Health Insurance Portability and Accountability Act effects on radiology practice

Health Insurance Portability and accountability Act (HIPPA) Effects on Radiology Practice

The paper provides an understanding of Health Insurance Portability and Accountability Act of 1996 and its concerns/effects on Radiology practice. The paper starts with providing background information on the HIPAA. Next the paper moves on to discuss about the objectives and important elements of the Act. After discussing about the objectives and elements of the Act, the paper discusses about the issues associated with the application of HIPAA by the radiologists in their careers. The paper goes on to discuss about the radiologists efforts in their responsibility to safeguard patient privacy and the safety of patient information and make this information known to their patients. The paper then discusses about the ways in which conformity of the HIPAA security norms could be initiated and applied. The paper moves on to make a discussion regarding how accurate and present inventory of all systems that create, disseminate, store or processing of patient information is essential. The paper also discusses how HIPAA conformity officers or their delegates are required to acquaint themselves with all arenas of the medium applied for storing medical records. The paper also discusses as to the way in which devices having high value of data need to be properly protected with regard to confidentiality. The paper then moves over to discuss about the various radiology practice group and their conformity with HIPAA. The paper discusses about simple radiology practice group and complex radiology experience group and their conformity with HIPAA. The paper further discusses that in all of the practices of radiology, those having governance liabilities take multiple forms. The paper then moves over to provide some suggestions to facilitate HIPAA execution. Finally the paper ends with the understanding as to the importance of Radiology to address the issue of HIPAA compared to other professions relating to health care.

Health Insurance Portability and accountability Act (HIPPA) 1996 concerns/effects on Radiology practice

Congress urged upon the Health and Human Services -- HHS Department to provide patient privacy safeguards as being a portion of the Health Insurance Portability and Accountability Act of 1996. ("Protecting the Privacy of Patients' Health Information," n. d.) President Clinton gave his assent to the Health Insurance Portability and Accountability Act of 1996, commonly known as HIPAA on August 21, 1996. ("HIPAA FAQ's," n. d.) the Health Insurance Portability and Accountability Act was a reaction to a growing necessity to simplify the healthcare industry and react to technological progress. Passed in the year 1996, the Act brought out modification to the Internal Revenue Service Code of 1986, bringing about sweeping variations to all arenas of the healthcare industry, from the level of patient care to that of the administrative information systems. (Feigenbaum, 2007)

The Act is framed to safeguard health insurance coverage for workers as well as their families when they make changes or tend to lose their employment. ("HIPAA FAQ's," n. d.) Also called as the Kennedy Kassebaum Act, the objective of the HIPAA is to avoid the costs and standardize health information in addition to the provision of health insurance portability among the healthcare providers. The explicit growth of healthcare technology, electronic forms of medical records, system automation and digitalization of medical forms are become more feasible and cost effective in the health care industry. The HIPAA targets to standardize and administer rules for promoting safe healthcare it practices, and best practices for employees. (Feigenbaum, 2007) the law thus incorporated provisions aimed at saving money for health care businesses by encouraging electronic methods. ("History: HIPAA General Information. Health Insurance Portability and Accountability Act," n.d.) Hence HIPAA relates to information particularly safeguarded health information - PHI, and the way it is generated, stored, shared, secured as well as destroyed. (Kroken, 2002)

