEGAL ADVICE AND DOCUMENTS PROVIDED BY MINNESOTA COUNTIES ARE SHARED TO THE EXTENT THAT ONE COUNTY’S EXPERIENCE MIGHT HELP SOMEONE ELSE AND IS NOT GUARANTEED TO BE THE SOLUTION FOR ANY OTHER COUNTY, etc.

The following is a resource guide of 'best practices' developed by metro counties who are well on the road to HIPAA compliance. 

Our special thanks to the Metro HIPAA Self-Help Group and, especially, Val Ruedy from Dakota County.

HIPAA Rules

Glossary and Clarification of Rules

Getting Started

Policies & Procedures/Forms

The HIPAA Rules

HIPAA is the acronym for the Health Insurance Portability and Accountability Act of 1996. The Centers for Medicare & Medicaid Services (CMS) is responsible for implementing various unrelated provisions of HIPAA.

 

HIPAA Health Insurance Reform

HIPAA Health Insurance Reform was enacted in 1996 to protect health insurance coverage for employees and their families when they change or lose their jobs and to protect against lack of health insurance coverage due to preexisting conditions.

HIPAA Administrative Simplification

The Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA, Title II) are the rules counties are currently struggling to interpret and implement.  Adopting national standards for electronic health care transactions and code sets will improve the efficiency and cost effectiveness of the nation's health care system. 

There are 3 main parts to this rule:

Standards for Electronic Transactions 

The Administrative Data Standards and Related Requirements rule was published in the Federal Register on August 17, 2000.  This is the rule that defines the standardization of transactions and code sets required to be effective (after an entity has applied for a one year extension) on Oct. 16, 2003.

 

CMS has a checklist available to help you determine whether you need to comply and how to proceed with a plan for compliance.


There are a number of implementation guides available that define these new transactions and codes, each one given a form number.  Each guide also has an addendum that CMS has not yet finalized; the addenda contain generally accepted corrections to the guides and are expected to be formally adopted within the next quarter.  All of these implementation guides can be ordered as bound copies at a cost or downloaded at no cost from the Washington Publishing web site.

 

It is important for counties to refer to the Minnesota DHS website for information on what the state is doing to comply with HIPAA and especially to learn about changes to state applications, such as MMIS, and to find out about testing of the standard transactions, which is being provided free of charge to counties by the MN HIPAA Collaborative.  The DHS website has information on all of this.

 

Privacy

The privacy rule, which applies to the protection of individually identifiable health information by HIPAA covered entities and their business partners, impacts written and spoken information in addition to electronic information.  The basic standards imposed by the privacy rule can also be found at either the CMS HIPAA website or the MN DHS website (both links are provided above).  The final privacy rule was printed in the Federal Register on August 14th, 2002.

                 

Security (this rule still in draft form, expected to be finalized by April, 2003)

The security rule will become effective 26 months after it is published, so the earliest compliance date for this rule is now April 1st, 2005.  Click here for a draft of the security rule.

Since it is difficult to implement privacy procedures without providing the security of the data that is the object of those procedures, there are some security requirements in the HIPAA privacy rule.  It would be in everyone’s best interest to keep tabs on the security rule and take whatever steps are reasonably achievable as soon as possible to increase the security of health information.

 

National Identifiers

The only national identifier rule that has been published is the National Employer Identification rule, which was published in the Federal Register on May 31, 2002. 

 

HIPAA Administrative Simplification Compliance Deadlines

Date: Deadline

April 14, 2003: Privacy - all covered entities except small health plans.

April 16, 2003: Electronic Health Care Transactions and Code Sets - all covered entities must have started software and systems testing.

October 16, 2003: Electronic Health Care Transactions and Code Sets - all covered entities who filed for an extension and small health plans.

April 14, 2004: Privacy - small health plans.

July 30, 2004: Employer Identifier Standard - all covered entities except small health plans.

August 1, 2005: Employer Identifier Standard - small health plans.


Glossary and Clarification of Rules

The federal government has released answers to Privacy rule questions:

CMS website

OCR website (OCR is charged with policing HIPAA privacy compliance), which has a Guidance document released 12/4/02

 

HIPAA Glossary and Acronyms

This glossary began as one published on a number of national HIPAA websites.  Dakota County has added to this glossary with information from the final Privacy Rule, its preamble and some frequently asked questions and other information posted on the CMS, OCR and DHHS websites.  It was originally intended to help ONE person get HIPAA information about a specific subject in one place and is not an official publication.

