health insurance portability and accountability act
DESCRIPTION
West Virginia State Government HIPAA Assessment. Health Insurance Portability and Accountability Act. Additional information can be found on the HIPAA Website at http:/www.wvdhhr.org/hipaa. Sallie Hunt HIPAA Sr. Legal Counsel. WEST VIRGINIA STATE GOVERNMENT - PowerPoint PPT PresentationTRANSCRIPT
Health Insurance Portability and Accountability Act
Additional information can be found on the HIPAA Website at http:/www.wvdhhr.org/hipaa
Sallie Hunt
HIPAA Sr. Legal Counsel
West Virginia
State Government
HIPAA Assessment
WEST VIRGINIA STATE GOVERNMENT
HIPAA PROJECT MANAGEMENT OFFICE
West Virginia State Government HIPAA Assessment Project Charter
HIPAA Overview:
Purpose of HIPAA Title II - Improved efficiency in healthcare delivery by standardizing electronic data interchange (EDI) and mandating the protection of patient confidentiality (privacy) and the security of health data through the setting and enforcing of standards.
Who is affected? –Healthcare providers who transmit administrative or financial transactions electronically that contain health information, health plans and clearing houses.
Sanctions - Sanctions for non-compliance with HIPAA can be both civil and criminal. Fines range from $100 per violation up to $25,000 for multiple violations of the same standard in a calendar year. Additionally, there are fines up to $250,000 and/or imprisonment for up to 10 years for intentional misuse of individually identifiable health information.
WEST VIRGINIA STATE GOVERNMENT
HIPAA PROJECT MANAGEMENT OFFICE
West Virginia State Government HIPAA Assessment Project Charter
Project Overview:
Background – Governor Wise appointed Sonia Chambers, Chair West Virginia Health Care Authority with Oversight and Coordination.
The HIPAA Executive Committee (HEC) was created to assist WV State Government Executive Branch entities in determining:
• If they are covered under HIPAA and subject to its rule
• Current State Compliance status with a Gap Analysis
• HIPAA-specific tools and training
• Strategies for compliance implementation
• Remediation Action Plans with costs and timelines
• Compliance implementation projects
WEST VIRGINIA STATE GOVERNMENT
HIPAA PROJECT MANAGEMENT OFFICE
West Virginia State Government HIPAA Assessment Project Charter
Problem Statement:
• WV State Government Executive Branch business systems, processes, and policies may not be compliant
• Limited resources create an assessment challenge
• Timelines for compliance are tight:
• October 15, 2002 – Transactions and Code Sets Plan
• April 14, 2003 – Privacy Compliance Deadline
• October 16, 2003 – Transactions and Code Sets Deadline
• Security Mandates TBD
WEST VIRGINIA STATE GOVERNMENT
HIPAA PROJECT MANAGEMENT OFFICE
West Virginia State Government HIPAA Assessment Project Charter
Project Goals and Objectives:
• Evaluate HIPAA impacts on WV State Government Executive Branch agencies
• Determine systems, procedures, policies, and contract language requiring change to accomplish compliance
• Phase I – Produce Assessment Findings & Remediations Report w/ recommendations, timelines, costs, etc.
• Develop Phase II – Implementation Plan / Project Charter
WEST VIRGINIA STATE GOVERNMENT
HIPAA PROJECT MANAGEMENT OFFICE
West Virginia State Government HIPAA Assessment Project Charter
Project Scope:
Bob Wise, Governor Governor’s Office (FYI purposes only)Gregory A. Burton, Commissioner Department of AdministrationAlisa L. Bailey, Commissioner Bureau of CommerceKay Goodwin, Cabinet Secretary Department of Education and the ArtsRobert J. Smith, Commissioner Bureau of Employment ProgramsMichael Callaghan, Cabinet Secretary Department of Environmental ProtectionPaul L. Nusbaum, Cabinet Secretary Dept. of Health and Human ResourcesSonia D. Chambers, Chair WV Health Care AuthorityJoe Martin, Cabinet Secretary Dept. of Military Affairs & Public SafetyAnn M. Stottlemyer, Commissioner Bureau of Senior ServicesBrian M. Kastick, Cabinet Secretary Department of Tax and RevenueFred VanKirk, P.E., Cabinet Secretary Department of Transportation Although boards, commissions, and institutions of higher education are not included within the scope, assistance and access to project tools, products, and information will be provided per project resource availability. Additionally, via Education and Outreach, tools, products, lessons learned, best practices, etc. will also be shared with those outside the WV project.
