The Eighth National HIPAA Summit

A Case Study – Visiting Nurse Service of New York: HIPAA Privacy Implementation Approach

March 8, 2004
Introduction
Introduction - Speakers

Our speakers today lead the VNSNY HIPAA implementation program and include individuals from VNSNY and Deloitte.

Speaker          Role                                         Presentation Sections
Roxlyn Woosley   Chief Privacy Official, VNSNY                Introduction, Implementation Challenges
Yelena Patish    Performance Improvement Specialist, VNSNY    Practical Example
Jack Scott       Senior Manager, Deloitte                     Approach and Methodology
Introduction - VNSNY

The Environment
• Largest non-profit home health care agency in the nation with approximately 10,000 employees, including:
  • Registered Nurses: 2,100
  • Rehabilitation Therapists: 500
  • Social Workers: 450
  • Home Health Aides: 4,700
• VNSNY’s covered entities include a health plan and health care providers
• Six regional offices coordinate home and community-based services to over 24,000 patients in New York City and Nassau County

The Services
• Acute Care
• Long-Term Home Health Care
• Rehabilitation Services
• Family Care Services
• Hospice Care
• Two licensed home care agencies
• Congregate Care/Wellness Program
• VNS CHOICE Health Plan
• Geriatric Care Management & Assessment
• Community Mental Health
• Children and Family Services
• Infusion Services
Introduction - Today’s Objectives

• Review VNSNY’s business philosophy toward privacy compliance
• Provide an overview of the HIPAA implementation approach and methodology
• Discuss a practical example of one of the implementation projects
• Discuss implementation business challenges
• Questions and answers
Introduction - VNSNY Philosophy

VNSNY has developed underlying principles in approaching privacy compliance that balance privacy concerns and reasonable business practices:
• Protect the privacy of our patients’ PHI because it is and has been “the right thing to do” and is now regulated by law
• Maintain a “practical” business approach in the development of privacy solutions
• Develop business practices that are consistent with the HIPAA privacy requirements for safeguarding health information
• Build continuing compliance capability
• Delegate project tasks and activities to the department level, balancing centralization and decentralization of responsibilities
• Maintain the bridge between Security and TCI
• Adopt a broad approach to defining “TPO” and a practical approach to the Designated Record Set
VNSNY HIPAA Organizational Chart

VNSNY Corporate Chief Privacy Officer, with the following reporting to that office:
• Covered Entity: VNSNY Employee Group Health Plan – Privacy Official
• Covered Entity – Privacy Official and Privacy Liaison
• Non-covered Entity – Privacy Liaison
• Affiliated Covered Entities – Privacy Officials and Privacy Liaisons
Organizational Structure - Privacy Implementation Team

The Project Team was created to work with management, business units, Subject-Matter Experts (SMEs), and Information Systems (IS) to develop and implement VNS’ Privacy Policies and Procedures.

• Executive Oversight: Chief Operating Officer
• Project Oversight: Deloitte & Touche National HIPAA Privacy Leadership; VNS Executive Sponsor
• Core Project Team: Deloitte & Touche Project Manager and Project Staff; VNS Interim Privacy Official, Project Leader, Project Staff and Department Liaisons
• Supporting groups: Operations Management Group, IS and SMEs

The core project team consists of 5 full-time and 3 part-time members.
Approach and Methodology
Project Approach – Phase I

A cyclical approach is used for the implementation of the privacy regulations for VNSNY:
• Identify and resolve key decisions VNS must make to guide the organization’s privacy protocol
• Develop Corporate Privacy policies
• Identify VNS project implementation requirements
• Roll out approved policies to the business units for implementation
• Monitor progress with management group
• Provide guidance, support and direction to business unit implementation efforts (PMO approach)

Design & Implementation Project cycle:
1. Identify & Resolve Key Decisions with SMEs
2. Privacy Team Develops Policy
3. Discuss Draft Policies with SMEs
4. Modify & Amend Policies
5. Present Policies to the Management Group for Approval
6. Roll-out Policies to Business Units & Identify Project Implementation Requirements
7. Implementation Projects
Project Scope – Phase I

• Policies were bundled into “like” groups
• Each group was addressed concurrently within the same “cycle”

Group 1:
1. Complaints
2. Monitoring
3. Employee Training
4. Privacy Notice

Group 2:
1. Minimum Necessary
2. Verification of Identity & Authority
3. Disclosures
4. Permitted Disclosures
5. Public Good Disclosures
6. Research
7. Fundraising
8. Marketing
9. De-Identification
10. Limited Data Set
11. Authorizations
12. Disclosure Accounting

Group 3:
1. Restrictions on Use &/or Disclosure
2. Waiver Prohibition
3. Business Associates
4. Plan Sponsors
5. Policies & Procedures
6. Record Retention

Group 4:
1. Access to Records
2. Amendment of Records
3. Designated Record Set
Phase I Project Timeline

[Timeline chart; recoverable content only]
• Privacy Liaison Mtg. dates: 1/30, 2/12, 2/19, 3/12, TBD (one meeting marked cancelled)
• OMG Mtg. dates: 12/20, 1/7, 1/21, 2/4, 2/18, 3/4, 3/18, 4/3, 4/14 (one meeting marked cancelled)
• Project Kick-off, followed by four staggered policy-group cycles, each running: Policy Design → Policy Draft Review → Introduce Policies to Subsidiaries → Privacy Liaison Implementation Planning → Implementation Execution
• Parallel tracks: Employee Training Content → Employee Training; Finalize Privacy Notice → Print & Distribute Privacy Notice
• End point: HIPAA Compliance
Phase I Dashboard (sample)

Implementation progress is monitored at the corporate, subsidiary and business unit level.

