1/23/02 NC DHHS - HIPAA PMO: HIPAA, the Health Information Portability and Accountability Act: Bigger...

1/23/02 NC DHHS - HIPAA PMO 1. HIPAA, the Health Information Portability and Accountability Act: Bigger than Y2K? Presentation for Outlook in the States 2002 Conference, January 23, 2002. Presented By: Sarah Brooks, MPA, RHIA, CPM, NC Dept of Health & Human Services, HIPAA Program Management Office

Transcript of 1/23/02 NC DHHS - HIPAA PMO: HIPAA, the Health Information Portability and Accountability Act: Bigger...

Page 1: HIPAA, the Health Information Portability and Accountability Act: Bigger than Y2K? Presentation for Outlook in the States 2002.

1/23/02 NC DHHS - HIPAA PMO 1

HIPAA, the Health Information Portability and Accountability Act: Bigger than Y2K?

Presentation for Outlook in the States 2002 Conference

January 23, 2002

Presented By: Sarah Brooks, MPA, RHIA, CPM

NC Dept of Health & Human Services

HIPAA Program Management Office

Page 2: HIPAA - Administrative Simplification

Establishes National Standards for
– Electronic Transactions and Code Sets
– Identifiers (Providers, Payers, Employers, Individuals)
– Privacy & Confidentiality
– Security & Electronic Signature

Provides Patients With Certain Rights

Cuts Administrative Costs

Preempts State Laws, Unless More Stringent

Page 3: HIPAA - Administrative Simplification

Regulation Time Frames
– EDI/TCI: Compliance 10/16/03
– Privacy: Compliance 4/14/03
– Security: Compliance ? 2004
– National Identifiers: Compliance ? 2004

Page 4: Who is Impacted? Covered Entities

Health Plan (provides or pays the cost of medical care - e.g., Medicaid, HMOs, BC/BS, Medicare, Champus).

Health Care Clearinghouse (routes electronic data between payers & providers - e.g., billing services).

Health Care Provider who transmits any health information in an electronic transaction (e.g., Hospitals, Physicians, Public Health Departments, Group Homes, Home Health).

Page 5: Who is Impacted? Business Associates

Definition: Person who performs a function or activity on behalf of a covered entity, involving the use and/or disclosure of PHI.

Must protect PHI and help Covered Entity comply with its obligations under the Privacy Rule

DO NOT have to comply with HIPAA Privacy Rules

Page 6: Who is Impacted? Hybrid Entity

Defined as, “a single legal entity that is a covered entity and whose covered functions are not its primary functions.”

Most covered government agencies will be hybrid

Need to identify those health care components within the Hybrid Entity that perform covered functions and other components that would normally be a Business Associate

Page 7: HIPAA vs. Y2K

Y2K impacted all information systems; HIPAA impacts health information systems that contain identifying patient data

Y2K did not require major business process changes; HIPAA will have major impacts on business practices in the healthcare industry

Once Y2K issues were resolved, consumers were not impacted; HIPAA will impact healthcare consumers

Page 8: HIPAA vs. Y2K

During Y2K, healthcare providers and payers relied on vendors, contractors or internal IS staff to resolve the Y2K issues; with HIPAA, the entire organization will be impacted by changes resulting from HIPAA implementation

Page 9: HIPAA Impact on State and Local Governments

All state and local agencies that provide or pay for healthcare services need to perform impact assessment

Government agencies need to determine most efficient and cost-effective approach to address HIPAA compliance

Government agencies need to budget HIPAA compliance costs

Page 10: HIPAA Impact on NC DHHS

The following NC DHHS agencies will be impacted by HIPAA
– Public Health (State Lab, 13 state operated Developmental Evaluation Clinics, 86 Local Public Health Departments)
– Mental Health/Developmental Disabilities/Substance Abuse Services (4 psychiatric hospitals, 5 mental retardation centers, 2 alcohol and drug abuse treatment programs, 1 extended care facility, 38 community-based area programs, 2 SA programs in Division office)
– Medical Assistance (Medicaid program)
– Office of Education (Gov. Morehead School for the Blind)
– Social Services (100 County DSS offices)
– Other divisions in DHHS that provide services on behalf of covered agencies (e.g., Controller’s Office, Info Resource Mgmt)

