Living with HIPAA: Compendium of Next steps from Rural Hospitals to Large Health Systems to...
-
Upload
cory-baker -
Category
Documents
-
view
213 -
download
0
Transcript of Living with HIPAA: Compendium of Next steps from Rural Hospitals to Large Health Systems to...
![Page 1: Living with HIPAA: Compendium of Next steps from Rural Hospitals to Large Health Systems to Physician Practices Presented by HIPAA Pros 5th Annual HIPAA.](https://reader035.fdocuments.us/reader035/viewer/2022062806/56649d935503460f94a7ad3f/html5/thumbnails/1.jpg)
Living with HIPAA:Compendium of Next steps from Rural Hospitals to Large Health Systems to Physician Practices
Presented by HIPAA Pros
5th Annual HIPAA Summit
Baltimore, Maryland
October 31. 2002
![Page 2: Living with HIPAA: Compendium of Next steps from Rural Hospitals to Large Health Systems to Physician Practices Presented by HIPAA Pros 5th Annual HIPAA.](https://reader035.fdocuments.us/reader035/viewer/2022062806/56649d935503460f94a7ad3f/html5/thumbnails/2.jpg)
2Living with HIPAA Implementation priorities
Assuring money and effort is well spent The three legs of Administrative
Simplification Where to begin?
Identifying “chunks” What is “reasonable?” Who will do the work?
![Page 3: Living with HIPAA: Compendium of Next steps from Rural Hospitals to Large Health Systems to Physician Practices Presented by HIPAA Pros 5th Annual HIPAA.](https://reader035.fdocuments.us/reader035/viewer/2022062806/56649d935503460f94a7ad3f/html5/thumbnails/3.jpg)
3Experiential Based Rural Hospital Experiences – Best
Practices Community Hospitals: Security Needs Large Health Systems:compliance tracking
tools How to establish priorities Determining “Chunks”
![Page 4: Living with HIPAA: Compendium of Next steps from Rural Hospitals to Large Health Systems to Physician Practices Presented by HIPAA Pros 5th Annual HIPAA.](https://reader035.fdocuments.us/reader035/viewer/2022062806/56649d935503460f94a7ad3f/html5/thumbnails/4.jpg)
4
LESSONS LEARNEDLESSONS LEARNED
#1
EDI Remains a Major Concern
•Vendor Readiness
• Facility Readiness
![Page 5: Living with HIPAA: Compendium of Next steps from Rural Hospitals to Large Health Systems to Physician Practices Presented by HIPAA Pros 5th Annual HIPAA.](https://reader035.fdocuments.us/reader035/viewer/2022062806/56649d935503460f94a7ad3f/html5/thumbnails/5.jpg)
5
RECOMMENDATIONRECOMMENDATION
#1EDI Task force working with
vendors and health plans to identify data elements and prepare for testing
by April 14, 2003
![Page 6: Living with HIPAA: Compendium of Next steps from Rural Hospitals to Large Health Systems to Physician Practices Presented by HIPAA Pros 5th Annual HIPAA.](https://reader035.fdocuments.us/reader035/viewer/2022062806/56649d935503460f94a7ad3f/html5/thumbnails/6.jpg)
6
LESSONS LEARNEDLESSONS LEARNED
#2
Most of HIPAA Compliance comes down to Behavioral Changes
Staff….Physicians….volunteers…etc
![Page 7: Living with HIPAA: Compendium of Next steps from Rural Hospitals to Large Health Systems to Physician Practices Presented by HIPAA Pros 5th Annual HIPAA.](https://reader035.fdocuments.us/reader035/viewer/2022062806/56649d935503460f94a7ad3f/html5/thumbnails/7.jpg)