WEST VIRGINIA STATE GOVERNMENT
HIPAA PROJECT MANAGEMENT OFFICE
West Virginia State Government HIPAA Assessment Project Charter
Critical Success Factors:
• Active and visible Executive-level endorsement
• Identified and manageable project scope
• Stable and timely project resources
• Strong project management and a PMO to:
•Serve as a central point of HIPAA and project contact
• Develop and maintain project structure
• Provide project leadership and coordinate / leverage resources
• Facilitate sharing of best-practices
• Monitor deliverables and approve project work products
• Maintain project plans, status reports, documentation, and audit trail
• Represent the project team
WEST VIRGINIA STATE GOVERNMENT
HIPAA PROJECT MANAGEMENT OFFICE
West Virginia State Government HIPAA Assessment Project Charter
Assumptions:
• Project scope will remain consistent
• Systems outside the control of WV State Government will not be addressed
• The PMO is the central point of HIPAA project contact
HIPAA Project PlanTask Name Duration Start Finish % Complete
ADMINISTRATIVE PHASE : 356 days? 08/09/01 12/19/02 99% (DELIVERABLE I: ESTABLISH PMO)PMO Structure and Resources 356 days? 08/09/01 12/19/02 98% Pre-project GOT Research 145 days 08/09/01 02/27/02 100% Establish Executive Sponsorship 1 day 02/27/02 02/27/02 100% Define Project Scope 117 days 03/07/02 08/16/02 100% Designate Project Manager (PM) 1 day 03/14/02 03/14/02 100% Establish HIPAA Executive Committee (HEC) 1 day 03/21/02 03/21/02 100%HEC Meetings 186 days 04/04/02 12/19/02 71% Define HEC Charter 5 days 08/26/02 08/30/02 100%Identity Additional Resources (Teams) 115 days 03/21/02 08/28/02 100% Legal Team 50 days 03/21/02 05/29/02 100% IT Team 105 days 04/04/02 08/28/02 100%
HIPAA Project Plan
Task Name Duration Start Finish % CompleteDefine Phase I Roles & Responsibilities 107 days 04/04/02 08/30/02 100%Draft Project Charter 9 days 07/22/02 08/01/02 100%Establish Physical PMO 7 days 08/15/02 08/26/02 100%Hire PMO Admin Asst 15 days? 08/19/02 09/06/02 100%Project Tools, Processes and Reports 128 days 04/04/02 09/30/02 100%
Develop PMO Workbook 32 days 08/19/02 10/01/02 100%
Deliverable Approvals 46 days 08/01/02 10/03/02 100% Project Charter 5 days 08/01/02 08/07/02 100% Project Plan 1 day 10/03/02 10/03/02 100% PMO Workbook 1 day 10/03/02 10/03/02 100%Deliverable 1: Establish PMO - Completed 0 days 10/03/02 10/03/02 100%
WEST VIRGINIA STATE GOVERNMENT
HIPAA PROJECT MANAGEMENT OFFICE
Milestones Planned Completion Date Revised Date ActualGovernor Appointed HIPAA Sponsor 02/27/02 02/17/02Definition of Project Scope 03/07/02 08/16/02HIPAA Executive Committee (HEC) Formed 03/21/02 03/21/02Technical Advisory Groups Initiated 04/04/02 04/04/02Project Charter Approved 04/04/02 08/07/02Project Plan Developed 04/11/02 08/13/02Covered Entity Assessment Survey Distributed 07/31/02 08/19/02Covered Entity Status Report 09/06/02 09/30/02TCS Impact Determination Questionnaire Distributed 09/09/02 09/09/02*WV Pre-emption Analysis Report 09/20/02 10/04/02TCS Gap Analysis Report 09/30/02 10/15/02Privacy Impact Determination Questionnaire Distributed 10/11/02Security Impact Determination Questionnaire Distributed 10/11/02TCS Extension Plan(s) Due 10/15/02Privacy Gap Analysis Report 10/31/02Security Gap Analysis Report 10/31/02Privacy Remediation Recommendations 11/15/02Security Remediation Recommendations 11/15/02Phase II Implementation Plans 12/02/02Training On-goingProject Management Office On-goingPrivacy Implementation Deadline 4/14/2003TCS Testing to Begin Deadline 4/16/2003
* On-going - distributed as CE surveys received
WEST VIRGINIA STATE GOVERNMENT
HIPAA PROJECT MANAGEMENT OFFICE
West Virginia State Government HIPAA Assessment Project Charter
Project Organizational Chart:
N on-H IP A A S tate &F ederal Laws
S ecurity
T C S
P rivacy
