SECURITY REGULATION STATUS


PLANNING FOR HIPAA COMPLIANCE
Presentation for NCHIMA Mid-Year Workshop
November 2, 2001
Presented By: Sarah Brooks, MPA, RHIA
NC DHHS - HIPAA PMO
HIPAA IMPACT ON DHHS

The following DHHS agencies will be directly
impacted by HIPAA
– Public Health (State Lab, 13 state operated Developmental
Evaluation Clinics, 86 Local Public Health Departments)
– Mental Health/Developmental Disabilities/Substance Abuse
Services (13 Institutions, 38 Area Programs)
– Medical Assistance (Medicaid program)
– Office of Education (Governor Morehead School, Schools for
Deaf)
– Vocational Rehabilitation
– Social Services (100 County DSS offices)
DHHS REACTION

Centralized Management Response
– Establishment of Program Management
Office (PMO)

Assess and Implement Changes
– Business Operations
– Impacted Information Systems
Develop Enterprise-wide Policies, Procedures
and Training

STATEWIDE INITIATIVE

DHHS HIPAA PMO assigned responsibility for assessing ALL state agencies
Senate Bill 1005 - passed - $15 million
Directed by the Office of State Budget, Planning and Management (OSBPM), Secretary of DHHS, State CIO
– Identify and Document HIPAA Requirements
– Perform Statewide Preliminary Assessments
– Determine Covered Entities
– Establish Timelines and Budgets
– Develop HIPAA Strategic Plan for State and report to General Assembly (Next Steps for Going Forward)
HOW DO YOU TACKLE A MAJOR
INITIATIVE LIKE HIPAA?
PLANNING
PLANNING
PLANNING
MONITORING
MONITORING
MONITORING
HIPAA COMPLIANCE PROCESS
(Compliance model: six phases, each with its guiding question, key considerations, and process and tools)

Understanding HIPAA
• What is HIPAA?
• Why do HIPAA?
• What are the HIPAA requirements?
Key considerations
– Who needs what information?
– Develop SMEs on HIPAA
– Compliance plans needed
– Who is doing what?
Process and Tools
– HIPAA Web Site
– Awareness training
– Participation in external organizations
– Expansion Budget
– Strategic Plan

Baselining the Organization
• Where do we stand vs. these requirements? (i.e., what needs fixing?)
Key considerations
– Who’s covered?
– Which policies?
– Which procedures?
– Which tools and systems?
– Which people?
Process and Tools
– Master Plan
– Roles & Responsibilities
– BIFA
– EDI/TCI assessments
– Security/Privacy assessments

Planning Compliance Strategies
• How do we close the gaps?
Key considerations
– Enterprise vs. local fixes
– Risk and cost/benefit analysis
– $how me the money
Process and Tools
– Enterprise & Individual Compliance Strategies
– Technical infrastructure
– Change management process & procedures
– Roles & responsibilities
– Scope matrix
– Detailed Work-plans

Remediating the Organization
• Let’s go fixing
Key considerations
– Enterprise strategies
– Thorough testing
– Mandated deadlines
Process and Tools
– Testing Strategies
– Privacy related business templates
– Enterprise privacy & security policies/procedures
– Privacy & security related policy/procedure templates

Validating Compliance
• How do we know we’re compliant?
Key considerations
– Self-certification techniques
– Certification of EDI transactions
– Security certifications
Process and Tools
– Self-certification Techniques
– 3rd party certifications
– Quality assurance reviews

Maintaining Compliance
• How do we stay compliant?
Key considerations
– Ongoing training
– Educating future new DHHS employees
– Will need ongoing auditing & certification practices
Process and Tools
– Security/privacy maintenance plans
– Enterprise Training Plans
– Templates
– Change Management
UNDERSTANDING HIPAA
• What is HIPAA?
• Why do HIPAA?
• What are the HIPAA Requirements?

Key Considerations
– Who needs what information?
– Develop Subject Matter Experts (SMEs) on HIPAA
– Compliance plans needed
– Who is doing what?

Process and Tools
– HIPAA Web Site
– Awareness training
– Participation in external organizations
– Expansion Budget
– Strategic Plan
DHHS HIPAA WEBSITE

http://dirm.state.nc.us/hipaa/
– Attorney General Opinions
– Assessment Tools
– FAQs
– Calendar of Events
– Presentations
– Resources/Links
– Deliverables
PARTICIPATION IN EXTERNAL
ORGANIZATIONS

NC Healthcare Information and Communications
Alliance (NCHICA)
http://www.nchica.org/

Government Information Value Exchange for States
(GIVES)
http://www.hipaagives.org/