7
RECOMMENDATIONRECOMMENDATION
#2
Staff Training
Ongoing
Focused
![Page 8: Living with HIPAA: Compendium of Next steps from Rural Hospitals to Large Health Systems to Physician Practices Presented by HIPAA Pros 5th Annual HIPAA.](https://reader035.fdocuments.us/reader035/viewer/2022062806/56649d935503460f94a7ad3f/html5/thumbnails/8.jpg)
8
LESSONS LEARNEDLESSONS LEARNED
#3Future Compliance demands solid
Policies
Procedures
Training
![Page 9: Living with HIPAA: Compendium of Next steps from Rural Hospitals to Large Health Systems to Physician Practices Presented by HIPAA Pros 5th Annual HIPAA.](https://reader035.fdocuments.us/reader035/viewer/2022062806/56649d935503460f94a7ad3f/html5/thumbnails/9.jpg)
9
RECOMMENDATIONRECOMMENDATION
#3
Establish a “HIPAA Coordinators”
Group to Encourage Exchange of
Information
![Page 10: Living with HIPAA: Compendium of Next steps from Rural Hospitals to Large Health Systems to Physician Practices Presented by HIPAA Pros 5th Annual HIPAA.](https://reader035.fdocuments.us/reader035/viewer/2022062806/56649d935503460f94a7ad3f/html5/thumbnails/10.jpg)
10
LESSONS LEARNEDLESSONS LEARNED
#4
Need to consider
“Contingency Plans”
![Page 11: Living with HIPAA: Compendium of Next steps from Rural Hospitals to Large Health Systems to Physician Practices Presented by HIPAA Pros 5th Annual HIPAA.](https://reader035.fdocuments.us/reader035/viewer/2022062806/56649d935503460f94a7ad3f/html5/thumbnails/11.jpg)
11
#4
Get Moving
Get Serious
Get Done
RECOMMENDATIONRECOMMENDATION
![Page 12: Living with HIPAA: Compendium of Next steps from Rural Hospitals to Large Health Systems to Physician Practices Presented by HIPAA Pros 5th Annual HIPAA.](https://reader035.fdocuments.us/reader035/viewer/2022062806/56649d935503460f94a7ad3f/html5/thumbnails/12.jpg)
12Protecting PHI
The end goal: find it, follow it and protect it All the activities basically follow the PHI More than electronic, paper and oral What is it and who controls it?
Surprise: not you It’s everything for all intents and purposes!
![Page 13: Living with HIPAA: Compendium of Next steps from Rural Hospitals to Large Health Systems to Physician Practices Presented by HIPAA Pros 5th Annual HIPAA.](https://reader035.fdocuments.us/reader035/viewer/2022062806/56649d935503460f94a7ad3f/html5/thumbnails/13.jpg)
13
![Page 14: Living with HIPAA: Compendium of Next steps from Rural Hospitals to Large Health Systems to Physician Practices Presented by HIPAA Pros 5th Annual HIPAA.](https://reader035.fdocuments.us/reader035/viewer/2022062806/56649d935503460f94a7ad3f/html5/thumbnails/14.jpg)
14
Common Security Common Security Compliance FindingsCompliance Findings
![Page 15: Living with HIPAA: Compendium of Next steps from Rural Hospitals to Large Health Systems to Physician Practices Presented by HIPAA Pros 5th Annual HIPAA.](https://reader035.fdocuments.us/reader035/viewer/2022062806/56649d935503460f94a7ad3f/html5/thumbnails/15.jpg)
15
Applicable to Community Applicable to Community Hospitals and all Other Hospitals and all Other HIPAA entities (that’s HIPAA entities (that’s
the lesson learned!)the lesson learned!)
