HIPAA Strategy Overview - Association of Washington Public

advertisement
HIPAA Strategy
Methodologies and Tools
Presentation Agenda
 Review of HIPAA Objectives
 Overview and Update on the Status of HIPAA
 Components/Objectives of a HIPAA Strategic Plan
 Detailed Review of Each Planning Component
 Questions
 Resources
1
Review of HIPAA Objectives
Objectives of HIPAA
 To reduce the administrative costs associated with the
provision of health care services
 To make the administration of health care services more
efficient by:
 Requiring some transactions to be supported electronically
 Standardizing those transactions

To protect individually identifiable health information
from:
 Physical damage/destruction
 Unauthorized access
 Misuse or inappropriate disclosure
 This is the first step toward a broader application of e-
commerce in health care
3
HIPAA Overview
HIPAA
Title I
 Health
insurance
access,
portability and
renewal
Title II
 Fraud and Abuse
 Medical Liability
Reform
 Administrative
Simplification
Title III
Title IV
Title V
 Medical Savings
 Group health
 Revenue
Accounts
 Tax deduction
provisions
Electronic
Transaction
Standards (EDI)
Security
Standards
Privacy
Standards
4
plan
provisions
 For 9 key payor
transactions
 Includes clinical code sets
 Includes key identifiers
 For protecting electronic
health information
 To spell out permissible
uses of patient identifiable
healthcare information
offset
provisions
HIPAA Overview
 Each component of HIPAA has proceeded independently
through a development, review and approval process
Review of
Existing
Regulations
& Standards
Pu
blic
Inp
ut
Proposed
Rule
Released
Public
Com
ment
Perio
d
Red
raft
of
Rule
Final
Rule
Publis
hed
Still
Awaiting
Action
for Some
Elements
Regulatio
ns
Enacted
And
Enforced
26 Months
from Date
of
Publication
 The lack of forward movement on any one element does
not necessarily impede the implementation of others
5
Applicability
 From the Act: “Sec 1172(a) Applicability. Any standard
under this part shall apply, in whole or in part, to the
following persons:
 A health plan
 A health care clearinghouse
 A health care provider who transmits any health
information in electronic form in connection with a
transaction referred to in Section 1173(a)91.”
6
Provider Responsibilities
 Providers governed under HIPAA must:
 Comply with the regulations that impact them no later than
the published implementation dates for those rules
 Ensure that vendors are prepared to deliver applications
that support EDI and security requirements
 Hold those business partners (vendors and others) with
whom patient-identifiable information is shared accountable
for complying with the privacy and security regulations that
apply to the covered entity
 Develop EDI, Privacy and Security policies and procedures
 Train staff on the Privacy policies and procedures
 Document compliance with applicable regulations
7
Status of HIPAA Rules
Status of HIPAA Rules
 The anticipated dates for HHS issuing new proposed or
revised final HIPAA rules
 The final Security Rule is expected to be released in August
of this year
 The Employer Identifier final rule has been drafted and sent
to HHS for final review with release expected in June
 The Provider and Payer Identifier final rules are expected
around August
 The Patient Information (Claims Attachment) NPRM is
expected in August of this year
9
Updates
 The anticipated dates for HHS issuing new proposed or
revised final HIPAA rules (con’t)
 A draft regulation for electronic medical records is being
developed, which should be available for public review by
the end of 2002
 The Doctors First Report of Injury NPRM is also expected
sometime in 2002
 An Enforcement NPRM is expected to be released some
time in 2002
 Two proposed revisions to the Transaction and Code Set
standards are expected any time now
• Changes in the Designated Standard Maintenance
Organizations or DSMOs and
• Removal of NDC codes as the standard for medications
10
Update Summary
Proposed
Rule
Electronic
Transaction
Standards
(EDI)





Security
Standards
Privacy
Standards*
Transactions
& Code Sets
Provider ID
Employer ID
Payer ID
Patient ID
Final
Rule

Released 5/98

Published 8/2000



Released 5/98
Released 6/98
Expected 2001
ON HOLD
Expected 8/2002
Expected 6/2002
Expected 8/2002
ON HOLD