Page 11: NC DHHS Approach to HIPAA

Provide Centralized Management Response
– Establishment of HIPAA Program Management Office (PMO)
    Current PMO staff include 2 state employees and 12+ consultants/retirees

Appoint HIPAA Coordinators

Designate HIPAA Attorney

Develop Communications Plan

Page 12: NC DHHS Approach to HIPAA

Assess and Implement Changes
– Business Operations
– Impacted Information Systems

Develop Enterprise-wide Policies, Procedures and Training

Page 13: NC DHHS Approach to HIPAA

Identify Funding Sources
– No Federal Funds Appropriated for HIPAA Implementation
– Submission of Expansion Budget Requests
– Developed Cost Allocation Models to Maximize Federal Funding for Systems/Programs
– Statewide Assessment required by legislature

Page 14: North Carolina’s Statewide Initiative

NC DHHS HIPAA PMO assigned responsibility for assessing ALL state agencies

Senate Bill 1005 - passed - $15 million

Directed by the Office of State Budget, Planning and Management (OSBPM), Secretary of DHHS, State CIO
– Identify and Document HIPAA Requirements
– Perform Statewide Preliminary Assessments
– Determine Covered Entities
– Establish Timelines and Budgets

Develop HIPAA Strategic Plan for State and report to General Assembly (Next Steps for Going Forward)

Page 15: NC DHHS Approach to HIPAA

Partner with Other Organizations/States to Share Information/Deliverables
– NC Healthcare Information and Communications Alliance (NCHICA) http://www.nchica.org/
– Government Information Value Exchange for States (GIVES) http://www.hipaagives.org/
– Southern HIPAA Administrative Regional Process (SHARP) http://www.sharpworkgroup.com/

Page 16: NCHICA

Membership is from public and private sectors

HIPAA Workgroups in areas of Privacy and Confidentiality; Security (data at rest and data in motion); Transactions/Code Sets

Page 17: NCHICA Deliverables

http://www.nchica.org/HIPAA/HIPAA_intro.html
– Presentations
– HIPAA EarlyView™ Security
– HIPAA EarlyView™ Privacy

The following are under development
– Security Policy and Procedures Matrix
– Security Training Modules - Core Level in test
– Privacy Models (Notice, Consent, Authorization, Business Associate Agreement)

Page 18: NCHICA Deliverables

– Minimum Necessary Decision Tree
– Review of NC Statutes
– HIPAA Privacy Checklists

Relationship between NCHICA and DHHS Deliverables
– DHHS Staff are working with NCHICA Focus Groups
– DHHS PMO and Divisions will review and revise various deliverables to better meet DHHS needs
– AG Office review when necessary

Page 19: GIVES

HIPAA Program / Project Managers and Staff from State Governments, including:
– Alabama, Alaska, Arizona, Arkansas, California, Colorado, Connecticut, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Missouri, Montana, Nebraska, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Utah, Vermont, Virginia, Washington, Wisconsin

Page 20: GIVES Goals

Establish an information clearinghouse via a national web site for exchanging individual state deliverables for HIPAA-related projects, such as:
– Position Descriptions
– Scope Documents
– RFP Samples
– PMO Organizational Structures
– Budget Frameworks
– Assessment Tools
– Work Plan Templates
– Sample Policies and Procedures

Provide a forum via conference calls for states to discuss and resolve issues related to HIPAA implementation

Page 21: NC DHHS HIPAA Compliance Process

Understanding HIPAA
• What is HIPAA
• Why do HIPAA
• What are the HIPAA requirements?
Key considerations
• Who needs what information?
• Develop SMEs on HIPAA
• Compliance plans needed
• Who is doing what?
Process and Tools
HIPAA Web Site
Awareness training
Participation in external organizations
Expansion Budget
Strategic Plan

