Disclaimer
This Presentation is provided “as is” without any express or implied warranty. This Presentation is for educational purposes only and does not constitute legal advice. If you require legal advice, you should consult with an attorney.
Healthcare Information Sharing
Managed care organizations; Consulting physicians;
Health insurance companies Life insurance companies; Self-insured employers;
Pharmacies; Pharmacy benefit managers; Clinical laboratories;
State and Federal statistical agencies; and Medical information bureaus Accrediting organizations;
What is Protected Health Information?
Health Information - Is any information gathered by a health care provider, including non-health related data
Protected Health Information - Is Health Information that contains data that may be used to directly or indirectly identify the patientAlso Described As:
Identifiable Health InformationIdentifiable Patient Information
List of Data Elements that would make Health Information Identifiable!
Name Address E-mail address Telephone No. Finger or voice prints Social security number Vehicle/device serial no. Health plan number Certificate/license No.
Names of relatives Names of employers Fax number Birth date Photographic images / X-rays Internet (IP) address Medical record number Account Number Web URL
PHI is Covered by HIPAA, Regardless of Format
Examples: Database or Computer Stored Files E-mail Images or X-rays Conversations Word Documents PDA Stored Information Hand written notes Student Logs Academic Curriculum
The eight steps to HIPPA implementation: project sample time frame
1. Think and Educate 1-3 months
2. Gather Current State Information 2-3 months
3. Risk and Cost/Benefits Analysis 3-6 month
4. Plan 2-3 months
5. Implement 12-24 months
6. Review 2-3 months
7. Certify and Go Live 3-6 months
8. Monitor Ongoing
Total Time 25-48 months
1. THINK AND EDUCATE
The Big ChoicesWhen to start?Centralized vs. Decentralized approach?Sponsorship / Executive LeadershipE-commerce integration?Compliance vs. compliance plus significant benefits
1. THINK AND EDUCATE
Create a HIPAA VisionBusiness officeFinancial performanceReferral managementPatient relations
Billing / collections registration primary statement
Relationship with key trading partners Define goals
1. THINK AND EDUCATE
Proactive Vision E-commerce based Significant reduction in Business Office staff Increased cash flow Reduced bad debt User friendly security technologies HIPAA Security and Privacy aware staff Collaborative relationship with business partners Patient/subscriber friendly Positive consumer public relations Valued business partner relationships
1. THINK AND EDUCATE
Compliance Focused Vision (Provider) HIPAA claims only transacted, forget the rest Increasing Business Office Staff Growing accounts receivable Increased bad debt Complex, hard to use security measures that interfere with
patient care Staff have minimal HIPAA security and privacy awareness Adverse relationship with Business Partners Inadequate systems and administrative policies to support
security and privacy
Sponsors / Steering Committee CEO, CFO, CIO, COO Compliance Officer Risk Management Human Resources Government Relations Chief Information Security Officer General Counsel Privacy Officer
1. THINK AND EDUCATE
1. THINK AND EDUCATE
Sponsors / Steering CommitteePatient RepresentativeSecurity (physical) OfficerE-commerceAdmitting / RegistrationBusiness OfficeMedical RecordsWorkflow / Change Management
1. THINK AND EDUCATE
HIPAA EducationHigh levelManagement levelOngoing through all phasesThree tier strategy
In personInternet / IntranetPaper
1. THINK AND EDUCATE
Project Management Organization (assume enterprise approach)Core staff (few or many)Dedicated project team vs. Shared resourcesMix of staff and consulting resourcesMix of HIPAA and operations knowledgeIndependent Verification and Validation (IVV)Protecting the information
SecurityProtection from discovery
1. THINK AND EDUCATE
HIPAA Scope Definition Suggested Initial Project HIPAA Regulation Scope