With regard to the HIPAA Act, there are three elements that incorporate necessities unique to health care organizations such as "standards for the Privacy of Individually Identifiable Information, Standards for Electronic Signature and Code Sets and Standards for Security and Electronic Signature." ("Health Insurance Portability and Accountability Act (HIPAA): Comprehensive self-study guide," n. d.) the Standards with regard to the 'Privacy of Individually Identifiable Information' are dependent upon the necessities to safeguard the privacy of the health information of every patient in oral, written, electronic and any other additional form. The standards for Security and Electronic Signature are dependent upon the necessities to insulate the integrity of and to regulate the reach to health information. They are chalked to safeguard information from change, destruction loss and accidental or deliberate revelation to unauthorized individuals. The Standards for Electronic Signature and Code Sets are dependent upon the necessities for health care parameters to transmit effectively with one another for such basic activities such as payment, claims processing, and establishing coverage with regard to a health plan and finding out a patient's standard of eligibility for services. The Medical Practices and Businesses with regard to HIPAA regulations are also known as 'covered entities'. They incorporate healthcare plans, healthcare providers, and the demands of clearinghouses. In accordance with HIPAA the County of Los Angeles is a Hybrid Covered Entity and it incorporates the Department of Mental Health, Kirby Center of the Probation Department and the Department of Health Services. ("Health Insurance Portability and Accountability Act (HIPAA): Comprehensive self-study guide," n. d.)

HIPAA is aimed at ensuring patient confidentiality with regard to all health care associated information. ("HIPAA FAQ's," n. d.) the Privacy Rule in HIPAA's Administrative Simplifications, institutes suitable measures and regulations in application and exposure of safeguarded health information -- PHI. The Privacy Rule in general strives to promote the safeguard of health information by not only providing systems for the control of it, but privileges of both patients and entities in application of PHI. The Privacy Rule states for the appointment of a Chief Privacy Officer, whose primary responsibilities are to foster and carry out policies to help in the adherence with the regulations stated. The Chief Privacy Officer also addresses direct complains as well as concerns with privacy from the client to the employee. Covered entities are required to detect all PHI applied within the entity's operations, and those who have reach to it. Policy states that records need to have standard form, and should be exposed to patients on request. (Feigenbaum, 2007)

Particular control in the Privacy Rule administers suitable exposure of PHI. In the entire Rule, a general existent concept is minimum essential exposure, wherein the Rule indicates that providers are required only to reveal the absolute minimum level of patient information required for the service or care so as to minimize illegal disclosure of PHI. Unique issues also incorporate regulations administering the suitable disclosure of PHI to commercial associates, hybrid entities, and for application in marketing, research and philanthropy. At last the Privacy Rules indicate important controls with regard to staff training and response. Privacy Officers and administrators are necessary for generating, disseminating and monitoring a 'Notice of Privacy Practices'. Formulated in plain language and highlighting the privileges of both patients as well as entities, the Notice emphasizes the liability of the employee to maintain rights of the patients, indicates allowable paths wherein PHI might be applicable and revealed by employees, and mentions patient capabilities to forbid revealing of their information. (Feigenbaum, 2007)

HIPAA further emphasizes more than just the privacy of individually known health information. HIPAA also authorizes specific identifiers for health care providers, health plans, employers as well as individuals. A rule formulated in January 23, 2004 and which came into force from May 23, 2005 applies the National Provider Identifier as being the standard specific health identifier with regard to health care providers. While the National Provider Identifier is executed, entities incorporated in HIPAA will make usage of only the National Provider Identifier to detect health care providers in all transaction levels. (Schoppmann www.sciencedirect.com/science?_ob=ArticleURL&_udi=B7CWD-4DDNR0X-8&_user=5715998&_coverDate=10%2F01%2F2004&_rdoc=1&_fmt=&_orig=search&_sort=d&view=c&_acct=C000068197&_version=1&_urlVersion=0&_userid=5715998&md5=537f150d0b174e0e135401492463e356;Sanders, 2004)

As necessitated by HIPAA, the final propositions include health plans, health care clearinghouses, and health care providers who perform some financial as well as administrative transactions digitally. HIPAA particularly deals with the Protected Health Information- PHI of the patients. Additionally, it entails patients having increased reach to and amendment of their medical records. Before offering services to the patient, the Covered Entity is required to first acquire the consent of the patient to share PHI with organizations such as the billing firm, insurance, and physicians as well as organizations wherein a patient might be referred. ("History: HIPAA General Information. Health Insurance Portability and Accountability Act," n.d.) the necessities of the HIPAA are applicable to any entity maintaining and/or disseminating patient identifiable information with regard to digital form. This influences practically all the health care organizations from the level of physicians and insurance companies to that of the health care support organizations. ("HIPAA FAQ's," n. d.)

