Achieving and Sustaining HIPAA Compliance October 4, 2002 David Swartz George Washington University Melissa Glynn PricewaterhouseCoopers LLP


Page 1

Achieving and Sustaining HIPAA Compliance

October 4, 2002

David Swartz, George Washington University

Melissa Glynn, PricewaterhouseCoopers LLP

Page 2

Copyright Statement

• Copyright Melissa Glynn and David G. Swartz, 2002. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

Page 3

Abstract

The Health Insurance Portability and Accountability Act (HIPAA) will take effect in 2003. The regulations present institutions with the flexibility to select and implement a compliance approach. George Washington University undertook a structured approach to assess, plan, and implement a compliance program across privacy and security requirements.

Page 4

Presentation Agenda

• Introduction to HIPAA

• George Washington University’s HIPAA Compliance Project
  • Project Description
  • Project Approach
  • Privacy
  • Security
  • Cultural Change

• Questions and Presentation Wrap-Up

Page 5

Introduction to HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) requires that institutions which create, use, store and analyze identifiable health information for research, treatment or management functions comply with stringent privacy standards by April 14, 2003. The extent of a compliance effort varies based upon the institution’s status under the regulation.

Many academic research institutions will consequently be faced with the task of tending to the implications of the HIPAA standards for research activities. HIPAA will also indirectly affect a wider set of institutions: their dependencies on covered entities will change how information is transmitted to them and will bring increased controls.

Page 6

Introduction: Regulation Components and Implementation Deadlines

• Transaction Codes – October 2002

• Privacy – April 2003

• Security – expected December 2004

Page 7

Introduction: Associated Penalties for Non-Compliance

The Department of Health and Human Services Office for Civil Rights is responsible for enforcement of the Privacy Regulations. Penalties for non-compliance include the following:

Failure to Comply:

• $100 per violation

• $25,000 maximum for all violations for a single requirement

Wrongful Disclosure:

• $50,000 and/or imprisonment for up to 1 year

• $100,000 and/or imprisonment for up to 5 years if under false pretenses.

Page 8

George Washington University's HIPAA Compliance Project

GW’s Environment

Labels recovered from the organization diagram:

• GW (Hybrid Entity)
  • GW Health Plan – Separate Legal Entity, Covered Entity. Plans need to be finalized; recommend: completely outsource operations.
  • Healthcare Component of GW (Covered Entity Status) – GW University Employed Clinicians; Student Health Services (cease practice of electronic referrals)
  • GW Non-Covered Functions – Schools & Programs, GME, Clinical Research, Administration & Services

• MFA Covered Entity – University’s Business Associate

Page 9

George Washington University's HIPAA Compliance Project

GW’s Project Structure

Labels recovered from the project structure diagram:

• HIPAA Executive Committee – Vice Presidents

• HIPAA Advisory Committee

• HIPAA Project Coordinators – Chief Information Officer, Compliance Officer, Interim Privacy Officer

• Project Manager

• Working Groups:
  • Security
  • Medical Education & Training
  • Research & IRB
  • Clinics
  • Health Plan
  • Agreements with Clinics and Hospital
  • Compliance
  • Student Health
  • HR
  • Graduate Medical Education Affiliations

Page 10

GW's HIPAA Compliance Project: Project Phases

• Phase I – Awareness

• Phase II – Readiness Assessment

• Phase III – Remediation

• Phase IV – Follow Up and Audit

Page 11

GW's HIPAA Compliance Project: Project Approach and Definitions

• Hybrid Entity - HIPAA Privacy regulations can be implemented at the level of the healthcare component instead of at the entire enterprise with proper safeguards. The enterprise itself remains the covered entity but minimizes its risk by isolating the covered functions in the healthcare component.

• Organized Health Care Arrangement (OHCA) – a clinically integrated care setting in which more than one covered entity participates. The OHCA permits MFA and GW Clinicians to hold themselves out to the public as participating in a joint arrangement and to use information for joint activities. It allows for a joint notice and a joint consent.

Page 12

GW's HIPAA Compliance Project: Project Approach and Definitions

• Establishing Business Associate Relationships - A business associate is a person or entity who provides certain functions, activities, or services for or to a covered entity, involving the use and/or disclosure of protected health information.