Baselining the Organization
• Where do we stand vs. these requirements? (i.e., what needs fixing?)
Key considerations
• Who’s covered?
• Which policies?
• Which procedures?
• Which tools and systems?
• Which people?
Process and Tools
Master Plan
Roles & Responsibilities
BIFA
EDI/TCI assessments
Security/Privacy assessments

Planning Compliance Strategies
• How do we close the gaps?
Key considerations
• Enterprise vs. local fixes
• Risk and cost/benefit analysis
• $how me the money
Process and Tools
Enterprise & Individual Compliance Strategies
Technical infrastructure
Change management process & procedures
Roles & responsibilities
Scope matrix
Detailed Work-plans

Remediating the Organization
• Let’s go fixing
Key considerations
• Enterprise strategies
• Thorough testing
• Mandated deadlines
Process and Tools
Testing Strategies
Privacy related business templates
Enterprise privacy & security policies/proc
Privacy & security related policy/proc templates

Validating Compliance
• How do we know we’re compliant?
Key considerations
• Self-certification techniques
• Certification of EDI transactions
• Security certifications
Process and Tools
Self-certification Techniques
3rd party certifications
quality assurance reviews

Maintaining Compliance
• How do we stay compliant?
Key considerations
• Ongoing training
• Educating future new DHHS employees
• Will need ongoing auditing & certification practices
• Change Management
Process and Tools
Security/privacy maintenance plans
Enterprise Training Plans
Templates

Page 22: Understanding HIPAA

• What is HIPAA?
• Why do HIPAA?
• What are the HIPAA Requirements?

Key Considerations
– Who needs what information?
– Develop Subject Matter Experts (SMEs) on HIPAA
– Compliance plans needed
– Who is doing what?

Process and Tools
HIPAA Web Site
Awareness training
Participation in external organizations
Expansion Budget
Strategic Plan

Page 23: DHHS HIPAA Website

http://dirm.state.nc.us/hipaa/
– Attorney General Opinions
– Assessment Tools
– FAQs
– Calendar of Events
– Presentations
– Resources/Links
– Deliverables

Page 24: Baselining the Organization

Where Do We Stand vs. These Requirements (i.e., What Needs Fixing)?

Key Considerations
– Who’s covered?
– Which policies?
– Which procedures?
– Which tools and systems?
– Which people?

Process and Tools
Master Plan
Roles & Responsibilities
BIFA
EDI/TCI assessments
Security/Privacy assessments

Page 25: Planning Compliance Strategies

How Do We Close the Gaps?

Key Considerations
– Enterprise vs. Local Fixes
– Risk and Cost/Benefit Analysis
– $how Me the Money

Process and Tools
Enterprise & Individual Compliance Strategies
Technical Infrastructure
Change Management Process & Procedures
Roles & Responsibilities
Scope Matrix
Detailed Workplans

Page 26: Remediating the Organization

Let’s Go Fixing

Key Considerations
– Enterprise Strategies
– Thorough Testing
– Mandated Deadlines

Process and Tools
Testing Strategies
Privacy Related Business Templates
Enterprise Privacy & Security Policies/Procedures
Privacy & Security Related Policy/Procedure Templates

Page 27: Validating Compliance

How Do We Know We’re Compliant?

Key Considerations
– Self-Certification Techniques
– Certification of EDI Transactions
– Security Certification

Process and Tools
Self-Certification Techniques
3rd Party Certifications
Quality Assurance Reviews

Page 28: Maintaining Compliance

How Do We Stay Compliant?

Key Considerations
– Ongoing Training
– Educating Future New DHHS Employees
– Will Need Ongoing Auditing & Certification Practices
– Change Management

Process and Tools
Security/Privacy Maintenance Plans
Enterprise Training Plans
Templates

Page 29: Questions

???????