Welcome to the "HIPAA Security Compliance: Why Aren't We There Yet?" Audio Conference follow-up Web Forum on lingering Security compliance roadblocks, the risks non-compliance poses to HIPAA's Privacy components, and effective strategies for mitigating risks of non-compliance with both Security and Privacy requirements. Participants of this audio conference may post questions here for our presenter to answer.

Feel free to post any questions you have related to the topic, such as:

• Trends of compliance with Security and Privacy Final rules
• Review of the Security standards that providers find most difficult to implement
• Examples of organizations who have implemented these troublesome Security standards, and how they overcame the obstacles
• Interdependencies between HIPAA's Security and Privacy regulations and other accreditation programs – and the risks posed to organizations who are "out of synch"
• Effective methods of communicating non-compliance to senior management – and strategies for moving forward
• High-level strategies for organizations who haven't started or are nowhere near compliance
• Our HIPAA experts' predictions and caveats for security trends such as radio frequency identification (RFID) devices, increased use of wireless devices, single sign-on, and Security's role in increasing patient safety

Please note, however, that we are unable to answer questions related to an organization's specific situations or provide any responses that could be construed as legal advice.

Participation is limited to registrants of the "HIPAA Security Compliance: Why Aren't We There Yet?" Audio Conference.

Welcome to the "Be Prepared with Security Incident Management" Audio Conference follow-up Web Forum! Participants of this audio conference may post questions here for our presenter to answer.

Feel free to post any questions you have related to the topic, such as:

• The HIPAA Security Rule's requirements for handling security incidents
• The consequences of security incidents
• How to proactively prevent and prepare for security incidents
• The 6 phases of effective security incident management
• How to prioritize security incidents and respond appropriately & reasonably to them
• How security incident management is linked with other HIPAA Security Rule requirements

Please note, however, that we are unable to answer questions related to an organization's specific situations or provide any responses that could be construed as legal advice.

Participation is limited to registrants of the "Be Prepared with Security Incident Management" Audio Conference.

Welcome to the "Fearsome Four of HIPAA Security" Audio Conference follow-up Web Forum! Participants of this audio conference may post questions here for our presenter to answer.

Feel free to post any questions you have related to the topic, such as:

• Understanding risk analysis and risk management as the cornerstones of your Information Security Program
• What to do about systems that do not maintain audit controls
• What information system activity must be reviewed
• Designing automated system activity review to ease the burden
• The key components of a disaster recovery plan
• Steps to ensure that your emergency mode operation plan (downtime procedures) will support your disaster recovery plan
• Why a data backup program is the most vital component of contingency planning
• How to determine the amount of loss data that can occur if disaster strikes your data center

Please note, however, that we are unable to answer questions related to an organization's specific situations or provide any responses that could be construed as legal advice.

Participation is limited to registrants of the "Fearsome Four of HIPAA Security" Audio Conference.

Welcome to the "Countdown for Compliance with the HIPAA Security Rule " Audio Conference follow-up Web Forum! Participants of this audio conference may post questions here for our presenter to answer.

Feel free to post any questions you have related to the topic, such as:

• Understanding what is meant by each of the standards
• How to approach "addressable implementation specifications" to decrease your organizational security risk
• Understanding risk analysis and risk management as critical cornerstones of a sound information security program
• How to assess risks at the application system layer
• Steps that can be taken to supercharge your compliance efforts
• Suggestions for how to identify and avoid implementation barriers
• Consideration of a sample high-level project plan to guide you toward compliance
Guidelines for checking your organization's progress toward compliance

Please note, however, that we are unable to answer questions related to an organization's specific situations or provide any responses that could be construed as legal advice.

Participation is limited to registrants of the Countdown for Compliance with the HIPAA Security Rule Audio Conference.

Welcome to the "e-Health: Leveraging Internet-based Applications in the Healthcare Provider Organization" Audio Conference follow-up Web Forum! Participants of this audio conference may post questions here for our presenter to answer.

Feel free to post any questions you have related to the topic, such as:

• Just what does e-Health mean?
• Industry trends in e-Health
• E-Health innovations
• Who are the targeted end-users for e-Health?
• Critical components of e-Health initiatives
• Understanding the e-Health planning process
• From e-Health to mobile computing
• E-Health and regulatory matters
• Examples of e-Health implementations

Please note, however, that we are unable to answer questions related to an organization's specific situations or provide any responses that could be construed as legal advice.

Participation is limited to registrants of the e-Health Audio Conference.

Welcome to the "Finding the Money" Audio Conference follow-up Web Forum! January audio conference participants may post questions here for our presenter to answer.

