Health Insurance Portability and Accountability Act


Upload: dympna

Post on 14-Jan-2016


Page 1: Health Insurance Portability and Accountability Act

Health Insurance Portability and Accountability Act

Additional information can be found on the HIPAA Website at http://www.wvdhhr.org/hipaa

Sallie Hunt

HIPAA Sr. Legal Counsel

West Virginia

State Government

HIPAA Assessment

Page 2: Health Insurance Portability and Accountability Act
Page 3: Health Insurance Portability and Accountability Act

WEST VIRGINIA STATE GOVERNMENT

HIPAA PROJECT MANAGEMENT OFFICE

West Virginia State Government HIPAA Assessment Project Charter

HIPAA Overview:

Purpose of HIPAA Title II - Improved efficiency in healthcare delivery by standardizing electronic data interchange (EDI) and mandating the protection of patient confidentiality (privacy) and the security of health data through the setting and enforcing of standards.

Who is affected? – Healthcare providers who electronically transmit administrative or financial transactions that contain health information, health plans, and clearinghouses.

Sanctions - Sanctions for non-compliance with HIPAA can be both civil and criminal. Fines range from $100 per violation up to $25,000 for multiple violations of the same standard in a calendar year. Additionally, there are fines up to $250,000 and/or imprisonment for up to 10 years for intentional misuse of individually identifiable health information.

Page 4: Health Insurance Portability and Accountability Act


Project Overview:

Background – Governor Wise appointed Sonia Chambers, Chair, West Virginia Health Care Authority, with Oversight and Coordination.

The HIPAA Executive Committee (HEC) was created to assist WV State Government Executive Branch entities in determining:

• If they are covered under HIPAA and subject to its rule

• Current State Compliance status with a Gap Analysis

• HIPAA-specific tools and training

• Strategies for compliance implementation

• Remediation Action Plans with costs and timelines

• Compliance implementation projects

Page 5: Health Insurance Portability and Accountability Act


Problem Statement:

• WV State Government Executive Branch business systems, processes, and policies may not be compliant

• Limited resources create an assessment challenge

• Timelines for compliance are tight:

- October 15, 2002 – Transactions and Code Sets Plan

- April 14, 2003 – Privacy Compliance Deadline

- October 16, 2003 – Transactions and Code Sets Deadline

- Security Mandates TBD

Page 6: Health Insurance Portability and Accountability Act


Project Goals and Objectives:

• Evaluate HIPAA impacts on WV State Government Executive Branch agencies

• Determine systems, procedures, policies, and contract language requiring change to accomplish compliance

• Phase I – Produce Assessment Findings & Remediations Report w/ recommendations, timelines, costs, etc.

• Develop Phase II – Implementation Plan / Project Charter

Page 7: Health Insurance Portability and Accountability Act


Project Scope:

• Bob Wise, Governor – Governor’s Office (FYI purposes only)

• Gregory A. Burton, Commissioner – Department of Administration

• Alisa L. Bailey, Commissioner – Bureau of Commerce

• Kay Goodwin, Cabinet Secretary – Department of Education and the Arts

• Robert J. Smith, Commissioner – Bureau of Employment Programs

• Michael Callaghan, Cabinet Secretary – Department of Environmental Protection

• Paul L. Nusbaum, Cabinet Secretary – Dept. of Health and Human Resources

• Sonia D. Chambers, Chair – WV Health Care Authority

• Joe Martin, Cabinet Secretary – Dept. of Military Affairs & Public Safety

• Ann M. Stottlemyer, Commissioner – Bureau of Senior Services

• Brian M. Kastick, Cabinet Secretary – Department of Tax and Revenue

• Fred VanKirk, P.E., Cabinet Secretary – Department of Transportation

Although boards, commissions, and institutions of higher education are not included within the scope, assistance and access to project tools, products, and information will be provided per project resource availability. Additionally, via Education and Outreach, tools, products, lessons learned, best practices, etc. will also be shared with those outside the WV project.

Page 8: Health Insurance Portability and Accountability Act


Critical Success Factors:

• Active and visible Executive-level endorsement

• Identified and manageable project scope

• Stable and timely project resources

• Strong project management and a PMO to:

- Serve as a central point of HIPAA and project contact

- Develop and maintain project structure

- Provide project leadership and coordinate / leverage resources

- Facilitate sharing of best-practices

- Monitor deliverables and approve project work products

- Maintain project plans, status reports, documentation, and audit trail

- Represent the project team

Page 9: Health Insurance Portability and Accountability Act


Assumptions:

• Project scope will remain consistent

• Systems outside the control of WV State Government will not be addressed

• The PMO is the central point of HIPAA project contact

Page 10: Health Insurance Portability and Accountability Act

HIPAA Project Plan

Task Name | Duration | Start | Finish | % Complete
ADMINISTRATIVE PHASE: (DELIVERABLE I: ESTABLISH PMO) | 356 days? | 08/09/01 | 12/19/02 | 99%
PMO Structure and Resources | 356 days? | 08/09/01 | 12/19/02 | 98%
Pre-project GOT Research | 145 days | 08/09/01 | 02/27/02 | 100%
Establish Executive Sponsorship | 1 day | 02/27/02 | 02/27/02 | 100%
Define Project Scope | 117 days | 03/07/02 | 08/16/02 | 100%
Designate Project Manager (PM) | 1 day | 03/14/02 | 03/14/02 | 100%
Establish HIPAA Executive Committee (HEC) | 1 day | 03/21/02 | 03/21/02 | 100%
HEC Meetings | 186 days | 04/04/02 | 12/19/02 | 71%
Define HEC Charter | 5 days | 08/26/02 | 08/30/02 | 100%
Identify Additional Resources (Teams) | 115 days | 03/21/02 | 08/28/02 | 100%
Legal Team | 50 days | 03/21/02 | 05/29/02 | 100%
IT Team | 105 days | 04/04/02 | 08/28/02 | 100%

Page 11: Health Insurance Portability and Accountability Act

HIPAA Project Plan

Task Name | Duration | Start | Finish | % Complete
Define Phase I Roles & Responsibilities | 107 days | 04/04/02 | 08/30/02 | 100%
Draft Project Charter | 9 days | 07/22/02 | 08/01/02 | 100%
Establish Physical PMO | 7 days | 08/15/02 | 08/26/02 | 100%
Hire PMO Admin Asst | 15 days? | 08/19/02 | 09/06/02 | 100%
Project Tools, Processes and Reports | 128 days | 04/04/02 | 09/30/02 | 100%
Develop PMO Workbook | 32 days | 08/19/02 | 10/01/02 | 100%
Deliverable Approvals | 46 days | 08/01/02 | 10/03/02 | 100%
Project Charter | 5 days | 08/01/02 | 08/07/02 | 100%
Project Plan | 1 day | 10/03/02 | 10/03/02 | 100%
PMO Workbook | 1 day | 10/03/02 | 10/03/02 | 100%
Deliverable 1: Establish PMO - Completed | 0 days | 10/03/02 | 10/03/02 | 100%

Page 12: Health Insurance Portability and Accountability Act


Milestones (columns: Planned Completion Date, Revised Date, Actual; dates are listed in the order given on the slide)

• Governor Appointed HIPAA Sponsor: 02/27/02, 02/17/02
• Definition of Project Scope: 03/07/02, 08/16/02
• HIPAA Executive Committee (HEC) Formed: 03/21/02, 03/21/02
• Technical Advisory Groups Initiated: 04/04/02, 04/04/02
• Project Charter Approved: 04/04/02, 08/07/02
• Project Plan Developed: 04/11/02, 08/13/02
• Covered Entity Assessment Survey Distributed: 07/31/02, 08/19/02
• Covered Entity Status Report: 09/06/02, 09/30/02
• TCS Impact Determination Questionnaire Distributed: 09/09/02, 09/09/02*
• WV Pre-emption Analysis Report: 09/20/02, 10/04/02
• TCS Gap Analysis Report: 09/30/02, 10/15/02
• Privacy Impact Determination Questionnaire Distributed: 10/11/02
• Security Impact Determination Questionnaire Distributed: 10/11/02
• TCS Extension Plan(s) Due: 10/15/02
• Privacy Gap Analysis Report: 10/31/02
• Security Gap Analysis Report: 10/31/02
• Privacy Remediation Recommendations: 11/15/02
• Security Remediation Recommendations: 11/15/02
• Phase II Implementation Plans: 12/02/02
• Training: On-going
• Project Management Office: On-going
• Privacy Implementation Deadline: 4/14/2003
• TCS Testing to Begin Deadline: 4/16/2003

* On-going - distributed as CE surveys received

Page 13: Health Insurance Portability and Accountability Act


Project Organizational Chart:

[Organizational chart. Box labels, in the order extracted:]

• Non-HIPAA State & Federal Laws; Security; TCS; Privacy; Coverage and Survey Instruments

• Sallie Hunt, HEC, Sr. Legal Counsel, Privacy Team Leader

• TCS TAG; Security IT; Privacy IT; POC / Project IT Support

• John Wagner, HEC, HIPAA IT Team Lead

• Project Management Office Assistant

• Tracy Christofero, HEC, PMO, Project Manager

• Finance; Office of Operations; Office of Inspector General; Management Information Services; Bureau for Medical Services; Bureau for Children and Families; Behavioral Health & Health Facilities

• John Biancone, HEC, DHHR HIPAA Coordinator

• Marsha Dadisman, HEC, Education and Outreach Team Lead

• Sonia Chambers, Chair, WV HCA, HIPAA Sponsor

• HIPAA Executive Committee (HEC)

Page 14: Health Insurance Portability and Accountability Act

Legal Team

• Coverage and Survey Instruments

• Privacy

• TCS

• Security

• Non-HIPAA State and Federal Laws

  


Page 15: Health Insurance Portability and Accountability Act

Legal Team Process

• Attorneys from probable covered entities identified and asked to participate on team

• Kick-off meeting held in May 2002

• Attorneys asked to step forward as team leaders and others to participate on teams

• Full team meetings to receive status reports with real work occurring in sub-teams

  


