PLANNING FOR HIPAA COMPLIANCE
Presentation for NCHIMA Mid-Year Workshop
November 2, 2001
Presented By: Sarah Brooks, MPA, RHIA
NC DHHS - HIPAA PMO
HIPAA IMPACT ON DHHS
• The following DHHS agencies will be directly impacted by HIPAA:
  • Public Health (State Lab, 13 state-operated Developmental Evaluation Clinics, 86 Local Public Health Departments)
  • Mental Health/Developmental Disabilities/Substance Abuse Services (13 Institutions, 38 Area Programs)
  • Medical Assistance (Medicaid program)
  • Office of Education (Governor Morehead School, Schools for the Deaf)
  • Vocational Rehabilitation
  • Social Services (100 County DSS offices)

DHHS REACTION
• Centralized Management Response
  • Establishment of a Program Management Office (PMO)
• Assess and Implement Changes
  • Business Operations
  • Impacted Information Systems
• Develop Enterprise-wide Policies, Procedures and Training

STATEWIDE INITIATIVE
• DHHS HIPAA PMO assigned responsibility for assessing ALL state agencies
  • Senate Bill 1005 passed: $15 million
  • Directed by the Office of State Budget, Planning and Management (OSBPM), the Secretary of DHHS, and the State CIO
• Identify and Document HIPAA Requirements
• Perform Statewide Preliminary Assessments
• Determine Covered Entities
• Establish Timelines and Budgets
• Develop HIPAA Strategic Plan for the State and report to the General Assembly (Next Steps for Going Forward)

HOW DO YOU TACKLE A MAJOR INITIATIVE LIKE HIPAA?
PLANNING, PLANNING, PLANNING
MONITORING, MONITORING, MONITORING
HIPAA COMPLIANCE PROCESS
The compliance model has six phases. Each phase answers one question and has its own key considerations and supporting process and tools.

1. Understanding HIPAA: What is HIPAA? Why do HIPAA? What are the HIPAA requirements?
• Key considerations: Who needs what information? Develop SMEs on HIPAA; Compliance plans needed; Who is doing what?
• Process and tools: HIPAA Web Site; Awareness training; Participation in external organizations; Expansion Budget; Strategic Plan

2. Baselining the Organization: Where do we stand vs. these requirements? (i.e., what needs fixing?)
• Key considerations: Who's covered? Which policies? Which procedures? Which tools and systems? Which people?
• Process and tools: Master Plan; Roles & Responsibilities; BIFA; EDI/TCI assessments; Security/Privacy assessments

3. Planning Compliance Strategies: How do we close the gaps?
• Key considerations: Enterprise vs. local fixes; Risk and cost/benefit analysis; $how me the money
• Process and tools: Enterprise & individual compliance strategies; Technical infrastructure; Change management process & procedures; Roles & responsibilities; Scope matrix; Detailed work plans

4. Remediating the Organization: Let's go fixing
• Key considerations: Enterprise strategies; Thorough testing; Mandated deadlines
• Process and tools: Testing strategies; Privacy-related business templates; Enterprise privacy & security policies/procedures; Privacy & security related policy/procedure templates

5. Validating Compliance: How do we know we're compliant?
• Key considerations: Self-certification techniques; Certification of EDI transactions; Security certifications
• Process and tools: Self-certification techniques; 3rd party certifications; Quality assurance reviews

6. Maintaining Compliance: How do we stay compliant?
• Key considerations: Ongoing training; Educating future new DHHS employees; Will need ongoing auditing & certification practices; Change management
• Process and tools: Security/privacy maintenance plans; Enterprise training plans; Templates
UNDERSTANDING HIPAA
• What is HIPAA?
• Why do HIPAA?
• What are the HIPAA Requirements?
Key Considerations
• Who needs what information?
• Develop Subject Matter Experts (SMEs) on HIPAA
• Compliance plans needed
• Who is doing what?
Process and Tools
• HIPAA Web Site
• Awareness training
• Participation in external organizations
• Expansion Budget
• Strategic Plan
DHHS HIPAA WEBSITE
• http://dirm.state.nc.us/hipaa/
• Attorney General Opinions
• Assessment Tools
• FAQs
• Calendar of Events
• Presentations
• Resources/Links
• Deliverables

PARTICIPATION IN EXTERNAL ORGANIZATIONS
• NC Healthcare Information and Communications Alliance (NCHICA) http://www.nchica.org/
• Government Information Value Exchange for States (GIVES) http://www.hipaagives.org/
• Southern HIPAA Administrative Regional Process (SHARP) http://www.sharpworkgroup.com/
STRATEGIC PLAN I. MISSION
• The mission of this initiative is to bring DHHS into compliance as required under the Health Insurance Portability and Accountability Act (HIPAA) with no material impact to operations and services while exceeding the standard of due care expected of health care agencies by the citizens of North Carolina.