Feel free to post any questions you have related to the topic, such as:

• The foundation of the HIPAA-enabled revenue cycle, the full pre-registration model
• Using the 270/271 and 278 transactions in the pre-registered environment to maximize reimbursement dollars
• Using the 276/277 transactions to free up FTEs for other critical revenue cycle tasks
• Using IT to support the operational changes required

Please note, however, that we are unable to answer questions related to an organization's specific situations or provide any responses that could be construed as legal advice.

Participation is limited to registrants of the "Finding the Money" Audio Conference.

Welcome to the "HIPAA Security Training & Awareness" Audio Conference follow-up Web Forum! Audio conference participants may post questions here for our presenter to answer until December 18, 2003.

Feel free to post any questions you have related to the topic, such as:

• Rule requirements
• Training all workforce members, including management
• Training measures
• Setting up a comprehensive educational structure

Please note, however, that we are unable to answer questions related to an organization's specific situations or provide any responses that could be construed as legal advice.

After Thursday, December 18th, participants will be able to view the archives, but not post new questions. Our speaker will post replies to the questions asked by Wednesday, December 24th. Participation is limited to registrants of the "HIPAA Security Training & Awareness" Audio Conference.

Welcome to the "Testing Your IT Contingency Plan...Before it Tests You" Audio Conference follow-up Web Forum! Audio conference participants may post questions here for our presenter to answer until November 20, 2003.

Feel free to post any questions you have related to the topic, such as:

• What is an IT Contingency Plan
• Contingency Plans vs. Disaster Recovery Plans
• HIPAA and other regulatory requirements for information security
• The role of risk analysis
• Understanding the concept of "reasonable"
• Developing your test plan (scenarios, alternatives, do's & don'ts)
• Considerations re: simulated disasters, "surprise" tests, and testing sites
• Backup plans and data recovery strategies
• Organizational communications about IT
• Contingency Planning

Please note, however, that we are unable to answer questions related to an organization's specific situations or provide any responses that could be construed as legal advice.

After Thursday, November 20, participants will be able to view the archives, but not post new questions. Our speaker will post replies to the questions asked by Tuesday morning, November 25th. Participation is limited to registrants of the "Testing Your IT Contingency Plan...Before it Tests You" Audio Conference.

Welcome to the "Developing & Implementing Your Organizational Policies for HIPAA Security" Audio Conference follow-up Web Forum! Audio conference participants may post questions here for our presenter to answer until 8 AM EDT, Friday, October 31, 2003.

Feel free to post any questions you have related to the topic, such as:

• HIPAA Security Rule expectations for security policies
• What is a security policy
• Benefits of security policies
• Development strategies for security policies
• The development process
• Understanding Implementation Specifications for the Security standards
• Using policy templates
• Strategies for managing the implementation of your security policies
• Training on organizational security policies

Please note, however, that we are unable to answer questions related to an organization's specific situations or provide any responses that could be construed as legal advice.

After October 31st, participants will be able to view the archives, but not post new questions. Our speaker will post replies to the questions asked by Wednesday morning, November 5th. Participation is limited to registrants of the Physical Safeguards & the HIPAA Security Rule Audio Conference.

Welcome to the "Developing TCS Strategies & Contingency Plans: How Providers Can Demonstrate Good Faith Efforts Toward TCS Compliance" Audio Conference follow-up Web Forum! Audio conference participants may post questions here for our presenters to answer until 8 PM EDT, August 20, 2003.

Feel free to post any questions you have related to the topic, such as:

• The TCS guidance and "good faith efforts"
• Contingency planning & developing a "corrective action plan"
• Requirements for the data that must be captured for compliant transactions

Please note, however, that we are unable to answer questions related to an organization's specific situations or provide any responses that could be construed as legal advice.

After 8 PM EDT, August 20, participants will be able to view the archives, but not post new questions. Our speaker will post replies to the questions asked within 3 business days (questions requiring additional research may take a little longer). Participation is limited to registrants of the "Developing TCS Strategies & Contingency Plans" Audio Conference.

Welcome to the "Risk Analysis & Risk Management: The Foundation of Security Management and HIPAA Security Strategies" Audio Conference follow-up Web Forum! Audio conference participants may post questions here for our presenters to answer until 8 PM Eastern time, July 23, 2003.

Feel free to post any questions you have related to the topic, such as:

• How to prioritize your applications
• How to identify threats, vulnerabilities, and options
• Documenting your decisions
• Creating a flexible action plan
• How Risk Analysis/Risk Management techniques assist with
  the HIPAA Security documentation requirement

Please note, however, that we are unable to answer questions related to an organization's specific situations or provide any responses that could be construed as legal advice.

