1/23/02 NC DHHS - HIPAA PMO 1
HIPAA, the Health Information Portability and Accountability Act: Bigger than Y2K?
Presentation for Outlook in the States 2002 Conference
January 23, 2002
Presented By: Sarah Brooks, MPA, RHIA, CPM
NC Dept of Health & Human Services
HIPAA Program Management Office
1/23/02 NC DHHS - HIPAA PMO 2
HIPAA - Administrative Simplification
• Establishes National Standards for
– Electronic Transactions and Code Sets
– Identifiers (Providers, Payers, Employers, Individuals)
– Privacy & Confidentiality
– Security & Electronic Signature
• Provides Patients With Certain Rights
• Cuts Administrative Costs
• Preempts State Laws, Unless More Stringent
1/23/02 NC DHHS - HIPAA PMO 3
HIPAA - Administrative Simplification
Regulation Time Frames
– EDI/TCI Compliance 10/16/03
– Privacy Compliance 4/14/03
– Security Compliance ? 2004
– National Identifiers Compliance ? 2004
1/23/02 NC DHHS - HIPAA PMO 4
Who is Impacted? Covered Entities
• Health Plan (provides or pays the cost of medical care - e.g., Medicaid, HMOs, BC/BS, Medicare, Champus).
• Health Care Clearinghouse (routes electronic data between payers & providers - e.g., billing services).
• Health Care Provider who transmits any health information in an electronic transaction (e.g., Hospitals, Physicians, Public Health Departments, Group Homes, Home Health).
1/23/02 NC DHHS - HIPAA PMO 5
Who is Impacted? Business Associates
• Definition: Person who performs a function or activity on behalf of a covered entity, involving the use and/or disclosure of PHI.
• Must protect PHI and help Covered Entity comply with its obligations under the Privacy Rule
• DO NOT have to comply with HIPAA Privacy Rules
1/23/02 NC DHHS - HIPAA PMO 6
Who is Impacted? Hybrid Entity
• Defined as, “a single legal entity that is a covered entity and whose covered functions are not its primary functions.”
• Most covered government agencies will be hybrid
• Need to identify those health care components within the Hybrid Entity that perform covered functions and other components that would normally be a Business Associate
1/23/02 NC DHHS - HIPAA PMO 7
HIPAA vs. Y2K
• Y2K impacted all information systems; HIPAA impacts health information systems that contain identifying patient data
• Y2K did not require major business process changes; HIPAA will have major impacts on business practices in the healthcare industry
• Once Y2K issues were resolved, consumers were not impacted; HIPAA will impact healthcare consumers
1/23/02 NC DHHS - HIPAA PMO 8
HIPAA vs. Y2K
• During Y2K, healthcare providers and payers relied on vendors, contractors or internal IS staff to resolve the Y2K issues; with HIPAA, the entire organization will be impacted by changes resulting from HIPAA implementation
1/23/02 NC DHHS - HIPAA PMO 9
HIPAA Impact on State and Local Governments
• All state and local agencies that provide or pay for healthcare services need to perform impact assessment
• Government agencies need to determine most efficient and cost-effective approach to address HIPAA compliance
• Government agencies need to budget HIPAA compliance costs
1/23/02 NC DHHS - HIPAA PMO 10
HIPAA Impact on NC DHHS
• The following NC DHHS agencies will be impacted by HIPAA
– Public Health (State Lab, 13 state operated Developmental Evaluation Clinics, 86 Local Public Health Departments)
– Mental Health/Developmental Disabilities/Substance Abuse Services (4 psychiatric hospitals, 5 mental retardation centers, 2 alcohol and drug abuse treatment programs, 1 extended care facility, 38 community-based area programs, 2 SA programs in Division office)
– Medical Assistance (Medicaid program)
– Office of Education (Gov. Morehead School for the Blind)
– Social Services (100 County DSS offices)
– Other divisions in DHHS that provide services on behalf of covered agencies (e.g., Controller’s Office, Info Resource Mgmt)
1/23/02 NC DHHS - HIPAA PMO 11
NC DHHS Approach to HIPAA
• Provide Centralized Management Response
– Establishment of HIPAA Program Management Office (PMO)
– Current PMO staff include 2 state employees and 12+ consultants/retirees
• Appoint HIPAA Coordinators
• Designate HIPAA Attorney
• Develop Communications Plan
1/23/02 NC DHHS - HIPAA PMO 12
NC DHHS Approach to HIPAA
• Assess and Implement Changes
– Business Operations
– Impacted Information Systems
• Develop Enterprise-wide Policies, Procedures and Training
1/23/02 NC DHHS - HIPAA PMO 13
NC DHHS Approach to HIPAA
• Identify Funding Sources
– No Federal Funds Appropriated for HIPAA Implementation
– Submission of Expansion Budget Requests
– Developed Cost Allocation Models to Maximize Federal Funding for Systems/Programs
– Statewide Assessment required by legislature
1/23/02 NC DHHS - HIPAA PMO 14
North Carolina’s Statewide Initiative
• NC DHHS HIPAA PMO assigned responsibility for assessing ALL state agencies
• Senate Bill 1005 - passed - $15 million
• Directed by the Office of State Budget, Planning and Management (OSBPM), Secretary of DHHS, State CIO
– Identify and Document HIPAA Requirements
– Perform Statewide Preliminary Assessments
– Determine Covered Entities
– Establish Timelines and Budgets
• Develop HIPAA Strategic Plan for State and report to General Assembly (Next Steps for Going Forward)
1/23/02 NC DHHS - HIPAA PMO 15
NC DHHS Approach to HIPAA
• Partner with Other Organizations/States to Share Information/Deliverables
– NC Healthcare Information and Communications Alliance (NCHICA) http://www.nchica.org/
– Government Information Value Exchange for States (GIVES) http://www.hipaagives.org/
– Southern HIPAA Administrative Regional Process (SHARP) http://www.sharpworkgroup.com/
1/23/02 NC DHHS - HIPAA PMO 16
NCHICA
• Membership is from public and private sectors
• HIPAA Workgroups in areas of Privacy and Confidentiality; Security (data at rest and data in motion); Transactions/Code Sets
1/23/02 NC DHHS - HIPAA PMO 17
NCHICA Deliverables
• http://www.nchica.org/HIPAA/HIPAA_intro.html
– Presentations
– HIPAA EarlyView™ Security
– HIPAA EarlyView™ Privacy
• The following are under development
– Security Policy and Procedures Matrix
– Security Training Modules - Core Level in test
– Privacy Models (Notice, Consent, Authorization, Business Associate Agreement)
1/23/02 NC DHHS - HIPAA PMO 18
NCHICA Deliverables
– Minimum Necessary Decision Tree
– Review of NC Statutes
– HIPAA Privacy Checklists
• Relationship between NCHICA and DHHS Deliverables
– DHHS Staff are working with NCHICA Focus Groups
– DHHS PMO and Divisions will review and revise various deliverables to better meet DHHS needs
– AG Office review when necessary
1/23/02 NC DHHS - HIPAA PMO 19
GIVES
• HIPAA Program / Project Managers and Staff from State Governments, including:
– Alabama, Alaska, Arizona, Arkansas, California, Colorado, Connecticut, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Missouri, Montana, Nebraska, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Utah, Vermont, Virginia, Washington, Wisconsin
1/23/02 NC DHHS - HIPAA PMO 20
GIVES Goals
• Establish an information clearinghouse via a national web site for exchanging individual state deliverables for HIPAA-related projects, such as:
– Position Descriptions
– Scope Documents
– RFP Samples
– PMO Organizational Structures
– Budget Frameworks
– Assessment Tools
– Work Plan Templates
– Sample Policies and Procedures
• Provide a forum via conference calls for states to discuss and resolve issues related to HIPAA implementation
1/23/02 NC DHHS - HIPAA PMO 21
NC DHHS HIPAA Compliance Process
[Process diagram: six phases, each shown with its guiding questions, key considerations, and process and tools]
• Understanding HIPAA: What is HIPAA? Why do HIPAA? What are the HIPAA requirements?
• Baselining the Organization: Where do we stand vs. these requirements? (i.e., what needs fixing?)
• Planning Compliance Strategies: How do we close the gaps?
• Remediating the Organization: Let’s go fixing
• Validating Compliance: How do we know we’re compliant?
• Maintaining Compliance: How do we stay compliant?
1/23/02 NC DHHS - HIPAA PMO 22
Understanding HIPAA
Key Considerations
– Who needs what information?
– Develop Subject Matter Experts (SMEs) on HIPAA
– Compliance plans needed
– Who is doing what?
Process and Tools
HIPAA Web Site
Awareness training
Participation in external organizations
Expansion Budget
Strategic Plan

