Disclaimer This Presentation is provided “as is” without any express or implied warranty. This Presentation is for educational purposes only and does not

Disclaimer

This Presentation is provided “as is” without any express or implied warranty. This Presentation is for educational purposes only and does not constitute legal advice. If you require legal advice, you should consult with an attorney.

HIPAA

Health Insurance Portability and Accountability Act

or HIPAA

Developing the plan and managing the HIPPA

“project” from an enterprise view

What is HIPAA?

HealthcareInPain AndAgony (again)

Healthcare Information Sharing

Managed care organizations; Consulting physicians;

Health insurance companies Life insurance companies; Self-insured employers;

Pharmacies; Pharmacy benefit managers; Clinical laboratories;

State and Federal statistical agencies; and Medical information bureaus Accrediting organizations;

What is Protected Health Information?

Health Information - Is any information gathered by a health care provider, including non-health related data

Protected Health Information - Is Health Information that contains data that may be used to directly or indirectly identify the patientAlso Described As:

Identifiable Health InformationIdentifiable Patient Information

List of Data Elements that would make Health Information Identifiable!

Name Address E-mail address Telephone No. Finger or voice prints Social security number Vehicle/device serial no. Health plan number Certificate/license No.

Names of relatives Names of employers Fax number Birth date Photographic images / X-rays Internet (IP) address Medical record number Account Number Web URL

PHI is Covered by HIPAA, Regardless of Format

Examples: Database or Computer Stored Files E-mail Images or X-rays Conversations Word Documents PDA Stored Information Hand written notes Student Logs Academic Curriculum

The eight steps to HIPPA implementation: project sample time frame

1. Think and Educate 1-3 months

2. Gather Current State Information 2-3 months

3. Risk and Cost/Benefits Analysis 3-6 month

4. Plan 2-3 months

5. Implement 12-24 months

6. Review 2-3 months

7. Certify and Go Live 3-6 months

8. Monitor Ongoing

Total Time 25-48 months

1. THINK AND EDUCATE

The Big ChoicesWhen to start?Centralized vs. Decentralized approach?Sponsorship / Executive LeadershipE-commerce integration?Compliance vs. compliance plus significant benefits


Create a HIPAA VisionBusiness officeFinancial performanceReferral managementPatient relations

Billing / collections registration primary statement

Relationship with key trading partners Define goals


Proactive Vision E-commerce based Significant reduction in Business Office staff Increased cash flow Reduced bad debt User friendly security technologies HIPAA Security and Privacy aware staff Collaborative relationship with business partners Patient/subscriber friendly Positive consumer public relations Valued business partner relationships


Compliance Focused Vision (Provider) HIPAA claims only transacted, forget the rest Increasing Business Office Staff Growing accounts receivable Increased bad debt Complex, hard to use security measures that interfere with

patient care Staff have minimal HIPAA security and privacy awareness Adverse relationship with Business Partners Inadequate systems and administrative policies to support

security and privacy

Sponsors / Steering Committee CEO, CFO, CIO, COO Compliance Officer Risk Management Human Resources Government Relations Chief Information Security Officer General Counsel Privacy Officer



Sponsors / Steering CommitteePatient RepresentativeSecurity (physical) OfficerE-commerceAdmitting / RegistrationBusiness OfficeMedical RecordsWorkflow / Change Management


HIPAA EducationHigh levelManagement levelOngoing through all phasesThree tier strategy

In personInternet / IntranetPaper


Project Management Organization (assume enterprise approach)Core staff (few or many)Dedicated project team vs. Shared resourcesMix of staff and consulting resourcesMix of HIPAA and operations knowledgeIndependent Verification and Validation (IVV)Protecting the information

SecurityProtection from discovery


HIPAA Scope Definition Suggested Initial Project HIPAA Regulation Scope

Standard Transactions Employer (sponsor) Identifier Provider Identifier Payer Identifier Electronic Attachments Security (Privacy)

