HIPAA Strategy - PowerPoint PPT Presentation

1 / 40
About This Presentation

HIPAA Strategy


The key to achieving HIPAA compliance is to take it one manageable stage at a time... HIPAA Home Page. http://www.himss.org ... – PowerPoint PPT presentation

Number of Views:205
Avg rating:3.0/5.0
Slides: 41
Provided by: bradp1
Tags: hipaa | capital | home | one | page | strategy


Transcript and Presenter's Notes

Title: HIPAA Strategy

HIPAA Strategy
  • The Planning Process

Presentation Agenda
  • Review of HIPAA Objectives
  • Overview and Update on the Status of HIPAA
  • Components/Objectives of a HIPAA Strategic Plan
  • Detailed Review of Each Planning Component
  • Questions
  • Resources

Review of HIPAA Objectives
Objectives of HIPAA
  • To reduce the administrative costs associated
    with the provision of health care services
  • To make the administration of health care
    services more efficient by
  • Requiring some transactions to be supported
  • Standardizing those transactions
  • To protect individually identifiable health
    information from
  • Physical damage/destruction
  • Unauthorized access
  • Misuse or inappropriate disclosure
  • This is the first step toward a broader
    application of e-commerce in health care

HIPAA Overview
Title I
Title II
Title III
Title IV
Title V
  • Health insurance access, portability and renewal
  • Fraud and Abuse
  • Medical Liability Reform
  • Administrative Simplification
  • Medical Savings Accounts
  • Tax deduction provisions
  • Group health plan provisions
  • Revenue offset provisions
  • For 9 key payor transactions
  • Includes clinical code sets
  • Includes key identifiers

Electronic Transaction Standards (EDI)
Security Standards
  • For protecting electronic health information
  • To spell out permissible uses of patient
    identifiable healthcare information

HIPAA Overview
  • Each component of HIPAA has proceeded
    independently through a development, review and
    approval process
  • The lack of forward movement on any one element
    does not necessarily impede the implementation of

Public Comment Period
Public Input
Review of Existing Regulations Standards
Redraft of Rule
Final Rule Published
Regulations Enacted And Enforced
ProposedRule Released
26 Months from Date of Publication
Still Awaiting Action for Some Elements
  • From the Act Sec 1172(a) Applicability. Any
    standard under this part shall apply, in whole or
    in part, to the following persons
  • A health plan
  • A health care clearinghouse
  • A health care provider who transmits any health
    information in electronic form in connection with
    a transaction referred to in Section 1173(a)91.

Provider Responsibilities
  • Providers governed under HIPAA must
  • Comply with the regulations that impact them no
    later than the published implementation dates for
    those rules
  • Ensure that vendors are prepared to deliver
    applications that support EDI and security
  • Hold those business partners (vendors and others)
    with whom patient-identifiable information is
    shared accountable for complying with the privacy
    and security regulations that apply to the
    covered entity
  • Develop EDI, Privacy and Security policies and
  • Train staff on the Privacy policies and
  • Document compliance with applicable regulations

Status of HIPAA Rules
Status of HIPAA Rules
  • The anticipated dates for HHS issuing new
    proposed or revised final HIPAA rules
  • The final Security Rule is expected to be
    released in August of this year
  • The Employer Identifier final rule has been
    drafted and sent to HHS for final review with
    release expected in June
  • The Provider and Payer Identifier final rules are
    expected around August
  • The Patient Information (Claims Attachment) NPRM
    is expected in August of this year

  • The anticipated dates for HHS issuing new
    proposed or revised final HIPAA rules (cont)
  • A draft regulation for electronic medical records
    is being developed, which should be available for
    public review by the end of 2002
  • The Doctors First Report of Injury NPRM is also
    expected sometime this year
  • An Enforcement NPRM is expected to be released
    some time in 2002
  • Two proposed revisions to the Transaction and
    Code Set standards have been published
  • Changes in the Designated Standard Maintenance
    Organizations or DSMOs and
  • Removal of NDC codes as the standard for

Update Summary
Compliance Date
Proposed Rule
Final Rule
  • Released 5/98
  • Released 5/98
  • Released 6/98
  • Expected 2001
  • Published 8/2000
  • Expected 8/2002
  • Expected 6/2002
  • Expected 8/2002
  • 10/16/2002/03
  • Transactions Code Sets
  • Provider ID
  • Employer ID
  • Payer ID
  • Patient ID

Electronic Transaction Standards (EDI)
  • Released 8/98
  • Expected August 2002

Security Standards
  • 26 months from date final rule is published
  • No action by Congress draft regulation released
  • Published 12/2000
  • Reconfirmed 4/2001
  • 4/14/2003

