HIPAA Strategy

Page 1: HIPAA Strategy

HIPAA Strategy

The Planning Process

Page 2: HIPAA Strategy

Presentation Agenda

• Review of HIPAA Objectives
• Overview and Update on the Status of HIPAA
• Components/Objectives of a HIPAA Strategic Plan
• Detailed Review of Each Planning Component
• Questions
• Resources

Page 3: HIPAA Strategy

Review of HIPAA Objectives

Page 4: HIPAA Strategy

Objectives of HIPAA

• To reduce the administrative costs associated with the provision of health care services
• To make the administration of health care services more efficient by:
  • Requiring some transactions to be supported electronically
  • Standardizing those transactions
• To protect individually identifiable health information from:
  • Physical damage/destruction
  • Unauthorized access
  • Misuse or inappropriate disclosure
• This is the first step toward a broader application of e-commerce in health care

Page 5: HIPAA Strategy

HIPAA Overview

HIPAA
• Title I: Health insurance access, portability and renewal
• Title II: Fraud and Abuse; Medical Liability Reform; Administrative Simplification
• Title III: Medical Savings Accounts; Tax deduction provisions
• Title IV: Group health plan provisions
• Title V: Revenue offset provisions

Administrative Simplification
• Electronic Transaction Standards (EDI): for 9 key payor transactions; includes clinical code sets; includes key identifiers
• Security Standards: for protecting electronic health information
• Privacy Standards: to spell out permissible uses of patient identifiable healthcare information

Page 6: HIPAA Strategy

HIPAA Overview

• Each component of HIPAA has proceeded independently through a development, review and approval process
• The lack of forward movement on any one element does not necessarily impede the implementation of others

[Process diagram labels: Public Comment Period; Public Input; Review of Existing Regulations & Standards; Redraft of Rule; Final Rule Published; Regulations Enacted and Enforced; Proposed Rule Released; Still Awaiting Action for Some Elements; 26 Months from Date of Publication]

Page 7: HIPAA Strategy

Applicability

From the Act: “Sec 1172(a) Applicability. Any standard under this part shall apply, in whole or in part, to the following persons:
• A health plan
• A health care clearinghouse
• A health care provider who transmits any health information in electronic form in connection with a transaction referred to in Section 1173(a)(1).”

Page 8: HIPAA Strategy

Provider Responsibilities

Providers governed under HIPAA must:
• Comply with the regulations that impact them no later than the published implementation dates for those rules
• Ensure that vendors are prepared to deliver applications that support EDI and security requirements
• Hold those business partners (vendors and others) with whom patient-identifiable information is shared accountable for complying with the privacy and security regulations that apply to the covered entity
• Develop EDI, Privacy and Security policies and procedures
• Train staff on the Privacy policies and procedures
• Document compliance with applicable regulations

Page 9: HIPAA Strategy

Status of HIPAA Rules

Page 10: HIPAA Strategy

Status of HIPAA Rules

The anticipated dates for HHS issuing new proposed or revised final HIPAA rules:
• The final Security Rule is expected to be released in August of this year
• The Employer Identifier final rule has been drafted and sent to HHS for final review with release expected in June
• The Provider and Payer Identifier final rules are expected around August
• The Patient Information (Claims Attachment) NPRM is expected in August of this year

Page 11: HIPAA Strategy

Updates

The anticipated dates for HHS issuing new proposed or revised final HIPAA rules (cont.):
• A draft regulation for electronic medical records is being developed, which should be available for public review by the end of 2002
• The Doctors First Report of Injury NPRM is also expected sometime this year
• An Enforcement NPRM is expected to be released some time in 2002
• Two proposed revisions to the Transaction and Code Set standards have been published:
  • Changes in the Designated Standard Maintenance Organizations or DSMOs and
  • Removal of NDC codes as the standard for medications

Page 12: HIPAA Strategy

Update Summary

Electronic Transaction Standards (EDI)
• Transactions & Code Sets: Proposed Rule released 5/98; Final Rule published 8/2000; Compliance Date 10/16/2002/03
• Provider ID: Proposed Rule released 5/98; Final Rule expected 8/2002
• Employer ID: Proposed Rule released 6/98; Final Rule expected 6/2002
• Payer ID: Proposed Rule expected 2001; Final Rule expected 8/2002
• Patient ID: Proposed Rule ON HOLD; Final Rule ON HOLD

Security Standards
• Proposed Rule released 8/98; Final Rule expected August 2002

Privacy Standards*
• Proposed Rule: no action by Congress; draft regulation released 11/99
• Final Rule published 12/2000, reconfirmed 4/2001; Compliance Date 4/14/2003

Compliance Date for the remaining standards: 26 months from date final rule is published

* 7/6/01 received First Guidance (not changes) on the final privacy rule
* First proposed changes to the Privacy Rule published on 3/27/02

