330 likes | 446 Views
West Virginia State Government HIPAA Assessment. Health Insurance Portability and Accountability Act. Additional information can be found on the HIPAA Website at http:/www.wvdhhr.org/hipaa. Sallie Hunt HIPAA Sr. Legal Counsel. WEST VIRGINIA STATE GOVERNMENT
E N D
West Virginia State Government HIPAA Assessment Health Insurance Portability and Accountability Act Additional information can be found on the HIPAA Website at http:/www.wvdhhr.org/hipaa Sallie Hunt HIPAA Sr. Legal Counsel
WEST VIRGINIA STATE GOVERNMENT HIPAA PROJECT MANAGEMENT OFFICE West Virginia State Government HIPAA Assessment Project Charter • HIPAA Overview: • Purpose of HIPAA Title II - Improved efficiency in healthcare delivery by standardizing electronic data interchange (EDI) and mandating the protection of patient confidentiality (privacy) and the security of health data through the setting and enforcing of standards. • Who is affected? –Healthcare providers who transmit administrative or financial transactions electronically that contain health information, health plans and clearing houses. • Sanctions - Sanctions for non-compliance with HIPAA can be both civil and criminal. Fines range from $100 per violation up to $25,000 for multiple violations of the same standard in a calendar year. Additionally, there are fines up to $250,000 and/or imprisonment for up to 10 years for intentional misuse of individually identifiable health information.
WEST VIRGINIA STATE GOVERNMENT HIPAA PROJECT MANAGEMENT OFFICE West Virginia State Government HIPAA Assessment Project Charter • Project Overview: • Background – Governor Wise appointed Sonia Chambers, Chair West Virginia Health Care Authority with Oversight and Coordination. • The HIPAA Executive Committee (HEC) was created to assist WV State Government Executive Branch entities in determining: • If they are covered under HIPAA and subject to its rule • Current State Compliance status with a Gap Analysis • HIPAA-specific tools and training • Strategies for compliance implementation • Remediation Action Plans with costs and timelines • Compliance implementation projects
WEST VIRGINIA STATE GOVERNMENT HIPAA PROJECT MANAGEMENT OFFICE West Virginia State Government HIPAA Assessment Project Charter • Problem Statement: • WV State Government Executive Branch business systems, processes, and policies may not be compliant • Limited resources create an assessment challenge • Timelines for compliance are tight: • October 15, 2002 – Transactions and Code Sets Plan • April 14, 2003 – Privacy Compliance Deadline • October 16, 2003 – Transactions and Code Sets Deadline • Security Mandates TBD
WEST VIRGINIA STATE GOVERNMENT HIPAA PROJECT MANAGEMENT OFFICE West Virginia State Government HIPAA Assessment Project Charter • Project Goals and Objectives: • Evaluate HIPAA impacts on WV State Government Executive Branch agencies • Determine systems, procedures, policies, and contract language requiring change to accomplish compliance • Phase I – Produce Assessment Findings & Remediations Report w/ recommendations, timelines, costs, etc. • Develop Phase II – Implementation Plan / Project Charter
WEST VIRGINIA STATE GOVERNMENT HIPAA PROJECT MANAGEMENT OFFICE West Virginia State Government HIPAA Assessment Project Charter • Project Scope: • Bob Wise, Governor Governor’s Office (FYI purposes only) • Gregory A. Burton, Commissioner Department of Administration • Alisa L. Bailey, Commissioner Bureau of Commerce • Kay Goodwin, Cabinet Secretary Department of Education and the Arts • Robert J. Smith, Commissioner Bureau of Employment Programs • Michael Callaghan, Cabinet Secretary Department of Environmental Protection • Paul L. Nusbaum, Cabinet Secretary Dept. of Health and Human Resources • Sonia D. Chambers, Chair WV Health Care Authority • Joe Martin, Cabinet Secretary Dept. of Military Affairs & Public Safety • Ann M. Stottlemyer, Commissioner Bureau of Senior Services • Brian M. Kastick, Cabinet Secretary Department of Tax and Revenue • Fred VanKirk, P.E., Cabinet Secretary Department of Transportation • Although boards, commissions, and institutions of higher education are not included within the scope, assistance and access to project tools, products, and information will be provided per project resource availability. Additionally, via Education and Outreach, tools, products, lessons learned, best practices, etc. will also be shared with those outside the WV project.