Health care clearinghouses, health plans, and the health care providers who perform some financial as well as administrative transactions, such as admission, accounting and digital eligibility scrutiny are necessary to adhere to the Privacy Rule provisions. ("Protecting the Privacy of Patients' Health Information," n. d.) the variations HIPAA necessitates would be sufficient and the changes would be accompanied by remarkable uneasiness in several respects. Functioning in the type of high-security setting visualized by the proposed HIPAA security regulations would imply functioning under regular surveillance and with concentration to making medical record information as being secure. Whether in relation to paper or electronic form, information relating to medical record could not be any longer be left unprotected, wherein a normal observer, a thief or a snoop, could have reach to it. ("History: HIPAA General Information. Health Insurance Portability and Accountability Act," n.d.)

The Health Insurance Portability and Accountability Act -- HIPAA indicate to be one of the most confronting functional initiatives most radiologists would confront in their careers. The anticipations of HIPAA are very large and the results of failure to agree continue beyond the related financial penalties. Not similar to the fraud and abuse compliance programs, that are considered to be voluntary, HIPAA is compulsory for groups utilizing electronic data transmissions, having stringent time stipulations and penalties for non-consonance. But HIPAA is most of the time vague, basically because the controls were being written for such a broad arena of health care such as insurance firms and the big health care systems within the country to the small medical or the dental practices. Attaining the required amount of cultural variations is prone to be HIPAA's largest challenge as about 200 new policies and practices are initiated and a new mode of thinking about work is required. For such practices which have not yet started working with regard to their compliance plans, the weeks as well as months forward would be tense and taxing to staff morale. Groups which have started functioning with regard to their compliance plans have revealed their frustration that go together with solving one problem only to find three more in the process. The initiation of the Privacy Standards continues to be particularly challenging, because they identify the first initiation to the new world of HIPPA and they are complicated, not suited well to radiology functions, and would be problematic for the staff to recollect. (Kroken, 2002) significant element of HIPAA, the security norms, strive to safeguard the safety of health information in digital form, in contrast to the privacy standards, that is applicable to PHI in all kinds -- electronic, oral and written. The security norms adopt national standards for protection to safeguard the secrecy, integrity and accessibility of digital PHI. The ultimate norms were brought out on February 20, 2003. Security is chalked out to deal with protections and set minimum, uniform standard levels for digital concerns such as authorization of accessibility, data backup and storage; catastrophe revival strategies; encryption and decryption; capability safety strategies; emergency functions; maintaining records; safety recollections; managing password; personnel security; termination processes, and safe forms of disposal. (Schoppmann www.sciencedirect.com/science?_ob=ArticleURL&_udi=B7CWD-4DDNR0X-8&_user=5715998&_coverDate=10%2F01%2F2004&_rdoc=1&_fmt=&_orig=search&_sort=d&view=c&_acct=C000068197&_version=1&_urlVersion=0&_userid=5715998&md5=537f150d0b174e0e135401492463e356;Sanders, 2004)

In this manner the liability that physicians have to safeguard their patients from damage gives rise to the liability to safeguard patient secrecy and information. The change from paper and film oriented medical records towards electronic ones brings about supplementary challenges and liabilities to the healthcare providers. The radiologists make participation in this responsibility to safeguard patient privacy and the safety of patient information, particularly in acquiring, storage as well as delivery of medical images and associated reports. It is pertinent for radiologists to meticulously record their privacy and security policies and make this information known to their patients. The liability to safeguard patient secrecy and to make patient data secure from loss or corruption is an important necessity for the providing of medical care by a radiologist. ("Practice Guideline for Electronic Medical Information Privacy and Security," 2004)