Southern HIPAA Administrative Regional Process
(SHARP)
http://www.sharpworkgroup.com/
STRATEGIC PLAN
I. MISSION
– The mission of this initiative is to bring DHHS
into compliance as required under the Health
Insurance Portability and Accountability Act
(HIPAA) with no material impact to operations
and services while exceeding the standard of
due care expected of health care agencies by
the citizens of North Carolina.
STRATEGIC PLAN
II. MAJOR GOALS
The major goals of the initiative are to:
– Comply with all HIPAA Administrative Simplification regulations by
the federally required compliance dates.
– Protect privacy and security of citizens’ personal health
information.
– Implement healthcare strategies to enhance efficiencies across
DHHS operations.
– Maintain uninterrupted provision of and/or payment for services
provided to citizens.
– Look for economies of scale and minimize redundancy of work
efforts.
STRATEGIC PLAN
III. GUIDING PRINCIPLES
The guiding principles of the initiative are:
– Quality service must be provided to clients without interruption.
– The initiative must be sponsored by a group of senior DHHS
managers with the authority to make decisions affecting DHHS
divisions and offices.
– Key stakeholders must be involved, as appropriate, in the
development, review and approval of enterprise solutions.
– The organizational structure must promote effective communication.
– The appropriate individuals should be identified and given the
authority and opportunity to effectively participate in and accomplish
the objectives of the initiative.
STRATEGIC PLAN
III. GUIDING PRINCIPLES
(cont.)
– A team structure will be emphasized for accomplishing
initiative objectives.
– Roles and responsibilities will be clearly defined and clearly
communicated.
– Standard quality assurance policies must be adhered to.
– Metrics by which the project and progress can be measured
must be defined.
– Automated tools will be used where possible.
– Use common services, policies, and procedures where
appropriate.
STRATEGIC PLAN
IV. EXTERNAL INFLUENCES ON THE INITIATIVE
Several factors, external to the DHHS, may impact the
initiative. These are as follows:
– The US DHHS is setting compliance dates; therefore, NC DHHS will
have no control over end dates for each phase of the project.
– Assessment and remediation must be planned and, in some cases,
performed before all HIPAA regulations have been published in the
Federal Register. This work will have to be performed without knowing
the potential impact of subsequently released regulations.
STRATEGIC PLAN
– Compliance with HIPAA regulations will require statewide electronic
data interchange and security technical infrastructure that does not
exist today. The Office of Information Technology Services (ITS) must
be involved throughout the process to ensure that this technical
infrastructure is appropriately planned, designed and deployed.
– The impact on DHHS business associates may result in their no longer
desiring to do business with DHHS. In this case, DHHS may be forced,
or may desire, to solicit new business associates that are less
experienced in regard to providing specialized services to NC citizens.
– The NC Senate and House will need to understand the importance of
HIPAA, its potential impact on NC and its benefits (including reduced
administrative burden, lower operating costs, and improved data
quality) to appropriate the funds necessary to comply with HIPAA
regulations.
STRATEGIC PLAN
V. OBJECTIVES
– Identify budgetary needs of all DHHS divisions and offices and acquire necessary state funding for the HIPAA initiative.
– Key Strategies
• Develop a tool that DHHS can use to identify HIPAA budgetary requirements.
• Provide a process of revising budget plans and communicating current budget estimates to DHHS management, the OSBPM and State Legislators.
STRATEGIC PLAN
– Measures of Success
• Acquire adequate funding to accomplish DHHS compliance efforts.
• Actual expenditures do not exceed planned expenditures.
– External Factors
• OSBPM and the State Legislature must support DHHS’ need for funding to comply with HIPAA requirements.
• The US DHHS needs to finalize HIPAA regulations based on its current planned release dates.
STRATEGIC PLAN
– Internal Factors
• The DHHS Office of the Secretary communicates budgetary requirements to State leadership.
• Divisions and offices must provide accurate budget estimates and revisions for individual division/office HIPAA efforts on a timely basis as requested by DHHS.
• All divisions and offices must work together to maximize enterprise solutions to reduce the overall cost of HIPAA implementation.
STRATEGIC PLAN
V. OBJECTIVES (cont)
– Plan and manage activities necessary to bring DHHS
into HIPAA compliance.
– Ensure that HIPAA requirements are consistently
communicated to appropriate internal and external
parties.
– Assess impact of HIPAA regulations on all divisions
and offices within DHHS.
STRATEGIC PLAN
V. OBJECTIVES (cont)
– Determine and plan appropriate implementation and
transition strategies.
– Implement HIPAA compliance plans.
– Monitor HIPAA compliance through audit, quality
assurance, and certification programs.
– Transition HIPAA regulations and solutions into
ongoing departmental operations.
STRATEGIC PLAN
VI. SCOPE OF EFFORT
It is anticipated that the centralized DHHS HIPAA Office
established to oversee the initiative would primarily be
responsible for state owned and operated divisions,
institutions, facilities and offices across the State of North
Carolina. In most cases, local entities such as the county
Departments of Social Services, Public Health Agencies, and
Area Mental Health Programs will be responsible for funding
and performing their own HIPAA efforts. The matrix below
reflects the extent to which DHHS will be responsible for
HIPAA related activities for DHHS and its state and locally
associated entities.
BASELINING THE ORGANIZATION
Where Do We Stand vs. These Requirements (i.e., What Needs Fixing)?