![Page 16: Living with HIPAA: Compendium of Next steps from Rural Hospitals to Large Health Systems to Physician Practices Presented by HIPAA Pros 5th Annual HIPAA.](https://reader035.fdocuments.us/reader035/viewer/2022062806/56649d935503460f94a7ad3f/html5/thumbnails/16.jpg)
16The Proposed HIPAA Security Standards: Subject Areas
Administrative Procedures [45 CFR §142.308(a)]
Physical Safeguards [45 CFR §142.308(b)] Technical Security Services [45 CFR
§142.308(c)] Technical Security Mechanisms [45 CFR
§142.308(d)]
![Page 17: Living with HIPAA: Compendium of Next steps from Rural Hospitals to Large Health Systems to Physician Practices Presented by HIPAA Pros 5th Annual HIPAA.](https://reader035.fdocuments.us/reader035/viewer/2022062806/56649d935503460f94a7ad3f/html5/thumbnails/17.jpg)
17Administrative Procedures Certification Process and Program Development
[45 CFR §142.308(a)(1)]
Internal or external
Contingency Program Development [45 CFR §142.308(a)(3)]
Must include: Applications and Data Criticality Analysis
Data Backup Plan
Disaster Recovery Plan for the Entire Enterprise
Emergency Mode of Operation
Testing and Revision Procedures
![Page 18: Living with HIPAA: Compendium of Next steps from Rural Hospitals to Large Health Systems to Physician Practices Presented by HIPAA Pros 5th Annual HIPAA.](https://reader035.fdocuments.us/reader035/viewer/2022062806/56649d935503460f94a7ad3f/html5/thumbnails/18.jpg)
18Administrative Procedures (continued)
Records Processing Policies and Procedures Development [45 CFR §142.308(a)(4)] Receipt, manipulation, storage, dissemination,
transmission, disposal of PHI Information Access Control Policies and
Procedures[45 CFR §142.308(a)(5)] Access Authorization (overall access procedures) Access Establishment (Initial right of access) Access Modification (job change or termination)
![Page 19: Living with HIPAA: Compendium of Next steps from Rural Hospitals to Large Health Systems to Physician Practices Presented by HIPAA Pros 5th Annual HIPAA.](https://reader035.fdocuments.us/reader035/viewer/2022062806/56649d935503460f94a7ad3f/html5/thumbnails/19.jpg)
19Administrative Procedures (continued)
Security Configuration Management Policies[45 CFR §142.308(a)(8)]
Hardware and software installation and maintenance review and testing
Hardware and software inventory
Security Testing (host and network component penetration testing) Protocols and Services
![Page 20: Living with HIPAA: Compendium of Next steps from Rural Hospitals to Large Health Systems to Physician Practices Presented by HIPAA Pros 5th Annual HIPAA.](https://reader035.fdocuments.us/reader035/viewer/2022062806/56649d935503460f94a7ad3f/html5/thumbnails/20.jpg)
20Administrative Procedures (continued)
Training Program Development[45 CFR §142.308(a)(12)] Security Awareness Training for ALL
Personnel Periodic Reminders Virus Protection Education Log in Access Education Password Management Education
![Page 21: Living with HIPAA: Compendium of Next steps from Rural Hospitals to Large Health Systems to Physician Practices Presented by HIPAA Pros 5th Annual HIPAA.](https://reader035.fdocuments.us/reader035/viewer/2022062806/56649d935503460f94a7ad3f/html5/thumbnails/21.jpg)
21Physical Safeguards
Assigned Security Responsibility [45 CFR §142.308(b)(1)] (must understand all aspects of information security)
![Page 22: Living with HIPAA: Compendium of Next steps from Rural Hospitals to Large Health Systems to Physician Practices Presented by HIPAA Pros 5th Annual HIPAA.](https://reader035.fdocuments.us/reader035/viewer/2022062806/56649d935503460f94a7ad3f/html5/thumbnails/22.jpg)
22Technical Security Systems
Access Control [45 CFR §142.308(c)(1)(i)] Implementation Features - at least one of the
following: Context-based Role-based User-based
Audit controls [45 CFR 42.308(c)(1)(ii)] Mechanisms to record and examine system
activity
![Page 23: Living with HIPAA: Compendium of Next steps from Rural Hospitals to Large Health Systems to Physician Practices Presented by HIPAA Pros 5th Annual HIPAA.](https://reader035.fdocuments.us/reader035/viewer/2022062806/56649d935503460f94a7ad3f/html5/thumbnails/23.jpg)
23Technical Security Mechanisms
Network Controls [45 CFR §142.308(d)(2)] Alarm (IDS)
![Page 24: Living with HIPAA: Compendium of Next steps from Rural Hospitals to Large Health Systems to Physician Practices Presented by HIPAA Pros 5th Annual HIPAA.](https://reader035.fdocuments.us/reader035/viewer/2022062806/56649d935503460f94a7ad3f/html5/thumbnails/24.jpg)
24
“The computer expert is here, Mr. Rumson.”