Released 8/98

Expected August
2002

No action by
Congress; draft
regulation
released 11/99

Published 12/2000
Reconfirmed
4/2001






Compliance
Date

10/16/2002/03

26 months from
date final rule is
published

4/14/2003
• 7/6/01 received First Guidance (not changes) on the final privacy rule
• First proposed changes to the Privacy Rule published on 3/27/02
11
Components of a HIPAA
Strategic Plan
Steps to Compliance
The key to achieving HIPAA compliance is to take it one
manageable stage at a time…
Stage 1:
Organization
and Planning
Stage 2:
Assessment and
Design
• Organizational
Structure
• Detailed
Assessment
• Programming/
System Upgrades
• Education
• Prioritization
• Policies and
Procedures
• Project Definition
• Policy/Process
Development
• Establish Linkages
• Budget
Development
• High-level Risk
Analysis
• Quick Hit
Identification
We will be discussing these…
13
Stage 3:
Implementation
and Testing
• Contract
implementation
• End User
Education
• System/Process
Testing
Stage 4:
Compliance
Monitoring
• Compliance Audits
• Quality Assurance
• Post
Implementation
Support
• Regulatory
Updates/Changes
Elements of a HIPAA Strategic Plan
 Develop an organizational structure for implementing
HIPAA
 Review corporate initiatives in light of HIPAA
 Educate organizational decision makers on the importance
of HIPAA and its impact across the organization
 Develop policies and procedures for Privacy and Security
regulations
 Determine links between HIPAA initiatives and
organizational strategic initiatives
14
Elements of a HIPAA Strategic Plan
 Determine which EDI standards to use electronically
 Conduct a high level risk analysis
 Conduct a detailed risk assessment
 Prioritize and schedule tasks to accomplish
 Develop a budget for implementing HIPAA
15
Stage 1 – Organizational Structure
 Appointment of HIPAA coordinator
 Appointment of Privacy Officer
 Appointment of individual(s) to be responsible for
implementing Security regulations
 Provide staff time to prepare for HIPAA
 Establish reporting mechanisms to Administration and the
governing body
16
Sample HIPAA Governance Structure
HIPAA Coordinator
(oversight for assessment, implementation and ongoing monitoring)
17
Legal
(Policy Development,
“source of truth”)
Privacy Officer
(Policy Development
Oversight, Training )
Security Responsibility
(Policy Development
Oversight, Training )
HIM
(Regulation Impact
Analysis)
HR
(Policy Development
Oversight, Enforcement)
Information Systems
(Policy and Procedure
Web Based Distribution)
Compliance
(Compliance Monitoring
and Coordination)
External Stakeholders
(Trading Partners &
Business Associates)
Others
(Other Departments
or Functions)
Stage 2 – Corporate Initiatives
 Identify strategic initiatives that HIPAA will impact
 These initiatives should be divided into two primary
categories; information technology (IT) and business
initiatives
 The HIPAA regulations will touch most major clinical,
financial and administrative areas within the health
system. As such, most of the strategic initiatives will
require modification or consideration of the new HIPAA
regulations
 Develop a plan for transaction implementation
 Initiate cost/benefit analysis to determine which standards
will yield most positive results
 Determine resources required for implementation
 Submit request for EDI extension
18
Stage 3 – Education
 HIPAA 101 - Overview of HIPAA
 HIPAA 201 - Advanced Topics on EDI, Codes Sets and
Identifiers
 HIPAA 202 - Advanced Privacy Course
 HIPAA 203 - Advanced Security Course
19
Stage 4 – Policies and Procedures
 Develop policies and procedures for:
 Privacy
• Material from Michael Best and Friedrich to customize
 EDI
• Dependent upon standard transactions to be used
 Security
• Health Future IT task force to develop sample policies
 Address HIPAA compliance in organizational HR policies
• Background checks
• Sanctions for non-compliance
• General policies on confidentiality
20
Stage 5 – Linking Initiatives
 Identify trading partners/business associates
 Develop contractual assurances of HIPAA compliance
 Evaluate vendor preparedness to support HIPAA
21
Stage 6 – Selection of EDI Standards
to Implement
 Develop a plan for transaction implementation
 Initiate cost/benefit analysis to determine which standards
will yield most positive results
 Develop a schedule for implementation
 Determine resources required for implementation
 Submit request for EDI extension
 Prior to October 16, 2002
22
Stage 7 – Risk Assessment
 Conduct a high level risk analysis and initiate “quick hit”
remediation
 Assign responsibility for EDI, Privacy and Security
assessments
 Conduct detailed assessment tool training
 Perform assessments
 Define the boundaries of “acceptable risk”
23
High-level Risk Analysis
 A high-level analysis of the current environment from
an EDI, Privacy, and Security perspective to see
where the largest gaps are would include questions
like those below:
 What electronic systems are in place for billing/clinical/medical
records?
 How many clearinghouses (if any) are used?
 Are business associates/trading partners HIPAA compliant?
 Which of the 7 approved standard transactions are being done?
 What is the make-up of the IT infrastructure?
 Are security policies in place that meet the categories outlined in
the proposed rule?
 How much data sharing is currently allowable in the system?
 Are there system access controls and audit functions?
 What is the level of complexity of systems across the network?
 Do users have unique ID’s and passwords and do they share?
24
Stage 8 – Preliminary Budget
 Summarize compliance gaps identified through the risk
assessment
 Develop operating budget for incremental labor costs and
savings
 Develop capital budget for HIPAA compliance
25
Stage 9 – Project Definition
 Review results of compliance assessment
 Prioritize tasks to achieve compliance
 Assign responsibility for compliance projects
26
Stage 1 - Project Timeline
May
June
July
August
Sept
Oct
Nov
Dec
Education
Corporate Initiatives
Policies and Procedures
Establish Linkages
Transaction Selection
Risk Assessment
Budget
Project Definition
27
Initiate Prioritization
How to Prioritize HIPAA Initiatives
 HIPAA activities need to be prioritized using several
factors, for example:








