West Virginia State Government HIPAA Assessment Project Charter

Health Insurance Portability and Accountability Act
West Virginia State Government
Additional information can be found on the HIPAA Website at http:/www.wvdhhr.org/hipaa
HIPAA Assessment
Sallie Hunt, HIPAA Sr. Legal Counsel
WEST VIRGINIA STATE GOVERNMENT
HIPAA PROJECT MANAGEMENT OFFICE
HIPAA Overview:
Purpose of HIPAA Title II - Improved efficiency in healthcare
delivery by standardizing electronic data interchange (EDI) and
mandating the protection of patient confidentiality (privacy) and
the security of health data through the setting and enforcing of
standards.
Who is affected? – Healthcare providers who transmit
administrative or financial transactions electronically that
contain health information, health plans and clearinghouses.
Sanctions - Sanctions for non-compliance with HIPAA can be
both civil and criminal. Fines range from $100 per violation up
to $25,000 for multiple violations of the same standard in a
calendar year. Additionally, there are fines up to $250,000 and/or
imprisonment for up to 10 years for intentional misuse of
individually identifiable health information.
Project Overview:
Background – Governor Wise appointed Sonia Chambers, Chair of the
West Virginia Health Care Authority, to provide oversight and
coordination.
The HIPAA Executive Committee (HEC) was created to assist
WV State Government Executive Branch entities in determining:
• If they are covered under HIPAA and subject to its rule
• Current State Compliance status with a Gap Analysis
• HIPAA-specific tools and training
• Strategies for compliance implementation
• Remediation Action Plans with costs and timelines
• Compliance implementation projects
Problem Statement:
• WV State Government Executive Branch business systems,
processes, and policies may not be compliant
• Limited resources create an assessment challenge
• Timelines for compliance are tight:
  • October 15, 2002 – Transactions and Code Sets Plan
  • April 14, 2003 – Privacy Compliance Deadline
  • October 16, 2003 – Transactions and Code Sets Deadline
  • Security Mandates TBD
Project Goals and Objectives:
• Evaluate HIPAA impacts on WV State Government Executive
Branch agencies
• Determine systems, procedures, policies, and contract
language requiring change to accomplish compliance
• Phase I – Produce Assessment Findings & Remediations
Report w/ recommendations, timelines, costs, etc.
• Develop Phase II – Implementation Plan / Project Charter
Project Scope:
• Bob Wise, Governor – Governor’s Office (FYI purposes only)
• Gregory A. Burton, Commissioner – Department of Administration
• Alisa L. Bailey, Commissioner – Bureau of Commerce
• Kay Goodwin, Cabinet Secretary – Department of Education and the Arts
• Robert J. Smith, Commissioner – Bureau of Employment Programs
• Michael Callaghan, Cabinet Secretary – Department of Environmental Protection
• Paul L. Nusbaum, Cabinet Secretary – Dept. of Health and Human Resources
• Sonia D. Chambers, Chair – WV Health Care Authority
• Joe Martin, Cabinet Secretary – Dept. of Military Affairs & Public Safety
• Ann M. Stottlemyer, Commissioner – Bureau of Senior Services
• Brian M. Kastick, Cabinet Secretary – Department of Tax and Revenue
• Fred VanKirk, P.E., Cabinet Secretary – Department of Transportation
Although boards, commissions, and institutions of higher education are
not included within the scope, assistance and access to project tools,
products, and information will be provided per project resource availability.
Additionally, via Education and Outreach, tools, products, lessons learned,
best practices, etc. will also be shared with those outside the WV project.
