Hands-On Steps
1. From your computer workstation, create a new text document called HIPAA Lab #3.
2. Review the following scenario:
Your manager has asked you to identify information and resources in the health care industry that address the laws, rules, and guidelines your health care organization must follow. The organization is about to undergo an audit that will be more stringent than any it has had before, so you need to gather information in preparation for it. The organization believes it is necessary to review its HIPAA compliance (or lack of compliance) and to put the gathered information into a report that shows all the requirements it faces. Your manager has asked you to perform this task because your previous work has been above reproach. He expects a summary of the HIPAA requirements the organization must comply with, together with any financial regulatory acts for which it might also be held liable. Building on your previous experience researching the financial sector and Sarbanes-Oxley, you will need to dig deeper into the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule and Security Rule. You can use resources from HHS.gov, the U.S. Department of Health and Human Services’ website, to evaluate the HIPAA Privacy and Security Rules.
3. Launch your Web browser. Type the Web address http://www.himss.org/ASP/index.asp. This is the Healthcare Information and Management Systems Society (HIMSS) website. Review the website.
4. On the left side of the HIMSS website, click the Healthcare Reform link. Review some of the documents. Then, in the upper right corner, type the words Health Information Technology in the Search box. Review the information you find. In your text document, note what you learn about the HIMSS website and how it helps companies and organizations address health care issues.
5. In your browser address bar, type the following Web address: http://csrc.nist.gov/news_events/HIPAA-May2010_workshop/presentations/2-3-logging-auditing-mcmillan-cynergistek.pdf.
Review the following sections:
a. Logging & Audit Requirements
b. Privacy vs. Security
c. Challenges & Barriers
In your text document, note the information you can gather from these sections of the document.
6. In your Web browser, type the following Web address: http://healthit.hhs.gov/portal/server.pt?open=512&objID=1147&parentname=CommunityPage&parentid=8&mode=2&in_hi_userid=11673&cached=true. Browse the Privacy and Security section of The Office of the National Coordinator for Health Information Technology and review the available information and resources provided. In your text document, note the types of information you can gather from The Office of the National Coordinator for Health Information Technology.
7. In your Web browser, type the Web address www.HHS.gov. Review HIPAA’s main points and requirements. In your text document, discuss these requirements.
8. Review the HHS.gov website’s information on the HIPAA Security Rule and Privacy Rule. First, review the HIPAA Security Rule at the following address: http://www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html. In your text document, discuss these topics:
a. Who is covered by the Security Rule?
i. Health plans
ii. Health care clearinghouses
iii. Any health care provider who transmits health information in electronic form in connection with a transaction for which the secretary of HHS has adopted standards under HIPAA
b. What information is protected?
i. Protected health information (PHI)
ii. De-identified health information
c. General rules
d. Risk analysis and management
e. Administrative, physical, and technical safeguards
i. Security management process
ii. Facility access and control
iii. Access, audit, and integrity controls
iv. Transmission security
f. Policies, documentation, and penalty enforcements
9. Review the HIPAA Privacy Rule at the following address: http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html. In your text document, discuss these topics:
a. General principle for uses and disclosures
b. Permitted vs. authorized uses and disclosures to the individual
i. Treatment, payment, health care operations
ii. Opportunity to agree or object
iii. Incidental use and disclosure
iv. Public interest
c. Limiting disclosure and notifications
d. Policies, documentation, and penalty enforcements
i. For violations occurring prior to 2/18/2009
ii. Penalty amount: Up to $100 per violation
iii. For violations occurring on or after 2/18/2009
iv. Calendar-year cap, respectively: $25,000 and $1,500,000
10. In your text document, write an executive summary that defines a process for obtaining and documenting the information needed to perform a HIPAA compliance audit.
11. Submit the text document to your instructor as a deliverable for this lab.
20 Lab #3 | Define a Process for Gathering Information Pertaining to a HIPAA Compliance Audit