vendor management 092702

8/2/2019 Vendor Management 092702

1/21

Vendor Management

Presented by the HIPAA COWPresented by the HIPAA COW

EDI Administration Workgroup Co-chairs:EDI Administration Workgroup Co-chairs:

Christine Duprey, Project Manager, Healthcare Solutions - Stratagem, Inc.Christine Duprey, Project Manager, Healthcare Solutions - Stratagem, Inc.

Suzanne Ronde, Independent ConsultantSuzanne Ronde, Independent Consultant

Claudia Egan, Associate - Reinhart Boerner Van DuerenClaudia Egan, Associate - Reinhart Boerner Van Dueren

September 27, 2002September 27, 2002


2/21

What is A Vendor?

A vendor can be any person,A vendor can be any person,

organization or softwareorganization or software

development company thatdevelopment company thatis providing services oris providing services or

products on behalf of aproducts on behalf of a

covered entity.covered entity.


3/21

Steps to Vendor Management

Step One:Step One:Identify the vendors the coveredIdentify the vendors the coveredentity is currently doing businessentity is currently doing businesswith.with.

Identify whether or not the vendor isIdentify whether or not the vendor isa covered entity.a covered entity.

Identify whether or not each vendorIdentify whether or not each vendoris a business associate.is a business associate.

Step Two:Step Two:

Identify the activities completedIdentify the activities completedthroughout the organization wherethroughout the organization whereinformation may be usedinformation may be usedelectronically.electronically.


4/21


5/21

Steps to Vendor Management

Step Four:Step Four:Review the organization businessReview the organization business

practices and systems to ensure thepractices and systems to ensure the

required components for the newrequired components for the new

electronic transactions can beelectronic transactions can begathered in day to day activities.gathered in day to day activities.

Step Five:Step Five:

Review the vendors HIPAAReview the vendors HIPAAcompliance activity.compliance activity.


6/21

Responsibilities

Covered EntityCovered Entity1. Comply with all elements1. Comply with all elements

of HIPAA.of HIPAA.

2. Determine operational2. Determine operational

impacts of compliance.impacts of compliance.3. Determine compliance3. Determine compliance

readiness of the vendors.readiness of the vendors.

4. Monitor the vendor4. Monitor the vendor

compliance activities.compliance activities.5. Initiate appropriate5. Initiate appropriate

agreements.agreements.

Vendor/Business AssociateVendor/Business Associate1. Not a covered entity; not1. Not a covered entity; not

enforced by HIPAA!enforced by HIPAA!

2. Comply with agreements with2. Comply with agreements with

covered entity.covered entity.3. Report breach incidents to the3. Report breach incidents to the

covered entity.covered entity.

4. Clearinghouses special rules4. Clearinghouses special rules

for business associate activityfor business associate activity7 components of Privacy.7 components of Privacy.


7/21

Vendor Myths

If my vendor makes changes to myIf my vendor makes changes to mysystem for EDI Transactions, then Illsystem for EDI Transactions, then Ill

be HIPAA compliant.be HIPAA compliant.

There is no cost associated with theThere is no cost associated with thechanges vendors are making to thechanges vendors are making to thesystems.systems.

My vendor is already making theMy vendor is already making thechanges, there is no need to conduct achanges, there is no need to conduct aGAP Analysis.GAP Analysis.

I dont need to file for the ASCAI dont need to file for the ASCAExtension, my vendor is probablyExtension, my vendor is probably

doing this.doing this.After the changes are made to theAfter the changes are made to thesystem, it will be an easysystem, it will be an easyimplementation process.implementation process.


8/21

The Truth Behind the Myth

The vendor is not responsible for anyThe vendor is not responsible for anyentitys HIPAA compliance. Theentitys HIPAA compliance. The

HIPAA regulations specifically affectsHIPAA regulations specifically affects

the covered entity.the covered entity.

Most vendors will be associating a costMost vendors will be associating a cost

with changes in regards to HIPAA.with changes in regards to HIPAA.GAP Analysis is important for coveredGAP Analysis is important for covered

entities to conduct.entities to conduct.

It is the covered entitys responsibilityIt is the covered entitys responsibility

for filing the ASCA extension.for filing the ASCA extension.

Vendors can assist you in completingVendors can assist you in completingthis.this.