Page 16: Health Insurance Portability and Accountability Act

Legal Team Process

• At the kickoff meeting in May, everyone was given a team charter which outlined the deliverables for each sub-team

• Each team leader prepared a weekly report of status and obstacles and remitted it to the Legal Team Leader by Tuesday of each week

• On Wednesday of each week, a full team report was issued, along with a log of issues

• Reports were distributed by e-mail and posted to the web

  


Page 17: Health Insurance Portability and Accountability Act

Coverage and Survey Instruments Team

• Developed Covered Entity Assessment Survey

• Reviewed other states’ tools – used NC’s as the basis for the model

• Found a balance between developing a comprehensive tool and a concise tool

• Important to find examples of inclusions and exclusions for the non-HIPAA literate respondent


Page 18: Health Insurance Portability and Accountability Act

Coverage and Survey Instruments Team

• Challenge to decide at what level to distribute the survey

• Decision made to send the survey to the cabinet secretary of all executive branch agencies

• Recognized that each agency is organized differently

• Different structures require different distribution decisions, which could only be made by the agency itself


Page 19: Health Insurance Portability and Accountability Act

Privacy Team

• Reviewed and revised NCHICA’s HIPAA EarlyView Privacy Assessment Tool

• Reviewed and revised questions, clarifications, best practices and glossary

• Reviewed and revised tool a second time, taking into consideration the August 14, 2002 Privacy modifications

• Recognition that identified gaps will be at a very high level


Page 20: Health Insurance Portability and Accountability Act

Security Team

• Even though Security regs are still proposed, implementation is necessary to support Privacy

• Reviewed and revised NCHICA’s HIPAA EarlyView Security Assessment Tool

• Reviewed and revised 500+ questions and glossary

• Attorneys felt outside their comfort zone – felt it was an IT issue


Page 21: Health Insurance Portability and Accountability Act

Transactions and Code Sets Team

• Developed the Transactions and Code Sets Assessment Tool

• Used North Carolina’s tool as the basis

• Reviewed the questions against the regulations

• Difficult to interest attorneys in this team

• Small team, yet met deliverables


Page 22: Health Insurance Portability and Accountability Act

Non-HIPAA State and Federal Laws Team

• Performed state law preemption analysis

• Developed a paradigm to be applied with regard to the relationship between HIPAA and other federal laws, such as the Privacy Act, FOIA, FERPA, etc.

• Reviewed the Privacy Assessment tool and revised it to reflect the preemption analysis

• Will serve as advisor to Privacy Team through implementation


Page 23: Health Insurance Portability and Accountability Act

Covered Entity Status Report

• Who are the covered entities within State government?

• Who are the providers, plans and clearinghouses?

• Who are the business associates, trading partners and chain of trust partners?

• Who are WV’s health oversight agencies?


Page 24: Health Insurance Portability and Accountability Act

HIPAA’s Organizational Requirements

• OHCA

• ACE

• Hybrid entity


Page 25: Health Insurance Portability and Accountability Act

Status of Executive Branch HIPAA Compliance

• Transactions and Code Sets

• Privacy

• Security


Page 26: Health Insurance Portability and Accountability Act

Assessment Process for Transactions and Code Sets, Privacy and Security

• Once the CE survey was turned in to the PMO, HEC members met with each agency HIPAA coordinator, gave them the TCS survey, and trained them on its application and next steps

• TCS survey was returned to PMO and input into database

• Analysis at component, overall agency and state levels

• Same process for Privacy and Security


Page 27: Health Insurance Portability and Accountability Act

TCS Model Compliance Plans

• Compliance Plan Requirements

- Awareness

- Operational Assessment

- Development and Testing

• Plans filed by WV State Agencies


Page 28: Health Insurance Portability and Accountability Act

Privacy Team

• Agency HIPAA Coordinators identified team members from their agencies – attorneys, policy writers, IT, training staff, etc.

• Teams formed to:

– Review gaps and make enterprise-wide recommendations resulting from assessment

– Develop policies and procedures

– Develop Business Associate Agreements

– Serve as a resource to other teams regarding preemption and other federal laws

– Training


Page 29: Health Insurance Portability and Accountability Act

Security Team

TBD

Page 30: Health Insurance Portability and Accountability Act

Implementation Design

• Privacy, Security and Transactions and Code Sets Teams

• Multi-disciplinary teams

• Goal is to seek enterprise-wide solutions to promote efficiencies and economies of scale, while enabling each agency’s HIPAA compliance


Page 31: Health Insurance Portability and Accountability Act

Policies and Procedures

• Policy templates were identified and purchased

• Training modules for the policy writers were created for each area of the regulations, and an accompanying schedule was outlined for policy development to ensure that the April 2003 compliance deadline will be met

• Policy and procedure development, and training will occur simultaneously

• Agencies will document their policy development, implementation and training and will submit the documentation to the HEC


Page 32: Health Insurance Portability and Accountability Act

Business Associate Agreements

• Master Business Associate Agreements will be developed

• All contracts requiring BAAs will be identified and amended

• Processes for ensuring that all future contracts are screened for BAAs, and where needed, are executed


Page 33: Health Insurance Portability and Accountability Act


http://www.wvdhhr.org/hipaa