The conformity of the HIPAA security norms initiates then, with a survey and evaluation of risk, utilizing the standards and specifications relating to the security standards as being the guide. The decision making need to be reinforced by means of probable responsibilities, results, practice size and resources, technical capacity and the expenses of executing the probable security remedies. (Schoppmann www.sciencedirect.com/science?_ob=ArticleURL&_udi=B7CWD-4DDNR0X-8&_user=5715998&_coverDate=10%2F01%2F2004&_rdoc=1&_fmt=&_orig=search&_sort=d&view=c&_acct=C000068197&_version=1&_urlVersion=0&_userid=5715998&md5=537f150d0b174e0e135401492463e356;Sanders, 2004) to begin with, an accurate and present inventory of all systems that create, disseminate, store or processing of patient information is essential. but, only understanding what and where is not adequate. HIPAA conformity officers or their delegates are required to acquaint themselves with all arenas of the medium applied for storing medical records incorporating but definitely not confined to "(1) Internet Protocol -- IP Address as well as Domain Name System -- DNS name; (2) Operating system, version, as well as vulnerabilities; (3) Needed processes as well as their vulnerabilities; (4) Any un-required services processed on the computer, (5) Auditing or accessing abilities of each system is required to incorporate as to what an individual had made accessibility and who have was able to access a particular record; (6) All outside points of accessibility from the Internet like modems or edge routers; (7) Organizational levels that cater to a virtual private network -- VPN, and the security capacities of each; (8) Firewalls location in the architecture and security level capacities of each; (9) if the interference recognition is applied and what its abilities are (10) Wireless accessibility points and level of securities imposed; (11) Network policies and written system that are being enforced." ("Practice Guideline for Electronic Medical Information Privacy and Security," 2004)

Once finished, the inventory survey could be applied to conduct the risk analysis. Performing this exercise assists the HIPAA compliance officer make prioritization of the departmental procedure. A couple of crucial terms to remember are the comparative significance of the device, and the sensitivity of the data on it. An important device like a Radiology Information System -- RIS need to have high amount of fault tolerance. A scanner, alternatively, might have a large number of support systems; therefore the fear of loss might not be so grave. Contrary to this the lengths to that one is required to safeguard data is required to be something associated with the sensitivity of that data. A device which has only patient names as well as examination accessibility numbers, example, a procedure function list client is not as crucial to have compromised as that of a Hospital Information system -- HIS or Electronic Medical Record -- EMR that includes all data on a patient. ("Practice Guideline for Electronic Medical Information Privacy and Security," 2004)

Devices having high value of data need to be properly protected with regard to confidentiality, whereas those items which are crucial is required to be significantly fault lenient. As soon as the inventory is recognized and the liability is evaluated, an execution strategy making comparisons of the present state of equipment to that of the desired ultimate state is essential. The distinction between what is presently in place and what is required to term the 'gap'. The gap study strives to carry out the execution plan and the financial budget. To illustrate, a present teleradiology system might transmit images unencrypted through the Internet. HIPAA rules necessitates a system that could detect users, audit their activities, and safeguard the exams from view by unauthorized third persons. Hence a simple list to cater to this gap and create a budget would be (1) an up-gradation to the present level of operating system. (2) a tele-radiology which provides user auditing; (3) Hardware -- or software focused public important encryption. The other sub-sections utilize the present HIPAA rules to attain recommended policies as well as processes for compliance- thereby indicating the ultimate objective for analysis of the gap. ("Practice Guideline for Electronic Medical Information Privacy and Security," 2004)

The radiologists are hence to make certain the compliance with applied provisions of the Health Insurance Portability and Accountability Act of 1996 that associates processes dealing with the safeguard, usage and disclosure of Protected Health Information-PHI, record of displays, accessibility by individuals as well as third parties to PHI, safeguard of PHI by contractors, business associate agreements as well as training of employees. Radiologists in consonance with the Health Insurance Portability and Accountability Act of 1996 are to consider personal information securely as well as secretly. The radiologists are to confine accessibility to personal information to only such individuals who require recognizing that information to offer support services to clients. They have to be skilled with regard to the significance of protecting this information and are required to be in agreement with the processes and applicable laws. Radiologists have to cater to stringent physical, electronic as well as procedural safety norms to safeguard personal information and keep up internal systems to foster the integrity and accuracy relating to that information. ("HIPAA policy: Radiology Contractors," n. d.)

