HIPAA COMPLIANCE AND PROGRESS MATRIX

For every item listed below the matrix provides four tracking columns: Scheduled Completion Date, Responsible Party, Document Index #, and Comments. All four columns are blank in this copy; the list that follows is the set of items to be tracked.

Transactions
- Claims I 837
- Claims P 837
- Claims D 837
- Remittance 835
- Eligibility Inquiry
- Eligibility Response
- Claims Status Inquiry
- Claims Status Response
- Referrals 278
- Claims I 837 System data
- Claims P 837 System data
- Claims D 837 System data
- Remittance 835 System data
- Eligibility Inquiry System data
- Eligibility Response System data
- Claims Status Inquiry System data
- Claims Status Response System data
- Referrals 278 System data

Security

Administrative Procedures
- Certification
- Chain of Trust Partner Agreement
- Contingency plan
- Applications and data criticality analysis
- Data backup plan
- Disaster recovery plan
- Emergency mode operation plan
- Testing and revision
- Formal mechanism for processing records
- Information access control
- Access authorization
- Access establishment
- Access modification
- Internal audit
- Personnel security
- Maintenance of record of access authorizations
- Personnel clearance procedure
- Personnel security policy/procedure
- Comprehensive written personnel security policy
- Written notice to all new temporary personnel
- Written notice to all medical and nursing staff
- Annual review of the Security Policy, required of everyone
- Written acknowledgement (signature) by everyone
- Procedures in place to enforce and monitor the Security Policy
- Tracking system operational to track and report Security notice deficiencies
- System users, including maintenance personnel, trained in security
- Security configuration management
- Documentation
- Hardware and software installation and maintenance review and testing for security features
- Inventory
- Security testing
- Virus testing
- Security incident procedures
- Report procedures
- Response procedures
- Security management process
- Risk analysis
- Risk management
- Sanction policy
- Security policy
- Termination procedures
- Combination locks changed
- Removal from access lists
- Removal of user account(s)
- Turn in keys, tokens or cards that allow access
- Training
- Awareness training for all personnel
- Periodic security reminders
- User education concerning virus protection
- User education in monitoring login success/failure, and how to report discrepancies
- User education in password management
- Other Administrative Procedures

Physical Safeguards
- Assign security responsibility
- Does the Security Officer have CISSP or equivalent training/experience?
- Security Officer issues an Annual Report
- Media controls
- Access control
- Broad definition of media, including disks, tapes, CDs, printouts, source documents, PDAs, wireless devices and digital pagers
- Written policies in place concerning unauthorized software and data (e.g., unlicensed software, games)
- Enforcement provisions in place to support the media control policies
- Accountability (tracking mechanism)
- Data backup
- Data storage
- Disposal
- Physical access control (limited access)
- Disaster recovery
- Emergency mode operation
- Equipment control (into and out of site)
- Facility security plan
- Procedures for verifying access authorizations prior to physical access
- Maintenance records
- Sign-in for visitors and escort
- Testing and revision
- Policy/guideline on workstation use
- Secure workstation location
- Security awareness training
- Other Physical Safeguards

Technical Security Services
- Access control
- Context-based access
- Encryption
- Procedure for emergency access
- Role-based access
- User-based access
- Audit controls
- Authorization control
- Role-based access
- User-based access
- Data authentication
- Entity authentication
- Automatic logoff
- Biometric
- Password
- PIN
- Telephone callback
- Token
- Unique user identification
- Other Technical Security Services

Technical Security Mechanisms
- Communications/network controls
- Access controls
- Alarm
- Audit trail
- Encryption
- Entity authorization
- Event reporting
- Integrity controls
- Message authentication
- Other Technical Security Mechanisms

Privacy
- Uses and disclosures: general
- Use or disclosure prohibited except as permitted or required
- Minimum necessary information
- Uses and disclosures subject to agreed-upon restriction
- Provision for de-identified information
- Business Associates' requirement to assure safeguards
- Deceased individuals receive the same protection
- Personal representative treated as the individual represented
- Support alternative means or locations to receive confidential communications
- Uses and disclosures consistent with notice
- Whistleblower and workforce-member crime victim disclosure exemption
- Uses and disclosures: organizational requirements
- Requirements apply to the healthcare component of a hybrid entity; affiliated covered entities may designate themselves as a single covered entity
- Business Associate contract terms and enforcement to support permitted and required uses and disclosures
- Requirements for group health plans that restrict disclosure to the plan sponsor, supported by plan documents
- Multiple covered functions that apply to a combination of plan, provider, and clearinghouse
- Consent for uses or disclosures to carry out treatment, payment, or healthcare operations
- Obtain documentation of the individual's consent
- Manage information disclosure in accordance with the more restrictive of conflicting consents
- Utilization and support for joint consent, where applicable
- Uses and disclosures for which authorization is required
- Uses and disclosures requiring an opportunity for the individual to agree or object
- Maintain records of restrictions on consenter authorization for facility directories and for others who ask for the individual by name
- Disclosure to family members or others identified by the individual of information relevant to their involvement in care or payment
- Uses and disclosures for which consent, authorization or an opportunity to agree or object is not required
- De-identification of protected health information
- Disclosure of minimum necessary information
- Restrictions on use or disclosure of information for marketing
- Prohibition on the use of information for fundraising
- Information for underwriting
- Verification requirements for release prior to disclosure
- Notice of privacy practices for protected health information
- Individual's right to notice of privacy practices
- Rights to request privacy protection for protected health information
- Confidential communications delivered by/at alternative means/sites
- Access of individuals to protected health information
- Provision to respond to, and document the response to, an individual's right of access
- Reviewable grounds for denial, including written documentation of the basis for the denial; review rights, if applicable; how to file a complaint; and contact information
- Review of denial of access is a right of the individual; it must be performed by an individual not directly involved in the denial
- Amendment of protected health information
- Request for amendment
- Process for accepting an amendment
- Process for denying an amendment
- Accounting of disclosures of protected health information
- Content of accounting: disclosures, dates, name of entity, etc.
- Provision of accounting within 60 days plus one 30-day delay
- Documentation of accounting
- Administrative requirements
- Designation of a privacy official
- Privacy training
- Safeguards to protect privacy of information
- Process for individuals to make complaints
- Provision and application of sanctions
- Mitigation of known harmful effects of a use or disclosure of information
- Policies and procedures to comply with the privacy regulation
- Mechanism to change policies and procedures in response to changes in law, in written form with documentation
- Group health plans' exemption from some administrative standards
- Effective prior consents and authorizations