One Academic Medical Center’s Response to HIPAA
David McKelvey, DUHS
January 12, 2001
Awareness | Orientation | Identification | Organization | Technology | Normalize | Contacts

Education
• Goal: Learn the material.
• Regulations in the Federal Register
• Expert analyses / interpretations
• Conferences
• NCHICA HIPAA HealthKey
• WEDI conference
• InfoSec 2000
• GG/healthcare symposium
• HIPAA National Summit in DC
• AMC HIPAA Workshop
HIPAA security training sessions
• Goal: Introduce HIPAA to the organization and stimulate planning required to become compliant.
• 4 hours long
• Held approximately every 6 weeks
• Lecture style presentation
• Several hundred people have attended so far
HIPAA first look meetings (Gap Analysis)
• Goals: Equip groups with information required to prepare HIPAA budget requests. Give snapshot to senior mgmt.
• 3-6 hours long
• Scheduled with individual groups
• In attendance: management and IT people
• Deliverable is a spreadsheet filled out by the group
• Compliance level (L M H)
• Challenges, needs, success factors in becoming compliant ($ ET ST OC T O SL HSL SD)
• Opportunities while/in becoming compliant ($ ST O SL HSL TEAM STDS SD)
• Cost estimate to become compliant (L M H)
• Cost estimate to stay compliant (L M H)
• About 18 groups have participated so far
Groups
• Goal: Organize people and activities required to bring the organization into HIPAA compliance.
• Changes to policy, procedures, and technology in equal measure are required.
• Executive committee
• Policy group
• Evaluation and monitoring committee
• Information security office
• Technical security guidance groups
• Oversight groups
• Managers
Goal: Prototype, pilot, and implement technological solutions to HIPAA requirements best addressed by common or interoperable technological solutions.
• Firewall
• Public Key Infrastructure (PKI)
• Digital Signature
• Virtual Private Network (VPN)
• Wireless network access
• Anti-virus software
• Personal firewall
• PDA access
• Intrusion detection
• Security incident
Goal: Participate in activities with representatives of other HCOs intended to define what is adequate, promote interoperable standards, and coordinate implementation.
• North Carolina Healthcare Information and Communications Alliance (NCHICA)
• Implementation Planning Task Force
• Data Security Workgroup
• Network Security and Interoperability Workgroup
• Transactions Workgroup
• Workgroup for Electronic Data Interchange (WEDI)
David McKelvey: David.McKelvey@Duke.edu
NCHICA: http://www.NCHICA.org
WEDI: http://www.WEDI.org