1 Achieving and Sustaining HIPAA Compliance October 4, 2002 David Swartz George Washington University Melissa Glynn PricewaterhouseCoopers LLP

2 Copyright Statement Copyright Melissa Glynn and David G. Swartz, 2002. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

3 Abstract The Health Insurance Portability and Accountability Act (HIPAA) will take effect in 2003. The regulations present institutions with the flexibility to select and implement a compliance approach. George Washington University undertook a structured approach to assess, plan, and implement a compliance program across privacy and security requirements.

4 Presentation Agenda
Introduction to HIPAA
George Washington University's HIPAA Compliance Project
    Project Description
    Project Approach
        Privacy
        Security
Cultural Change
Questions and Presentation Wrap-Up

5 Introduction to HIPAA The Health Insurance Portability and Accountability Act (HIPAA) requires that institutions which create, use, store and analyze identifiable health information for research, treatment or management functions comply with stringent privacy standards by April 14, 2003. The extent of a compliance effort varies based upon the institution’s status under the regulation. Many academic research institutions will consequently be faced with the task of tending to the implications of the HIPAA standards for research activities. HIPAA will indirectly impact a wider set of institutions, as dependencies with covered entities will have consequences on the transmissions of information and promulgation of increased controls.

6 Introduction: Regulation Components and Implementation Deadlines
Transaction Codes – October 2002
Privacy – April 2003
Security – expected December 2004

7 Introduction: Associated Penalties for Non-Compliance
The Department of Health and Human Services Office of Civil Rights is responsible for enforcement of the Privacy Regulations. Penalties for non-compliance include the following:
Failure to Comply:
    $100 per violation
    $25,000 maximum for all violations of a single requirement
Wrongful Disclosure:
    $50,000 and/or imprisonment for up to 1 year
    $100,000 and/or imprisonment for up to 5 years if under false pretenses

8 George Washington University's HIPAA Compliance Project: GW's Environment
MFA – Covered Entity
University – Business Associate
Healthcare Component

9 George Washington University's HIPAA Compliance Project: GW's Project Structure
(organization chart not reproduced in the transcript)

10 GW's HIPAA Compliance Project: Project Phases
Phase I – Awareness
Phase II – Readiness Assessment
Phase III – Remediation
Phase IV – Follow Up and Audit

11 GW's HIPAA Compliance Project: Project Approach and Definitions
Hybrid Entity – HIPAA Privacy regulations can be implemented at the level of the healthcare component instead of the entire enterprise, with proper safeguards. The enterprise itself remains the covered entity but minimizes its risk by isolating the covered functions in the healthcare component.
Organized Health Care Arrangement (OHCA) – a clinically integrated care setting in which more than one covered entity participates. The OHCA permits MFA and GW Clinicians to hold themselves out to the public as participating in a joint arrangement and to use information for joint activities. Allows for a joint notice and a joint consent.

12 GW's HIPAA Compliance Project: Project Approach and Definitions
Establishing Business Associate Relationships – A business associate is a person or entity who provides certain functions, activities, or services for or to a covered entity, involving the use and/or disclosure of protected health information. A business associate is not a member of the health care provider, health plan, or other covered entity's workforce. A health care provider, health plan, or other covered entity can also be a business associate to another covered entity.

13 GW's HIPAA Compliance Project: Privacy Scope
Areas:
    Institutional Review Board & Research Management
    Graduate Medical Education
    Clinics
    Student Health
    Human Resources and Employee Benefits
    Compliance Office
    General Counsel
Activities:
    Uses and Disclosures
    Consents
    Authorizations
    Legal / Contract Reviews
    Project Documentation
    Training
    Privacy Officer Designation

14 GW's HIPAA Compliance Project: Security
Tell you what to do, not how to do it!
General Security Goals – Confidentiality, Integrity, Availability (CIA)
    Confidentiality – authorized access only
    Integrity – accuracy of data
    Availability – ability to get to it when you need it
Based upon a best practices model
    GW is using the National Institute of Standards and Technology (NIST) model
Final regulations not listed yet – expected shortly
Main categories of security in HIPAA:
    Administrative procedures
    Physical safeguards
    Technical security measures

15 Security Implementation Relies On: Process, People, Technology
Policies must be developed, communicated, maintained and enforced
Processes must be developed that show how policies will be implemented
People must understand their responsibilities regarding policy
Systems must be built to technically adhere to policy

16 NIST – National Institute of Standards and Technology: Security Assessment Framework
Level 1 – Documented Policy
Level 2 – Documented Procedures
Level 3 – Implemented Procedures and Controls (universities expected to operate at this level)
Level 4 – Measured Program
Level 5 – Pervasive Program

17 GW HIPAA Security Timeline (NIST: Security Assessment Framework)
Level 0 – Most Universities: some security in place but does not meet Level 1 criteria
Level 1 – GW: Achieved. Formally documented and disseminated policy; responsibilities assigned; compliance identified
Level 2 – GW: Jan 03. Documented procedures for implementing security controls identified in policies
Level 3 – GW: Dec 04. Security procedures and controls are implemented
Controls on the timeline: Host/router Security, Password Management, Central Security Office, Compliance Office, Policy Manager, Virus Filters, Incident Response, Data Center Firewalls, Security Architecture, 3rd Party Assessment, Disaster Recovery, Change Control, Assignment of Duties, Awareness & Training, Personal Firewalls, Scanning, Lab Monitoring, Strong Authentication, Remote Access – VPN, Intrusion Detection, Enterprise Firewall

18 GW's HIPAA Compliance Project: Cultural Changes
Area – Impacts
Institutional Review Board & Research Management – Increased monitoring of research protocols, management reviews, audits
Clinics – Standardized processes, documentation and information management approaches
Compliance Office – Ongoing training requirements, audits and reporting demands
Security – Promulgation of standards, monitoring approaches

19 Culture Analogy – Seatbelts
"It should be noted that it took many years to get the seatbelt usage up to its present level, and it takes a heavy hand from the police to persuade the stupid to do the obvious." — Peter N. Wadham
"Out at sea it takes 30 miles for an oil tanker to reverse its direction. It takes time and commitment to change, based on foundational values, principles and quality relationships to positively affect your company's culture -- its way of doing things." — The Freeman Institute, Changing the Culture of Your Organization
"Culture does not change because we desire to change it. Culture changes when the organization is transformed; the culture reflects the realities of people working together every day." — Frances Hesselbein, Key to Cultural Transformation

20 Questions and Presentation Wrap-up
Recommended information sources:
http://www.aamc.org
http://www.hhs.gov/topics/privacy.html
http://www.hipaadvisory.com
http://www.hcfa-1500 forms.com/hipaa/fieldguide.html
http://www.pwchealth.com/hipaa.html
http://www.cio.gov/documents/info_security assessment_framework_Sept_2000.html