Ascension Health HIPAA Web Site
Maintained by Don Stry, Information Services Division
(812) 228-2131; Email: dstry@ascensionhealth.org

---

Section: Getting Started

An Organizational Checklist to Assess Your HIPAA Readiness and Develop Your Plan
Summarized from: http://www.ahima.org/publications/2a/pract.brief.499.html; Prepared by Sandra Fuller, MA, RRA,
vice president of practice leadership, and Julie J. Welch, RRA, HIM practice manager; Issued April 1999)

Updated 02/09/00

As healthcare professionals await final regulations, what can organizations do to prepare? Following is an organizational checklist to assess your readiness and develop your plan.

General | Standardization of Code Sets | Healthcare Identifiers | Claims Transactions | Information Security | Electronic Signature

General

• Assign responsibility for tracking the progress of regulations as they develop

• Continue to inform key internal stakeholders about HIPAA and its impact on your information systems and processes

• Seek current information on the industry's approach to HIPAA compliance
  
  
• Develop resources (publications, seminars, Web sites, professional networking, etc.)
  
  
• to facilitate development of your approach to HIPAA requirements
  
  
• Plan internal educational programs to describe HIPAA requirements to those responsible for implementing the changes



• Obtain and read copies of the proposed rules from the Federal Register, which can be accessed via HCFA's Web site at http://www.hcfa.gov
  
  
• Read the reports and recommendations from the National Committee on Vital and Health Statistics (NCVHS). The NCVHS serves as the statutory public advisory body to the Secretary of Health and Human Services in the area of health data and statistics (The reports and recommendations can be accessed via the NCVHS Web site at http://aspe.os.dhhs.gov/ncvhs through NCVHS Reports and Recommendations.)
  
  
• Obtain and read a copy of the Internet Security Policy from HCFA's Web site http://www.hcfa.gov



• Meet with key staff in information services to discuss the requirements, identify the people who need to be involved, and develop a plan of action Share sections of the Federal Register with individuals who need to be involved in preparing for the regulations
  
  
• Perform a gap analysis of your existing policies and procedures compared to the requirements of the proposed standards
  
  
• Have individuals who need to be involved send you copies of their policies and procedures that address the requirements
  
  
• Develop a checklist to help identify those policies and procedures that you will need

return to top

Standardization of Code Sets

• Monitor payer compliance with official coding guidelines
  
  
• Perform regular coding quality control studies
  
  
• Provide feedback on documentation issues that have an impact on the quality of coded data
  
  
• Routinely train coding staff on current coding practice
  
  
• Provide access to resources available on coding guidelines and best practices
  
  
• Efficiently update the ICD-9-CM codes in October and the CPT-4 codes (for both transaction and analysis systems)
  
  return to top

Healthcare Identifiers

• Become familiar with the Notice of Proposed Rule Making for the employer identifier number (EIN), the taxpayer identification number for employees that is assigned by the Internal Revenue Service
  
  
• Read the Notice of Proposed Rule Making for the national provider identifier (NPI)
  
  
• Assess the quality of your master person index (MPI)
  
  
• Perform required cleanup and eliminate duplications in your MPI
  
  
• Institute procedures to maintain the integrity of your MPI
  
  
• Train staff on the importance of data quality in an MPI
  
  
• Make necessary data quality improvements in registration systems
  
  
• Assign responsibility for the maintenance of MPI data integrity
  
  
• Perform routine data integrity checks on the provider database
  
  
• Develop effective procedures to maintain provider tables
  
  
• Integrate or interface provider tables with necessary systems
  
  
• Monitor data quality for unique personal identification numbers (UPINs) on billing documents
  
  
• Provide easy access to UPIN tables
  
  
• Maintain current, complete payer tables
  
  
• Perform data quality checks on payer data entry
  
  
• Develop feedback loops from the billing process to data collection processes regarding payer data

  return to top

Claims Transactions

• Maintain effective communication regarding claims processing with all affected parties
  
  
• Perform routine maintenance on your charge master
  
  
• Perform routine maintenance on your charge master
  
  
• Utilize electronic claims processing and electronic data interchange
  
  
• Explore the feasibility of converting to electronic claims processing or outsourcing that function
  
  
• Have comprehensive documentation of claims processing
  
  
• Routinely monitor remittance information against claims data
  
  
• Have an effective process for handling rejected claims
  
  
• Aggregate data about rejected claims to improve claims processing
  
  
• Become familiar with transaction standards and standards development organizations

return to top

Information Security

• Review the proposed standards and assess your organization's level of compliance by performing gap analysis
  
  
• Become familiar with the information security standards and standards development organizations
  
  
• Identify existing organizational structures to aid development and implementation of an information security program
  
  
• Ensure that policies exist to control access to, and release of, patient-identifiable health information
  
  
• Ensure that users of electronic health information have unique access codes
  
  
• Ensure that each user's access is restricted to the information needed to do his or her job
  
  
• Outline physician responsibilities for protecting the confidentiality of health information in the medical staff bylaws or rules and regulations
  
  
• Outline employee responsibilities for protecting the confidentiality of health information in the employee handbook
  
  
• Train everyone with access to health information about confidentiality and their responsibilities regarding confidentiality
  
  
• Review vendor contracts for outsourcing of health information to ensure that they include provisions regarding confidentiality and information security
  
  
• Ensure that system managers, network managers, and programmers do not have unlimited and unrecorded access to patient information
  
  
• Monitor access to information and put corrective action plans in place for violation of organization policy
  
  
• Perform risk assessments to prioritize and continually improve the security of the systems
  
  
• Maintain current knowledge of information security issues and industry response to these issues (read books, publications, attend seminars, etc.)

  return to top

Electronic Signature

• Identify the use of the electronic signature in your organization
  
  
• Perform a gap analysis for electronic signature applications to assess compliance with proposed standards for electronic signatures
  
  
• Become familiar with the electronic signature standards and standards development organizations
  
  
• Discuss the proposed requirements with current vendors who may be supporting your organization's information systems
  
  
• Familiarize yourself and employees with new and emerging information security technologies
  
  
• Research various certificate authorities to determine costs and identify a potential candidate
  
  return to top

<<Back

(From: http://www.ahima.org/publications/2a/pract.brief.499.html; Prepared by Sandra Fuller, MA, RRA, vice president of practice leadership, and Julie J. Welch, RRA, HIM practice manager; Issued April 1999)