C overage and S urvey Instrum en ts
S allie H untH E C
S r. Legal C ounselP rivacy T eam Leader
T C S T A G
S ecurity IT
P rivacy IT
P O C / P ro ject IT S upport
John W agnerH E C
H IP A A IT T eam Lead
P ro ject M anagem entO ffice A ssis tant
T racy C hristo feroH E CP M O
P ro ject M anager
F inance
O ffice o f O perations
O ffice o f In spector G eneral
M anagem en t In form ation S erv ices
B ureau fo r M ed ical Serv ices
B ureau fo r C h ild ren and Fam ilies
B ehav io ral H ealth & H ealth F acilities
John B ianconeH E C
D H H R H IP A A C oord inator
M arsha D ad ism anH E C
E ducation and O utreachT eam Lead
S onia C ham bersC hair, W V H C AH IP A A S ponsor
H IP A A E xecu tive C om m ittee (H E C )
Legal Team
• Coverage and Survey Instruments
• Privacy
• TCS
• Security
• Non-HIPAA State and Federal Laws
WEST VIRGINIA STATE GOVERNMENTHIPAA PROJECT MANAGEMENT OFFICE
Legal Team Process
• Attorneys from probable covered entities identified and asked to participate on team
• Kick-off meeting held in May 2002
• Attorneys asked to step forward as team leaders and others to participate on teams
• Full team meetings to receive status reports with real work occurring in sub-teams
WEST VIRGINIA STATE GOVERNMENTHIPAA PROJECT MANAGEMENT OFFICE
Legal Team Process
• At the kickoff meeting in May, everyone was given a team charter which outlined the deliverables for each sub-team
• Each team leader prepared a weekly report of status and obstacles and remitted it to the Legal Team Leader by Tuesday of each week
• On Wednesday of each week, a full team report was issued, along with a log of issues
• Reports were distributed by e-mail and posted to the web
WEST VIRGINIA STATE GOVERNMENTHIPAA PROJECT MANAGEMENT OFFICE
Coverage and Survey Instruments Team
• Developed Covered Entity Assessment Survey• Reviewed other states’ tools – used NC’s as the
basis for the model• Found a balance between developing a
comprehensive tool and a concise tool• Important to find examples of inclusions and
exclusions for the non-HIPAA literate respondent
WEST VIRGINIA STATE GOVERNMENTHIPAA PROJECT MANAGEMENT OFFICE
Coverage and Survey Instruments Team
• Challenge to decide at what level to distribute the survey
• Decision made to send the survey to the cabinet secretary of all executive branch agencies
• Recognized that each agency is organized differently
• Different structures require different distribution decisions, which could only be made by the agency itself
WEST VIRGINIA STATE GOVERNMENTHIPAA PROJECT MANAGEMENT OFFICE
Privacy Team
• Reviewed and revised NCHICA’s HIPAA EarlyView Privacy Assessment Tool
• Reviewed and revised questions, clarifications, best practices and glossary
• Reviewed and revised tool a second time, taking into consideration the August 14, 2002 Privacy modifications
• Recognition that identified gaps will be at a very high level
WEST VIRGINIA STATE GOVERNMENTHIPAA PROJECT MANAGEMENT OFFICE
Security Team
• Even though Security regs are still proposed, implementation is necessary to support Privacy
• Reviewed and revised NCHICA’s HIPAA EarlyView Security Assessment Tool
• Reviewed and revised 500+ questions and glossary
• Attorneys felt outside their comfort zone – felt it was an IT issue
WEST VIRGINIA STATE GOVERNMENTHIPAA PROJECT MANAGEMENT OFFICE
Transactions and Code Sets Team
• Developed the Transactions and Code Sets Assessment Tool
• Used North Carolina’s tool as the basis
• Reviewed the questions against the regulations
• Difficult to interest attorneys in this team
• Small team, yet met deliverables
WEST VIRGINIA STATE GOVERNMENTHIPAA PROJECT MANAGEMENT OFFICE
Non-HIPAA State and Federal Laws Team
• Performed state law preemption analysis • Developed a paradigm to be applied with regard to
the relationship between HIPAA and other federal laws, such as the Privacy Act, FOIA, FERPA, etc.