After 8 PM Eastern time, July 23, participants will be able to view the archives, but not post new questions. Our speaker will post replies to the questions asked within 3 business days (questions requiring additional research may take a little longer). Participation is limited to registrants of the "Risk Analysis & Risk Management" Audio Conference.

Welcome to the "HIPAA Privacy in the Real World" Audio Conference follow-up Web Forum! Audio conference participants may post questions here for our presenters to answer until 8 PM Eastern time, June 11, 2003. Please feel free to post any questions about the dilemmas we have presented and creative solutions considered. Please note, however, that we are unable to answer questions related to an organization's specific situations or provide any responses that could be construed as legal advice

After 8 PM Eastern time, June 11, participants will be able to view the archives, but not post new questions. Our speakers will post replies to the questions asked within 3 business days (questions requiring additional research may take a little longer). Participation is limited to registrants of the "HIPAA Privacy in the Real World" Audio Conference.

Welcome to the "HIPAA Business Associates: A Fresh Look" follow-up Web Forum! Audio conference participants may post questions here for our presenters to answer until 8 PM Eastern time, April 2, 2003. Please feel free to post any questions you may have related to the topics discussed, including:

• The definition (and redefinitions) of a Business Associate
• Who is, and is not considered a business associate
• Common myths and frequently asked questions surrounding business associate agreements
• Effective Business Associate agreements
  • Required components
  • Integration into existing service contracts
  • Where to find examples
• Your responsibilities regarding use of your PHI by your Business Associates
• Creating an inventory of your vendor contracts
  • Deadlines for establishing agreements with vendors, and
  • The transition period for vendor contracts
• Exceptions to the standard

After 8 PM Eastern time, April 2, participants will be able to view the archives, but not post new questions. Our speaker will post replies to the questions asked within 4 days(questions requiring additional research may take a little longer). Participation is limited to registrants of the "HIPAA Business Associates: A Fresh Look" AudioConference.

Welcome to the "Securely HIPAA: Understanding the Final Security Rule" follow-up Web Forum! Audio conference participants may post questions here for our presenters to answer until 8 PM Eastern time, March 5, 2003. Please feel free to post any questions you may have related to the topics discussed, including:

• The "required" and "addressable" implementation specifications
• How to approach addressable specifications to decrease your security risk
• How to avoid the major opportunity for compliance risk that the "addressable" specifications create
• Risk Analysis and Risk Management, the foundation of any solid Information Security Program and basis of the final Security Rule
• The new requirements including:
• Policies and procedures
• Documentation
• Items that have been removed (and why you may still need to worry about them).

After 8 PM Eastern time, March 5, participants will be able to view the archives, but not post new questions. Our speaker will post replies to the questions asked by March 13th. Participation is limited to registrants of the "Securely HIPAA: Understanding the Final Security Rule" AudioConference.

Welcome to the "Creative 11th Hour HIPAA: Meeting the Deadlines When You Haven’t Started" follow-up Web Forum! Audio conference participants may post questions here for our presenters to answer until 8 PM Eastern time, January 30, 2003. Please feel free to post any questions you may have related to the topics discussed, including:

• The Rapid HIPAA Implementation Process for HIPAA: What it consists of, and how you use it
• How to use the Rapid Implementation Process to go from zero to HIPAA Privacy compliance in 60 days
• How to use the Rapid Implementation Process to jumpstart your HIPAA Transactions effort and be ready for testing in April
• Details on the critical management and leadership aspects of the Rapid Implementation Process that can make or break the effort.

After 8 PM Eastern time, January 30, participants will be able to view the archives, but not post new questions. Participation is limited to registrants of the "11th Hour HIPAA: Meeting the Deadlines When You Haven’t Started" AudioConference.

Welcome to the "Creative HIPAA Education Strategies: Training Approaches that Work Part 2" follow-up Web Forum! Here, you may post questions for our presenter to answer until 8 PM Eastern time, December 18, 2002. Please feel free to post any comments or questions you may have. These topics include:

• Understanding current trends in HIPAA training activities
• Designing the Project Plan for HIPAA Training
• Case Study A: Traditional Classroom Training for HIPAA in the Community Hospital
• Case Study B: Train-the-Trainer Approach for HIPAA Education
• Case Study C: Meeting the HIPAA training challenge with Distance Learning
• Comparison of training models: The Good, the Bad and the Ugly
• The Blended Solution for HIPAA training

After 8 PM Eastern time, December 18, participants will be able to view the archives, but not post new questions. Participation is limited to registrants of the "Creative HIPAA Education Strategies: Training Approaches that Work Part 2" AudioConference.

