Disclaimer This Presentation is provided “as is” without any express or implied warranty. This Presentation is for educational purposes only and does not constitute legal advice. If you require legal advice, you should consult with an attorney.
HIPAA Health Insurance Portability and Accountability Act or HIPAA
Developing the plan and managing the HIPPA “project” from an enterprise view
What is HIPAA? Healthcare In Pain And Agony (again)
Healthcare Information Sharing Managed care organizations; Consulting physicians; Health insurance companies Life insurance companies; Self-insured employers; Pharmacies; Pharmacy benefit managers; Clinical laboratories; State and Federal statistical agencies; and Medical information bureaus Accrediting organizations;
What is Protected Health Information? Health Information - Is any information gathered by a health care provider, including non-health related data Protected Health Information - Is Health Information that contains data that may be used to directly or indirectly identify the patient Also Described As: Identifiable Health Information Identifiable Patient Information
List of Data Elements that would make Health Information Identifiable! Name Address address Telephone No. Finger or voice prints Social security number Vehicle/device serial no. Health plan number Certificate/license No. Names of relatives Names of employers Fax number Birth date Photographic images / X-rays Internet (IP) address Medical record number Account Number Web URL
PHI is Covered by HIPAA, Regardless of Format Examples: Database or Computer Stored Files Images or X-rays Conversations Word Documents PDA Stored Information Hand written notes Student Logs Academic Curriculum
The eight steps to HIPPA implementation: project sample time frame
1. THINK AND EDUCATE The Big Choices When to start? Centralized vs. Decentralized approach? Sponsorship / Executive Leadership E-commerce integration? Compliance vs. compliance plus significant benefits
1. THINK AND EDUCATE Create a HIPAA Vision Business office Financial performance Referral management Patient relations Billing / collections registration primary statement Relationship with key trading partners Define goals
1. THINK AND EDUCATE Proactive Vision E-commerce based Significant reduction in Business Office staff Increased cash flow Reduced bad debt User friendly security technologies HIPAA Security and Privacy aware staff Collaborative relationship with business partners Patient/subscriber friendly Positive consumer public relations Valued business partner relationships
1. THINK AND EDUCATE Compliance Focused Vision (Provider) HIPAA claims only transacted, forget the rest Increasing Business Office Staff Growing accounts receivable Increased bad debt Complex, hard to use security measures that interfere with patient care Staff have minimal HIPAA security and privacy awareness Adverse relationship with Business Partners Inadequate systems and administrative policies to support security and privacy
Sponsors / Steering Committee CEO, CFO, CIO, COO Compliance Officer Risk Management Human Resources Government Relations Chief Information Security Officer General Counsel Privacy Officer 1. THINK AND EDUCATE
Sponsors / Steering Committee Patient Representative Security (physical) Officer E-commerce Admitting / Registration Business Office Medical Records Workflow / Change Management
1. THINK AND EDUCATE HIPAA Education High level Management level Ongoing through all phases Three tier strategy In person Internet / Intranet Paper
1. THINK AND EDUCATE Project Management Organization (assume enterprise approach) Core staff (few or many) Dedicated project team vs. Shared resources Mix of staff and consulting resources Mix of HIPAA and operations knowledge Independent Verification and Validation (IVV) Protecting the information Security Protection from discovery
1. THINK AND EDUCATE HIPAA Scope Definition Suggested Initial Project HIPAA Regulation Scope Standard Transactions Employer (sponsor) Identifier Provider Identifier Payer Identifier Electronic Attachments Security (Privacy) Business Applications IS Applications Key Trading Partner identification
HOSPITAL SYSTEMS EFFECTED BY HIPAA Business Applications Laboratory Pharmacy Radiology Registration (ADT) Orders Results Credentialling Data Warehouse Cost Accounting Materials Management Master Person (Patient) Index Patient Accounting Home Care Nursing home Physician practice Human Resources HIPAA training management
HOSPITAL SYSTEMS EFFECTED BY HIPAA Business Applications Medical Records Coding and Abstracting Chart Tracking Document Imaging Electronic Medical records Clinical Data Repository Demand Management Patient Scheduling Referral Management Other Not Impacted Payroll General Ledger Accounts Payable
HOSPITAL SYSTEMS EFFECTED BY HIPAA Business Applications Department Systems with Patient Specific Information (e.g., Cath lab) Telecommunication systems that contain patient identifiers, e.g., appointment call system Any special purpose database or application which includes patient specific information - - e.g. tumor registry
HOSPITAL SYSTEMS EFFECTED BY HIPAA IS Applications Internet and point-to-point data communications Interface Engine(s) EDI Engine(s) Infrastructure Firewall Network Security Physical Security Security Policies and Procedures Security Audit Systems Security Technology and Technology Mechanisms
1. THINK AND EDUCATE Get Involved / Share with Peers HIPAA Regulations Strategic Implementation Plan (SIP) Professional Associations Key Trading Partners Local Networking
2. GATHER CURRENT STATE INFORMATION Inventory Everything Effected by HIPAA Risk Level Impact Assessment Categorize risk level Business risk Security risk Flag high cost remediation items
2. GATHER CURRENT STATE INFORMATION Use Electronic Tools to Document and Manage the Process Impact Assessment Inventory database Transaction Implementation Guides (Business) Risk / Compliance Management tracking and documentation Project Management
2. GATHER CURRENT STATE INFORMATION Cross Reference Regulations Business applications IS applications Work processes Administrative policies and procedures Physical security issues Other Develop HIPAA Project Plan Eight Steps Develop a mid-level plan with tasks Phase by regulation timing Basis for three year plus budget and resources plan
3. RISK AND COST BENEFIT ANALYSIS Staff Up Technical Legal Workflow Optional development and analysis Change management Increase Education Activity Think Outside the Box Independent advisors
3. RISK AND COST BENEFIT ANALYSIS GAP Analysis Quantify Risks Probability of incidents Impact per incident Fines and jail Legal defense/insurance premiums Loss/delayed revenues and staff to rework “Urgent” fix cost and staff time Public image
3. RISK AND COST BENEFIT ANALYSIS Identify Options to Reduce Each Risk Level of risk reduction (probability) Cost to achieve risk reduction Dependency factors Cost / Benefit Analysis Identify greatest risk items Identify benefit to cost ratio Analyze items that are interrelated
3. RISK AND COST BENEFIT ANALYSIS Assess Current Vendors’ HIPAA Readiness Plans and Assurances Recommendations to Sponsors/Steering Committee Rationale By level of investment
4. PLAN Develop a Detailed Implementation Plan Include Current HIPAA Knowledge Internal External Coordinate with E-Commerce Initiatives Technology Strategy Administrative Strategy
4. PLAN Issue RFPs to Acquire New Systems if Needed Educate Assure Availability of Implementation Resources Coordinate with Trading Partners
5. IMPLEMENTATION Implement Changes Transactions and Code Sets Identifiers Security -- Physical Security -- Administrative Security -- Technology and Technology Mechanisms
5. IMPLEMENT Training Independent Assessment of ongoing project Budget Timeliness Goal achievement
5. IMPLEMENT Testing Unit testing Integration testing Testing with trading partners Document the Risk Mitigation
6. REVIEW Readiness Review Include Knowledge Gained Since the Plan was Developed Update to Address Changes in HIPAA Regulations
7. CERTIFY AND GO LIVE Independent Review Certification Likely Only for Some Components
8. MONITOR HIPAA Regulations New Revisions Security Audit and Monitoring Business Risk Monitoring Measure Goal Achievements Feedback to Phase 3 Report to Leadership Measure Business Partner Relationships