4. How we began: An Overview
Established HIPAA Program Office
Understanding the HIPAA privacy regulations and identifying the key points
Creating teams
Developing team assignments and timelines
Creating deliverables (e.g. policies, forms)
Multiple revisions to deliverables
Leadership approval
Procedures developed at each entity
Implementation at the entity level
Audit and evaluation
5. Creating teams
HIPAA Privacy – 10 Work groups
HIPAA EDI – Advisory Group
– Application subgroups with a team leader for each application
– Work driven by entity work team
HIPAA Security – Advisory Group
– Application/system – Focus team
– Survey development at the system level
– Development of risk assessment tool
6. HIPAA PRIVACY WORK GROUPS
See Title 45 of the Code of Federal Regulations (45 CFR Parts 160 & 164)
Business Associate Contracts – 164.502(e)/164.504(e)
Consents and Authorizations; uses and disclosures for which an authorization or opportunity to agree or object is not required – 164.506, 164.508, 164.510, 164.512
Minimum Necessary Requirements for Disclosures of Protected Health Information – 164.514(d)
Marketing and Fundraising – 164.508, 164.514(f)
Notice of Privacy Practices, Rights to Request Privacy Protection for Protected Health Information – 164.520, 164.522
Access of Individual to Protected Health Information, Amendment of Protected Health Information – 164.524, 164.526
Accounting of Disclosures of Protected Health Information – 164.528
Employee Training – 164.530(b)
Complaints to the Covered Entity – 164.530(d)
Research
7. Developing team assignments and timelines
Corporate sponsors assigned
Group leader established for each team
Team members volunteered and/or assigned based on expertise
Timelines established to meet overall project timeline
Minutes maintained and utilized as an ever-growing work plan
Work plans established for each team with assignments and due dates
8. Understanding the HIPAA privacy regulations and identifying the key points
Thorough review of the regulations
Divided into topic areas
Team formed for each topic area
Identified leadership for each team
Meetings held on a regular basis
Membership composed of experts from across the health system
To do list and work plan developed for each team
9. HIPAA Project Management Time Line for Privacy Regulations
[Timeline figure, Jan '02 to April '03, in four phases: Phase I Risk Assessment/Gap Analysis; Phase II Policy Development; Phase III Implementation at entity level; Phase IV Program evaluation. Milestones shown: Program Office opens; Develop master work plan; Work group To Do lists completed; HIPAA information available on Infonet; Shared drive operational; Policies in draft format; Policy approval process; Finalize policies and develop implementation materials and guidelines; Final policies and implementation guidelines; Education for new residents; Employee training begins; Entity implementation; Training; Program audit and evaluation; Compliance.]
10. Identifying Risk
An individual has the right to privacy and confidentiality
Protect health information from unauthorized access
Monitor release of information
Consent for Treatment/Payment/Health Care Operations
Authorizations
Employees should only access information they need to perform their job (role based access)
Identifying Business Associates
Addressing Complaints - per new policy established
Physical Security - as related to the physical environment
11. Creating Deliverables (e.g. policies, forms)
Teams identified deliverables by interpretation of the regulations
Draft policies, forms and miscellaneous documents created/reviewed/revised
Documents sent to leadership for approval
Documents placed in approved format and made available on intranet
13. Names of Policies & Forms
Policy: Accounting of Disclosures of Protected Health Information
Form: Patient request for accounting of disclosure of protected health information
Policy: Complaint Management Process Pursuant to the HIPAA Privacy Rules
Form: None
Policy: Consent for Use and Disclosure of Information for Treatment/Payment/Health
Care Operations
Form: Consent to Medical Care
Policy: HIPAA Training Related to Protected Health Information
Form: None
Policy: Use of Protected Health Information for Fundraising
Form: Fundraising Opt-out form
14. Names of Policies & Forms
Policy: Guidelines for Purchasing (Business Associate Policy)
Form: Health insurance portability and accountability (Letter)
Form: Health insurance portability and accountability web site terms and conditions
Policy: Patient Access to Protected Health Information
Form: Request for access to protected health information
Form: Medical record charges for non-patient care requests
Form: Reviewable denial to access PHI
Form: Unreviewable denial to access PHI
Policy: Use of Protected Health Information for Marketing
Form: Marketing Authorization For Release of PHI
Policy: Minimum Necessary Standards for the Use and Disclosure of Protected Health
Information
Form: None
Policy: Health Insurance Portability & Accountability Act of 1996
Form: None
Policy: Information Restriction on Patient/Resident Information (Information Block)
Form: None
15. Names of Policies & Forms
Policy: Notice of Privacy Practices for Protected Health Information Pursuant to the
HIPAA Privacy Rules
Form: HIPAA notice of privacy practices
Policy: Use and Disclosure of Protected Health Information for Research Purposes Pursuant to
the HIPAA Privacy Rules
Form: Authorization to permit the use and/or disclosure of identifiable health information.