Critical Success Factors:
• Active and visible Executive-level endorsement
• Identified and manageable project scope
• Stable and timely project resources
• Strong project management and a PMO to:
  • Serve as a central point of HIPAA and project contact
  • Develop and maintain project structure
  • Provide project leadership and coordinate / leverage resources
  • Facilitate sharing of best-practices
  • Monitor deliverables and approve project work products
  • Maintain project plans, status reports, documentation, and audit trail
  • Represent the project team
Assumptions:
• Project scope will remain consistent
• Systems outside the control of WV State Government will not be
addressed
• The PMO is the central point of HIPAA project contact
HIPAA Project Plan
| Task Name | Duration | Start | Finish | % Complete |
|---|---|---|---|---|
| ADMINISTRATIVE PHASE: (DELIVERABLE I: ESTABLISH PMO) | 356 days? | 08/09/01 | 12/19/02 | 99% |
| PMO Structure and Resources | 356 days? | 08/09/01 | 12/19/02 | 98% |
| Pre-project GOT Research | 145 days | 08/09/01 | 02/27/02 | 100% |
| Establish Executive Sponsorship | 1 day | 02/27/02 | 02/27/02 | 100% |
| Define Project Scope | 117 days | 03/07/02 | 08/16/02 | 100% |
| Designate Project Manager (PM) | 1 day | 03/14/02 | 03/14/02 | 100% |
| Establish HIPAA Executive Committee (HEC) | 1 day | 03/21/02 | 03/21/02 | 100% |
| HEC Meetings | 186 days | 04/04/02 | 12/19/02 | 71% |
| Define HEC Charter | 5 days | 08/26/02 | 08/30/02 | 100% |
| Identify Additional Resources (Teams) | 115 days | 03/21/02 | 08/28/02 | 100% |
| Legal Team | 50 days | 03/21/02 | 05/29/02 | 100% |
| IT Team | 105 days | 04/04/02 | 08/28/02 | 100% |
| Define Phase I Roles & Responsibilities | 107 days | 04/04/02 | 08/30/02 | 100% |
| Draft Project Charter | 9 days | 07/22/02 | 08/01/02 | 100% |
| Establish Physical PMO | 7 days | 08/15/02 | 08/26/02 | 100% |
| Hire PMO Admin Asst | 15 days? | 08/19/02 | 09/06/02 | 100% |
| Project Tools, Processes and Reports | 128 days | 04/04/02 | 09/30/02 | 100% |
| Develop PMO Workbook | 32 days | 08/19/02 | 10/01/02 | 100% |
| Deliverable Approvals | 46 days | 08/01/02 | 10/03/02 | 100% |
| Project Charter | 5 days | 08/01/02 | 08/07/02 | 100% |
| Project Plan | 1 day | 10/03/02 | 10/03/02 | 100% |
| PMO Workbook | 1 day | 10/03/02 | 10/03/02 | 100% |
| Deliverable 1: Establish PMO - Completed | 0 days | 10/03/02 | 10/03/02 | 100% |
Milestones
| Milestone | Planned Completion Date |
|---|---|
| Governor Appointed HIPAA Sponsor | 02/27/02 |
| Definition of Project Scope | 03/07/02 |
| HIPAA Executive Committee (HEC) Formed | 03/21/02 |
| Technical Advisory Groups Initiated | 04/04/02 |
| Project Charter Approved | 04/04/02 |
| Project Plan Developed | 04/11/02 |
| Covered Entity Assessment Survey Distributed | 07/31/02 |
| Covered Entity Status Report | 09/06/02 |
| TCS Impact Determination Questionnaire Distributed | 09/09/02 |
| WV Pre-emption Analysis Report | 09/20/02 |
| TCS Gap Analysis Report | 09/30/02 |
| Privacy Impact Determination Questionnaire Distributed | 10/11/02 |
| Security Impact Determination Questionnaire Distributed | 10/11/02 |
| TCS Extension Plan(s) Due | 10/15/02 |
| Privacy Gap Analysis Report | 10/31/02 |
| Security Gap Analysis Report | 10/31/02 |
| Privacy Remediation Recommendations | 11/15/02 |
| Security Remediation Recommendations | 11/15/02 |
| Phase II Implementation Plans | 12/02/02 |
| Training | On-going |
| Project Management Office | On-going |
| Privacy Implementation Deadline | 4/14/2003 |
| TCS Testing to Begin Deadline | 4/16/2003 |
Revised Date / Actual: 02/17/02, 08/16/02, 03/21/02, 04/04/02, 08/07/02, 08/13/02, 08/19/02, 09/30/02, 09/09/02*, 10/04/02, 10/15/02
* On-going - distributed as CE surveys received
Project Organizational Chart:
• Sonia Chambers: Chair, WVHCA; HIPAA Sponsor
• HIPAA Executive Committee (HEC):
  – Sallie Hunt: HEC; Sr. Legal Counsel; Privacy Team Leader
  – John Wagner: HEC; HIPAA IT Team Lead
  – Tracy Christofero: HEC; PMO Project Manager
  – John Biancone: HEC; DHHR HIPAA Coordinator
  – Marsha Dadisman: HEC; Education and Outreach Team Lead
• Project Management Office Assistant
• Teams and units shown on the chart: Coverage and Survey Instruments; Privacy; TCS; Security; Non-HIPAA State & Federal Laws; POC/ Project IT Support; Privacy IT; Security IT; TCS TAG; Behavioral Health & Health Facilities; Bureau for Children and Families; Bureau for Medical Services; Management Information Services; Office of Inspector General; Office of Operations; Finance
Legal Team
• Coverage and Survey Instruments
• Privacy
• TCS
• Security
• Non-HIPAA State and Federal Laws
Legal Team Process
• Attorneys from probable covered entities
identified and asked to participate on team
• Kick-off meeting held in May 2002
• Attorneys asked to step forward as team
leaders and others to participate on teams
