Gap Assessment and Risk Analysis - PowerPoint PPT Presentation
1
Gap Assessment and Risk Analysis
  • Lewis Lorton, DDS, MSD
  • Lewis.Lorton@hipaadocs.com
  • 301-621-5060

2
Support Documents
  • A list of privacy and security standards
  • The WEDI white paper on small business
    implementation
  • 2 page extract from the WEDI small business
    implementation

3
What do the HIPAA regulations require?
  • Understanding the rights of the patient
  • Changes in office policies and procedures to
    support those rights

4
What are the risks for non-compliance?
  • Fines
  • Loss of business partner confidence
  • Loss of patient confidence
  • Increased liability to litigation

5
What does Gap Assessment and Risk Analysis mean?
6
Why should Gap Assessment be done?
  • As in health care, the history and examination are
    crucial to a correct diagnosis and treatment.
  • Knowledge of the current operating procedures and
    assessment of the gaps between those procedures
    and requirements is crucial to improvement.
  • The review for Gap Assessment will often bring to
    light poor and/or inconsistent practices that
    hurt the organization.

7
Why should your organization do a gap assessment
of your environment? ... Why not just get a set
of compliant policies and procedures?
  • The regulations require it
  • It makes sense
  • It will mitigate your risks

8
Who should do this assessment and under what
circumstance?
  • Designate responsible party(ies)
  • Give authority along with responsibility
  • Encourage group participation

9
How should a gap assessment be done for HIPAA in
large organizations?
  • http://www.hipaadvisory.com/action/Compliance/gapassessment.htm

10
How to perform a gap analysis?
  • Understand the scope of requirements
  • Understand the flow of data
  • Evaluate the facts against the requirements of
    HIPAA.
  • Decide what should be done to mitigate any risk
    of loss or breach (Risk Analysis)
  • Implement those decisions (implementation plan)
  • Document all the activities
  • Periodically re-audit not only the gaps but the
    performance

11
Understand the scope
  • Direct interaction with patients and patient
    information
  • Office management and physical security
  • Printed materials
  • Computer security

12
Direct Interaction
  • patient sign in sheets must include only limited
    information
  • leaving medical charts around the office site
    and use of clear plastic chart holders on exam
    room doors
  • posting of patient schedules
  • holding confidential conversations where they can
    be easily overheard by third parties

13
Office management and physical security
  • computer screens not in plain view
  • staff regularly changing passwords
  • safeguarding access to work areas
  • information accessible only to authorized staff,
    including medical records, lab reports, and
    faxes
  • controlled disclosure of information directly,
    email, fax

14
Printed Materials
  • HIPAA compliant confidentiality statements and
    written privacy policies
  • documented policies and procedures when
    employment terminated, including return of all
    keys, cards, and change codes and locks
  • employee handbook/documentation HIPAA compliant
    with respect to security training, termination
    policies and procedures, etc.
  • documented procedures to protect confidential
    information, if office equipment or files are
    taken from the premises
  • policies, procedures and training in place for
    off-site functions, e.g., transcription,
    accounting or claims filing

15
Computer Security
  • inventory of computer systems and software
  • regular virus check and mitigation program in
    place
  • disaster plan to include contingency plans in
    event of systems failure
  • confidential information stored electronically,
    with appropriate safeguards and backups
  • Internet and phone transmissions secure
  • protection of e-mail communications that contain
    confidential information.

16
Understand your organization
  • Using your understanding of the scope of HIPAA
  • Gather written policies and procedures
  • Get input on unwritten policies and procedures
  • Survey the office for data flow
  • Understand how information gets into and out of
    the organization and how patient information is
    used within it

17
Compare the office processes against the standards
  • Using audit tools (such as those in the WEDI SNIP
    white papers, http://snip.wedi.org/public/articles/index.cfm?Cat17),
    commercial gap assessment tools, or the regulations
    themselves, compare what your organization does
    with the requirements.

18
Example
  • 3. all confidential conversations take place to
    the maximum extent possible in areas that cannot
    be overheard by other patients or non-staff -
    True _____ False ______.
  • Intent
  • Extension
  • (from the WEDI SNIP small organization manual)

19
Example
  • we need to move our conversations with patients
    out of the hallways into treatment rooms
  • we need a standard way of confirming
    appointments on the phone to people's workplaces
  • we need to keep our office conversation about
    patients anonymous.

20
Risk Assessment, Implementation and Documentation
  • Document and define the gaps
  • Decide on what actions to take both in real terms
    and in the written policies
  • Plan how to implement the required changes
  • Implement and document

21
Audit Routinely
22
Resources
  • Workgroup for Electronic Data Interchange (WEDI)
    www.wedi.org
  • WEDI SNIP snip.wedi.org
  • American Health Information Management
    Association (AHIMA) www.ahima.org
  • Computer-based Patient Records Institute for CPRI
    Tool Kit Version 3 - www.cpri-host.org
  • Designated Standard Maintenance Organizations -
    www.hipaa-dsmo.org/
  • Georgetown Health Privacy Project
    www.healthprivacy.org

23
Resources
  • Health and Human Services (HHS) Administrative
    Simplification http//aspe.os.dhhs.gov/admnsimp
  • Health Information Management (himinfo)
    www.himinfo.com
  • Healthkey - www.healthkey.org/
  • HIPAAdvisory www.hipaadvisory.com
  • Office of Civil Rights - www.hhs.gov/ocr/hipaa/
  • Public Law 104-191- aspe.hhs.gov/admnsimp/pl104191
    .htm
  • Strategic National Implementation Process (SNIP)
    snip.wedi.org
  • The Electronic Healthcare Network Accreditation
    Commission - www.ehnac.org/stfcs.asp
  • The North Carolina Healthcare Information and
    Communications Alliance - www.nchica.org/
  • Washington Publishing Company for implementation
    guides - www.wpc-edi.com/HIPAA/

24
What will your organization get out of this?
  • Better professional business processes
  • Accountability
  • Efficiency
  • Risk Mitigation

25
Summary
  • GA/RA is the absolute key to any business process
    change
  • Implementing change, or trying to, just by
    dropping a set of policies on an unprepared
    organization will rarely work.
  • While the doctor may not actually be doing the
    GA/RA or the actual work involved, the doctor is
    ultimately responsible and must understand and
    support the changes.