Practices relating to Radiology that have performed their job of implementing of the privacy norms would stay ahead of the security game since the privacy standards already necessitate that a covered entity have in place, "suitable technical, administrative and physical protections to safeguard the privacy relating to safeguarded health information." (Schoppmann www.sciencedirect.com/science?_ob=ArticleURL&_udi=B7CWD-4DDNR0X-8&_user=5715998&_coverDate=10%2F01%2F2004&_rdoc=1&_fmt=&_orig=search&_sort=d&view=c&_acct=C000068197&_version=1&_urlVersion=0&_userid=5715998&md5=537f150d0b174e0e135401492463e356;Sanders, 2004) Majority of the radiology practices, have already addressed with the safety responsibilities and resolutions around the use of technology within the medical practice and the safeguard of health information. As that of the privacy norms, however, most of the conformity with the security norms is considered to be procedural and not technical. It is compulsory then, that the risk evaluation, the decision-making processes, and the execution of the methods for confirming with the several specifications of the security standards are recorded. (Schoppmann www.sciencedirect.com/science?_ob=ArticleURL&_udi=B7CWD-4DDNR0X-8&_user=5715998&_coverDate=10%2F01%2F2004&_rdoc=1&_fmt=&_orig=search&_sort=d&view=c&_acct=C000068197&_version=1&_urlVersion=0&_userid=5715998&md5=537f150d0b174e0e135401492463e356;Sanders, 2004)

There is no terminology for a peculiar radiology group and hence, no cookie reform remedy for conformity. The complicacy of execution would differ with size and configuration of the specific practice and the radiologist has the issue of confronting across a complex trend of processes and indicating the manner relating to how and where they are required to be adapted to confirm with HIPAA. HIPAA influences practically each field of the radiology experience, incorporating hospital/radiology group communications, imaging center functions, patient communications incorporating those through the website, billing as well as collections, design of facility, record and tele-radiology inclusion. Due to the varied contractual association of a radiology group, it is sometimes problematic to indicate who assumes basic liability for HIPAA compliance in specific situations or processes. Who paves the way and who tends to follow? One of the first job then is to indicate the configuration and initiation of the group to interact with the other entities to clarify the expectations and liabilities like (a) when is the group responsible fro improving the conformity plan and when would it rather be anticipated to confirm to the components of the plans of another entity (b) in which circumstances is basic liability for HIPAA not significant? - What types of communication mechanisms are required to be instituted between the parties for HIPAA associated difficulties? (d) When does the relationship of a business associate prevail between the parties? (Kroken, 2002)

Let us at present comprehend HIPAA in respect of the simple radiology practice group. An illustration of a simple radiology experience might associate a hospital-dependent group serving one hospital and making use of a billing service. If the group is in conformity to the plan of the hospital and the billing service includes the security of PHI during the billing as well as the collection processes, does the group still require its own HIPAA conformity plan? As per the legal experts, the reply is yes, because the group still is required to reveal its conformity with the HIPAA controls. Again, HIPAA necessitates the record of normal policies as well as processes so that the group cannot simply indicate it functions within the conformity plans of the other entities. The practice then operationally is required to comply with the manner and when it is anticipated to function within the hospital norms. It would also require functioning with the hospital to formulate a joint Notice of Privacy Practices, which is permitted when included entities are portion of an Organized Health Care Arrangement -- OHCA. (Kroken, 2002)

Alternatively, the billing service is liable for confirming to the HIPAA norms for digital transactions, in addition with the privacy as well as security of the information applied in the billing process. Questions evolve but in terms of which of the processes are incorporated with regard to the billing service contract and which of the elements would not be included. Several billing services have pronounced they do not prioritize to incorporate the HIPAA compliance of the group in their general sphere of services. In certain circumstances, the billing service might charge a supplementary fee for HIPAA compliance services and in others, would anticipate the experience to assume liability. It is significant to indicate and record each of such details in the HIPAA plan. (Kroken, 2002)