 

Minnesota DHS has been working on a Privacy Rule Matrix, which looks at privacy rules in HIPAA, Minnesota Data Practices and other applicable rules.  The matrix can be found on the DHS HIPAA website.


Getting Started

There are a number of HIPAA websites (thousands!) that provide checklists, project plans, task lists, and other tools to help you get started on HIPAA compliance.  Below is a list with a few that MN counties have submitted as their favorites.

 

If you browse the internet for information on HIPAA, you can narrow your search considerably by remembering a few key points:

  • The public sector is always a bit different from the private sector, so it’s often helpful to stick with the advice of those in the public sector or who know the public sector.

  • In Minnesota government, we already have very stringent privacy laws in our Data Practices legislation.  One reason the DHS website is important to monitor is that they have links to the MGDPA or data practices act along with some information to help with issues of preemption, or trying to determine how Data Practices (and other pertinent laws) work in concert with HIPAA. 

  •  Look at the published dates of the materials.  There are a lot of old, outdated documents posted on websites nationwide.  If you see information on the privacy rule, for instance, that was published before the final Privacy rule was released on Aug. 14th, 2002, it is likely outdated.  If the  privacy rule information you’re reading mentions a requirement for written consent for treatment, payment or operations, it is based on a proposed version of the privacy rule, not the final rule. 

 

What is HIPAA:

HIPAA Primer from Anoka County

 

HIPAA Compliance Checklists:

DHS

List of privacy rule tasks (unknown source)

 

Covered Entity Assessment, Surveys, Work Plans, Assorted Tools:

Federal (CMS)

California Healthcare Foundation

Dakota County Survey to identify PHI

MN DHS survey to identify PHI

Gap analysis (unknown source)

State of Maryland privacy work plan

State of Colorado grid of PHI uses and disclosures

North Carolina guide to identifying designated record sets

Recent Wedi-Snip disclosure grid

Plan for HIPAA Security Rule Compliance


Policies & Procedures / Forms

There are many vendors that offer sets of HIPAA policies and procedures to companies at a price; in fact, all major health care consulting firms are likely to have a HIPAA team and a set of policies & procedures for sale.  There are also many providers, states and local governments that have posted their HIPAA policies and procedures online, which many of us with little or no budget for HIPAA compliance are finding useful in guiding us toward the development of our own policies and procedures.  Many MN Counties are also building on HIPAA as an opportune time to fine-tune and retrain on their Data Practices policies and procedures. 

 

Some favorite websites for policies and procedures are:

Oregon DHS

HIPAACow (HIPAA Collaborative of Wisconsin)

Ohio Mental Health

U of TX Medical Branch (Private sector)

 

These sites have also posted templates for their Notice of Privacy Practices, Business Associate Agreement, and sometimes their Trading Partner Agreement.

 

Minnesota counties should also consider the Minnesota DHS forms and contracts, since most of us contract with many of the same providers as DHS and they will be more comfortable with forms that look and feel similar. 

Workforce Training

One important source for HIPAA 101 training will be coming to Minnesota counties free of charge from DHS.  They are currently working on a web-based training tool that will provide both HIPAA 101 and Data Practices 101 training that they will post on their website and allow counties to download.  The project has been a joint effort between DHS and Ramsey County and is expected to be completed before March 1st, 2003. 

 

HIPAACOW (Wisconsin) has a HIPAA 101 PowerPoint available online for introductory HIPAA training as well.  The introduction to this presentation says, “This presentation is designed to help your organization meet the basic HIPAA workforce training requirement. Topics focus on privacy issues, security safeguards and electronic transactions and is intended for all staff including medical staff (physicians, practitioners, medical students), clinical staff (nurses, therapists, pharmacy, laboratory) and ancillary staff (payers/insurers, administrative, clerical, dietary, housekeeping, visiting clergy). Please feel free to tailor this presentation to your facility and audience.”

 

You will need to consider customized training for your own covered workforce that goes beyond these beginning classes and includes training on your new policies and procedures, forms, and limitations. 