• Reviewed the Privacy Assessment tool and revised it to reflect the preemption analysis
• Will serve as advisor to Privacy Team through implementation
WEST VIRGINIA STATE GOVERNMENTHIPAA PROJECT MANAGEMENT OFFICE
Covered Entity Status Report• Who are the covered entities within State
government?• Who are the providers, plans and
clearinghouses?• Who are the business associates, trading
partners and chain of trust partners?• Who are WV’s health oversight agencies?
WEST VIRGINIA STATE GOVERNMENTHIPAA PROJECT MANAGEMENT OFFICE
HIPAA’s Organizational Requirements
• OHCA• ACE• Hybrid entity
WEST VIRGINIA STATE GOVERNMENTHIPAA PROJECT MANAGEMENT OFFICE
Status of Executive Branch HIPAA Compliance
• Transactions and Code Sets
• Privacy
• Security
WEST VIRGINIA STATE GOVERNMENTHIPAA PROJECT MANAGEMENT OFFICE
Assessment Process for Transactions and Code Sets, Privacy and Security
• Once CE survey was turned into PMO, HEC members met with each agency HIPAA coordinator and gave them TCS survey and trained them on its application and next steps
• TCS survey was returned to PMO and input into database
• Analysis at component, overall agency and state levels
• Same process for Privacy and Security
WEST VIRGINIA STATE GOVERNMENTHIPAA PROJECT MANAGEMENT OFFICE
TCS Model Compliance Plans
• Compliance Plan Requirements
- Awareness
- Operational Assessment
- Development and Testing
• Plans filed by WV State Agencies
WEST VIRGINIA STATE GOVERNMENTHIPAA PROJECT MANAGEMENT OFFICE
Privacy Team
• Agency HIPAA Coordinators identified team members from their agencies – attorneys, policy writers, IT, training staff, etc.
• Teams formed to:– Review gaps and make enterprise-wide recommendations
resulting from assessment– Develop policies and procedures– Develop Business Associate Agreements– Serve as a resource to other teams regarding preemption
and other federal laws– Training
WEST VIRGINIA STATE GOVERNMENTHIPAA PROJECT MANAGEMENT OFFICE
WEST VIRGINIA STATE GOVERNMENTHIPAA PROJECT MANAGEMENT OFFICE
TBD
Security Team
Implementation Design• Privacy, Security and Transactions and
Code Sets Teams
• Multi-disciplinary teams
• Goal is to seek enterprise-wide solutions to promote efficiencies and economies of scale, while enabling each agency’s HIPAA compliance
WEST VIRGINIA STATE GOVERNMENTHIPAA PROJECT MANAGEMENT OFFICE
Policies and Procedures
• Policy templates were identified and purchased• Training modules for the policy writers were created
for each area of the regulations, and an accompanying schedule was outlined for policy development to ensure that the April 2003 compliance deadline will be met
• Policy and procedure development, and training will occur simultaneously
• Agencies will document their policy development, implementation and training and will submit the documentation to the HEC
WEST VIRGINIA STATE GOVERNMENTHIPAA PROJECT MANAGEMENT OFFICE
Business Associate Agreements
• Master Business Associate Agreements will be developed
• All contracts requiring BAAs will be identified and amended
• Processes for ensuring that all future contracts are screened for BAAs, and where needed, are executed
WEST VIRGINIA STATE GOVERNMENTHIPAA PROJECT MANAGEMENT OFFICE
WEST VIRGINIA STATE GOVERNMENTHIPAA PROJECT MANAGEMENT OFFICE
http:/www.wvdhhr.org/hipaa