Standard Transactions Employer (sponsor) Identifier Provider Identifier Payer Identifier Electronic Attachments Security (Privacy)
Business Applications IS Applications Key Trading Partner identification
HOSPITAL SYSTEMS EFFECTED BY HIPAABusiness Applications
Laboratory Pharmacy Radiology Registration (ADT) Orders Results Credentialling Data Warehouse Cost Accounting
Materials Management Master Person (Patient)
Index Patient Accounting Home Care Nursing home Physician practice Human Resources
HIPAA training management
HOSPITAL SYSTEMS EFFECTED BY HIPAABusiness Applications
Medical Records Coding and Abstracting Chart Tracking Document Imaging
Electronic Medical records
Clinical Data Repository
Demand Management Patient Scheduling Referral Management Other
Not Impacted Payroll General Ledger Accounts Payable
HOSPITAL SYSTEMS EFFECTED BY HIPAABusiness Applications
Department Systems with Patient Specific Information (e.g., Cath lab)
Telecommunication systems that contain patient identifiers, e.g., appointment call system
Any special purpose database or application which includes patient specific information -- e.g. tumor registry
HOSPITAL SYSTEMS EFFECTED BY HIPAAIS Applications
Internet and point-to-point data communications Interface Engine(s) EDI Engine(s) Infrastructure
Firewall Network Security Physical Security Security Policies and Procedures Security Audit Systems Security Technology and Technology Mechanisms
1. THINK AND EDUCATE
Get Involved / Share with PeersHIPAA RegulationsStrategic Implementation Plan (SIP)
Professional AssociationsKey Trading PartnersLocal Networking
2. GATHER CURRENT STATE INFORMATION
Inventory Everything Effected by HIPAA Risk Level Impact Assessment
Categorize risk levelBusiness riskSecurity risk
Flag high cost remediation items
2. GATHER CURRENT STATE INFORMATION
Use Electronic Tools to Document and Manage the ProcessImpact Assessment Inventory databaseTransaction Implementation Guides(Business) Risk / Compliance Management
tracking and documentationProject Management
2. GATHER CURRENT STATE INFORMATION
Cross Reference Regulations Business applications IS applications Work processes Administrative policies and procedures Physical security issues Other
Develop HIPAA Project Plan Eight Steps Develop a mid-level plan with 100-150 tasks Phase by regulation timing Basis for three year plus budget and resources plan
3. RISK AND COST BENEFIT ANALYSIS
Staff Up Technical Legal Workflow Optional development and analysis Change management
Increase Education Activity Think Outside the Box Independent advisors
3. RISK AND COST BENEFIT ANALYSIS
GAP Analysis Quantify Risks
Probability of incidentsImpact per incident
Fines and jail Legal defense/insurance premiums Loss/delayed revenues and staff to rework “Urgent” fix cost and staff time Public image
3. RISK AND COST BENEFIT ANALYSIS
Identify Options to Reduce Each Risk Level of risk reduction (probability) Cost to achieve risk reduction Dependency factors
Cost / Benefit Analysis Identify greatest risk items Identify benefit to cost ratio Analyze items that are interrelated
3. RISK AND COST BENEFIT ANALYSIS
Assess Current Vendors’ HIPAA Readiness Plans and Assurances
Recommendations to Sponsors/Steering Committee Rationale By level of investment
4. PLAN
Develop a Detailed Implementation Plan Include Current HIPAA Knowledge
Internal External
Coordinate with E-Commerce Initiatives Technology Strategy Administrative Strategy
4. PLAN
Issue RFPs to Acquire New Systems if Needed Educate Assure Availability of Implementation Resources Coordinate with Trading Partners
5. IMPLEMENTATION
Implement Changes Transactions and Code Sets Identifiers Security -- Physical Security -- Administrative Security -- Technology and Technology Mechanisms
5. IMPLEMENT
Testing Unit testing Integration testing Testing with trading partners
Document the Risk Mitigation
6. REVIEW
Readiness Review Include Knowledge Gained Since the Plan was
Developed Update to Address Changes in HIPAA Regulations