• A business associate is not a member of the health care provider, health plan, or other covered entity's workforce.

• A health care provider, health plan, or other covered entity can also be a business associate to another covered entity.

Page 13

GW’s HIPAA Compliance Project: Privacy

Scope

• Institutional Review Board & Research Management
• Graduate Medical Education
• Clinics
• Student Health
• Human Resources and Employee Benefits
• Compliance Office
• General Counsel

Activities

• Uses and Disclosures
• Consents
• Authorizations
• Legal / Contract Reviews
• Project Documentation
• Training
• Privacy Officer Designation

Page 14

GW’s HIPAA Compliance Project: Security

• Tell you what to do, not how to do it!

• General Security Goals -- Confidentiality, Integrity, Availability (CIA)
  • Confidentiality -- authorized access
  • Integrity -- accuracy of data
  • Availability -- need to get to it when you need it

• Based upon best practices model
  • GW is using National Institute of Standards and Technology (NIST) model
  • Final regulations not listed yet -- expected shortly

• Main categories to security in HIPAA
  • Administrative procedures
  • Physical safeguards
  • Technical security measures

Page 15

Security Implementation Relies On:

• Policy – Policies must be developed, communicated, maintained and enforced

• Process – Processes must be developed that show how policies will be implemented

• People – People must understand their responsibilities regarding policy

• Technology – Systems must be built to technically adhere to policy

Page 16

Security Assessment Framework: NIST – National Institute of Standards and Technology

• Level 1 – Documented Policy

• Level 2 – Documented Procedures

• Level 3 – Implemented Procedures and Controls

• Level 4 – Measured Program

• Level 5 – Pervasive Program

Annotation on the diagram: “Universities expected to operate at this level”

Page 17

GW HIPAA Security Timeline (NIST: Security Assessment Framework)

• Level 0 – Some security in place but does not meet Level 1 criteria. GW; most universities.

• Level 1 – Formally documented and disseminated policy; responsibilities assigned; compliance identified. GW – Achieved.

• Level 2 – Documented procedures for implementing security controls identified in policies. GW – Jan 03.

• Level 3 – Security procedures and controls are implemented. GW – Dec 04.

Controls placed along the timeline:

• Host/router Security
• Password Management
• Central Security Office
• Compliance Office
• Policy Manager
• Virus Filters
• Incident Response
• Data Center Firewalls
• Security Architecture
• 3rd Party Assessment
• Disaster Recovery
• Change Control
• Assignment of Duties
• Awareness & Training
• Personal Firewalls
• Scanning Lab
• Monitoring
• Strong Authentication
• Remote Access - VPN
• Intrusion Detection
• Enterprise Firewall

Page 18

GW’s HIPAA Compliance Project: Cultural Changes

Area – Impacts

• Institutional Review Board & Research Management – Increased monitoring of research protocols, management reviews, audits

• Clinics – Standardized processes, documentation and information management approaches

• Compliance Office – Ongoing training requirements, audits and reporting demands

• Security – Promulgation of standards, monitoring approaches

Page 19

Culture Analogy - Seatbelts

“It should be noted that it took many years to get the seatbelt usage up to its present level, and it takes a heavy hand from the police to persuade the stupid to do the obvious.” — Peter N. Wadham

"Out at sea it takes 30 miles for an oil tanker to reverse its direction. It takes time and commitment to change, based on foundational values, principles and quality relationships to positively affect your company's culture -- its way of doing things." — The Freeman Institute, Changing the Culture of Your Organization

"Culture does not change because we desire to change it. Culture changes when the organization is transformed; the culture reflects the realities of people working together every day." — Frances Hesselbein, Key to Cultural Transformation

Page 20

Questions and Presentation Wrap-up

• Recommended information sources
  • http://www.aamc.org
  • http://www.hhs.gov/topics/privacy.html
  • http://www.hipaadvisory.com
  • http://www.hcfa-1500forms.com/hipaa/fieldguide.html
  • http://www.pwchealth.com/hipaa.html
  • http://www.cio.gov/documents/info_security_assessment_framework_Sept_2000.html