vendor management 092702
TRANSCRIPT
-
8/2/2019 Vendor Management 092702
1/21
Vendor Management
Presented by the HIPAA COWPresented by the HIPAA COW
EDI Administration Workgroup Co-chairs:EDI Administration Workgroup Co-chairs:
Christine Duprey, Project Manager, Healthcare Solutions - Stratagem, Inc.Christine Duprey, Project Manager, Healthcare Solutions - Stratagem, Inc.
Suzanne Ronde, Independent ConsultantSuzanne Ronde, Independent Consultant
Claudia Egan, Associate - Reinhart Boerner Van DuerenClaudia Egan, Associate - Reinhart Boerner Van Dueren
September 27, 2002September 27, 2002
-
8/2/2019 Vendor Management 092702
2/21
What is A Vendor?
A vendor can be any person,A vendor can be any person,
organization or softwareorganization or software
development company thatdevelopment company thatis providing services oris providing services or
products on behalf of aproducts on behalf of a
covered entity.covered entity.
-
8/2/2019 Vendor Management 092702
3/21
Steps to Vendor Management
Step One:Step One:Identify the vendors the coveredIdentify the vendors the coveredentity is currently doing businessentity is currently doing businesswith.with.
Identify whether or not the vendor isIdentify whether or not the vendor isa covered entity.a covered entity.
Identify whether or not each vendorIdentify whether or not each vendoris a business associate.is a business associate.
Step Two:Step Two:
Identify the activities completedIdentify the activities completedthroughout the organization wherethroughout the organization whereinformation may be usedinformation may be usedelectronically.electronically.
-
8/2/2019 Vendor Management 092702
4/21
-
8/2/2019 Vendor Management 092702
5/21
Steps to Vendor Management
Step Four:Step Four:Review the organization businessReview the organization business
practices and systems to ensure thepractices and systems to ensure the
required components for the newrequired components for the new
electronic transactions can beelectronic transactions can begathered in day to day activities.gathered in day to day activities.
Step Five:Step Five:
Review the vendors HIPAAReview the vendors HIPAAcompliance activity.compliance activity.
-
8/2/2019 Vendor Management 092702
6/21
Responsibilities
Covered EntityCovered Entity1. Comply with all elements1. Comply with all elements
of HIPAA.of HIPAA.
2. Determine operational2. Determine operational
impacts of compliance.impacts of compliance.3. Determine compliance3. Determine compliance
readiness of the vendors.readiness of the vendors.
4. Monitor the vendor4. Monitor the vendor
compliance activities.compliance activities.5. Initiate appropriate5. Initiate appropriate
agreements.agreements.
Vendor/Business AssociateVendor/Business Associate1. Not a covered entity; not1. Not a covered entity; not
enforced by HIPAA!enforced by HIPAA!
2. Comply with agreements with2. Comply with agreements with
covered entity.covered entity.3. Report breach incidents to the3. Report breach incidents to the
covered entity.covered entity.
4. Clearinghouses special rules4. Clearinghouses special rules
for business associate activityfor business associate activity7 components of Privacy.7 components of Privacy.
-
8/2/2019 Vendor Management 092702
7/21
Vendor Myths
If my vendor makes changes to myIf my vendor makes changes to mysystem for EDI Transactions, then Illsystem for EDI Transactions, then Ill
be HIPAA compliant.be HIPAA compliant.
There is no cost associated with theThere is no cost associated with thechanges vendors are making to thechanges vendors are making to thesystems.systems.
My vendor is already making theMy vendor is already making thechanges, there is no need to conduct achanges, there is no need to conduct aGAP Analysis.GAP Analysis.
I dont need to file for the ASCAI dont need to file for the ASCAExtension, my vendor is probablyExtension, my vendor is probably
doing this.doing this.After the changes are made to theAfter the changes are made to thesystem, it will be an easysystem, it will be an easyimplementation process.implementation process.
-
8/2/2019 Vendor Management 092702
8/21
The Truth Behind the Myth
The vendor is not responsible for anyThe vendor is not responsible for anyentitys HIPAA compliance. Theentitys HIPAA compliance. The
HIPAA regulations specifically affectsHIPAA regulations specifically affects
the covered entity.the covered entity.
Most vendors will be associating a costMost vendors will be associating a cost
with changes in regards to HIPAA.with changes in regards to HIPAA.GAP Analysis is important for coveredGAP Analysis is important for covered
entities to conduct.entities to conduct.
It is the covered entitys responsibilityIt is the covered entitys responsibility
for filing the ASCA extension.for filing the ASCA extension.
Vendors can assist you in completingVendors can assist you in completingthis.this.
Some organizations may not be awareSome organizations may not be aware
of the training needed or what theof the training needed or what the
implementation entails.implementation entails.
