1. Disclaimer This Presentation is provided “as is” without any express or implied warranty. This Presentation is for educational purposes only and does not constitute legal advice. If you require legal advice, you should consult with an attorney.

2. HIPAA Health Insurance Portability and Accountability Act or HIPAA

3. Developing the plan and managing the HIPPA “project” from an enterprise view

4. What is HIPAA? Healthcare In Pain And Agony (again)

5. Healthcare Information Sharing Managed care organizations;  Consulting physicians; Health insurance companies  Life insurance companies;  Self-insured employers; Pharmacies;  Pharmacy benefit managers;  Clinical laboratories; State and Federal statistical agencies; and  Medical information bureaus  Accrediting organizations;

6. What is Protected Health Information? Health Information - Is any information gathered by a health care provider, including non-health related data Protected Health Information - Is Health Information that contains data that may be used to directly or indirectly identify the patient  Also Described As: Identifiable Health Information Identifiable Patient Information

7. List of Data Elements that would make Health Information Identifiable! Name Address E-mail address Telephone No. Finger or voice prints Social security number Vehicle/device serial no. Health plan number Certificate/license No. Names of relatives Names of employers Fax number Birth date Photographic images / X-rays Internet (IP) address Medical record number Account Number Web URL

8. PHI is Covered by HIPAA, Regardless of Format Examples:  Database or Computer Stored Files  E-mail  Images or X-rays  Conversations  Word Documents  PDA Stored Information  Hand written notes  Student Logs  Academic Curriculum

9. The eight steps to HIPPA implementation: project sample time frame

10. 1. THINK AND EDUCATE The Big Choices  When to start?  Centralized vs. Decentralized approach?  Sponsorship / Executive Leadership  E-commerce integration?  Compliance vs. compliance plus significant benefits

11. 1. THINK AND EDUCATE Create a HIPAA Vision  Business office  Financial performance  Referral management  Patient relations Billing / collections registration primary statement  Relationship with key trading partners  Define goals

12. 1. THINK AND EDUCATE Proactive Vision  E-commerce based  Significant reduction in Business Office staff  Increased cash flow  Reduced bad debt  User friendly security technologies  HIPAA Security and Privacy aware staff  Collaborative relationship with business partners  Patient/subscriber friendly  Positive consumer public relations  Valued business partner relationships

13. 1. THINK AND EDUCATE Compliance Focused Vision (Provider)  HIPAA claims only transacted, forget the rest  Increasing Business Office Staff  Growing accounts receivable  Increased bad debt  Complex, hard to use security measures that interfere with patient care  Staff have minimal HIPAA security and privacy awareness  Adverse relationship with Business Partners  Inadequate systems and administrative policies to support security and privacy

14. Sponsors / Steering Committee  CEO, CFO, CIO, COO  Compliance Officer  Risk Management  Human Resources  Government Relations  Chief Information Security Officer  General Counsel  Privacy Officer 1. THINK AND EDUCATE

15. Sponsors / Steering Committee  Patient Representative  Security (physical) Officer  E-commerce  Admitting / Registration  Business Office  Medical Records  Workflow / Change Management

16. 1. THINK AND EDUCATE HIPAA Education  High level  Management level  Ongoing through all phases  Three tier strategy In person Internet / Intranet Paper

17. 1. THINK AND EDUCATE Project Management Organization (assume enterprise approach)  Core staff (few or many)  Dedicated project team vs. Shared resources  Mix of staff and consulting resources  Mix of HIPAA and operations knowledge  Independent Verification and Validation (IVV)  Protecting the information Security Protection from discovery

18. 1. THINK AND EDUCATE HIPAA Scope Definition  Suggested Initial Project HIPAA Regulation Scope Standard Transactions Employer (sponsor) Identifier Provider Identifier Payer Identifier Electronic Attachments Security (Privacy)  Business Applications  IS Applications  Key Trading Partner identification

19. HOSPITAL SYSTEMS EFFECTED BY HIPAA Business Applications Laboratory Pharmacy Radiology Registration (ADT) Orders Results Credentialling Data Warehouse Cost Accounting Materials Management Master Person (Patient) Index Patient Accounting Home Care Nursing home Physician practice Human Resources  HIPAA training management