WEST VIRGINIA STATE GOVERNMENT HIPAA PROJECT MANAGEMENT OFFICE West Virginia State Government HIPAA Assessment Project Charter • Critical Success Factors: • Active and visible Executive-level endorsement • Identified and manageable project scope • Stable and timely project resources • Strong project management and a PMO to: • Serve as a central point of HIPAA and project contact • Develop and maintain project structure • Provide project leadership and coordinate / leverage resources • Facilitate sharing of best-practices • Monitor deliverables and approve project work products • Maintain project plans, status reports, documentation, and audit trail • Represent the project team
WEST VIRGINIA STATE GOVERNMENT HIPAA PROJECT MANAGEMENT OFFICE West Virginia State Government HIPAA Assessment Project Charter • Assumptions: • Project scope will remain consistent • Systems outside the control of WV State Government will not be addressed • The PMO is the central point of HIPAA project contact
WEST VIRGINIA STATE GOVERNMENT HIPAA PROJECT MANAGEMENT OFFICE
WEST VIRGINIA STATE GOVERNMENT HIPAA PROJECT MANAGEMENT OFFICE West Virginia State Government HIPAA Assessment Project Charter Project Organizational Chart:
Legal Team WEST VIRGINIA STATE GOVERNMENT HIPAA PROJECT MANAGEMENT OFFICE • Coverage and Survey Instruments • Privacy • TCS • Security • Non-HIPAA State and Federal Laws
Legal Team Process WEST VIRGINIA STATE GOVERNMENT HIPAA PROJECT MANAGEMENT OFFICE • Attorneys from probable covered entities identified and asked to participate on team • Kick-off meeting held in May 2002 • Attorneys asked to step forward as team leaders and others to participate on teams • Full team meetings to receive status reports with real work occurring in sub-teams
Legal Team Process WEST VIRGINIA STATE GOVERNMENT HIPAA PROJECT MANAGEMENT OFFICE • At the kickoff meeting in May, everyone was given a team charter which outlined the deliverables for each sub-team • Each team leader prepared a weekly report of status and obstacles and remitted it to the Legal Team Leader by Tuesday of each week • On Wednesday of each week, a full team report was issued, along with a log of issues • Reports were distributed by e-mail and posted to the web
Coverage and Survey Instruments Team WEST VIRGINIA STATE GOVERNMENT HIPAA PROJECT MANAGEMENT OFFICE • Developed Covered Entity Assessment Survey • Reviewed other states’ tools – used NC’s as the basis for the model • Found a balance between developing a comprehensive tool and a concise tool • Important to find examples of inclusions and exclusions for the non-HIPAA literate respondent
Coverage and Survey Instruments Team WEST VIRGINIA STATE GOVERNMENT HIPAA PROJECT MANAGEMENT OFFICE • Challenge to decide at what level to distribute the survey • Decision made to send the survey to the cabinet secretary of all executive branch agencies • Recognized that each agency is organized differently • Different structures require different distribution decisions, which could only be made by the agency itself
Privacy Team WEST VIRGINIA STATE GOVERNMENT HIPAA PROJECT MANAGEMENT OFFICE • Reviewed and revised NCHICA’s HIPAA EarlyView Privacy Assessment Tool • Reviewed and revised questions, clarifications, best practices and glossary • Reviewed and revised tool a second time, taking into consideration the August 14, 2002 Privacy modifications • Recognition that identified gaps will be at a very high level
Security Team WEST VIRGINIA STATE GOVERNMENT HIPAA PROJECT MANAGEMENT OFFICE • Even though Security regs are still proposed, implementation is necessary to support Privacy • Reviewed and revised NCHICA’s HIPAA EarlyView Security Assessment Tool • Reviewed and revised 500+ questions and glossary • Attorneys felt outside their comfort zone – felt it was an IT issue
Transactions and Code Sets Team WEST VIRGINIA STATE GOVERNMENT HIPAA PROJECT MANAGEMENT OFFICE • Developed the Transactions and Code Sets Assessment Tool • Used North Carolina’s tool as the basis • Reviewed the questions against the regulations • Difficult to interest attorneys in this team • Small team, yet met deliverables
Non-HIPAA State and Federal Laws Team WEST VIRGINIA STATE GOVERNMENT HIPAA PROJECT MANAGEMENT OFFICE • Performed state law preemption analysis • Developed a paradigm to be applied with regard to the relationship between HIPAA and other federal laws, such as the Privacy Act, FOIA, FERPA, etc. • Reviewed the Privacy Assessment tool and revised it to reflect the preemption analysis • Will serve as advisor to Privacy Team through implementation
Covered Entity Status Report WEST VIRGINIA STATE GOVERNMENT HIPAA PROJECT MANAGEMENT OFFICE • Who are the covered entities within State government? • Who are the providers, plans and clearinghouses? • Who are the business associates, trading partners and chain of trust partners? • Who are WV’s health oversight agencies?