![Page 25: Living with HIPAA: Compendium of Next steps from Rural Hospitals to Large Health Systems to Physician Practices Presented by HIPAA Pros 5th Annual HIPAA.](https://reader035.fdocuments.us/reader035/viewer/2022062806/56649d935503460f94a7ad3f/html5/thumbnails/25.jpg)
25
Do Not DelayDo Not Delay
![Page 26: Living with HIPAA: Compendium of Next steps from Rural Hospitals to Large Health Systems to Physician Practices Presented by HIPAA Pros 5th Annual HIPAA.](https://reader035.fdocuments.us/reader035/viewer/2022062806/56649d935503460f94a7ad3f/html5/thumbnails/26.jpg)
26LARGE IDS
Multiple Acute Care Hospitals Long-term Care Facilities Health Plan Clinics Dental Clinics Faculty Practice Plans
![Page 27: Living with HIPAA: Compendium of Next steps from Rural Hospitals to Large Health Systems to Physician Practices Presented by HIPAA Pros 5th Annual HIPAA.](https://reader035.fdocuments.us/reader035/viewer/2022062806/56649d935503460f94a7ad3f/html5/thumbnails/27.jpg)
27HIPAA Implementation Situation
Organize HIPAA implementation for a large, urban single entity healthcare system with 130 facilities ranging from large acute care to small clinics.
Track and monitor implementation progress throughout a diverse, distributed entity.
![Page 28: Living with HIPAA: Compendium of Next steps from Rural Hospitals to Large Health Systems to Physician Practices Presented by HIPAA Pros 5th Annual HIPAA.](https://reader035.fdocuments.us/reader035/viewer/2022062806/56649d935503460f94a7ad3f/html5/thumbnails/28.jpg)
28HIPAA Implementation Tasks
Create an implementation plan for 7,500 HIPAA recommendations and findings.
Organize and coordinate central and local implementation teams.
Manage and track compliance implementation as findings are addressed in an auditable manner.
![Page 29: Living with HIPAA: Compendium of Next steps from Rural Hospitals to Large Health Systems to Physician Practices Presented by HIPAA Pros 5th Annual HIPAA.](https://reader035.fdocuments.us/reader035/viewer/2022062806/56649d935503460f94a7ad3f/html5/thumbnails/29.jpg)
29HIPAA Implementation Plan
Perform Analysis Design Implementation Projects Formulate Organization Structure &
Operating Processes Formulate Organizational Roles and
Responsibilities Create and Deploy Implementation Tools
![Page 30: Living with HIPAA: Compendium of Next steps from Rural Hospitals to Large Health Systems to Physician Practices Presented by HIPAA Pros 5th Annual HIPAA.](https://reader035.fdocuments.us/reader035/viewer/2022062806/56649d935503460f94a7ad3f/html5/thumbnails/30.jpg)
30Analysis
Recommendations and findings were extracted from reports and categorized with 25 unique identifiers that include regulation paragraph number and section, implementation workgroup, and action required for implementation.
![Page 31: Living with HIPAA: Compendium of Next steps from Rural Hospitals to Large Health Systems to Physician Practices Presented by HIPAA Pros 5th Annual HIPAA.](https://reader035.fdocuments.us/reader035/viewer/2022062806/56649d935503460f94a7ad3f/html5/thumbnails/31.jpg)
31Projects
Projects were formulated based on type of action required on recommendations and findings.
Projects were prioritized based on the regulatory risk profile of the entity.
![Page 32: Living with HIPAA: Compendium of Next steps from Rural Hospitals to Large Health Systems to Physician Practices Presented by HIPAA Pros 5th Annual HIPAA.](https://reader035.fdocuments.us/reader035/viewer/2022062806/56649d935503460f94a7ad3f/html5/thumbnails/32.jpg)
32Organization
Structure was designed to include executive management, privacy officer, compliance directors, implementation workgroups and consultant subject matter experts.
Process for organizational behavior was pre-defined to ease information and workflow during implementation.
Roles & responsibilities were defined within process to assist team behavior and function.