STRATEGIC PLAN II. MAJOR GOALS
The major goals of the initiative are to:
• Comply with all HIPAA Administrative Simplification regulations by the federally required compliance dates.
• Protect privacy and security of citizens' personal health information.
• Implement healthcare strategies to enhance efficiencies across DHHS operations.
• Maintain uninterrupted provision of and/or payment for services provided to citizens.
• Look for economies of scale and minimize redundancy of work efforts.

STRATEGIC PLAN III. GUIDING PRINCIPLES
The guiding principles of the initiative are:
• Quality service must be provided to clients without interruption.
• The initiative must be sponsored by a group of senior DHHS managers with the authority to make decisions affecting DHHS divisions and offices.
• Key stakeholders must be involved, as appropriate, in the development, review and approval of enterprise solutions.
• The organizational structure must promote effective communication.
• The appropriate individuals should be identified and given the authority and opportunity to effectively participate in and accomplish the objectives of the initiative.

STRATEGIC PLAN III. GUIDING PRINCIPLES (cont.)
• A team structure will be emphasized for accomplishing initiative objectives.
• Roles and responsibilities will be clearly defined and clearly communicated.
• Standard quality assurance policies must be adhered to.
• Metrics by which the project and progress can be measured must be defined.
• Automated tools will be used where possible.
• Use common services, policies, and procedures where appropriate.

STRATEGIC PLAN IV. EXTERNAL INFLUENCES ON THE INITIATIVE
Several factors, external to DHHS, may impact the initiative. These are as follows:
• The US DHHS is setting compliance dates; therefore, NC DHHS will have no control over end dates for each phase of the project.
• Assessment and remediation must be planned and, in some cases, performed before all HIPAA regulations have been published in the Federal Register. This work will have to be performed without knowing the potential impact of subsequently released regulations.

STRATEGIC PLAN IV. EXTERNAL INFLUENCES ON THE INITIATIVE (cont.)
• Compliance with HIPAA regulations will require statewide electronic data interchange and security technical infrastructure that does not exist today. The Office of Information Technology Services (ITS) must be involved throughout the process to ensure that this technical infrastructure is appropriately planned, designed and deployed.
• The impact on DHHS business associates may result in their no longer desiring to do business with DHHS. In this case, DHHS may be forced, or may desire, to solicit new business associates that are less experienced in providing specialized services to NC citizens.
• The NC Senate and House will need to understand the importance of HIPAA, its potential impact on NC and its benefits (including reduced administrative burden, lower operating costs, and improved data quality) in order to appropriate the funds necessary to comply with HIPAA regulations.
STRATEGIC PLAN V. OBJECTIVES
• Identify budgetary needs of all DHHS divisions and offices and acquire necessary state funding for the HIPAA initiative.
• Key Strategies
  • Develop a tool that DHHS can use to identify HIPAA budgetary requirements.
  • Provide a process for revising budget plans and communicating current budget estimates to DHHS management, the OSBPM and State Legislators.

STRATEGIC PLAN V. OBJECTIVES (cont.)
• Measures of Success
  • Acquire adequate funding to accomplish DHHS compliance efforts.
  • Actual expenditures do not exceed planned expenditures.
• External Factors
  • OSBPM and the State Legislature must support DHHS' need for funding to comply with HIPAA requirements.
  • The US DHHS needs to finalize HIPAA regulations based on its current planned release dates.

STRATEGIC PLAN V. OBJECTIVES (cont.)
• Internal Factors
  • The DHHS Office of the Secretary communicates budgetary requirements to State leadership.
  • Divisions and offices must provide accurate budget estimates and revisions for individual division/office HIPAA efforts on a timely basis as requested by DHHS.
  • All divisions and offices must work together to maximize enterprise solutions and reduce the overall cost of HIPAA implementation.

STRATEGIC PLAN V. OBJECTIVES (cont.)
• Plan and manage activities necessary to bring DHHS into HIPAA compliance.
• Ensure that HIPAA requirements are consistently communicated to appropriate internal and external parties.
• Assess the impact of HIPAA regulations on all divisions and offices within DHHS.

STRATEGIC PLAN V. OBJECTIVES (cont.)
• Determine and plan appropriate implementation and transition strategies.
• Implement HIPAA compliance plans.
• Monitor HIPAA compliance through audit, quality assurance, and certification programs.
• Transition HIPAA regulations and solutions into ongoing departmental operations.