Page 13: HIPAA Strategy

Components of a HIPAA Strategic Plan

Page 14: HIPAA Strategy


Steps to Compliance

• Organizational Structure

• Education

• Policies and Procedures

• Establish Linkages

• High-level Risk Analysis

• Quick Hit Identification

• Detailed Assessment

• Prioritization

• Project Definition

• Budget Development

• Programming/System Upgrades

• Policy/Process Development

• Contract implementation

• End User Education

• System/Process Testing

• Compliance Audits

• Quality Assurance

• Post Implementation Support

• Regulatory Updates/Changes

Stage 1: Organization and Planning

Stage 2: Assessment and Design

Stage 3: Implementation and Testing

Stage 4: Compliance Monitoring

The key to achieving HIPAA compliance is to take it one manageable stage at a time…

We will be discussing these…

Page 15: HIPAA Strategy

Elements of a HIPAA Strategic Plan

• Develop an organizational structure for implementing HIPAA
• Review corporate initiatives in light of HIPAA
• Educate organizational decision makers on the importance of HIPAA and its impact across the organization
• Develop policies and procedures for Privacy and Security regulations
• Determine links between HIPAA initiatives and organizational strategic initiatives

Page 16: HIPAA Strategy


Elements of a HIPAA Strategic Plan

Determine which EDI standards to use electronically

Conduct a high level risk analysis

Conduct a detailed risk assessment

Prioritize and schedule tasks to accomplish

Develop a budget for implementing HIPAA

Begin the development of policies and procedures for EDI

Page 17: HIPAA Strategy

Stage 1 – Organizational Structure

• Appointment of HIPAA coordinator
• Appointment of Privacy Officer
• Appointment of individual(s) to be responsible for implementing Security regulations
• Provide staff time to prepare for HIPAA
• Establish reporting mechanisms to Administration and the governing body

Page 18: HIPAA Strategy

Sample HIPAA Governance Structure

• Information Systems (Policy and Procedure Web Based Distribution)
• Privacy Officer (Policy Development Oversight, Training)
• HIM (Regulation Impact Analysis)
• Security Responsibility (Policy Development Oversight, Training)
• HR (Policy Development Oversight, Enforcement)
• Legal (Policy Development, “source of truth”)
• HIPAA Coordinator (oversight for assessment, implementation and ongoing monitoring)
• Compliance (Compliance Monitoring and Coordination)
• Others (Other Departments or Functions)
• External Stakeholders (Trading Partners & Business Associates)

Page 19: HIPAA Strategy

Stage 2 – Corporate Initiatives

• Identify strategic initiatives that HIPAA will impact
• These initiatives should be divided into two primary categories: information technology (IT) and business initiatives
• The HIPAA regulations will touch most major clinical, financial and administrative areas within the health system. As such, most of the strategic initiatives will require modification or consideration of the new HIPAA regulations
• Submit request for EDI extension

Page 20: HIPAA Strategy

Stage 3 – Education

• HIPAA 101 - Overview of HIPAA
• HIPAA 201 - Advanced Topics on EDI, Code Sets and Identifiers
• HIPAA 202 - Advanced Privacy Course
• HIPAA 203 - Advanced Security Course

Page 21: HIPAA Strategy

Stage 4 – Policies and Procedures

Develop policies and procedures for:
• Privacy
  • Material from Michael Best and Friedrich to customize
• EDI
  • Dependent upon standard transactions to be used
• Security
  • Health Future IT task force to develop sample policies
• Address HIPAA compliance in organizational HR policies
  • Background checks
  • Sanctions for non-compliance
  • General policies on confidentiality

Page 22: HIPAA Strategy

Stage 5 – Linking Initiatives

• Identify trading partners/business associates
• Develop contractual assurances of HIPAA compliance
• Evaluate vendor preparedness to support HIPAA

Page 23: HIPAA Strategy

Stage 6 – Selection of EDI Standards to Implement

• Develop a plan for transaction implementation
• Initiate cost/benefit analysis to determine which standards will yield most positive results
• Develop a schedule for implementation
• Determine resources required for implementation
• Submit request for EDI extension prior to October 16, 2002

Page 24: HIPAA Strategy

Stage 7 – Risk Assessment

• Conduct a high level risk analysis and initiate “quick hit” remediation
• Assign responsibility for EDI, Privacy and Security assessments
• Conduct detailed assessment tool training
• Perform assessments
• Define the boundaries of “acceptable risk”

Page 25: HIPAA Strategy

High-level Risk Analysis

A high-level analysis of the current environment from an EDI, Privacy, and Security perspective to see where the largest gaps are would include questions like those below:
• What electronic systems are in place for billing/clinical/medical records?
• How many clearinghouses (if any) are used?
• Are business associates/trading partners HIPAA compliant?
• Which of the 7 approved standard transactions are being done?
• Will PHI be accessible to physicians off-site?
• Are security policies in place that meet the categories outlined in the proposed rule?
• How much data sharing is currently allowable in the system?
• Are there system access controls and audit functions?
• What is the level of complexity of systems across the network?
• Do users have unique IDs and passwords and do they share?