20. HOSPITAL SYSTEMS EFFECTED BY HIPAA Business Applications Medical Records  Coding and Abstracting  Chart Tracking  Document Imaging  Electronic Medical records Clinical Data Repository Demand Management Patient Scheduling Referral Management Other Not Impacted  Payroll  General Ledger  Accounts Payable

21. HOSPITAL SYSTEMS EFFECTED BY HIPAA Business Applications Department Systems with Patient Specific Information (e.g., Cath lab) Telecommunication systems that contain patient identifiers, e.g., appointment call system Any special purpose database or application which includes patient specific information - - e.g. tumor registry

22. HOSPITAL SYSTEMS EFFECTED BY HIPAA IS Applications Internet and point-to-point data communications Interface Engine(s) EDI Engine(s) Infrastructure  Firewall  Network Security  Physical Security  Security Policies and Procedures  Security Audit Systems  Security Technology and Technology Mechanisms

23. 1. THINK AND EDUCATE Get Involved / Share with Peers HIPAA Regulations Strategic Implementation Plan (SIP)  Professional Associations  Key Trading Partners  Local Networking

24. 2. GATHER CURRENT STATE INFORMATION Inventory Everything Effected by HIPAA Risk Level Impact Assessment  Categorize risk level Business risk Security risk  Flag high cost remediation items

25. 2. GATHER CURRENT STATE INFORMATION Use Electronic Tools to Document and Manage the Process  Impact Assessment Inventory database  Transaction Implementation Guides  (Business) Risk / Compliance Management tracking and documentation  Project Management

26. 2. GATHER CURRENT STATE INFORMATION Cross Reference Regulations  Business applications  IS applications  Work processes  Administrative policies and procedures  Physical security issues  Other Develop HIPAA Project Plan  Eight Steps  Develop a mid-level plan with 100-150 tasks  Phase by regulation timing  Basis for three year plus budget and resources plan

27. 3. RISK AND COST BENEFIT ANALYSIS Staff Up  Technical  Legal  Workflow  Optional development and analysis  Change management Increase Education Activity Think Outside the Box Independent advisors

28. 3. RISK AND COST BENEFIT ANALYSIS GAP Analysis Quantify Risks  Probability of incidents  Impact per incident Fines and jail Legal defense/insurance premiums Loss/delayed revenues and staff to rework “Urgent” fix cost and staff time Public image

29. 3. RISK AND COST BENEFIT ANALYSIS Identify Options to Reduce Each Risk  Level of risk reduction (probability)  Cost to achieve risk reduction  Dependency factors Cost / Benefit Analysis  Identify greatest risk items  Identify benefit to cost ratio  Analyze items that are interrelated

30. 3. RISK AND COST BENEFIT ANALYSIS Assess Current Vendors’ HIPAA Readiness Plans and Assurances Recommendations to Sponsors/Steering Committee  Rationale  By level of investment

31. 4. PLAN Develop a Detailed Implementation Plan Include Current HIPAA Knowledge  Internal  External Coordinate with E-Commerce Initiatives Technology Strategy Administrative Strategy

32. 4. PLAN Issue RFPs to Acquire New Systems if Needed Educate Assure Availability of Implementation Resources Coordinate with Trading Partners

33. 5. IMPLEMENTATION Implement Changes  Transactions and Code Sets  Identifiers  Security -- Physical  Security -- Administrative  Security -- Technology and Technology Mechanisms

34. 5. IMPLEMENT Training Independent Assessment of ongoing project  Budget  Timeliness  Goal achievement

35. 5. IMPLEMENT Testing  Unit testing  Integration testing  Testing with trading partners Document the Risk Mitigation

36. 6. REVIEW Readiness Review Include Knowledge Gained Since the Plan was Developed Update to Address Changes in HIPAA Regulations

37. 7. CERTIFY AND GO LIVE Independent Review Certification Likely Only for Some Components

38. 8. MONITOR HIPAA Regulations  New  Revisions Security Audit and Monitoring Business Risk Monitoring Measure Goal Achievements Feedback to Phase 3 Report to Leadership Measure Business Partner Relationships