Let us now comprehend HIPAA in respect of complex radiology experience group. Instead of assuming only the big radiology groups in the nation would categorize as complicated practices, the designation rather concentrates on the amount of locations, contractual relations and procedures associated. To illustrate, a complicated group sometimes embrace multiple hospitals, at times in various health care systems, and, to extend complex things, those hospitals might be in various states. It is also not abnormal for coverage to embrace a wide geographic arena, as in a rural regional health care environment, with inclusion offered through teleradiology for smaller hospital locations that are not able to suggest a full-time radiologist. The group might own its own imaging center(s) or have partnership with a hospital or other ownership entity, keeping contracts for both professional interaction and management. Alternatively, the group offers professional services for an independent diagnostic testing facility -- IDTF and might have medical director or management roles in such environments. The complicated group might also have an inbuilt accounting sector and infrequently, provide accounting services to other health care entities also. (Kroken, 2002)

As anticipated the flow of PHI and liability for making certain its safeguard become more problematic as the configuration of the experience extends to incorporate several legal entities, sites of services, and operational fields. In certain cases, several parties are liable for overlapping procedures and it would not always be clear who is required to take the lead. To illustrate, let us think that the IDTF has an on-site transcriber but contracts to apply the dictation system of the radiology group. Reports are being sent to the radiologists for approval and digital signature on remote workstations because their schedule revolves them via facilities. Preliminary as well as final report copies are being auto-faxed to the concerned physicians by the transcriber. The responsibility for making certain the safeguard of PHI is hence shared by the two legal entities and several employees associated. Instead of each assuming the other has confirmed to the HIPAA norms, it would be significant for them to come across, walk via the processes, agree on the processes, and record their assumptions as well as conclusions in their concerned HIPAA strategies. (Kroken, 2002)

Since the communications requirements of such practices are more complicated, they are more prone to depend upon communications networks that associate image transmission technology, billing software and radiology information systems. The group is also more prone to depend upon "digital claims submission and transmission, hospital demographic downloads; remote referring physician or patient reach to information through web sites and auto-fax efficacies." (Kroken, 2002) While dealing with the confrontations of maintaining eligible personnel and regulating administrative expenses, they also are prone to seek innovative staffing solutions by outsourcing operations and/or providing employees the opportunity to operate from home. In the complicated pattern of practice, the procedures of recording information flow can alone be intimidating while PHI flows among legal entities, location of service as well as departments. HIPAA tend to be not only an intellectual practice, but also a test of will. (Kroken, 2002)

In all of the practices of radiology, those having governance liabilities take multiple forms; hence the execution committee is more with regard to making sure the representation of operational arenas instead of job titles or even the employee status. To illustrate a billing service might offer contracting; authenticating and documentation retention operations for a group that has no non-physician personnel. The group might also outsource management operations and lease personnel for an imaging center or to offer some support services. Starting with our early assumption that there is no peculiar radiology group, the HIPAA team would be accumulated from several resources, but should make sure the incorporation of important operational fields that incorporate but are not confined to, the following "(a) Governance / management: (b) Accounting and receipt; - site managers; (d) Technologists; (e) Medical directors; (f) Information services; (g) Non-management staff members." (Kroken, 2002)

