H.I.P.A.A. Compliance.com
HIPAA Assessment and Analysis workflow:
1. Identify a senior executive sponsor for
the organization's overall HIPAA compliance program who acts as
chief supporter, executive liaison, and "path smoother."
2. Designate a HIPAA compliance project leader -- who should be
trained in HIPAA and its practical implications, and have project
management capabilities.
3. Assemble a HIPAA assessment team.
- Likely candidates in a hospital organization: staff from
Medical Records, Risk Management, IT, Business Office, Clinical
and Ancillary departments, Facilities, Legal, Compliance, Human
Resources, Research, Nursing Informatics
- In smaller organizations and practices, include office manager,
nurse or other clinical staff, and IT support
(internal or external)
4. Establish team structure, reporting relationships, meeting and
report schedules.
5. Prepare an enterprise-wide Risk Assessment plan.
- Break down the work and individual tasks
- Estimate level and duration of effort
- Calculate resource requirements
- Assign responsibilities
- Develop timeline
- Determine deliverables
- Finalize budget
6. Develop baseline inventory of policies, procedures, practices,
systems and forms.
- Determine if/how your Y2K inventory can be applied
- Contact vendors, clearinghouses, payers regarding HIPAA plans
- Identify "business associates" and review contracts
- Identify "organized health care arrangements" you
may have
- Interview key staff to confirm or expand upon findings
7. Review 3rd party transactions and EDI relationships including:
- Identifying all transactions utilizing EDI
- Identifying all EDI standards currently in use
- Understanding how and which systems capture and exchange PHI
- Documentation of information systems applications
- Potential 3rd party "partners" and their levels
of compliance
- Details of partner agreements
- Code sets in use, including local codes
- Opportunities for process streamlining through EDI
- Understanding where and how identifiers are used
8. Conduct technical, physical and administrative security review.
- Overall architecture, including internal and external networks,
and potential issues
- Use of virus detection software, firewalls, other mechanisms
- Applications and operating system security features
- Communications security: email, FAX usage, encryption, electronic
signatures, Internet connections, etc.
- Access points to networks and systems - internal and external
- Data flow through systems and applications
- Back-up systems and procedures
- Websites and Intranets
- User security practices such as logon/logoff, passwords, etc.
- Support of users - clinical, internal, and external
- Workstation locations, policies and practices
- Contingency and disaster planning
- Physical security: locks, badges, pass codes, etc.
- Incident reporting and follow-up
9. Review policies, procedures, processes and practices relating
to privacy, and uses and disclosures of PHI.
- Review business processes, clinical workflow, data flow -
giving special attention to use and transmission of PHI
- Review organization's consents/authorizations procedures
- Understand all major sources of patient information
- Understand who receives or has access to PHI, including for
administrative, financial, research, marketing, and fundraising
- Understand what "minimum necessary" provisions and
practices currently exist, and on what basis (role-based, name-based,
etc.)
- Determine what mechanisms exist for accounting of disclosures,
requests of restrictions of PHI, and review/amendment of records
- Review contracts with and HIPAA plans of business associates
- Contact vendors, clearinghouses, payers and other partners
who use or have access to PHI to understand their HIPAA plans
- Assess vulnerabilities that expose patient health information
- Review state privacy laws
- Review privacy training and enforcement practices
10. Identify gaps between your organization's current policies,
procedures, systems and applications in all facilities, relative
to HIPAA requirements.
- Using the inventory, assess and document compliance levels,
gaps and vulnerabilities against HIPAA requirements and more
stringent state provisions
- Determine areas requiring de-identification of PHI and related
processes
11. Perform a security risk analysis.
- Use methodology that is comprehensive but understandable
and scalable, to facilitate risk mitigation
- Include key managers in final analysis
- Identify and evaluate risks in terms of
- value of assets,
- degree of exposure,
- likely consequences of incidents (including costs, additional
staff hours, loss of life, reputation or public trust, etc.),
- probability / frequency of threat occurring,
- costs of alternative remediation measures, and
- organization's strategic objectives.
- Rank priorities by comparing assets, vulnerabilities, threats
and business goals
- Risk mitigation is not tied to a prescribed set of measures; select
controls based on the results of this analysis
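A small, added illustration of the step 11 rubric (not part of the original workflow or Phoenix Health Systems' material): each risk is scored on the factors listed above and ranked two ways, by raw score and by score per remediation dollar. The 1-5 ordinal scales, the cost figures and the sample risk register are all constructed for the example.

```python
"""Risk ranking for step 11 of the HIPAA assessment workflow (added example).

Scores each risk with the factors the workflow lists: asset value, degree of
exposure, likely consequence, probability of occurrence and cost of remediation.
The 1-5 scales and the register below are constructed, not taken from the page.
"""
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    asset_value: int         # value of the asset holding PHI (1 = low, 5 = high)
    exposure: int            # degree of exposure, e.g. Internet-facing (1-5)
    consequence: int         # likely consequence of an incident (1-5)
    probability: int         # probability / frequency of the threat (1-5)
    remediation_cost: float  # estimated cost of the proposed fix (USD)


def risk_score(r: Risk) -> int:
    """Impact (asset value x consequence) weighted by likelihood (exposure x probability)."""
    return r.asset_value * r.consequence * r.exposure * r.probability


def cost_effectiveness(r: Risk) -> float:
    """Risk score reduced per remediation dollar; higher means fix first."""
    return risk_score(r) / max(r.remediation_cost, 1.0)


def rank_by_score(risks):
    """Highest raw risk first: what hurts most if it happens."""
    return sorted(risks, key=risk_score, reverse=True)


def rank_by_cost_effectiveness(risks):
    """Most risk reduction per dollar first: where a limited budget goes furthest."""
    return sorted(risks, key=cost_effectiveness, reverse=True)


# Constructed sample register for a small practice.
REGISTER = [
    Risk("Unencrypted laptops carrying PHI", 5, 4, 5, 4, 8000),
    Risk("Shared logins on billing system", 4, 2, 4, 5, 1500),
    Risk("Untested backup restore", 5, 1, 5, 2, 3000),
    Risk("Fax cover sheets missing confidentiality notice", 2, 3, 2, 3, 200),
]

if __name__ == "__main__":
    for r in rank_by_cost_effectiveness(REGISTER):
        print(f"{cost_effectiveness(r):6.3f} per $  score={risk_score(r):4d}  {r.name}")
```

Note that the two orderings differ: the laptop risk has the highest raw score, while the cheap fax fix ranks first per dollar, which is exactly the trade-off the workflow asks key managers to weigh.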
12. Perform impact analysis for minimum necessary access, uses
and disclosures, considering:
- Nature of disclosed information and importance to job functions
and external relationships
- Where information can be de-identified without interfering
with needed functions
- Costs and technologies for limiting information disclosure
and de-identifying PHI
13. Prepare final impact report, specifying details such as:
- Non-compliance
- Observed and potential risks
- Disparities between procedure, practice and/or culture, and
HIPAA requirements
- Availability of archived PHI
- Impact of potential HIPAA-related changes on secondary uses
of PHI (clinical systems, support applications, etc.)
- Opportunities for operational streamlining and cost savings
- Analysis of security risk management priorities/strategies
- Applicability of HIPAA provisions for hybrid and affiliated
covered entities
- Alternative HIPAA solutions, including beneficial EDI advances,
and their costs
- Available resources
- Opportunities for HIPAA-related changes that will facilitate
e-health goals
- Recommended HIPAA-related remediation and strategic measures
from: Phoenix Health Systems / 9200 Wightman Rd, Suite 400 / Montgomery Village, MD 20886 Telephone: 800 649-5225 / info@phoenixhealth.com