29
Compliance deadlines
Potential for enforcement
Budget constraints (cost/benefit)
Resource constraints/requirement for external resources
Organizational readiness
Organizational impact
Integration with other projects
Enterprise-wide importance
Sample Immediate Initiatives
 HIPAA Governance Model
 Solidify organizational responsibility for the development of
regulatory policies and procedures, approval processes,
enforcement and oversight of all organizational HIPAA
initiatives
 Policy and Procedure Documentation
 Initiate the development of, and update policies and
procedures to meet HIPAA requirements and establish the
organization’s “defensible position”
 Business Associates
 Inventory contracts and identify organizations that are
business associates and trading partners with whom
protected health information is shared
30
Sample High Priority Initiatives
 Implement/Update Standard Transaction Sets
 Transition to HIPAA-compliant versions of those transactions
being performed electronically today
 Implement/Update Standard Code Sets
 Clean-up proprietary Clinical Codes to align with HIPAA
code sets
 Purchase additional code sets if needed
 Remediate Applications
 Remediate applications to HIPAA compliant versions
31
Sample Medium Priority Initiatives
 Staff Education
 Conduct general and detailed HIPAA education
 Privacy Documentation Requirements
 Develop documents required to comply with Privacy
regulations
 Utilize documents developed by the WSHA and other
business partners that are recommended for use statewide
 Focused Strategy & Assessment
 Determine strategic approach to HIPAA and complete
focused HIPAA assessments to determine compliance gaps
and scope implementation efforts
 Communication Plan
 Establish communication methods and begin to distribute
HIPAA education and strategic documentation
32
Ranking Definitions
33
Initiatives Prioritization Matrix
34
Questions and Discussion
? ??
??
?
? ?
35
Resources
Resources
37
Association for Electronic Health Care Transactions (AFEHCT):
Impacts of HIPAA (particularly EDI)
Security Self-Evaluation Checklist
http://www.afehct.org
American Health Information Management Association (AHIMA):
Benchmark information and case studies
Interim Steps for Getting Started
http://www.ahima.org/hipaa.html
American Society for Testing and Materials (ASTM):
Standards guides for security
http://www.astm.org
Center for Healthcare Information Management (CHIM):
Up-to-date industry perspective on proposed rules and their
status
http://www.chim.org
Computer-Based Patient Record Institute (CPRI):
CPRI Security Toolkit
http://www.cpri-host.org
Department of Health and Human Services HIPAA Administrative
Simplification:
Latest News on Regulations
Current proposed and final rules
http://aspe.hhs.gov/admnsimp/index.htm
Electronic Healthcare Network Accreditation Commission (EHNAC):
Certification Program for HIPAA Compliance (under development)
http://www.ehnac.org
Resources (cont.)
For the Record: Protecting Electronic Health
Information (National Academy Press, 1997) 800-
http://www.nap.edu
624-6242
Full Report
Health Privacy Forum
http://www.healthprivacy.org
Comparison of Privacy proposed and final rules
Comparison of state privacy laws
HIMSS: Protecting the Security and Confidentiality of
Healthcare Information (Volume 12, Number 1,
Spring 1998)
http://www.himss.org
Articles
HIPAA Home Page
http://www.hcfa.gov/hipaa/hippahm.htm
HIPAA Transaction Implementation Guides from the
Washington Publishing Company
http://www.wpc-edi.com
Joint Healthcare Information Technology Alliance
(JHITA)
http://www.jhita.org
Summary of Privacy rules
Upcoming HIPAA conferences
38
Links to other HIPAA sites
http://www.hcfa.gov/medicare/edi/hipaaedi.htm
Medicare EDI
http://www.hcfa.gov/medicare/edi/edi.htm
Resources (cont.)
National Uniform Billing Committee
http://www.nubc.org
National Uniform Claims Committee
http://www.nucc.org
Washington Publishing Company
http://www.wpc-edi.com/hipaa
ANSI ASC X12N HIPAA Implementation Guides
Subscribe to email release of HIPAA documents (such as notice
of proposed rule making)
http://www.hcfa.gov/medicare/edi/a
dmnlist.htm
Workgroup for Electronic Data Interchange (WEDI):
http://www.wedi.org
Details of SNIP effort (Strategic National Implementation Pilot)
39
Download