• Full team meetings to receive status reports
with real work occurring in sub-teams
Legal Team Process
• At the kickoff meeting in May, everyone was
given a team charter which outlined the
deliverables for each sub-team
• Each team leader prepared a weekly report of
status and obstacles and remitted it to the Legal
Team Leader by Tuesday of each week
• On Wednesday of each week, a full team report
was issued, along with a log of issues
• Reports were distributed by e-mail and posted to
the web
Coverage and Survey Instruments Team
• Developed Covered Entity Assessment Survey
• Reviewed other states’ tools – used NC’s as the
basis for the model
• Found a balance between developing a
comprehensive tool and a concise tool
• Important to find examples of inclusions and
exclusions for the non-HIPAA literate respondent
Coverage and Survey Instruments Team
• Challenge to decide at what level to distribute the
survey
• Decision made to send the survey to the cabinet
secretary of all executive branch agencies
• Recognized that each agency is organized
differently
• Different structures require different distribution
decisions, which could only be made by the
agency itself
Privacy Team
• Reviewed and revised NCHICA’s HIPAA
EarlyView Privacy Assessment Tool
• Reviewed and revised questions, clarifications,
best practices and glossary
• Reviewed and revised tool a second time, taking
into consideration the August 14, 2002 Privacy
modifications
• Recognition that identified gaps will be at a very
high level
Security Team
• Even though Security regs are still proposed,
implementation is necessary to support Privacy
• Reviewed and revised NCHICA’s HIPAA
EarlyView Security Assessment Tool
• Reviewed and revised 500+ questions and
glossary
• Attorneys felt outside their comfort zone – felt it
was an IT issue
Transactions and Code Sets Team
• Developed the Transactions and Code Sets
Assessment Tool
• Used North Carolina’s tool as the basis
• Reviewed the questions against the
regulations
• Difficult to interest attorneys in this team
• Small team, yet met deliverables
Non-HIPAA State and Federal Laws Team
• Performed state law preemption analysis
• Developed a paradigm to be applied with regard to
the relationship between HIPAA and other federal
laws, such as the Privacy Act, FOIA, FERPA, etc.
• Reviewed the Privacy Assessment tool and
revised it to reflect the preemption analysis
• Will serve as advisor to Privacy Team through
implementation
Covered Entity Status Report
• Who are the covered entities within State
government?
• Who are the providers, plans and
clearinghouses?
• Who are the business associates, trading
partners and chain of trust partners?
• Who are WV’s health oversight agencies?
HIPAA’s Organizational Requirements
• OHCA
• ACE
• Hybrid entity
Status of Executive Branch HIPAA
Compliance
• Transactions and Code Sets
• Privacy
• Security
Assessment Process for Transactions and
Code Sets, Privacy and Security
• Once the CE survey was turned in to the PMO, HEC
members met with each agency HIPAA
coordinator, gave them the TCS survey, and
trained them on its application and next steps
• The TCS survey was returned to the PMO and input
into a database
• Analysis at component, overall agency and
state levels
• Same process for Privacy and Security
TCS Model Compliance Plans
• Compliance Plan Requirements
- Awareness
- Operational Assessment
- Development and Testing
• Plans filed by WV State Agencies
Privacy Team
• Agency HIPAA Coordinators identified team
members from their agencies – attorneys, policy
writers, IT, training staff, etc.
• Teams formed to:
– Review gaps and make enterprise-wide
recommendations resulting from assessment
– Develop policies and procedures
– Develop Business Associate Agreements
– Serve as a resource to other teams regarding
preemption and other federal laws
– Training
Security Team
• TBD
Implementation Design
• Privacy, Security and Transactions and
Code Sets Teams
• Multi-disciplinary teams
• Goal is to seek enterprise-wide solutions to
promote efficiencies and economies of
scale, while enabling each agency’s HIPAA
compliance
Policies and Procedures
• Policy templates were identified and purchased
• Training modules for the policy writers were
created for each area of the regulations, and an
accompanying schedule was outlined for policy
development to ensure that the April 2003
compliance deadline will be met
• Policy and procedure development, and training
will occur simultaneously
• Agencies will document their policy development,
implementation and training and will submit the
documentation to the HEC
Business Associate Agreements
• Master Business Associate Agreements will
be developed
• All contracts requiring BAAs will be
identified and amended
• Processes for ensuring that all future
contracts are screened for BAAs, and where
needed, are executed
http:/www.wvdhhr.org/hipaa