Taming of the HIPAA Monster (Managing Your HIPAA Compliance Process)


The HIPAA Monster

HIPAA is a complex beast that encroaches on every aspect of a covered entity's culture, its business processes, the workforce's behavior, and every aspect of health care. Each health care entity is required to establish its own process to ensure compliance with HIPAA. An organization's size, function, compliance strategy, and effective use of resources will determine its success in taming the HIPAA monster. Effective compliance requires organization-wide implementation and effective communication with your business associates and trading partners. The key to compliance success is to standardize your approach, follow a logical process, and document that process.

Standardization

If a project is hard to manage there is a good chance the process is not fine-tuned and the objective is not clearly defined. The key to efficient achievement of HIPAA compliance is standardization. Cut the big HIPAA monster into smaller pets, and use a logical approach.

Organization

The first step in standardizing your compliance strategy is determining who will be responsible and accountable for the compliance initiative. By now most, if not all, of you should have defined your HIPAA compliance organization structure. If not, it must be created as soon as possible. The structure should include those in the workforce who hold positions of authority in areas directly impacted by the HIPAA privacy, security, and transactions standards. From the get-go, include a qualified human resources/change management professional in your mix of HIPAA implementation team members. If your HR Director and/or Training Manager don't qualify, still include them and consider enlisting outside organizational change expertise for strategic support.

Recommended Provider HIPAA organization structure:

HIPAA Oversight Committee - made up of a multi-disciplinary group from Compliance, HR, HIM, Nursing, Medical Staff, Operations, Business Office, Facilities, Registration, Affiliates, Outpatient, Legal, and IT.

Task Forces (reporting to Oversight) - EDI, Privacy and Security, Education, and Audit.

Workgroups (reporting to a Task Force) - smaller group with tasks assigned per the task force it reports to.

Small providers may only require one committee, the "HIPAA Committee", which will be comprised of the privacy and security officer(s), the office manager, and the physician(s).

Identifying the HIPAA organization is crucial. Consider the issues that must be addressed:

  • Building initial organizational awareness of HIPAA.
  • Asking your business associate billing service / clearinghouse the right questions about your trading partners and holding them accountable.
  • Comprehensive assessment of the organization's policies and procedures.
  • Developing an action plan with deadlines and timetables.
  • Developing a technical and management infrastructure to implement the plan.
  • Implementing a comprehensive action plan, including developing new policies, processes, and procedures.
  • Building agreements with service organizations.
  • Redesigning a compliant technical information infrastructure.
  • Purchasing new, or adapting, information systems.
  • Developing new internal communications.
  • Training and enforcement.

A variety of issues will need to be considered when analyzing the impact of HIPAA. These issues include:

  • Limited resources (dollars, staffing, and time), all of which are necessary to implement these regulations.
  • Understanding and effectively managing the relationships between application vendors, business associate billing services / clearinghouses and payers.
  • Costs associated with implementation. Analysis of ROI is imperative when analyzing various implementation strategies.
  • Convergence of e-health strategies and HIPAA objectives, which are clearly connected in the areas of standardization and technical security measures.
  • Limitations of existing technology which will add to the cost of compliance.
  • Implementation of the information security and privacy features in HIPAA will pave the way for increasingly sophisticated e-health and other healthcare e-commerce and communications applications.

In addition to ensuring patient privacy and information security, HIPAA is about improving the efficiency and cost-effectiveness of administering healthcare.

Identify Gaps

Proper identification of gaps provides the basis for determining what needs to be done. Present processes and procedures must be assessed against the HIPAA requirements and implementation specifications for administrative, physical, and technical safeguards, and against the general administrative requirements of the transactions and code sets standards. If you do not properly identify your gaps, it will be impossible to effectively determine where you are, where you need to be, and what needs to be done (your compliance plan). How do you identify gaps?

1. List all the requirements of HIPAA.
2. Identify the requirements for which you currently have policies, procedures, and processes.
3. Identify what current policies, procedures and processes are in compliance with requirements.
4. Identify what policies, procedures or processes are needed to address requirements.
5. Determine where your business associate billing service / clearinghouse, application vendor, and health plan are in their compliance initiative.

There are three main ingredients needed for an accurate gap assessment:

  • Understanding of your organization's culture, business processes and technology.
  • HIPAA subject matter expertise.
  • Awareness of the EDI requirements of your trading partners.

Without these three ingredients, you cannot accurately identify gaps. Operational knowledge, and involvement of those with this knowledge in the gap assessment, is vital if you are to develop a compliance work plan that will ensure success of your compliance initiative. You may already have HIPAA subject matter expertise in-house; if not, develop it internally or seek assistance from outside.

As you go through the standards of the regulations and perform surveys, ask the key questions and answer them accurately. You must be realistic in your responses to survey questions. You cannot assume that a process is in place, or that a written formal procedure correctly reflects the actual process your workforce uses. Those involved in the gap assessment must do a physical walkthrough of your entire organization. They must talk to the workforce. It is crucial that the survey responses accurately reflect the business processes of the organization.

The only wrong answers to survey questions are those answers that do not properly reflect the existing business processes. Although the temptations are great to make changes as you go through the survey questions, don't! It is doubtful that any changes made without proper documentation and analysis will create any measurable efficiency and could cause disruption of operations. Your gap assessment has only one purpose: to provide a "baseline." This baseline defines your starting point. Now you know where you are in relation to HIPAA compliance. Now you know the exact size of the HIPAA monster. Once you have determined the size of the monster, you can determine its risk to your organization and the steps needed to mitigate these risks.

Risk Assessment

Assemble your decision makers and go through each gap to determine your mitigation plan. During the survey process you did not make any mitigation decisions. You did not consider "risk" to your organization. You gathered all of the gaps. Now is the time to evaluate them. You need to consider the following:

Is mitigation required by HIPAA, or is the implementation specification addressable?

If it is required, you must fix it. If it is addressable, "addressable" does not mean optional: you must implement the specification if it is reasonable and appropriate for your organization, and if it is not, document why and implement an equivalent alternative measure where one is reasonable and appropriate. Bottom line, if the gap puts you at risk and you can fix it, fix it.

Are you able to mitigate the gaps that exist in the transactions and code set standards in-house? If not, can your application vendor or business associate billing service / clearinghouse provide you with your mitigation solution?

How do you fix it? That depends on the amount of risk and the potential solutions available to you. What are some of the considerations in mitigating risk?

  • Time
  • Priorities
  • Impact to patient care.
  • Available resources in-house.
  • Budget
  • Perception of the workforce.
  • Technology capabilities.
  • Clear communication with your application vendor and business associate / clearinghouse.

Keys to success with Risk Assessment - analyze your issues and gaps and determine your risk level. Give a lot of thought to this step. Your work plan and budget result from your risk assessment, as well as your due diligence results.

Mitigation

Once you know your risk and what needs to be mitigated, take action, and delegate the action out to the task forces and workgroups and managers. They should be empowered to propose solutions and provide recommendations. They should bring issues and obstacles one level up for resolution. The task forces should also take issues and obstacles that they cannot resolve one level up to the oversight committee. Once the mitigation plan is clear, get it done according to the assigned target dates. Make sure the work plan is clear and organized by priority. Make sure you have the time, human and financial resources to execute your mitigation plan.

Measurements

During your surveys you should score at two levels. One is your process level, and the other is your policy and procedure level. Each level should be scored separately so you know how you have improved over time. You may have a great fax process in place that is HIPAA compliant, but no fax policy. Give yourself credit for the process, but give yourself a "ding" on the lack of policy. Measure this over and over until you reach a "no gap" status. In order to reach a "no gap" status, you must:

1. Have a HIPAA compliant policy and procedure.
2. Educate your workforce on your policies and procedures.
3. Implement the policy and procedure.
4. Audit the process on an ongoing basis.

Once you have accomplished the four steps above, you have mitigated the gap.

Because business processes will change, your technology will change, the standards will change, and incidents will occur, there may always be gaps that need to be mitigated. You need to know your status of mitigating risks from an organizational standpoint, departmental standpoint, facility standpoint, and software application standpoint. Executives and managers should be provided information about mitigation status, your "HIPAA snapshot," upon request. You need to know how you are doing with HIPAA. How will you know? The answer is to have a way to measure and a way to report the snapshot of your measurement at any time.
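The gap-assessment steps above (list the requirements, record which have a process, which have a policy, which are compliant) and the two-level scoring in this section are easy to get wrong in a spreadsheet once several departments and facilities report in. The following is an added example, not a tool from the original paper and not ComplyAssistant's code; it keeps one finding per requirement per department, scores the process level and the policy level separately, applies the four-step "no gap" test, and produces the per-department "HIPAA snapshot" the text calls for. The requirement labels, departments, and findings are constructed sample data; the required/addressable flags are illustrative rather than a citation of the rule.

```python
"""Gap tracker producing a per-department HIPAA "snapshot" (added example).

Not from the original paper or from ComplyAssistant. Requirement labels,
departments and findings below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Finding:
    """One survey finding: what was assessed, where, and what was actually found."""
    requirement: str          # constructed label for the standard assessed
    department: str
    spec_type: str            # "required" or "addressable" (illustrative flag)
    process_in_place: bool    # process level: workforce actually does it
    policy_written: bool      # policy level: a written, HIPAA compliant procedure exists
    workforce_trained: bool = False
    policy_implemented: bool = False
    audited: bool = False
    alternative_documented: bool = False  # addressable spec: rationale + equivalent measure on file

    def process_score(self) -> int:
        """Credit for the process level, scored independently of policy."""
        return 1 if self.process_in_place else 0

    def policy_score(self) -> int:
        """Credit for the policy level; a good process with no policy still gets a 'ding'."""
        return 1 if self.policy_written else 0

    def status(self) -> str:
        """'no gap' needs all four steps: policy, education, implementation, ongoing audit."""
        if (self.policy_written and self.workforce_trained
                and self.policy_implemented and self.audited):
            return "no gap"
        if self.spec_type == "addressable" and self.alternative_documented:
            return "addressed by alternative"
        return "open"


def snapshot(findings):
    """Per-department scores and status counts, reportable to executives on request."""
    by_dept = defaultdict(list)
    for f in findings:
        by_dept[f.department].append(f)
    report = {}
    for dept, items in by_dept.items():
        n = len(items)
        report[dept] = {
            "requirements": n,
            "process_pct": round(100 * sum(i.process_score() for i in items) / n),
            "policy_pct": round(100 * sum(i.policy_score() for i in items) / n),
            "no_gap": sum(1 for i in items if i.status() == "no gap"),
            "open": sum(1 for i in items if i.status() == "open"),
        }
    return report


def open_gaps_by_priority(findings):
    """Work-plan order: required specs before addressable ones; within each,
    'no process at all' ahead of 'process exists but no policy'."""
    open_items = [f for f in findings if f.status() == "open"]
    return sorted(open_items, key=lambda f: (f.spec_type != "required",
                                             f.process_in_place,
                                             f.policy_written,
                                             f.requirement))


# Constructed sample survey results (not real assessment data).
SAMPLE = [
    Finding("Fax transmission of PHI", "Registration", "required",
            process_in_place=True, policy_written=False),          # the paper's fax case
    Finding("Workstation use", "Nursing", "required", True, True, True, True, True),
    Finding("Encryption of PHI at rest", "IT", "addressable", False, False,
            alternative_documented=True),
    Finding("Sanction policy", "HR", "required", False, False),
    Finding("Log-in monitoring", "IT", "addressable", True, True, True, False, False),
]

if __name__ == "__main__":
    for dept, scores in snapshot(SAMPLE).items():
        print(dept, scores)
    for f in open_gaps_by_priority(SAMPLE):
        print("OPEN:", f.spec_type, f.department, f.requirement)
```

Run it as-is to see the snapshot: Registration scores 100% on process and 0% on policy for the fax case, Nursing's fully audited requirement is the only "no gap", and the work plan lists the missing HR sanction policy ahead of the fax policy, with the addressable IT item last. Re-running the survey and re-scoring over time is what turns this into the trend the text asks for.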

Educate

You will develop new policies and procedures. They are no good unless your entire organization knows about them and understands them. Create HIPAA compliant policies suitable for your unique organization, and teach everyone. Education must include an awareness of privacy and information security, training on policies and procedures, and how they will impact operations. To avoid frustration, special care should be taken to provide approved scripts for foreseeable questions that the patients may have. You also need to provide a means for staff to document situations that arise that were not considered and provide them a script for dealing with these situations until new processes may be put in place.

Providing effective HIPAA awareness training is probably the most reasonable and cost-effective measure that a health care organization can take. It sends a clear message to your staff. Awareness training can help raise their privacy antenna and get their mental wheels turning, thereby encouraging staff to begin thinking about potential, practical solutions for their particular environment. Effective awareness training also "greases the skids" for the enterprise's more formal, official training program, where modified policies and procedures are presented or new policies and procedures are introduced. A culture change is required. Awareness training is the most effective means of ensuring that your staff gets the memo that HIPAA is here and will be enforced.

Audit and Audit again

When you go through your gap assessment, there will be policies and procedures that are found to be in compliance with the requirements. Compliance should be documented and the requirement should be immediately audited to provide self-certification of compliance with that requirement. Once your modified or new policies and procedures are implemented, an audit must be conducted to verify that the process meets the privacy requirements, security requirements (implementation specifications), and the general administrative requirements of the transactions and code sets standards. If you do not check, you are taking a gamble, and you are not fulfilling your due diligence requirements.

Document, Document, Document

In real estate, they say the key is location, location, location. With HIPAA, you must document, document, and document. What must you document?

  • Surveys
  • Issues
  • Incidents
  • Sanctions
  • Policies and Procedures
  • Risk Assessment
  • Mitigation plan
  • Mitigation tracking
  • Work plan
  • Budget
  • Gaps
  • PHI Dataflow
  • Business Associate Agreements
  • Systems Life Cycle Management
  • Training
  • And anything else you can think of.

Why? Lack of documentation is lack of evidence that you applied due diligence. When the "HIPAA police" come to town, they want to see what you did and why. You need to show them.

Additional Comments on HIPAA

HIPAA is not Y2K. Most people understood that when "99" turned to "00" there was a difference between "00" and "2000." They may not have understood how applications and formulas had to be combed through looking for programming that needed changing. But they understood that there would be a potential problem if it was not addressed and few had a problem entering four digits instead of two when working with dates. For the most part Y2K was relegated to the IT department, with minor changes for system users. The need for HIPAA privacy and information security is not a concept that is always understood.

Here are some topics for awareness training to assist in gaining buy-in of your workforce to the administrative, technical, and physical safeguards that you implement:

  • Introduction to HIPAA terminology such as: use, disclosure, PHI, workstation, malicious software, backups, disaster recovery, EDI transactions, access, workforce, business associate.
  • Introduction to HIPAA concepts such as privacy rights, minimum necessary, required by law, required standards, addressable standards, organized health care arrangement, Notice of Privacy Practices, incidental disclosures.
  • Specific, critical aspects of patients' rights to access their own PHI.
  • Information flow within the organization.
  • Information flow in to and out of organization and within the health care industry.
  • Inherent security risks of electronic information.
  • Benefits of technology.
  • Commitment of organization to respect patient privacy and safeguard their PHI.
  • Benefits of ensuring patient privacy.
  • Benefits of information security.
  • Detrimental consequences of unauthorized use and disclosure of PHI.
  • Reinforcement of the goals of patient privacy and information security.

HIPAA is not going away. Your snapshot will constantly change. Conduct your surveys each year. Test your organization each year. Determine your score, and re-educate. Go through your compliance process with each incident, change of policies and procedures, change in business processes, and change in technology, and integrate privacy and information security into all business decisions. Don't overlook the fact that the patients are the main "HIPAA police." They will have their eyes and ears open to make sure their information is protected.

Don't overlook your first line of defense: the front-line employee who interacts with the patient, creates, accesses, and files PHI, and passes it along to others in the delivery chain. Those in the workforce who resist change or whose attitudes are inappropriate for this new HIPAA culture will be the most frequent reason for failure of organizational initiatives. They will have the opportunity to undermine and even derail implementation. The culture must be pulling in the same direction as the plan. Only those organizations that focus on the attitudes and behavior of their workforce can hope to achieve DHHS' objective for HIPAA privacy and information security implementation: a healthcare delivery environment that is conscientious, diligent, and thorough in its protectiveness of privacy rights and the confidentiality of health information.

There is no silver bullet. Your insurance policy is your documentation. Should a privacy complaint be filed with HHS, your potential penalties will be based on your evidence of due diligence. Should compliant transactions not be achieved, it will be your sustained actions and demonstrable progress that determine whether a civil money penalty (CMP) is imposed.

If you do not have the resources in house to develop a comprehensive compliance tool, utilize one or more of the many software tools available to help you manage and document your compliance efforts. In the same way you utilize Quicken for checking and Turbo Tax for taxes, commercially available HIPAA compliance tools can help you stay on track, avoid overlooking a requirement, and provide an organized way to document your due diligence.

If you need outside HIPAA resources and / or expertise, consider hiring a seasoned consultant to assist you. Go with a firm that has a lot of experience with healthcare IT as well as enterprise-wide healthcare compliance projects. Make sure the firm assigns the person or persons who have the experience. Check their references! This investment can save you money in the long run if you invest wisely.

And always remember: it is better to know than to not know. The answers to the questions that you do not ask may undermine your HIPAA compliance plan. This is especially true in regards to the relationships between your application vendor, business associate billing service / clearinghouse and your health plans.

Good luck on your road to HIPAA compliance, and remember that the information you are protecting may someday be your own!

Gerry Blass
President, Blass Consulting LLC
Colts Neck, NJ
www.complyassistant.com


Copyright 2002 - 2005. All rights reserved. Blass Consulting, LLC.
