Red Flag Rules EFFECTIVE 6-1-2010
that NEW compliance date is June 1, 2010 - 4th extension):
Basic information and
explanation (includes info on on-line seminar): http://www.coloradochiropractic.org/headlines/files/RedFlagsRule5_09infoandseminar.pdf
Info brochure from
information (see pages 63773-63774 for program development) :
SAMPLE program from
the Wisconsin Chiropractic Association:
Purchase a Manual for
FREE HIPAA Training
available through 3DGrid www.3dgrid.com or 866-334-7431
to Latest and
Final HIPAA Enforcement and Fines 2-16-06
(courtesy of NACA -
Association of Chiropractic Attorneys)
This Final Rule (45
pages) adopts the complete regulatory structure for implementing the
civil money penalty authority of the Administrative Simplification part
of HIPAA (SSA, section 1176), completing the structure begun when the
Privacy Rule was issued in 2000 and expanded by the interim final
procedural enforcement rules issued in 2003. The Final Rule
covers the enforcement process from its beginning, which will usually
be a complaint or a compliance review, through its conclusion. A
complaint or compliance review may result in informal resolution, a
finding of no violation, or a finding of a violation. If a
finding of a violation is made, a civil money penalty will be sought
for the violation, which can be challenged by the covered entity
through a formal hearing and appellate review process.
These rules apply to
covered entities who violate any of the rules implementing the
Administrative Simplification provisions of HIPAA.
You may register for a HIPAA regulations list serve by visiting: http://aspe.hhs.gov/admnsimp/lsnotify.htm
ON CCA WEB Updated August 6, 2003
Health Insurance Portability and Accountability Act of 1996, is a
law which sets guidelines for health care providers (and others) for
transactions AND protecting patient privacy and security. It
electronic transmission of claims and medical records privacy.
CCA apologizes for any confusion regarding HIPAA guidelines. We
used several sources for information; this information has been
and confusing. This current information is the best we have at
time. There are no simple answers or solutions to HIPAA.
are many detailed definitions and exceptions. We suggest that you
consult with your legal counsel about the impact of the requirements to
is a possibility that insurance companies and managed care organizations
could require (with only a 30 day notice) contracted health care
to comply with the electronic (part one) & privacy requirements
two) of HIPAA, even if the health care provider is NOT doing electronic
National electronic standards were developed to improve effectiveness
the health care system. The definition of Electronic Data
is “the exchange of computer-processable data in a standardized format
between two entities.” Electronic transactions are defined as
transmitted via the Internet, extranet, leased line, dial-up line,
network, transactions sent via magnetic tape, disk – including
If your office does not do electronic transactions but your business
does (clearinghouse/billing service) you must comply with HIPAA
Transactions covered by HIPAA include:
Enrollment in or disenrollment
in a health plan.
Eligibility for a
plan or benefits.
Health care claims
Health care payments
and remittance advice.
Health care claim
If your practice uses
a billing service, and they do electronic billing for you, you must
Coordination of benefits.
FAX generated by computer.
If you conduct ONE
electronic transaction, you must comply with HIPAA guidelines.
with the electronic transaction standards by October 15, 2002. The
compliance deadline for electronic transactions was extended – BUT YOU
MUST have SUBMITTED A PLAN BY OCTOBER 15, 2002, STATING HOW COMPLIANCE
WILL BE ACHIEVED to receive the extension to October 15, 2003.
the HIPAA definitions for electronic transactions are very
If you did not submit or mail your extension form by the deadline - you
are not in compliance and may be subject to fines and/or you may get
from Medicare. Call the HIPAA Hotline at (866) 282-0659 if you
not file an extension form.
Privacy: Effective April 14, 2003
standards for privacy of individual health information. The
rule creates national standards to protect individuals’ medical records
and other personal health information. Although there may be RARE
exceptions, the CCA recommends that ALL DOCTORS comply with these
Keep in mind that as these guidelines are adopted by other health care
professionals, patients will expect the same from you and your clinic's
This section includes:
Education of employees
about “patient health information.”
to patients about their privacy rights.
Establish office procedures.
Secure patient records
Designate an individual
responsible for privacy procedures for your practice.
Patients must have
access to their files.
Patients must be informed
of their privacy rights and how their information can be used.
Employees must be
trained regarding privacy procedures.
must be secure so that only employees needing this information will
access to this information.
Patients may request
changes to their records.
Patients may request
restrictions on disclosures.
review what patient health information (PHI) they
who has access to it, what security they have now to deny others access
to the PHI, what security is required under HIPAA, develop a compliance
plan on how they will comply with HIPAA security rules, implement those
changes, develop a privacy notice, get authorization (if required) from
a patient for use of PHI, develop and enter into business associate
with any entity they deal with that receives PHI from them.
The final HIPAA security rule was released on 2-13-03. The
rule works hand-in-hand with the HIPAA privacy rule. While the
rule sets standards for how protected health information can be used,
it can be disclosed, and what rights patients have regarding their
the security standards "define administrative, physical, and technical
to protect the confidentiality, integrity, and availability of
protect health information." To read
the security rule, visit the CMS web site.
to use common sense when dealing with patient information. Use at
least the "minimum necessary standards" to ensure files, records, and
- DOCUMENT - DOCUMENT: The CCA suggests that you keep a log in
each patient's file of where and when and to whom records are
In addition, keep a log of the dates and types of all staff training
AND of all efforts you've made to comply with HIPAA rules.
Below is privacy
standard information verified with Jeff Selmandow (303-844-7841) in the
Denver Office of Civil Rights (local branch of a FEDERAL office):
SHEETS: It was NOT the intention of HIPAA privacy standards
include office sign-in sheets. Names may be listed and announced
in the office; HOWEVER, you should take reasonable care in protecting
on your sign-in sheets (for example: DO NOT have the patient list
"complaint" or "illness" on the sign-in sheet).
ROOMS: It is NOT necessary to retrofit your office for
rooms. Again, you should take reasonable care in protecting
privacy by having a private area to discuss diagnosis and treatment
the patient - however, treatment rooms may have curtains or short
Discuss personal information where other people cannot hear.
Other patients/people SHOULD NOT have access to patient files.
DO NOT leave patient files out on a counter or desk where other
may have access to them.
BOARDS: You should have approval from the patient to place
name on a referral board in your office.
will be available in the future and another CCA HIPAA Seminar will be
in early 2003. Check our Upcoming
Events page for classes. Call the Office for Civil Rights for
more on privacy standards at (866) 627-7748.