-
8/2/2019 Vendor Management 092702
9/21
Information Received from Vendors
White PapersWhite Papers
Readiness DocumentsReadiness Documents
HIPAA 101HIPAA 101
InformationInformation
Implementation PlansImplementation Plans
Testing DatesTesting DatesWhat do you do withWhat do you do with
this information?this information?
-
8/2/2019 Vendor Management 092702
10/21
Information You Need to Know
What transactions will they beWhat transactions will they beaddressing?addressing?
What is the release date?What is the release date?
Implementation dates?Implementation dates?
Is the vendor doing testing andIs the vendor doing testing and
certification of these?certification of these?
What code sets will be supported?What code sets will be supported?
Release datesRelease dates
When the code set is no longerWhen the code set is no longer
acceptedaccepted
Do you need to file for anDo you need to file for an
extension?extension?
-
8/2/2019 Vendor Management 092702
11/21
Information You Need to Know, Cont.
Implementing the ChangesImplementing the Changes
Do you have a migration plan?Do you have a migration plan?
Will there be a need for trainingWill there be a need for training
of staff for the changes?of staff for the changes?
Is there a cost associated withIs there a cost associated with
changes?changes?
What security measures in regardsWhat security measures in regards
to HIPAA have you addressed?to HIPAA have you addressed?
Encryption?Encryption?
Monitoring or trackingMonitoring or tracking
mechanisms?mechanisms?
-
8/2/2019 Vendor Management 092702
12/21
Information You Need to Know, Cont.
What are the HIPAAWhat are the HIPAA
initiatives of the vendor?initiatives of the vendor?
HIPAA TeamHIPAA TeamImplementation planImplementation plan
Conducted HIPAAConducted HIPAA
training or awarenesstraining or awarenessOrganizational assessmentOrganizational assessment
-
8/2/2019 Vendor Management 092702
13/21
Which Agreement(s)?
Chain of Trust;Chain of Trust;
Business Associate; orBusiness Associate; or
Trading Partner?Trading Partner?
-
8/2/2019 Vendor Management 092702
14/21
Chain of Trust Agreement
Apportions ContractualApportions Contractual
Liability for Breaches ofLiability for Breaches of
the Security of Datathe Security of DataExchanged betweenExchanged between
PartiesParties
Not (yet) required byNot (yet) required byHIPAAHIPAA
-
8/2/2019 Vendor Management 092702
15/21
Business Associate Agreement
PHI DrivenPHI Driven
ContractualContractual
Extension of HIPAAExtension of HIPAAPrivacy Rule to Non-Privacy Rule to Non-
Covered EntitiesCovered Entities
Required ElementsRequired Elements
IndemnificationIndemnification
-
8/2/2019 Vendor Management 092702
16/21
Trading Partner Agreement
Memorializes Details ofMemorializes Details of
Electronic DataElectronic Data
ExchangeExchangeNot Required by HIPAANot Required by HIPAA
(like Business Associate(like Business Associate
Agreement)Agreement)
-
8/2/2019 Vendor Management 092702
17/21
The Big Disappointment (Sort of)
The Use of HIPAAThe Use of HIPAA
Standard TransactionsStandard Transactions
does not mean Identicaldoes not mean Identical
Transactions among allTransactions among allpayors and providerspayors and providers
Instead, Payors will haveInstead, Payors will have
Companion Guides, forCompanion Guides, for
example, specific toexample, specific to
adjudicationadjudication
-
8/2/2019 Vendor Management 092702
18/21
Trading Partner Agreement
Recommended as aRecommended as a
Standard way to:Standard way to:
CommunicateCommunicatecompanion guidescompanion guides
Set ExpectationsSet Expectations
Assign ResponsibilitiesAssign ResponsibilitiesAllocate CostsAllocate Costs
-
8/2/2019 Vendor Management 092702
19/21
Trading Partner Agreement Elements/
Legal Restrictions:
Parties May Not:Parties May Not:
Change definition, dataChange definition, data
condition, use of datacondition, use of data
element or segmentelement or segment
Add elements of segments toAdd elements of segments to
max. defined data setmax. defined data set
Use items marked NotUse items marked Not
Used in IGUsed in IG
Change the meaning or intentChange the meaning or intent
of implementationof implementation
specificationspecification
-
8/2/2019 Vendor Management 092702
20/21
Trading Partner Agreement Elements
Testing RequirementsTesting Requirements
Prior to Go LivePrior to Go Live
Communications DetailsCommunications Details
Financial ArrangementsFinancial Arrangements
Companion Guide DetailsCompanion Guide Details
Security Measures andSecurity Measures and
ResponsibilitiesResponsibilities
-
8/2/2019 Vendor Management 092702
21/21
Questions?????