  • 7/6/01 received First Guidance (not changes) on
    the final privacy rule
  • First proposed changes to the Privacy Rule
    published on 3/27/02

Components of a HIPAA Strategic Plan
Steps to Compliance
The key to achieving HIPAA compliance is to take
it one manageable stage at a time
Stage 1 Organization and Planning
Stage 2 Assessment and Design
Stage 3 Implementation and Testing
Stage 4 Compliance Monitoring
  • Organizational Structure
  • Education
  • Policies and Procedures
  • Establish Linkages
  • High-level Risk Analysis
  • Quick Hit Identification
  • Detailed Assessment
  • Prioritization
  • Project Definition
  • Budget Development
  • Programming/ System Upgrades
  • Policy/Process Development
  • Contract implementation
  • End User Education
  • System/Process Testing
  • Compliance Audits
  • Quality Assurance
  • Post Implementation Support
  • Regulatory Updates/Changes

We will be discussing these
Elements of a HIPAA Strategic Plan
  • Develop an organizational structure for
    implementing HIPAA
  • Review corporate initiatives in light of HIPAA
  • Educate organizational decision makers on the
    importance of HIPAA and its impact across the
  • Develop policies and procedures for Privacy and
    Security regulations
  • Determine links between HIPAA initiatives and
    organizational strategic initiatives

Elements of a HIPAA Strategic Plan
  • Determine which EDI standards to use
  • Conduct a high level risk analysis
  • Conduct a detailed risk assessment
  • Prioritize and schedule tasks to accomplish
  • Develop a budget for implementing HIPAA
  • Begin the development of policies and procedures
    for EDI

Stage 1 Organizational Structure
  • Appointment of HIPAA coordinator
  • Appointment of Privacy Officer
  • Appointment of individual(s) to be responsible
    for implementing Security regulations
  • Provide staff time to prepare for HIPAA
  • Establish reporting mechanisms to Administration
    and the governing body

Sample HIPAA Governance Structure
HIPAA Coordinator (oversight for assessment,
implementation and ongoing monitoring)
Security Responsibility(Policy
Development Oversight, Training )
Stage 2 Corporate Initiatives
  • Identify strategic initiatives that HIPAA will
  • These initiatives should be divided into two
    primary categories information technology (IT)
    and business initiatives
  • The HIPAA regulations will touch most major
    clinical, financial and administrative areas
    within the health system. As such, most of the
    strategic initiatives will require modification
    or consideration of the new HIPAA regulations
  • Submit request for EDI extension

Stage 3 Education
  • HIPAA 101 - Overview of HIPAA
  • HIPAA 201 - Advanced Topics on EDI, Codes Sets
    and Identifiers
  • HIPAA 202 - Advanced Privacy Course
  • HIPAA 203 - Advanced Security Course

Stage 4 Policies and Procedures
  • Develop policies and procedures for
  • Privacy
  • Material from Michael Best and Friedrich to
  • EDI
  • Dependent upon standard transactions to be used
  • Security
  • Health Future IT task force to develop sample
  • Address HIPAA compliance in organizational HR
  • Background checks
  • Sanctions for non-compliance
  • General policies on confidentiality

Stage 5 Linking Initiatives
  • Identify trading partners/business associates
  • Develop contractual assurances of HIPAA
  • Evaluate vendor preparedness to support HIPAA

Stage 6 Selection of EDI Standards to Implement
  • Develop a plan for transaction implementation
  • Initiate cost/benefit analysis to determine which
    standards will yield most positive results
  • Develop a schedule for implementation
  • Determine resources required for implementation
  • Submit request for EDI extension
  • Prior to October 16, 2002

Stage 7 Risk Assessment
  • Conduct a high level risk analysis and initiate
    quick hit remediation
  • Assign responsibility for EDI, Privacy and
    Security assessments
  • Conduct detailed assessment tool training
  • Perform assessments
  • Define the boundaries of acceptable risk

High-level Risk Analysis
  • A high-level analysis of the current environment
    from an EDI, Privacy, and Security perspective to
    see where the largest gaps are would include
    questions like those below
  • What electronic systems are in place for
    billing/clinical/medical records?
  • How many clearinghouses (if any) are used?
  • Are business associates/trading partners HIPAA
  • Which of the 7 approved standard transactions are
    being done?
  • Will PHI be accessible to physicians off-site?
  • Are security policies in place that meet the
    categories outlined in the proposed rule?
  • How much data sharing is currently allowable in
    the system?
  • Are there system access controls and audit
  • What is the level of complexity of systems across
    the network?
  • Do users have unique IDs and passwords and do
    they share?