Key Considerations
– Who’s covered?
– Which policies?
– Which procedures?
– Which tools and systems?
– Which people?

Process and Tools
– Master Plan
– Roles & Responsibilities
– BIFA
– EDI/TCI assessments
– Security/Privacy assessments
MASTER PLAN
Type – Name
– Phase: Understanding HIPAA
– Activity: Regulation Review
– Task: Read & Understand Regulations & Related Documentation
– Milestone: Transactions, Codesets, & Identifiers Review Complete
– Milestone: Privacy Review Complete
– Milestone: Security Review Complete (not yet released)
– Milestone: Enforcement Review Complete (not yet released)
– Activity: Planning
– Task: Conduct Planning Activities
– Milestone: Strategic Plan
– Milestone: Compliance Strategy (Framework)
– Milestone: High level Roles & Responsibilities
– Milestone: PMO EDI Project Plan
– Milestone: PMO Privacy Project Plan
– Milestone: PMO Security Project Plan
– Milestone: Division Workplans
– Milestone: Department Master Plan
Start/End columns (dates as extracted; which row each date belongs to did not survive extraction):
9/4/00, 5/31/01, 9/30/01, 4/30/02, 9/30/03, 3/29/02, 5/31/01, 9/30/01, 4/30/02, 9/30/02, 9/4/00, 7/31/01, 7/31/01, 8/17/01, 8/31/01, 8/31/01, 8/31/01, 7/31/01, 8/31/01, 8/31/01, 7/31/01, 7/31/01, 8/17/01, 8/31/01, 8/31/01, 8/31/01, 7/31/01, 8/31/01
ROLES AND RESPONSIBILITIES
(Table columns: Primary Responsibility, Other Entities Involved, Notes; only the Primary Responsibility column is filled in for the rows shown)
EDI/TCI
– Develop PMO project plan for EDI/TCI: PMO EDI/TCI Team Lead
– Monitor PMO project plan for EDI/TCI: PMO Operations Manager
– Provide Weekly Status Reports: PMO EDI/TCI Team Lead
– Review Weekly Status Reports: PMO Operations Manager
– Provide consultation to other PMO teams: PMO EDI/TCI Team
ASSESSMENTS

Information Flow Assessment
– Assessment Tool
– Guidelines

Privacy Assessment
– NCHICA Early View Privacy

Security Assessment
– NCHICA Early View Security

EDI Assessment
– Initial and Comprehensive Assessments
GAP ANALYSIS AND RISK ASSESSMENT

Gap Analysis
– Gaps in current practice, policies, procedures, systems, etc. causing non-compliance

Risk Assessment
– Identifies project risks: a risk is an uncertain event that, if it occurs, has a positive or negative effect on the project’s objectives
– This is the project-management sense of risk; the security risk assessment of the systems that handle protected health information is covered by the Security Assessment above
PLANNING COMPLIANCE STRATEGIES
How Do We Close the Gaps?

Key Considerations
– Enterprise vs. Local Fixes
– Risk and Cost/Benefit Analysis
– $how Me the Money

Process and Tools
– Enterprise & Individual Compliance Strategies
– Technical Infrastructure
– Change Management Process & Procedures
– Roles & Responsibilities
– Scope Matrix
– Detailed Workplans
PROJECT PLANNING

Attack HIPAA as a major project

Develop a comprehensive project plan
– Microsoft Project
– NIKU
– Others

Involve all major players in the planning
process - don’t plan in a vacuum
HIPAA WORKPLAN

Phase
– Based on Compliance Model

Activity
– High level activity to be planned

Task
– Primary tasks to be accomplished
– Subtasks associated with primary tasks

Work Products/Deliverables
Anticipated and Actual Start/Finish
Resources
REMEDIATING THE ORGANIZATION
Let’s Go Fixing

Key Considerations
– Enterprise Strategies
– Thorough Testing
– Mandated Deadlines

Process and Tools
– Testing Strategies
– Privacy Related Business Templates
– Enterprise Privacy & Security Policies/Procedures
– Privacy & Security Related Policy/Procedure Templates
VALIDATING COMPLIANCE
How Do We Know We’re Compliant?

Key Considerations
– Self-Certification Techniques
– Certification of EDI Transactions
– Security Certification

Process and Tools
– Self-Certification Techniques
– 3rd Party Certifications
– Quality Assurance Reviews
MAINTAINING COMPLIANCE
How Do We Stay Compliant?

Key Considerations
– Ongoing Training
– Educating Future New DHHS Employees
– Will Need Ongoing Auditing & Certification Practices

Process and Tools
– Security/Privacy Maintenance Plans
– Enterprise Training Plans
– Templates
– Change Management
QUESTIONS?