Form: Honest Broker Letters
Data Use Agreement
Reviews Preparatory to PHI Usage Agreement
Policy: Release of Protected Health Information
Form: Authorization for release of protected health information
Policy: Patient Amendment to Protected Health Information
Form: Request to correct/amend protected health information
Form: Amendment denial letter
17. Procedures developed at each entity
Implementation sessions scheduled for each entity within the system
Managers and Privacy Officers were provided education
Implementation binders developed and distributed to each Privacy Officer
Information kept current on share drive
19. What should you do next at your entity?
Prepare for the introduction of new policies, forms and other documentation (i.e., these replace the old ones)
Prepare for training blitz beginning in September 2002.
Conduct “walk-throughs” identifying issues related to physical security requirements.
Discuss IT needs with CIO and IT staff.
Begin status reporting to HIPAA Program Office.
20. Implementation at the entity level
Procedures developed to implement key areas identified by system policies
Flexibility allowed per entity based upon resources available & operations
Procedures sent to HIPAA Program Office for system file
22. Education
Purchased authoring tool
Engaged internal experts across system to write material for modules
Elicited support from University
Used educational material and modified it for University and health plan needs
Significant cost avoidance realized
24. Viruses
Security Related Policies
Security Violations/Incident Reporting
Technical Assistance
Printing & Confidentiality
Proper Computer Use
Internet Use
Passwords
Use of Email
Information Security Awareness
Brochure for computer users
25. Process Monitoring
Need for constant reevaluation and monitoring of overall project status.
• Held periodic forums for Privacy Officers
• Frequent communications
• Development of a share drive
• Modification of timeline
• Answering questions and development of FAQs
• Development of a “HIPAA Ask Me” mailbox
26. HIPAA Project Management Time Line for Privacy Regulations (Modified)
[Timeline figure, Jan '02 to April '03 (periods: Jan '02; Feb-Mar; April-Aug; Sept-Dec; Jan '03-Feb; March; April '03). Phases: Phase I Risk Assessment/Gap Analysis; Phase II Policy Development; Phase III Implementation at entity level; Phase IV (Modified) Extended education and procedure development, program evaluation; Phase IV HIPAA Privacy full implementation, March 3, 2003; Phase V HIPAA Privacy Compliance, April 14, 2003. Milestones shown: Program Office opens; Create master work plan; Work group To Do lists completed; HIPAA information available on Infonet; Shared drive operational; Policies in draft format; Finalize policies; Development of entity specific procedures; Basic Education Program (2/14/03); Procedures development (2/14/03); Education and Training; Audit & evaluation data collection; Audit & evaluation; Compliant with government deadline and ongoing auditing and monitoring.]
27. Entity Scorecard Key
Key:
Purple NO REPORT SUBMITTED
Red No progress has been made or past due date
Yellow In progress
Green Completed
Orange Entity has not responded for current report period (12/20/02)
28. Entity Scorecard
Category            | Task                   | %    | %    | %
Implementation      | Team formed            | 0%   | 100% | 0%
Implementation      | HIPAA Presentation     | 0%   | 100% | 45%
Implementation      | Develop Procedures     | 0%   | 0%   | 90%
Implementation      | Send copy of new       | 0%   | 0%   | 0%
Education/Training  | General Education      | 0%   | 100% | 30%
Education/Training  | Total Number of        | 0%   | 0%   | 0%
Education/Training  | Level 2 education      | 0%   | n/a  | n/a
Education/Training  | Physician education    | 0%   | n/a  | n/a
Education/Training  | Track and compile      | 0%   | 100% | 30%
Education/Training  | Report data to         | 0%   | 100% | 0%
Physical Security   | Conduct walk-throughs  | 0%   | 0%   | 60%
Physical Security   | Identify risks         | 0%   | 50%  | 30%
Physical Security   | Implement solutions    | 0%   | 0%   | 15%
Work with IT        | Print consent forms    | 0%   | 0%   | 0%
Work with IT        | Develop role based     | 0%   | 0%   | 0%
Work with IT        | Confirm ability to     | 0%   | n/a  | 0%
Forms               | Order new forms        | 0%   | 0%   | 0%
Forms               | Replace old forms      | 0%   | 0%   | 0%
Forms               | Order registration     | 0%   | n/a  | 0%
Post Notice of      | All locations          | 0%   | 0%   | 0%
Implement HIPAA     | All Departments        | 0%   | 0%   | 0%
32. Auditing and Monitoring
Established system “Go Live date” prior to government compliance date
Engaged Internal Audit Department to perform readiness surveys five weeks prior to compliance deadline
Will review data collected to address and refine system activity