Stage 8 Preliminary Budget
  • Summarize compliance gaps identified through the
    risk assessment
  • Develop operating budget for incremental labor
    costs and savings
  • Develop capital budget for HIPAA compliance

Stage 9 Project Definition
  • Review results of the assessment
  • Prioritize tasks to achieve compliance
  • Assign responsibility for compliance projects

Stage 1 - Project Timeline

Corporate Initiatives
Policies and Procedures
Establish Linkages
Transaction Selection
Risk Assessment
Project Definition
Initiate Prioritization
How to Prioritize HIPAA Initiatives
  • HIPAA activities need to be prioritized using
    several factors, for example
  • Compliance deadlines
  • Potential for enforcement
  • Budget constraints (cost/benefit)
  • Resource constraints/requirement for external
  • Organizational readiness
  • Organizational impact
  • Integration with other projects
  • Enterprise-wide importance

Sample Immediate Initiatives
  • HIPAA Governance Model
  • Solidify organizational responsibility for the
    development of regulatory policies and
    procedures, approval processes, enforcement and
    oversight of all organizational HIPAA initiatives
  • Policy and Procedure Documentation
  • Initiate the development of, and update policies
    and procedures to meet HIPAA requirements and
    establish the organizations defensible
  • Business Associates and Trading Partners
  • Inventory contracts and identify organizations
    that are business associates and trading partners
    with whom protected health information is shared

Sample High Priority Initiatives
  • Implement/Update Standard Transaction Sets
  • Transition to HIPAA-compliant versions of those
    transactions being performed electronically today
  • Implement/Update Standard Code Sets
  • Clean-up proprietary clinical codes to align with
    HIPAA code sets
  • Purchase additional code sets if needed
  • Remediate Applications
  • Remediate applications to HIPAA compliant versions

Sample Medium Priority Initiatives
  • Staff Education
  • Conduct general and detailed HIPAA education
  • Privacy Documentation Requirements
  • Develop documents required to comply with Privacy
  • Utilize documents developed by the WSHA and other
    business partners that are recommended for use
  • Focused Strategy Assessment
  • Determine strategic approach to HIPAA and
    complete focused HIPAA assessments to determine
    compliance gaps and scope implementation efforts
  • Communication Plan
  • Establish communication methods and begin to
    conduct HIPAA education and distribute

Ranking Definitions
Initiatives Prioritization Matrix
Questions and Discussion
Association for Electronic Health Care Transactions (AFEHCT) Impacts of HIPAA (particularly EDI) Security Self-Evaluation Checklist http//www.afehct.org
American Health Information Management Association (AHIMA) Benchmark information and case studies Interim Steps for Getting Started http//www.ahima.org/hipaa.html
American Society for Testing and Materials (ASTM) Standards guides for security http//www.astm.org
Center for Healthcare Information Management (CHIM) Up-to-date industry perspective on proposed rules and their status http//www.chim.org
Computer-Based Patient Record Institute (CPRI) CPRI Security Toolkit http//www.cpri-host.org
Department of Health and Human Services HIPAA Administrative Simplification Latest News on Regulations Current proposed and final rules http//aspe.hhs.gov/admnsimp/index.htm
Electronic Healthcare Network Accreditation Commission (EHNAC) Certification Program for HIPAA Compliance (under development) http//www.ehnac.org
Resources (cont.)
For the Record Protecting Electronic Health Information (National Academy Press, 1997) 800-624-6242 Full Report http//www.nap.edu
Health Privacy Forum Comparison of Privacy proposed and final rules Comparison of state privacy laws http//www.healthprivacy.org
HIMSS Protecting the Security and Confidentiality of Healthcare Information (Volume 12, Number 1, Spring 1998) Articles http//www.himss.org
HIPAA Home Page http//www.hcfa.gov/hipaa/hippahm.htm
HIPAA Transaction Implementation Guides from the Washington Publishing Company http//www.wpc-edi.com
Joint Healthcare Information Technology Alliance (JHITA) Summary of Privacy rules Upcoming HIPAA conferences http//www.jhita.org
Links to other HIPAA sites http//www.hcfa.gov/medicare/edi/hipaaedi.htm
Medicare EDI http//www.hcfa.gov/medicare/edi/edi.htm
Resources (cont.)
National Uniform Billing Committee http//www.nubc.org
National Uniform Claims Committee http//www.nucc.org
Washington Publishing Company ANSI ASC X12N HIPAA Implementation Guides http//www.wpc-edi.com/hipaa
Subscribe to email release of HIPAA documents (such as notice of proposed rule making) http//www.hcfa.gov/medicare/edi/admnlist.htm
Workgroup for Electronic Data Interchange (WEDI) Details of SNIP effort (Strategic National Implementation Pilot) http//www.wedi.org
Write a Comment
User Comments (0)
About PowerShow.com