STRATEGIC PLAN VI. SCOPE OF EFFORT
It is anticipated that the centralized DHHS HIPAA Office established to oversee the initiative would primarily be responsible for state-owned and -operated divisions, institutions, facilities and offices across the State of North Carolina. In most cases, local entities such as the county Departments of Social Services, Public Health Agencies, and Area Mental Health Programs will be responsible for funding and performing their own HIPAA efforts. The matrix below reflects the extent to which DHHS will be responsible for HIPAA-related activities for DHHS and its state and locally associated entities.
BASELINING THE ORGANIZATION
Where Do We Stand vs. These Requirements (i.e., What Needs Fixing)?
Key Considerations
• Who's covered?
• Which policies?
• Which procedures?
• Which tools and systems?
• Which people?
Process and Tools
• Master Plan
• Roles & Responsibilities
• BIFA
• EDI/TCI assessments
• Security/Privacy assessments
MASTER PLAN
Type       Name                                                     Start     End
Phase      Understanding HIPAA
Activity   Regulation Review
Task       Read & Understand Regulations & Related Documentation    9/4/00    3/29/02
Milestone  Transactions, Codesets, & Identifiers Review Complete    5/31/01   5/31/01
Milestone  Privacy Review Complete                                  9/30/01   9/30/01
Milestone  Security Review Complete (not yet released)              4/30/02   4/30/02
Milestone  Enforcement Review Complete (not yet released)           9/30/03   9/30/02
Activity   Planning
Task       Conduct Planning Activities                              9/4/00    8/31/01
Milestone  Strategic Plan                                           7/31/01   7/31/01
Milestone  Compliance Strategy (Framework)                          7/31/01   7/31/01
Milestone  High level Roles & Responsibilities                      8/17/01   8/17/01
Milestone  PMO EDI Project Plan                                     8/31/01   8/31/01
Milestone  PMO Privacy Project Plan                                 8/31/01   8/31/01
Milestone  PMO Security Project Plan                                8/31/01   8/31/01
Milestone  Division Workplans                                       7/31/01   7/31/01
Milestone  Department Master Plan                                   8/31/01   8/31/01

ROLES AND RESPONSIBILITIES: EDI/TCI
Task                                        Primary Responsibility    Other Entities Involved   Notes
Develop PMO project plan for EDI/TCI        PMO EDI/TCI Team Lead
Monitor PMO project plan for EDI/TCI        PMO Operations Manager
Provide Weekly Status Reports               PMO EDI/TCI Team Lead
Review Weekly Status Reports                PMO Operations Manager
Provide consultation to other PMO teams     PMO EDI/TCI Team
ASSESSMENTS
• Information Flow Assessment
  • Assessment Tool
  • Guidelines
• Privacy Assessment
  • NCHICA Early View Privacy
• Security Assessment
  • NCHICA Early View Security
• EDI Assessment
  • Initial and Comprehensive Assessments

GAP ANALYSIS AND RISK ASSESSMENT
• Gap Analysis
  • Gaps in current practice, policies, procedures, systems, etc. causing non-compliance
• Risk Assessment
  • A risk is an uncertain event that, if it occurs, has a positive or negative effect on the project's objectives
PLANNING COMPLIANCE STRATEGIES
How Do We Close the Gaps?
Key Considerations
• Enterprise vs. Local Fixes
• Risk and Cost/Benefit Analysis
• $how Me the Money
Process and Tools
• Enterprise & Individual Compliance Strategies
• Technical Infrastructure
• Change Management Process & Procedures
• Roles & Responsibilities
• Scope Matrix
• Detailed Workplans

PROJECT PLANNING
• Attack HIPAA as a major project
• Develop a comprehensive project plan
  • Microsoft Project
  • NIKU
  • Others
• Involve all major players in the planning process: don't plan in a vacuum

HIPAA WORKPLAN
• Phase
  • Based on the Compliance Model
• Activity
  • High-level activity to be planned
• Task
  • Primary tasks to be accomplished
  • Subtasks associated with primary tasks
• Work Products/Deliverables
• Anticipated and Actual Start/Finish
• Resources
REMEDIATING THE ORGANIZATION
Let's Go Fixing
Key Considerations
• Enterprise Strategies
• Thorough Testing
• Mandated Deadlines
Process and Tools
• Testing Strategies
• Privacy-Related Business Templates
• Enterprise Privacy & Security Policies/Procedures
• Privacy & Security Related Policy/Procedure Templates
VALIDATING COMPLIANCE
How Do We Know We're Compliant?
Key Considerations
• Self-Certification Techniques
• Certification of EDI Transactions
• Security Certification
Process and Tools
• Self-Certification Techniques
• 3rd Party Certifications
• Quality Assurance Reviews

MAINTAINING COMPLIANCE
How Do We Stay Compliant?
Key Considerations
• Ongoing Training
• Educating Future New DHHS Employees
• Will Need Ongoing Auditing & Certification Practices
• Change Management
Process and Tools
• Security/Privacy Maintenance Plans
• Enterprise Training Plans
• Templates

QUESTIONS?