HIPAA’s Organizational Requirements WEST VIRGINIA STATE GOVERNMENT HIPAA PROJECT MANAGEMENT OFFICE • OHCA • ACE • Hybrid entity
Status of Executive Branch HIPAA Compliance WEST VIRGINIA STATE GOVERNMENT HIPAA PROJECT MANAGEMENT OFFICE • Transactions and Code Sets • Privacy • Security
Assessment Process for Transactions and Code Sets, Privacy and Security WEST VIRGINIA STATE GOVERNMENT HIPAA PROJECT MANAGEMENT OFFICE • Once CE survey was turned into PMO, HEC members met with each agency HIPAA coordinator and gave them TCS survey and trained them on its application and next steps • TCS survey was returned to PMO and input into database • Analysis at component, overall agency and state levels • Same process for Privacy and Security
TCS Model Compliance Plans WEST VIRGINIA STATE GOVERNMENT HIPAA PROJECT MANAGEMENT OFFICE • Compliance Plan Requirements - Awareness - Operational Assessment - Development and Testing • Plans filed by WV State Agencies
Privacy Team WEST VIRGINIA STATE GOVERNMENT HIPAA PROJECT MANAGEMENT OFFICE • Agency HIPAA Coordinators identified team members from their agencies – attorneys, policy writers, IT, training staff, etc. • Teams formed to: • Review gaps and make enterprise-wide recommendations resulting from assessment • Develop policies and procedures • Develop Business Associate Agreements • Serve as a resource to other teams regarding preemption and other federal laws • Training
WEST VIRGINIA STATE GOVERNMENT HIPAA PROJECT MANAGEMENT OFFICE TBD Security Team
Implementation Design WEST VIRGINIA STATE GOVERNMENT HIPAA PROJECT MANAGEMENT OFFICE • Privacy, Security and Transactions and Code Sets Teams • Multi-disciplinary teams • Goal is to seek enterprise-wide solutions to promote efficiencies and economies of scale, while enabling each agency’s HIPAA compliance
Policies and Procedures WEST VIRGINIA STATE GOVERNMENT HIPAA PROJECT MANAGEMENT OFFICE • Policy templates were identified and purchased • Training modules for the policy writers were created for each area of the regulations, and an accompanying schedule was outlined for policy development to ensure that the April 2003 compliance deadline will be met • Policy and procedure development, and training will occur simultaneously • Agencies will document their policy development, implementation and training and will submit the documentation to the HEC
Business Associate Agreements WEST VIRGINIA STATE GOVERNMENT HIPAA PROJECT MANAGEMENT OFFICE • Master Business Associate Agreements will be developed • All contracts requiring BAAs will be identified and amended • Processes for ensuring that all future contracts are screened for BAAs, and where needed, are executed
WEST VIRGINIA STATE GOVERNMENT HIPAA PROJECT MANAGEMENT OFFICE http:/www.wvdhhr.org/hipaa