Review of the health business status in the United States as of July 2013. Brief description of ICD 10 implementation status and potential repercussions and HIPAA Title 2 requirements.
Healthcare Business: Present and Future Challenges
1. HEALTHCARE BUSINESS: PRESENT AND FUTURE CHALLENGES
Taino Consultants Inc.
Dr. Jose I. Delgado
www.Tainoconsultants.com
DrDelgado@tainoconsultants.com
2. INTRODUCTION
Healthcare Reform – Status Update
ICD-10 Preparation and need
Compliance
HIPAA Title II
Omnibus Rule
Meaningful Use
4. CALENDAR OF KEY ELEMENTS
Calendar Year 2013
Limit FSA Contribution to $2,500.
Employer deduction for Part D subsidy eliminated.
Increase IRS threshold for itemized deduction for medical expense to 10%.
Increase Medicare payroll tax (additional 0.9%)
Deduction limit of $500,000 will be applied for current and deferred compensation paid to officers, directors, employees and service providers of health insurance for taxable years beginning after 2012 with respect to services performed after 2009.
5. CALENDAR OF KEY ELEMENTS
Calendar Year 2014
Health Care Reform Individual Mandate
State Health Insurance Exchanges Establishment.
Summary of Benefits and Coverage (SBC) required
Employers with more than 200 employees required to automatically enroll new full-time employees.
Plan Design Changes and Benefit Mandates apply:
cost-sharing limits
state requirement to accept and renew coverage
no pre-existing conditions exclusions
no individual health status discrimination
eligibility waiting period of 90 days or less.
Employer Reporting of Minimum Essential Coverage offering to employees.
6. CALENDAR OF KEY ELEMENTS
Calendar Year 2014 - Continuation
Offering of Qualified Health Benefit Plans through Cafeteria Plans.
State Basic Health Plan Option Offering.
Small Business Tax Credit increases to 50% of employer costs.
Premium Variation for Participation in Employer-Sponsored Wellness Programs
Insurance Market Reforms.
Insurer Fees applied to businesses that provide health insurance.
Mental Health and Substance Abuse Benefits Parity.
7. CURRENT TRENDS AND INTERPRETATION
Business Mandate Extended
California exchange experience
Anthem Blue Cross, UnitedHealth and Aetna pulling out
Products offered limited
Meaningful Use
21% of physicians attesting to Meaningful Use drop out after their first-year attestation
Accountable Care Organizations (ACOs)
9 out of 32 Pioneer ACOs drop out
8. ICD 10 PREPARATION AND NEED
Recommended Steps
Statistics – Readiness
Business Opportunities
9. STATISTICS - READINESS
Impact Assessment Completion: > 40% unknown
Complete Business Changes: 40% unknown; 20% maybe in 2014
Expected date to begin external testing: 50% unknown
ICD 10 sources to use as guidance/transition
25% use ICD 10 directly to code
> 50% will use crosswalking and direct coding
Note: Based on WEDI's letter to the HHS Secretary following its April 2013 research
10. ICD 10 BUSINESS CONCERNS
Systems and procedures not ready
Claims to be rejected
EHR notes must match ICD 10
Procedures must match correct ICD 10
Systems must match – different systems may establish different protocols
Providers and Practices downplaying the change
Time frame when ICD 9 and ICD 10 must be used simultaneously
Need for cash reserves (no less than 6 months of operations)
11. RECOMMENDED STEPS
Conduct Internal Audit to identify coding and business practices
Start training staff on the implementation and potential changes
Train Providers on proper coding
GET A LINE OF CREDIT
Consider outsourcing coding efforts right now
Look for assistance!!!
Test system and procedures
Study and correct rejected and unpaid claims
15. TITLE II
Preventing health care fraud and abuse;
Administrative simplification;
Medical liability reform
16. TITLE II – PREVENTING HEALTHCARE FRAUD
Fraud and Abuse Program
Revisions to Current Sanctions
Data Collection
Civil Monetary Penalties
Revisions to Criminal Law
17. MONETARY PENALTIES
• Civil penalties – $100 for each violation of the law, to a limit of $1,500,000 per year for violations of the same requirement.
• Criminal sanctions – $50,000 to $250,000 and one to ten years imprisonment.
18. DATA BREACHES PENALTY STRUCTURE
Violation Type                  Each                 Repeat/year
Did Not Know                    $100 – $50,000       $1,500,000
Reasonable Cause                $1,000 – $50,000     $1,500,000
Willful Neglect, Corrected      $10,000 – $50,000    $1,500,000
Willful Neglect, Not Corrected  $50,000              $1,500,000
23. HIPAA OMNIBUS RULE
Sep 23, 2013 Compliance Date
Key areas to focus on
Privacy, Security, and Breach Notification policies and procedures (and in some cases, new workflows and forms)
Notice of Privacy Practices
Business Associate (BA) Agreement
Expansion of BA’s obligations
24. MEANINGFUL USE
More than software
Risk Assessment
Stage 2 effective date – Fiscal year 2014
Documentation Requirements – Administration
Audits
25. TC INC. COMPLIANCE SOFTWARE
Module Specific
Dashboard – Messages
Policies
Forms
Quarterly Updates
Resources
26. SUMMARY
Healthcare Reform – Status Update
ICD-10 Preparation and need
Compliance
HIPAA Title II
Omnibus Rule
Meaningful Use
27. SUMMARY
Healthcare Reform – Status Update
ICD-10 Preparation and need
Compliance
Medicare and OIG
HIPAA
28. Dr. Jose I Delgado
DrDelgado@Tainoconsultants.com
www.tainoconsultants.com
Editor's notes
Flexible Spending Accounts allow employees to sock away tax-free dollars for medical expenses. Flexible spending accounts, or FSAs, allow employees to sock away tax-free dollars that can be used to pay for medical expenses such as drug co-pays, deductibles and treatments not covered by insurance plans. Up until now, there hasn't been an official limit to how much you could contribute to an FSA, although IRS rules dictated that employers create some kind of maximum contribution. Many employers cap the amount in the $2,000 to $5,000 range according to a 2009 report by the Center on Budget and Policy Priorities in Washington, D.C. FSAs will remain "use-it-or-lose-it" accounts. That is, any unused balance for one year can't be used to fund health care spending in the next year. Starting Jan. 1, 2013, FSAs will have annual limits of $2,500 per year. Tax-free contributions to HSAs and Archer MSAs will still be unlimited.
Individual Mandate requiring individuals to obtain minimum essential coverage, with the penalty for noncompliance being the greater of $95 per individual or 1% of household income over the filing threshold. Summary of Benefits and Coverage (SBC) required to state whether the plan provides minimum essential coverage and whether the plan's share of costs is at least 60% of actuarial value. Employers with more than 200 employees that offer health insurance coverage will be required to automatically enroll new full-time employees in coverage, with the opportunity to opt out. Plan Design Changes and Benefit Mandates apply: essential benefits, cost-sharing limits, state requirement to accept and renew coverage, no pre-existing conditions exclusions, no individual health status discrimination, eligibility waiting period of 90 days or less, coverage for routine costs for clinical trial participants.
Offering of Qualified Health Benefit Plans through Cafeteria Plans for exchange-eligible employers. State Basic Health Plan Option offered to people with income above Medicaid eligibility but below 200% of the federal poverty limit, rather than an exchange. Small Business Tax Credit will increase to 50% of employer costs. Premium Variation for Participation in Employer-sponsored Wellness Programs by as much as 30%. Insurance Market Reforms: uniform application of premium rating rules, plans required to contribute to a reinsurance program for individual policies, risk corridors for individual and small group markets. Insurer Fees applied to any entity engaged in the business of providing health insurance. Mental Health and Substance Abuse Benefits Parity requires benefits that are at parity with other medical and surgical benefits.
Based on the survey results, health plans appear to have made some progress from early 2012 to early 2013, but many vendors and providers have not. Provider readiness appears to be a major concern in meeting the 2014 compliance deadline. Unless more providers move quickly forward with their implementation efforts, there will be significant disruption on Oct 1, 2014. Also, there will not be enough time to do proper end-to-end testing in the CMS suggested timeframes (starting Oct 1, 2013), as the industry would not be ready for that step.
April 11, 2013
The Honorable Kathleen Sebelius, Secretary, Department of Health and Human Services, 200 Independence Avenue, S.W., Washington, D.C. 20201
RE: Workgroup for Electronic Data Interchange ICD-10 Survey Results
The Health Insurance Portability and Accountability Act of 1996 (HIPAA; Pub.L. 104-191, 110 Stat. 1936, enacted August 21, 1996) was enacted by the United States Congress and signed by President Bill Clinton in 1996. It was sponsored by Sen. Nancy Kassebaum (R-Kan.). Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs. Title II of HIPAA, known as the Administrative Simplification (AS) provisions, requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers.
Title II of HIPAA defines policies, procedures and guidelines for maintaining the privacy and security of individually identifiable health information as well as outlining numerous offenses relating to health care and sets civil and criminal penalties for violations. It also creates several programs to control fraud and abuse within the health care system. [9] [10] [11] However, the most significant provisions of Title II are its Administrative Simplification rules. Title II requires the Department of Health and Human Services (HHS) to draft rules aimed at increasing the efficiency of the health care system by creating standards for the use and dissemination of health care information. Title II addresses the security and privacy of health data.
When Congress adopted HIPAA in 1996, the law included a provision mandating the Department of Health and Human Services to promulgate standards to ensure the privacy of personally identifiable health information if Congress had failed to act by 1999. Congress did not act, and thus HHS issued proposed rules on privacy and several other standards. While much of the focus has been on the privacy standards, there are actually four sets of standards: Privacy, Electronic Transactions, Security, and Unique Identifiers.
What entities are covered by these standards? Before getting involved in all of the deadlines imposed by the HIPAA Standards, the first question is whether the university is covered by the standards at all; in other words, are you a covered entity? In general, the standards apply to all health care providers that conduct certain transactions in electronic form, health care clearinghouses, and health care plans. Unfortunately, there is no quick and easy way to determine if you are indeed a covered entity. This decision requires either some heavy reading or consultation with an outside attorney. However, the key questions are: 1. Are there health care services provided? and 2. Do you engage in standard electronic transactions with third party payors? If a student health center posts a bill to a student's online account, which will ultimately be paid by the student or his/her parent, this is not a standard electronic transaction with a third party payor. Once you have determined you are a covered entity, or a hybrid entity (this is a special designation for those whose primary business is not health care, see 45 CFR § 164.504(a)), then you must decide what your obligations are under the law.
Final regulations have been issued for the privacy and transaction standard sections of the law. The final privacy regulations can be found at 67 Fed. Reg. 53181, Aug. 14, 2002. Compliance with the privacy regulations must occur by April 14, 2003. The final transaction standards are online at 65 Fed. Reg. 50312, Aug. 17, 2000, and final modifications to the Electronic Data Transaction Standards and Code Sets are published at 68 Fed. Reg. 8381 (Feb. 20, 2003). Compliance with the transaction standards was set for Oct. 16, 2002, but covered entities may delay compliance until Oct. 16, 2003 if they have filed for an extension by Oct. 16, 2002 (Public Law 107-105). See 67 Fed. Reg. 18216 (April 15, 2002) for further information on filing for an extension, and a sample model compliance plan.
Security Regs: Final rules for the Security Standards are published at 68 Fed. Reg. 8333 (Feb. 20, 2003). The FERPA exception to the definition of protected health information was added to this rule. Page 8342 of the rule states the following: 1. Scope of Health Information Covered by the Rule [Sec. 164.306(a)]. We proposed to cover health information maintained or transmitted by a covered entity in electronic form. We have modified, by narrowing, the scope of health information to be safeguarded under this rule from that which was proposed. The statute requires the privacy standards to cover individually identifiable health information.
The Privacy Rule covers all individually identifiable information except for: (1) education records covered by the Family and Educational Rights and Privacy Act (FERPA); (2) records described in 20 U.S.C. 1232g(a)(4)(B)(iv); and (3) employment records (see the Privacy Rule at 65 FR 82496 and 67 FR 53191 through 53193). The scope of information covered in the Privacy Rule is referred to as "protected health information." Based upon the comments we received, we align the requirements of the Security and Privacy Rules with regard to the scope of information covered, in order to eliminate confusion and ease implementation. Thus, this final rule requires protection of the same scope of information as that covered by the Privacy Rule, except that it only covers that information if it is in electronic form. We note that standards for the security of all health information or protected health information in nonelectronic form may be proposed at a later date. The final security rule states that covered entities, with the exception of small health plans, must comply with the requirements of this final rule by April 21, 2005. Small health plans must comply with the requirements of the final rule by April 21, 2006. The security regs provide for certain required implementation specifications and otherwise set forth implementation specifications and standards to be addressed by each covered entity, allowing flexibility in the means and methods by which covered entities address that latter category of specifications. The State of New York HIPAA Security Matrix is an incredible resource in this regard. The security rule applies to electronic PHI, i.e. PHI that is transmitted by or maintained in electronic media.
This definition includes storage media such as hard drives, magnetic tape or disks, and digital memory cards, and it also includes transmission media such as the Internet, extranets, leased lines, dial-up lines, private networks, and the physical movement of electronic storage media. Certain transmissions, including of paper, via facsimile, and of voice, via telephone, are not considered to be transmissions via electronic media, because the information being exchanged did not exist in electronic form before the transmission. Electronic PHI may be shared with a business associate only if a business associate contract exists that specifically addresses the security rule. This can be done by a new contract or amending an existing contract. The general requirements of the security rule require covered entities to do the following: (1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits. (2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information. (3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of the rule. (4) Ensure compliance with this subpart by its workforce. Electronic PHI may only be disclosed to the Plan Sponsor when the electronic protected health information disclosed to a plan sponsor is summary health information or enrollment or disenrollment information as provided for by Sec. 164.504(f). 
If more than the above is disclosed, then the plan documents of the group health plan must be amended to incorporate provisions to require the plan sponsor to-- (i) Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the group health plan; (ii) Ensure that the adequate separation required by Sec. 164.504(f)(2)(iii) is supported by reasonable and appropriate security measures; (iii) Ensure that any agent, including a subcontractor, to whom it provides this information agrees to implement reasonable and appropriate security measures to protect the information; and (iv) Report to the group health plan any security incident of which it becomes aware. Security incident means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.
Subtitle A--Fraud and Abuse Control Program
Sec. 201. Fraud and abuse control program.
Sec. 202. Medicare integrity program.
Sec. 203. Beneficiary incentive programs.
Sec. 204. Application of certain health antifraud and abuse sanctions to fraud and abuse against Federal health care programs.
Sec. 205. Guidance regarding application of health care fraud and abuse sanctions.
Subtitle B--Revisions to Current Sanctions for Fraud and Abuse
Sec. 211. Mandatory exclusion from participation in Medicare and State health care programs.
Sec. 212. Establishment of minimum period of exclusion for certain individuals and entities subject to permissive exclusion from Medicare and State health care programs.
Sec. 213. Permissive exclusion of individuals with ownership or control interest in sanctioned entities.
Sec. 214. Sanctions against practitioners and persons for failure to comply with statutory obligations.
Sec. 215. Intermediate sanctions for Medicare health maintenance organizations.
Sec. 216. Additional exception to anti-kickback penalties for risk-sharing arrangements.
Sec. 217. Criminal penalty for fraudulent disposition of assets in order to obtain Medicaid benefits.
Sec. 218. Effective date.
Subtitle C--Data Collection
Sec. 221. Establishment of the health care fraud and abuse data collection program.
Subtitle D--Civil Monetary Penalties
Sec. 231. Social Security Act civil monetary penalties.
Sec. 232. Penalty for false certification for home health services.
Subtitle E--Revisions to Criminal Law
Sec. 241. Definitions relating to Federal health care offense.
Sec. 242. Health care fraud.
Sec. 243. Theft or embezzlement.
Sec. 244. False statements.
Sec. 245. Obstruction of criminal investigations of health care offenses.
Sec. 246. Laundering of monetary instruments.
Sec. 247. Injunctive relief relating to health care offenses.
Sec. 248. Authorized investigative demand procedures.
Sec. 249. Forfeitures for Federal health care offenses.
Sec. 250. Relation to ERISA authority.
One-time violations stay under $50k, but repeat violations within the same year can carry a fine of $1.5 million across all HIPAA violation categories, up substantially from the previous $250k minimum. The new penalty structure for healthcare data breaches aligns with recent data from the Ponemon Institute that found recurring healthcare data breaches are increasing among respondents, with 45 percent (up from 29 percent in 2010) reporting more than five incidents in the last two years. The average economic impact of healthcare data breaches has also increased by $400k to a total of $2.4 million since 2010. In addition to federal fines, investigation, legal costs, business downtime and decreased credibility all contribute to the economic loss suffered by businesses undergoing such healthcare data breaches. The increase in HIPAA violation fines is a direct response to the epidemic of repeat healthcare data breaches and the rising costs to the healthcare industry. What is essential to understand is that HIPAA's standards and monetary penalties now apply to a wide range of healthcare vendors and their subcontractors. Even if you didn't know you were violating HIPAA, you can still be penalized and charged accordingly. This means that if you support the healthcare industry or deal with patient data in any way, you should be up on the requirements of HIPAA to avoid significant government fees. In June 2005, the U.S. Department of Justice (DOJ) clarified who can be held criminally liable under HIPAA. Covered entities and specified individuals, as explained below, who "knowingly" obtain or disclose individually identifiable health information in violation of the Administrative Simplification Regulations face a fine of up to $50,000, as well as imprisonment up to one year. Offenses committed under false pretenses allow penalties to be increased to a $100,000 fine, with up to five years in prison. Finally, offenses committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain or malicious harm permit fines of $250,000, and imprisonment for up to ten years.
Due Diligence: An organization is in violation, but they have taken every possible step they could have foreseen to prevent that.
Reasonable Cause: The steps have been taken, but something was not addressed. For example, a company went into a HIPAA audit and provided a gap analysis, but something wasn't addressed yet. The violation is due to reasonable cause and not willful neglect.
Willful Neglect: The first type is when a company clearly ignores the HIPAA law but corrects their mistake within the given amount of time. The second type of willful neglect is when a company ignores the HIPAA law and does not correct their mistake.
To improve the effectiveness and efficiency of the nation's healthcare system, the Health Insurance Portability and Accountability Act (HIPAA) of 1996 includes a series of "administrative simplification" provisions requiring HHS to adopt national standards for electronic healthcare transactions. By ensuring consistency throughout the industry, the national standards will make it easier for health care organizations to process transactions electronically. The law also requires the adoption of privacy and security standards in order to protect individually identifiable health information. HIPAA requires that "covered entities" (e.g. health plans, healthcare clearinghouses, and those healthcare providers conducting electronic financial and administrative transactions such as eligibility, referral authorizations, and claims) comply with each set of standards. Other businesses may choose to comply with the standards, but the law does not mandate that they do so.
The EDI rule is very technical and based on the X12N EDI data transmission protocol standard. Although rare allowances are made, the rule requires that any covered entity who electronically transmits data must use this, and only this, format in doing so. The EDI rule is a set of data transmission specifications that strictly govern the way data is electronically transferred from one computer to another. The rule specifically defines the different types of transactions that are covered under HIPAA and stipulates the exact format for each transaction record. Electronic transactions such as health care claims, claims status and remittance advices (RA), eligibility verifications and responses, referrals and authorizations, and coordination of benefits (COB), among others, are included in the rule. Its intent is to reduce the hundreds of health care data formats to just one that is universally implemented throughout the health care industry. The objective is to greatly increase the portability and accessibility of this information and to decrease the administrative overhead associated with the management of the process.
Unique Identifiers Rule (National Provider Identifier): HIPAA covered entities such as providers completing electronic transactions, healthcare clearinghouses, and large health plans must use only the National Provider Identifier (NPI) to identify covered healthcare providers in standard transactions.
The HIPAA Privacy Rule regulates the use and disclosure of Protected Health Information (PHI) held by "covered entities" (generally, health care clearinghouses, employer sponsored health plans, health insurers, and medical service providers that engage in certain transactions). By regulation, the Department of Health and Human Services extended the HIPAA privacy rule to independent contractors of covered entities who fit within the definition of "business associates". PHI is any information held by a covered entity which concerns health status, provision of health care, or payment for health care that can be linked to an individual. This is interpreted rather broadly and includes any part of an individual's medical record or payment history. Covered entities must disclose PHI to the individual within 30 days upon request. They also must disclose PHI when required to do so by law, such as reporting suspected child abuse to state child welfare agencies. A covered entity may disclose PHI to facilitate treatment, payment, or health care operations without a patient's express written authorization. Any other disclosures of PHI require the covered entity to obtain written authorization from the individual for the disclosure. However, when a covered entity discloses any PHI, it must make a reasonable effort to disclose only the minimum necessary information required to achieve its purpose. The Privacy Rule gives individuals the right to request that a covered entity correct any inaccurate PHI. It also requires covered entities to take reasonable steps to ensure the confidentiality of communications with individuals. For example, an individual can ask to be called at his or her work number instead of home or cell phone numbers. The Privacy Rule requires covered entities to notify individuals of uses of their PHI.
Covered entities must also keep track of disclosures of PHI and document privacy policies and procedures. They must appoint a Privacy Official and a contact person responsible for receiving complaints and train all members of their workforce in procedures regarding PHI.
The Security Rule complements the Privacy Rule. While the Privacy Rule pertains to all Protected Health Information (PHI) including paper and electronic, the Security Rule deals specifically with Electronic Protected Health Information (EPHI). It lays out three types of security safeguards required for compliance: administrative, physical, and technical. For each of these types, the Rule identifies various security standards, and for each standard, it names both required and addressable implementation specifications. Required specifications must be adopted and administered as dictated by the Rule. Addressable specifications are more flexible. Individual covered entities can evaluate their own situation and determine the best way to implement addressable specifications. Some privacy advocates have argued that this "flexibility" may provide too much latitude to covered entities. The standards and specifications are as follows:
Administrative Safeguards – policies and procedures designed to clearly show how the entity will comply with the act.
Covered entities (entities that must comply with HIPAA requirements) must adopt a written set of privacy procedures and designate a privacy officer to be responsible for developing and implementing all required policies and procedures. The policies and procedures must reference management oversight and organizational buy-in to compliance with the documented security controls. Procedures should clearly identify employees or classes of employees who will have access to electronic protected health information (EPHI). Access to EPHI must be restricted to only those employees who have a need for it to complete their job function. The procedures must address access authorization, establishment, modification, and termination. Entities must show that an appropriate ongoing training program regarding the handling of PHI is provided to employees performing health plan administrative functions.
Covered entities that out-source some of their business processes to a third party must ensure that their vendors also have a framework in place to comply with HIPAA requirements. Companies typically gain this assurance through clauses in the contracts stating that the vendor will meet the same data protection requirements that apply to the covered entity. Care must be taken to determine if the vendor further out-sources any data handling functions to other vendors and monitor whether appropriate contracts and controls are in place. A contingency plan should be in place for responding to emergencies. Covered entities are responsible for backing up their data and having disaster recovery procedures in place. The plan should document data priority and failure analysis, testing activities, and change control procedures. Internal audits play a key role in HIPAA compliance by reviewing operations with the goal of identifying potential security violations. Policies and procedures should specifically document the scope, frequency, and procedures of audits. Audits should be both routine and event-based. Procedures should document instructions for addressing and responding to security breaches that are identified either during the audit or the normal course of operations.
Figure caption (image not reproduced): A nurse shredding papers in order to be compliant with the physical safeguard section of HIPAA's privacy rule.
Physical Safeguards – controlling physical access to protect against inappropriate access to protected data.
Controls must govern the introduction and removal of hardware and software from the network. (When equipment is retired it must be disposed of properly to ensure that PHI is not compromised.) Access to equipment containing health information should be carefully controlled and monitored. Access to hardware and software must be limited to properly authorized individuals. Required access controls consist of facility security plans, maintenance records, and visitor sign-in and escorts. Policies are required to address proper workstation use. Workstations should be removed from high traffic areas and monitor screens should not be in direct view of the public. If the covered entities utilize contractors or agents, they too must be fully trained on their physical access responsibilities.
Technical Safeguards – controlling access to computer systems and enabling covered entities to protect communications containing PHI transmitted electronically over open networks from being intercepted by anyone other than the intended recipient.
Information systems housing PHI must be protected from intrusion. When information flows over open networks, some form of encryption must be utilized. If closed systems/networks are utilized, existing access controls are considered sufficient and encryption is optional. Each covered entity is responsible for ensuring that the data within its systems has not been changed or erased in an unauthorized manner. Data corroboration, including the use of check sums, double-keying, message authentication, and digital signatures, may be used to ensure data integrity. Covered entities must also authenticate entities with which they communicate. Authentication consists of corroborating that an entity is who it claims to be. Examples of corroboration include: password systems, two- or three-way handshakes, telephone callback, and token systems. Covered entities must make documentation of their HIPAA practices available to the government to determine compliance. In addition to policies and procedures and access records, information technology documentation should also include a written record of all configuration settings on the components of the network because these components are complex, configurable, and always changing. Documented risk analysis and risk management programs are required. Covered entities must carefully consider the risks of their operations as they implement systems to comply with the act. (The requirement of risk analysis and risk management implies that the act's security requirements are a minimum standard and places responsibility on covered entities to take all reasonable precautions necessary to prevent PHI from being used for non-health purposes.)
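The notes above list check sums and message authentication side by side as "data corroboration" options for EPHI integrity, but they protect against different things. The following is an added example, not code from the presentation or from Taino Consultants: it stores a constructed sample record once under a CRC32 checksum and once under a keyed HMAC tag, then shows which mechanism detects an accidental bit flip and which detects a change made by someone with write access to the store. The record contents, the key and the envelope layout are assumptions for illustration.

```python
"""Data corroboration for an EPHI record: checksum versus keyed MAC.

Added example, not code from the presentation. It contrasts two of the
integrity mechanisms the Security Rule notes list (a checksum and message
authentication) on a constructed sample record. The record contents, the
key and the storage envelope layout are assumptions for illustration.
"""
import hashlib
import hmac
import json
import zlib

# Constructed sample record: fictitious patient, no real data.
SAMPLE_RECORD = {
    "patient_id": "P-000123",
    "dob": "1970-01-01",
    "diagnosis_codes": ["E11.9", "I10"],  # ICD-10 codes as an EHR would store them
    "payer": "Example Health Plan",
}

# Constructed key. In practice it is held by the verifying party (an HSM or
# key service), never in the same store as the records it protects.
KEY = b"example-integrity-key-held-by-verifier"


def canonical_bytes(record: dict) -> bytes:
    """Deterministic serialization: same content always gives the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def mac_tag(data: bytes, key: bytes) -> str:
    """HMAC-SHA256 over the serialized record."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def store_with_checksum(record: dict) -> dict:
    """Envelope protected by CRC32 only: detects accidental corruption."""
    data = canonical_bytes(record)
    return {"data": data, "crc32": zlib.crc32(data)}


def checksum_ok(env: dict) -> bool:
    return zlib.crc32(env["data"]) == env["crc32"]


def store_with_mac(record: dict, key: bytes) -> dict:
    """Envelope protected by a keyed tag: detects accidental corruption and
    unauthorized modification, because re-sealing requires the key."""
    data = canonical_bytes(record)
    return {"data": data, "tag": mac_tag(data, key)}


def mac_ok(env: dict, key: bytes) -> bool:
    # compare_digest runs in constant time, so the check does not leak how
    # many bytes of the tag matched.
    return hmac.compare_digest(mac_tag(env["data"], key), env["tag"])


def corrupt_one_bit(env: dict) -> dict:
    """Accidental corruption (failing disk, bad transfer): one bit flips and
    nothing stored alongside the data is recomputed."""
    data = bytearray(env["data"])
    data[0] ^= 0x01
    return {**env, "data": bytes(data)}


def edit_record(env: dict, field: str, value) -> dict:
    """Modification by someone with write access to the store. Any checksum
    stored beside the data is simply recomputed; the MAC tag cannot be,
    because the editor does not hold the key. This is the "changed or erased
    in an unauthorized manner" case the Security Rule is concerned with."""
    record = json.loads(env["data"])
    record[field] = value
    data = canonical_bytes(record)
    new_env = {**env, "data": data}
    if "crc32" in new_env:
        new_env["crc32"] = zlib.crc32(data)
    return new_env


def integrity_report(record: dict, key: bytes) -> dict:
    """Run both envelopes through both failure modes and report what each
    mechanism caught. Returned as a dict so it can be checked, not just printed."""
    crc_env = store_with_checksum(record)
    mac_env = store_with_mac(record, key)
    changed = ("diagnosis_codes", ["Z00.00"])
    return {
        "crc_catches_bit_flip": not checksum_ok(corrupt_one_bit(crc_env)),
        "crc_catches_edit": not checksum_ok(edit_record(crc_env, *changed)),
        "mac_catches_bit_flip": not mac_ok(corrupt_one_bit(mac_env), key),
        "mac_catches_edit": not mac_ok(edit_record(mac_env, *changed), key),
    }


if __name__ == "__main__":
    for check, caught in integrity_report(SAMPLE_RECORD, KEY).items():
        print(f"{check}: {'detected' if caught else 'NOT detected'}")
```

The report shows the checksum passing the edited record while the MAC rejects it; a digital signature would give the same tamper detection as the MAC while also letting a party without the key verify it.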