• What is HIPAA?
• Why do HIPAA?
• What are the HIPAA Requirements?
1/23/02 NC DHHS - HIPAA PMO 23
DHHS HIPAA Website
• http://dirm.state.nc.us/hipaa/
– Attorney General Opinions
– Assessment Tools
– FAQs
– Calendar of Events
– Presentations
– Resources/Links
– Deliverables
1/23/02 NC DHHS - HIPAA PMO 24
Baselining the Organization
Key Considerations
– Who’s covered?
– Which policies?
– Which procedures?
– Which tools and systems?
– Which people?
Process and Tools
Master Plan
Roles & Responsibilities
BIFA
EDI/TCI assessments
Security/Privacy assessments

Where Do We Stand vs. These Requirements (i.e., What Needs Fixing)?
1/23/02 NC DHHS - HIPAA PMO 25
Planning Compliance Strategies
Key Considerations
– Enterprise vs. Local Fixes
– Risk and Cost/Benefit Analysis
– $how Me the Money
Process and Tools
Enterprise & Individual Compliance Strategies
Technical Infrastructure
Change Management Process & Procedures
Roles & Responsibilities
Scope Matrix
Detailed Workplans

How Do We Close the Gaps?
1/23/02 NC DHHS - HIPAA PMO 26
Remediating the Organization
Key Considerations
– Enterprise Strategies
– Thorough Testing
– Mandated Deadlines
Process and Tools
Testing Strategies
Privacy Related Business Templates
Enterprise Privacy & Security Policies/Procedures
Privacy & Security Related Policy/Procedure Templates

Let’s Go Fixing
1/23/02 NC DHHS - HIPAA PMO 27
Validating Compliance
Key Considerations
– Self-Certification Techniques
– Certification of EDI Transactions
– Security Certification
Process and Tools
Self-Certification Techniques
3rd Party Certifications
Quality Assurance Reviews

How Do We Know We’re Compliant?
1/23/02 NC DHHS - HIPAA PMO 28
Maintaining Compliance
Key Considerations
– Ongoing Training
– Educating Future New DHHS Employees
– Will Need Ongoing Auditing & Certification Practices
– Change Management
Process and Tools
Security/Privacy Maintenance Plans
Enterprise Training Plans
Templates

How Do We Stay Compliant?
1/23/02 NC DHHS - HIPAA PMO 29
Questions?