There are some suggestions to facilitate HIPAA execution; (1) Induce the staff to practice HIPAA by making them aware what is ahead and ensuring them to be more vigilant of their functions, interactions with the patients, and where they visualize the difficulties to occur. Ensuring comments as well as observations are incorporated in regular personnel meetings and start the educational processes before the conformation date; (2) Initiate strategy of plan as they are executed. Being patient to remain till the plan is completed and initiating it at once at or near the conformity deadline would enhance employee frustration and enhance the liability of errors and patient complaints. (3) Ensure those authorized liability for plan development have the resources they require, if that implies scheduling unaffected blocks of time every day, hiring supplementary personnel, sanctioning of buying resources materials, or outsourcing elements of the plan that necessitate specific skills and/or offer for adding of support of the temporary staff. (4) Acknowledge that HIPAA would go ahead to evolve. Remedies which are relevant presently may be varied with new guidelines to suite tomorrow. HIPAA compliance would require that we are followers of the rules and evolving interpretations, so the requirement for suitable resources is not seen to complete once the plan is recorded and in proper place. (5) Make sure transparent lines of interactions once the plan has been initiated. We are confronting several years of variation and it is human nature to oppose and seek solace in the traditional manner of functioning. Everyone in the experience would require being capable of discussing their frustrations, initiate new questions and attain support. (Kroken, 2002)

To conclude, it may be said that as a medical specialization, radiology is very fast compared to other fields to cover new advanced technology and diagnostic improvements. Radiology has been an environment of variation for a prolonged period and in this regard, should be better prepared to address the HIPAA compared to other colleagues in the profession relating to health care. Some of us would be bearing a cost for postponement at this time; however we have gathered and attained the requirement for variation in other fields, hence there is no cause to understand that HIPAA as exceeding our skill.

Works Cited Feigenbaum, Jonathan. (2007, May) "Health Insurance Portability and Accountability Act: The Impact of HIPAA on Pharmacy and Emerging Compliant Pharmacy Information Technology." Retrieved 30 September, 2007 at http://citebm.business.uiuc.edu/TWC%20Class/Project_reports_Spring2007/HIPAA/feigenba/feigenba.pdf Kroken, Patricia. (2002, Dec) "HIPAA and the Radiology Practice" Retrieved 30 September, 2007 at http://www.imagingeconomics.com/issues/articles/2002-12_07.asp N.A. (n. d.) "Health Insurance Portability and Accountability Act (HIPAA): Comprehensive self-study guide" Harbor-UCLA Medical Center and Coastal Cluster Health Centers. Retrieved 30 September, 2007 at http://www.harboruclasurgery.labiomed.org/users/HIPAASelf-StudyGuide.pdf N.A. (n. d.) "HIPAA FAQ's" Retrieved 30 September, 2007 at http://www.hipaacomply.com/faqs.htm#What%20exactly%20is%20HIPAA? N.A. (n. d.) "HIPAA policy: Radiology Contractors" Retrieved 30 September, 2007 at http://www.radiologycontractors.com/hipaa.htm N.A. (n. d.) "History: HIPAA General Information. Health Insurance Portability and Accountability Act" Retrieved 30 September, 2007 at http://www.divrad.com/hipaa_history.php N.A. (2004) "Practice Guideline for Electronic Medical Information Privacy and Security." ACR Practice Guideline. pp: 759-765. N.A. (n. d.) "Protecting the Privacy of Patients' Health Information" March 12, 2007. Retrieved 30 September, 2007 at http://www.hhs.gov/news/facts/privacy.html N.A. (2003, Sept) "Safeguarding Private Information: Family Educational Rights and Privacy Act of 1974 (FERPA), Health Insurance Portability and Accountability Act of 1996 (HIPAA), Gramm-Leach-Bliley Act of 1999 (GLBA)" Presented by General Counsel HIPAA Privacy and Security Officers Internal Auditing and the Records Office. Retrieved 30 September, 2007 at http://www.eiu.edu/~auditing/privacy.ppt. Schoppmann www.sciencedirect.com/science?_ob=ArticleURL&_udi=B7CWD-4DDNR0X-8&_user=5715998&_coverDate=10%2F01%2F2004&_rdoc=1&_fmt=&_orig=search&_sort=d&view=c&_acct=C000068197&_version=1&_urlVersion=0&_userid=5715998&md5=537f150d0b174e0e135401492463e356, Michael J; Sanders, Denise L. (2004, Oct) "HIPAA compliance: The law, reality, and recommendations. Journal of the American College of Radiology, vol. 1, no. 10, Pages 728-733. HIPPA 1996