![Page 33: Living with HIPAA: Compendium of Next steps from Rural Hospitals to Large Health Systems to Physician Practices Presented by HIPAA Pros 5th Annual HIPAA.](https://reader035.fdocuments.us/reader035/viewer/2022062806/56649d935503460f94a7ad3f/html5/thumbnails/33.jpg)
33Tools
Compliance tracking database was design and developed to house recommendations, work groups and projects.
Tool enables users to monitor their area of responsibility for HIPAA implementation.
Tool provides compliance audit trail for regulatory enforcement inquiries.
![Page 34: Living with HIPAA: Compendium of Next steps from Rural Hospitals to Large Health Systems to Physician Practices Presented by HIPAA Pros 5th Annual HIPAA.](https://reader035.fdocuments.us/reader035/viewer/2022062806/56649d935503460f94a7ad3f/html5/thumbnails/34.jpg)
34Compliance Tracking Tool Features:
My Dashboard, for executive level compliance tracking
My Recommendations, for manager level tracking of activity by recommendation and finding
Projects, for project creation, maintenance and tracking
Recommendations, for user designed query searches of recommendation database, and recommendation management.
![Page 35: Living with HIPAA: Compendium of Next steps from Rural Hospitals to Large Health Systems to Physician Practices Presented by HIPAA Pros 5th Annual HIPAA.](https://reader035.fdocuments.us/reader035/viewer/2022062806/56649d935503460f94a7ad3f/html5/thumbnails/35.jpg)
35Compliance Tracking Tool
![Page 36: Living with HIPAA: Compendium of Next steps from Rural Hospitals to Large Health Systems to Physician Practices Presented by HIPAA Pros 5th Annual HIPAA.](https://reader035.fdocuments.us/reader035/viewer/2022062806/56649d935503460f94a7ad3f/html5/thumbnails/36.jpg)
36Compliance Tracking Tool
![Page 37: Living with HIPAA: Compendium of Next steps from Rural Hospitals to Large Health Systems to Physician Practices Presented by HIPAA Pros 5th Annual HIPAA.](https://reader035.fdocuments.us/reader035/viewer/2022062806/56649d935503460f94a7ad3f/html5/thumbnails/37.jpg)
37Compliance Tracking Tool
![Page 38: Living with HIPAA: Compendium of Next steps from Rural Hospitals to Large Health Systems to Physician Practices Presented by HIPAA Pros 5th Annual HIPAA.](https://reader035.fdocuments.us/reader035/viewer/2022062806/56649d935503460f94a7ad3f/html5/thumbnails/38.jpg)
38Compliance Tracking Tool
![Page 39: Living with HIPAA: Compendium of Next steps from Rural Hospitals to Large Health Systems to Physician Practices Presented by HIPAA Pros 5th Annual HIPAA.](https://reader035.fdocuments.us/reader035/viewer/2022062806/56649d935503460f94a7ad3f/html5/thumbnails/39.jpg)
39Compliance Tracking Tool
![Page 40: Living with HIPAA: Compendium of Next steps from Rural Hospitals to Large Health Systems to Physician Practices Presented by HIPAA Pros 5th Annual HIPAA.](https://reader035.fdocuments.us/reader035/viewer/2022062806/56649d935503460f94a7ad3f/html5/thumbnails/40.jpg)
40Compliance Tracking Tool
![Page 41: Living with HIPAA: Compendium of Next steps from Rural Hospitals to Large Health Systems to Physician Practices Presented by HIPAA Pros 5th Annual HIPAA.](https://reader035.fdocuments.us/reader035/viewer/2022062806/56649d935503460f94a7ad3f/html5/thumbnails/41.jpg)
41Compliance Tracking Tool
![Page 42: Living with HIPAA: Compendium of Next steps from Rural Hospitals to Large Health Systems to Physician Practices Presented by HIPAA Pros 5th Annual HIPAA.](https://reader035.fdocuments.us/reader035/viewer/2022062806/56649d935503460f94a7ad3f/html5/thumbnails/42.jpg)
42Summary
Use of an implementation partner has distinct advantages to the organization: Available implementation tools. Proven HIPAA implementation management
methods and techniques. Regulatory subject matter expertise built
through training and experience.