Page 26: HIPAA Strategy


Stage 8 – Preliminary Budget

Summarize compliance gaps identified through the risk assessment

Develop operating budget for incremental labor costs and savings

Develop capital budget for HIPAA compliance

Page 27: HIPAA Strategy

Stage 9 – Project Definition

• Review results of the assessment
• Prioritize tasks to achieve compliance
• Assign responsibility for compliance projects

Page 28: HIPAA Strategy

Stage 1 - Project Timeline

[Timeline chart, May through December: Establish Linkages; Risk Assessment; Budget; Project Definition; Education; Transaction Selection; Corporate Initiatives; Policies and Procedures]

Page 29: HIPAA Strategy

Initiate Prioritization

Page 30: HIPAA Strategy

How to Prioritize HIPAA Initiatives

HIPAA activities need to be prioritized using several factors, for example:
• Compliance deadlines
• Potential for enforcement
• Budget constraints (cost/benefit)
• Resource constraints/requirement for external resources
• Organizational readiness
• Organizational impact
• Integration with other projects
• Enterprise-wide importance

Page 31: HIPAA Strategy

Sample Immediate Initiatives

• HIPAA Governance Model
  • Solidify organizational responsibility for the development of regulatory policies and procedures, approval processes, enforcement and oversight of all organizational HIPAA initiatives
• Policy and Procedure Documentation
  • Initiate the development of, and update, policies and procedures to meet HIPAA requirements and establish the organization’s “defensible position”
• Business Associates and Trading Partners
  • Inventory contracts and identify organizations that are business associates and trading partners with whom protected health information is shared

Page 32: HIPAA Strategy

Sample High Priority Initiatives

• Implement/Update Standard Transaction Sets
  • Transition to HIPAA-compliant versions of those transactions being performed electronically today
• Implement/Update Standard Code Sets
  • Clean up proprietary clinical codes to align with HIPAA code sets
  • Purchase additional code sets if needed
• Remediate Applications
  • Remediate applications to HIPAA compliant versions

Page 33: HIPAA Strategy

Sample Medium Priority Initiatives

• Staff Education
  • Conduct general and detailed HIPAA education
• Privacy Documentation Requirements
  • Develop documents required to comply with Privacy regulations
  • Utilize documents developed by the WSHA and other business partners that are recommended for use statewide
• Focused Strategy & Assessment
  • Determine strategic approach to HIPAA and complete focused HIPAA assessments to determine compliance gaps and scope implementation efforts
• Communication Plan
  • Establish communication methods and begin to conduct HIPAA education and distribute documentation

Page 34: HIPAA Strategy


Ranking Definitions

Page 35: HIPAA Strategy


Initiatives Prioritization Matrix

Page 36: HIPAA Strategy


Questions and Discussion


Page 37: HIPAA Strategy

Resources

Page 38: HIPAA Strategy

Resources

Association for Electronic Health Care Transactions (AFEHCT): Impacts of HIPAA (particularly EDI); Security Self-Evaluation Checklist
http://www.afehct.org

American Health Information Management Association (AHIMA): Benchmark information and case studies; Interim Steps for Getting Started
http://www.ahima.org/hipaa.html

American Society for Testing and Materials (ASTM): Standards guides for security
http://www.astm.org

Center for Healthcare Information Management (CHIM): Up-to-date industry perspective on proposed rules and their status
http://www.chim.org

Computer-Based Patient Record Institute (CPRI): CPRI Security Toolkit
http://www.cpri-host.org

Department of Health and Human Services HIPAA Administrative Simplification: Latest News on Regulations; Current proposed and final rules
http://aspe.hhs.gov/admnsimp/index.htm

Electronic Healthcare Network Accreditation Commission (EHNAC): Certification Program for HIPAA Compliance (under development)
http://www.ehnac.org

Page 39: HIPAA Strategy

Resources (cont.)

For the Record: Protecting Electronic Health Information (National Academy Press, 1997), 800-624-6242: Full Report
http://www.nap.edu

Health Privacy Forum: Comparison of Privacy proposed and final rules; Comparison of state privacy laws
http://www.healthprivacy.org

HIMSS: Protecting the Security and Confidentiality of Healthcare Information (Volume 12, Number 1, Spring 1998): Articles
http://www.himss.org

HIPAA Home Page
http://www.hcfa.gov/hipaa/hippahm.htm

HIPAA Transaction Implementation Guides from the Washington Publishing Company
http://www.wpc-edi.com

Joint Healthcare Information Technology Alliance (JHITA): Summary of Privacy rules; Upcoming HIPAA conferences
http://www.jhita.org

Links to other HIPAA sites
http://www.hcfa.gov/medicare/edi/hipaaedi.htm

Medicare EDI
http://www.hcfa.gov/medicare/edi/edi.htm

Page 40: HIPAA Strategy

Resources (cont.)

National Uniform Billing Committee
http://www.nubc.org

National Uniform Claims Committee
http://www.nucc.org

Washington Publishing Company: ANSI ASC X12N HIPAA Implementation Guides
http://www.wpc-edi.com/hipaa

Subscribe to email release of HIPAA documents (such as notice of proposed rule making)
http://www.hcfa.gov/medicare/edi/admnlist.htm

Workgroup for Electronic Data Interchange (WEDI): Details of SNIP effort (Strategic National Implementation Pilot)
http://www.wedi.org