Welcome to the "Creative HIPAA Education Strategies: Training Approaches that Work Part 1" follow-up Web Forum! Here, you may post questions for our presenter to answer until 8 PM Eastern time, December 11, 2002. Please feel free to post any comments or questions you may have. These topics include:

• Understanding the regulation for HIPAA training
• Stating your organizational commitment to HIPAA
• Developing training plans with a “need to know” focus
• Creating organizational communication plans
• Establishing productive training schedules
• Selecting effective trainers for HIPAA
• Matching learning styles with training methodologies
• Appreciating the dynamics of organizational culture change
• Addressing the HIPAA educational challenge through non-traditional means
• Designing mechanisms for tracking training compliance
• Continuing Education for HIPAA

After 8 PM Eastern time, December 11, participants will be able to view the archives, but not post new questions. Participation is limited to registrants of the "Creative HIPAA Education Strategies: Training Approaches that Work Part 1" AudioConference.

Welcome to the "Hands-On-HIPAA: Testing Your Transactions and Code Sets" follow-up Web Forum! Here, you may post questions for our presenter to answer until 8 PM Eastern time, October 29, 2002. Please feel free to post any comments or questions you may have. These topics include:

• Detailing and implementing your plan;
• Timelines;
• Levels of testing;
• Resources required;
• ID transactions to be tested;
• ID applications to be tested;
• Data Content (Code Sets, Identifiers);
• Vendor readiness;
• Data content;
• Payer readiness; and
• Clearinghouse readiness.

After 8 PM Eastern time, October 29, participants will be able to view the archives, but not post new questions. Participation is limited to registrants of the "Hands-On-HIPAA: Testing Your Transactions and Code Sets" AudioConference.

Welcome to the "Putting the Privacy Changes to Work: A 'How-To' Guide to the August 2002 Privacy Rule Modifications" follow-up Web Forum! Here, you may post questions for our presenter to answer until 8 PM Eastern time, September 25, 2002. Please feel free to post any comments or questions you may have. These topics include:

• The effect on your overall HIPAA plans of the elimination of mandatory consents for treatment, payment, and operations.
• The new changes you must integrate into providing a Notice of Privacy Practices, and how obtaining and documenting receipt acknowledgements will affect your operations.
• Changes to the authorization process, and the effects of combining three separate authorization requirements into one.
• The highly beneficial changes to the disclosure rule that now allow you to make disclosures to other entities for payment & operations.
• Changes in Business Associate Requirements and how they should impact your short-term and long-term Business Associate management strategies.
• The new "Limited Data Set": how it differs from de-identified information, when you can (and should) use it, and how to manage its use.
• The modified marketing rule, and how to apply and manage both the features that are more restrictive, and those that are less so.
• How to integrate other significant changes including:
• changes in the minimum necessary rule,
• incidental disclosures,
• research,
• hybrid entities,
• unemancipated minors,
• and the treatment of employment records.

Welcome to the "HANDS-ON HIPAA: A Professional Approach to Costing Your HIPAA Remediation Project" follow-up Web Forum! Here, you may post questions for our presenter to answer until 8 PM Eastern time, August 21, 2002. Please feel free to post any comments or questions you may have. These topics include:

• Costing guidance for each major remediation activity, including: rules of thumb for HIPAA cost estimation, key HIPAA cost drivers and strategies for addressing them, lessons learned from real-world HIPAA implementations, factors in minimizing costs without losing compliance effectiveness, and timelines of key compliance activities to guide the budget process;
• Cost ranges for major expenditures, for guidance and comparison; and
• Cross-industry comparison and analysis of covered entity budgets.

Welcome to the "Preparing for the Unthinkable: Contingency Planning and Disaster Recovery Under HIPAA" follow-up Web Forum! Here, you may post questions for our presenter to answer until 8 PM Eastern time, May 2, 2002. Please feel free to post any comments or questions you may have. These topics include:

• HIPAA's contingency planning and disaster recovery requirements;
• Leveraging Joint Commission requirements for Contingency Planning and Disaster Recovery into a solid foundation that meets HIPAA requirements;
• Developing a practical, risk-based, cost-effective disaster and contingency planning framework for the health care organization; and
• Strategies leading to the operationalization of business continuity planning;

Welcome to the "The Practical Art of Managing Your Business Associates" follow-up Web Forum! Here, you may post questions for our presenter to answer until 8 PM, April 3, 2002. Please feel free to post any comments or questions you may have. These topics include:

• Identifying your Business Associates;
• Setting up a database of the critical information needed to manage your BA program;
• Inventorying and evaluating existing BA agreements;
• Crafting a model contract as the basis for all your final BA contracts;
• Developing a work plan for updating and negotiating amendments to existing agreements; and
• Developing a plan for ongoing management of your business associate relationships, including termination;

This session, sponsored by HRET, provided participants with a thorough understanding of practical information security in the healthcare organization, and a detailed understanding of the requirements of the HIPAA security rule This forum provides participants to ask follow-up questions of the presenter.