![Page 43: Living with HIPAA: Compendium of Next steps from Rural Hospitals to Large Health Systems to Physician Practices Presented by HIPAA Pros 5th Annual HIPAA.](https://reader035.fdocuments.us/reader035/viewer/2022062806/56649d935503460f94a7ad3f/html5/thumbnails/43.jpg)
43Where to start? Assuming a work plan exists from the initial baseline
assessment, it is clear that providers must first address “HIGH” risk areas
“Typical” high risk areas include: Vendor readiness Health Plan directives Lack of Compliance Plan components (required) Training, training and more training Business Associates Physical Security Records management
![Page 44: Living with HIPAA: Compendium of Next steps from Rural Hospitals to Large Health Systems to Physician Practices Presented by HIPAA Pros 5th Annual HIPAA.](https://reader035.fdocuments.us/reader035/viewer/2022062806/56649d935503460f94a7ad3f/html5/thumbnails/44.jpg)
44Setting Priorities
Infrastructure issues Firewalls Protecting the network Access controls
Patient rights HIPAA is a patient-centric set of regulations
and the patient rights (Notice of Privacy Practices, handling disclosures) documentation of decisions is a critical step
![Page 45: Living with HIPAA: Compendium of Next steps from Rural Hospitals to Large Health Systems to Physician Practices Presented by HIPAA Pros 5th Annual HIPAA.](https://reader035.fdocuments.us/reader035/viewer/2022062806/56649d935503460f94a7ad3f/html5/thumbnails/45.jpg)
45Manageable “Chunks”
Working in the above priorities, define chunks of tasks that can be delegated to the work groups all designed to address the high priority areas Security in the systems: effected by decisions already
made to address the EDI concerns EDI task forces: focus is on meeting testing parameters
and assuring the system (whether computerized or manual) allows all components of your HIPAA Covered Entity to capture the required data elements
Privacy projects: awareness training, formation of compliance office, documents, management of patient rights and Business Associates
![Page 46: Living with HIPAA: Compendium of Next steps from Rural Hospitals to Large Health Systems to Physician Practices Presented by HIPAA Pros 5th Annual HIPAA.](https://reader035.fdocuments.us/reader035/viewer/2022062806/56649d935503460f94a7ad3f/html5/thumbnails/46.jpg)
46
“And now, let’s determine if we are a covered entity, affiliated single covered entity, hybrid covered entity or organized health care arrangement.”
![Page 47: Living with HIPAA: Compendium of Next steps from Rural Hospitals to Large Health Systems to Physician Practices Presented by HIPAA Pros 5th Annual HIPAA.](https://reader035.fdocuments.us/reader035/viewer/2022062806/56649d935503460f94a7ad3f/html5/thumbnails/47.jpg)
47Covered Entity Decisions
Single entity Affiliated Single entity Hybrid entity Organized health care arrangement
Considerations Pros/Cons documentation
![Page 48: Living with HIPAA: Compendium of Next steps from Rural Hospitals to Large Health Systems to Physician Practices Presented by HIPAA Pros 5th Annual HIPAA.](https://reader035.fdocuments.us/reader035/viewer/2022062806/56649d935503460f94a7ad3f/html5/thumbnails/48.jpg)
48Improving Cash Flow
EDI standards require uniform
codes for all payers Uniformity = Cost
Savings This is the bottom line!
![Page 49: Living with HIPAA: Compendium of Next steps from Rural Hospitals to Large Health Systems to Physician Practices Presented by HIPAA Pros 5th Annual HIPAA.](https://reader035.fdocuments.us/reader035/viewer/2022062806/56649d935503460f94a7ad3f/html5/thumbnails/49.jpg)
49
Question & Answer
![Page 50: Living with HIPAA: Compendium of Next steps from Rural Hospitals to Large Health Systems to Physician Practices Presented by HIPAA Pros 5th Annual HIPAA.](https://reader035.fdocuments.us/reader035/viewer/2022062806/56649d935503460f94a7ad3f/html5/thumbnails/50.jpg)
50Contacts Janet Himmelreich
215.517.4920 [email protected]
John Whitman 215.517.4985 [email protected]
Martin Rogers 703.927.4205 [email protected]
Melissa Campbell [email protected]