Business Applications IS Applications Key Trading Partner identification

HOSPITAL SYSTEMS EFFECTED BY HIPAABusiness Applications

Laboratory Pharmacy Radiology Registration (ADT) Orders Results Credentialling Data Warehouse Cost Accounting

Materials Management Master Person (Patient)

Index Patient Accounting Home Care Nursing home Physician practice Human Resources

HIPAA training management


Medical Records Coding and Abstracting Chart Tracking Document Imaging

Electronic Medical records

Clinical Data Repository

Demand Management Patient Scheduling Referral Management Other

Not Impacted Payroll General Ledger Accounts Payable


Department Systems with Patient Specific Information (e.g., Cath lab)

Telecommunication systems that contain patient identifiers, e.g., appointment call system

Any special purpose database or application which includes patient specific information -- e.g. tumor registry

HOSPITAL SYSTEMS EFFECTED BY HIPAAIS Applications

Internet and point-to-point data communications Interface Engine(s) EDI Engine(s) Infrastructure

Firewall Network Security Physical Security Security Policies and Procedures Security Audit Systems Security Technology and Technology Mechanisms


Get Involved / Share with PeersHIPAA RegulationsStrategic Implementation Plan (SIP)

Professional AssociationsKey Trading PartnersLocal Networking

2. GATHER CURRENT STATE INFORMATION

Inventory Everything Effected by HIPAA Risk Level Impact Assessment

Categorize risk levelBusiness riskSecurity risk

Flag high cost remediation items


Use Electronic Tools to Document and Manage the ProcessImpact Assessment Inventory databaseTransaction Implementation Guides(Business) Risk / Compliance Management

tracking and documentationProject Management


Cross Reference Regulations Business applications IS applications Work processes Administrative policies and procedures Physical security issues Other

Develop HIPAA Project Plan Eight Steps Develop a mid-level plan with 100-150 tasks Phase by regulation timing Basis for three year plus budget and resources plan

3. RISK AND COST BENEFIT ANALYSIS

Staff Up Technical Legal Workflow Optional development and analysis Change management

Increase Education Activity Think Outside the Box Independent advisors


GAP Analysis Quantify Risks

Probability of incidentsImpact per incident

Fines and jail Legal defense/insurance premiums Loss/delayed revenues and staff to rework “Urgent” fix cost and staff time Public image


Identify Options to Reduce Each Risk Level of risk reduction (probability) Cost to achieve risk reduction Dependency factors

Cost / Benefit Analysis Identify greatest risk items Identify benefit to cost ratio Analyze items that are interrelated


Assess Current Vendors’ HIPAA Readiness Plans and Assurances

Recommendations to Sponsors/Steering Committee Rationale By level of investment

4. PLAN

Develop a Detailed Implementation Plan Include Current HIPAA Knowledge

Internal External

Coordinate with E-Commerce Initiatives Technology Strategy Administrative Strategy

4. PLAN

Issue RFPs to Acquire New Systems if Needed Educate Assure Availability of Implementation Resources Coordinate with Trading Partners

5. IMPLEMENTATION

Implement Changes Transactions and Code Sets Identifiers Security -- Physical Security -- Administrative Security -- Technology and Technology Mechanisms

5. IMPLEMENT

Training Independent Assessment of ongoing project

Budget Timeliness Goal achievement

5. IMPLEMENT

Testing Unit testing Integration testing Testing with trading partners

Document the Risk Mitigation

6. REVIEW

Readiness Review Include Knowledge Gained Since the Plan was

Developed Update to Address Changes in HIPAA Regulations

7. CERTIFY AND GO LIVE

Independent Review Certification Likely Only for Some Components

8. MONITOR

HIPAA Regulations New Revisions

Security Audit and Monitoring Business Risk Monitoring Measure Goal Achievements Feedback to Phase 3 Report to Leadership Measure Business Partner Relationships