• key requirements of the HIPAA privacy rule and their impact on the HIM interface between patients and providers.
• key implementation options that meet HIPAA requirements and also redefine the patient/provider interface to the benefit of the organization.
• strategic concepts of value-driven planning and implementation

• Objectives of Public Law 107-105 (Administrative Simplification Compliance Act)
• Requirements to apply for an extension to the Transaction and Code Set (TCS) Rule
• When your systems must be ready to send and receive standard transactions
• Major issues that your organization must address as part of the extension decision process

• How to structure the planning process.
• Who should contribute to the process?
• What materials feed into the planning process?
• How to reach agreement on priorities.
• What are the key elements of a good plan?
• Determining who owns the plan.

• The HIPAA Security Rule Goals of the Rule
  • Required Controls and Safeguards
  • Myth Busting: What the Rule DOESN'T Require
• Building your HIPAA Security Team Team Goals and Responsibilities
  • Who Should be on the Team -- and Why
• The HIPAA Security Assessment: Gap Analysis: What Is It, and What's Involved
  • Risk Assessment - Threats, Vulnerability and Risk
  • Risk Mitigation & Recommendations in the HIPAA Environment
  • Making HIPAA-Based Risk Decisions

• Administrative Components of Security Policy & Procedures
• Technical Aspects of HIPAA Security Compliance
  • Evaluating and Adopting Technology in a HIPAA Context
  • Understanding Common Technologies
  • Technologic Response to the Internet
  • Security ASP's

• What Policies and Procedures does HIPAA Require?
• Who is Affected and How?
• What Are the Components of Compliant, Effective Policies and Procedures?
• How Do I Evaluate Current Policies and Procedures?
• How Do I Implement Security/Privacy Policies and Procedures?

• Required Elements of Valid Patient Consent
• Compound Consents & Conflicting Consents
• Consent Vs. Authorization
• Compound Authorization & Prior Consents and Authorization
• Other Uses & Disclosures - Marketing, Fundraising and Research

Please feel free to post any comments or questions you may have about the HIPAA-in-the-Trenches, Part I material. These topics include:

• In-depth discovery of Unique Identifiers and Privacy and Security regs as they relate to specific departments
• Identify business implications and opportunities
• Identify impact to organizations
• Provide an action plan for your organization
• Project management and structure ideas

Please feel free to post any comments or questions you may have about the HIPAA-in-the-Trenches, Part I material. These topics include:

• Transactions, Code Sets, and Security regs as they relate to specific departments
• Business implications and opportunities
• Impact to organizations
• Action plan for your organization
• Insights on where other organizations are today with compliance

Please feel free to post any comments or questions you may have about the HIPAA Today Teleworkshop material. These topics include:

• HIPAA Project Management
• HIPAA Project Plan
• Cost and Return of Compliance

Please feel free to post any comments or questions you may have about the Privacy Teleworkshop material. The topics include:

• Status of Rule
• Review of Final Rule
• Common Compliance Gaps
• Practical Next Steps

Please feel free to post any comments or questions you may have about the Transactions Teleworkshop material. These topics include:

• Intent of HIPAA Transactions, Code Sets, and
• Identifiers Standards
• Review of Final and Proposed Rules
• Compliance Gaps
• Planning for Implementation and Compliance

Please feel free to post any comments or questions you may have about the Executive's Essential HIPAA material. These topics include:

• Overview of HIPAA
• Update on current timetable
• Business implications and opportunities
• Impact to organization
• Where organizations are today with compliance
• High level next steps

Please feel free to post any comments or questions you may have about the Transactions Teleworkshop material. These topics include:

• Status of Regulations
• Integration of the Regulations
• Practical Next Steps
• Lessons Learned to Date

Please feel free to post any comments or questions you may have about the HIPAA Today Teleworkshop material. These topics include:

• Status of Regulations
• Development of Business Case for Compliance
• Practical Next Steps
• Lessons Learned to Date