Some organizations may not be awareSome organizations may not be aware

of the training needed or what theof the training needed or what the

implementation entails.implementation entails.


9/21

Information Received from Vendors

White PapersWhite Papers

Readiness DocumentsReadiness Documents

HIPAA 101HIPAA 101

InformationInformation

Implementation PlansImplementation Plans

Testing DatesTesting DatesWhat do you do withWhat do you do with

this information?this information?


10/21

Information You Need to Know

What transactions will they beWhat transactions will they beaddressing?addressing?

What is the release date?What is the release date?

Implementation dates?Implementation dates?

Is the vendor doing testing andIs the vendor doing testing and

certification of these?certification of these?

What code sets will be supported?What code sets will be supported?

Release datesRelease dates

When the code set is no longerWhen the code set is no longer

acceptedaccepted

Do you need to file for anDo you need to file for an

extension?extension?


11/21

Information You Need to Know, Cont.

Implementing the ChangesImplementing the Changes

Do you have a migration plan?Do you have a migration plan?

Will there be a need for trainingWill there be a need for training

of staff for the changes?of staff for the changes?

Is there a cost associated withIs there a cost associated with

changes?changes?

What security measures in regardsWhat security measures in regards

to HIPAA have you addressed?to HIPAA have you addressed?

Encryption?Encryption?

Monitoring or trackingMonitoring or tracking

mechanisms?mechanisms?


12/21

Information You Need to Know, Cont.

What are the HIPAAWhat are the HIPAA

initiatives of the vendor?initiatives of the vendor?

HIPAA TeamHIPAA TeamImplementation planImplementation plan

Conducted HIPAAConducted HIPAA

training or awarenesstraining or awarenessOrganizational assessmentOrganizational assessment


13/21

Which Agreement(s)?

Chain of Trust;Chain of Trust;

Business Associate; orBusiness Associate; or

Trading Partner?Trading Partner?


14/21

Chain of Trust Agreement

Apportions ContractualApportions Contractual

Liability for Breaches ofLiability for Breaches of

the Security of Datathe Security of DataExchanged betweenExchanged between

PartiesParties

Not (yet) required byNot (yet) required byHIPAAHIPAA


15/21

Business Associate Agreement

PHI DrivenPHI Driven

ContractualContractual

Extension of HIPAAExtension of HIPAAPrivacy Rule to Non-Privacy Rule to Non-

Covered EntitiesCovered Entities

Required ElementsRequired Elements

IndemnificationIndemnification


16/21

Trading Partner Agreement

Memorializes Details ofMemorializes Details of

Electronic DataElectronic Data

ExchangeExchangeNot Required by HIPAANot Required by HIPAA

(like Business Associate(like Business Associate

Agreement)Agreement)


17/21

The Big Disappointment (Sort of)

The Use of HIPAAThe Use of HIPAA

Standard TransactionsStandard Transactions

does not mean Identicaldoes not mean Identical

Transactions among allTransactions among allpayors and providerspayors and providers

Instead, Payors will haveInstead, Payors will have

Companion Guides, forCompanion Guides, for

example, specific toexample, specific to

adjudicationadjudication


18/21

Trading Partner Agreement

Recommended as aRecommended as a

Standard way to:Standard way to:

CommunicateCommunicatecompanion guidescompanion guides

Set ExpectationsSet Expectations

Assign ResponsibilitiesAssign ResponsibilitiesAllocate CostsAllocate Costs


19/21

Trading Partner Agreement Elements/

Legal Restrictions:

Parties May Not:Parties May Not:

Change definition, dataChange definition, data

condition, use of datacondition, use of data

element or segmentelement or segment

Add elements of segments toAdd elements of segments to

max. defined data setmax. defined data set

Use items marked NotUse items marked Not

Used in IGUsed in IG

Change the meaning or intentChange the meaning or intent

of implementationof implementation

specificationspecification


20/21

Trading Partner Agreement Elements

Testing RequirementsTesting Requirements

Prior to Go LivePrior to Go Live

Communications DetailsCommunications Details

Financial ArrangementsFinancial Arrangements

Companion Guide DetailsCompanion Guide Details

Security Measures andSecurity Measures and

ResponsibilitiesResponsibilities


21/21

Questions?????