Status legend: B = Completed, G = On-schedule, Y = Delay likely, R = Behind Schedule

Milestone columns (each showing target date and status):
(B) Approval of Policy
(C) Introduce Policy to Subsidiaries
(D) Implementation Plan Developed
(E) Implementation Initiated
(F) Implementation Complete

Group 1 Policies

(A) Privacy Policy                                          (B)            (C)            (D)            (E)            (F)
Designation of Entity Status                                12/20/202 B    N/A            N/A            N/A            N/A
Privacy Office (Designation of Privacy Official/Liaison)    1/7/2003 B     N/A            N/A            N/A            N/A
Privacy Notice                                              1/21/2003 B    1/31/2003 B    2/12/2003 B    2/12/2003 B    4/14/2003 B
Employee Training                                           1/21/2003 B    1/31/2003 B    2/12/2003 B    2/12/2003 B    4/14/2003 B
Complaint Process                                           1/21/2003 B    1/31/2003 B    2/12/2002 B    2/12/2002 B    4/14/2003 B
Monitoring                                                  1/21/2003 B    1/31/2003 B    2/12/2003 B    2/12/2003 B    4/14/2003 B
Project Scope – Phase II

• Projects were bundled into project threads
• Each group was addressed concurrently within the same “cycle”

Disclosure Implementation Projects:
1. Routine and Non-Routine Disclosure Process
2. Authorization
3. Disclosure Tracking

Individual Rights Projects:
1. Access and Amendment of Records
2. Confidential Communications and Restrictions
3. Designated Record Set

Relationships With Third Parties Project:
1. Business Associate Agreements

Minimum Necessary Use & Disclosure Project:
1. Minimum Necessary Access
Phase II Project Time Line

[Timeline chart; recoverable content only]
• Privacy Liaison Mtg. dates: 6/26, 7/31, 9/18
• OMG Mtg. dates: 6/25, 7/28, 8/30, 9/8, 9/30, 10/30, 11/30, 12/30
• Four staggered project threads, each running: Develop, Design, and Document Process → Develop Tools, Guidelines, Forms, etc. → Develop Departmental Specific Training Content → Conduct Departmental Specific Training → Implementation Complete → Develop and Execute Monitoring Plan
Phase II Dashboard (sample)

Status legend: B = Completed, G = On-schedule, Y = Delay likely, R = Behind Schedule

Milestone columns (each showing target date and status):
(B) Develop, Design and Document Process
(C) Develop Tools, Guidelines, Forms, etc.
(D) Develop Departmental Specific Training Content
(E) Conduct Departmental Specific Training
(F) Initial Implementation Complete

(A) Implementation Activities                    (B)            (C)            (D)            (E)             (F)

Disclosure Implementation Projects
Routine & Non Routine Disclosure Process         7/25/2003 B    8/22/2003 B    9/30/2003 B    12/30/2003 B    2/16/2004 G
Authorization                                    7/25/2003 B    8/22/2003 B    9/30/2003 B    12/30/2003 B    2/16/2004 G
Disclosure Tracking                              7/25/2003 B    8/22/2003 B    9/30/2003 B    12/30/2003 B    2/16/2004 G

Individual Rights Projects
Access and Amendment of Records                  7/25/2003 B    8/22/2003 B    9/30/2003 B    12/30/2003 B    2/16/2004 G
Confidential Communications and Restrictions     8/22/2003 B    9/12/2003 B    9/30/2003 B    12/30/2003 B    2/16/2004 G
Designated Record Set                            N/A            8/22/2003 B    9/30/2003 B    12/30/2003 B    2/16/2004 G

Relationships with Third Parties
Business Associate Agreements                    7/25/2003 B    8/22/2003 B    9/30/2003 B    12/30/2003 B    2/16/2004 G

Minimum Necessary Use and Disclosure
(1) Minimum Necessary Access*                    7/25/2003 Y    8/22/2003 Y    9/30/2003 Y    12/30/2003 B    2/16/2004 G

* Crosses Security
RegsPrint

• Compliance management tool
• Identifies operational “touch points” to compliance risk elements
Virtual Project Office

• In an effort to keep the organization informed and involved on HIPAA news and pertinent information, the HIPAA Privacy Team developed the VNS HIPAA Virtual Project Office (VPO)
• The VPO is part of the VNS Intranet Portal that functions as an online project office. All HIPAA related documentation is posted on this site for employee accessibility
Practical Example - Disclosures
Disclosure Implementation Summary Work Plan

• Develop list of routine disclosures typical of day-to-day business activity
• Analyze disclosures based upon Privacy requirements
• Develop Non-routine Disclosure Review Process
• Develop Disclosure Authorization Process
• Develop Disclosure Tracking Process
• Develop guidelines and summary documents to be used by managers and employees
• Develop and implement Technical Solutions
• Conduct Procedure Specific Training
HIPAA Flag and HIPAA Tab

• The HIPAA Flag and HIPAA Tab concepts were developed to give VNSNY staff a tool to track and monitor the required elements of the HIPAA Privacy law

• The following “HIPAA flags” were created for compliance:
  • H1: Restrictions and Confidential Communications
  • H2: Designation of a Personal Representative
  • H3: Authorization
  • H4: Disclosure Tracking
  • H5: Disclosure Accounting
  • H6: Request for Access to Record
  • H7: Request for Amendment to Record
  • H8: Marketing OPT Out – (This field will only be used by the marketing and fundraising department)
HIPAA Flag and HIPAA Tab

• A “HIPAA tab” has been developed to be inserted in the patient’s medical and billing record

• The HIPAA tab will contain all HIPAA related correspondence and forms for any patient that exercises one of their individual rights, or if VNSNY discloses PHI
                                Disclosure Guidelines for
                                 Management (sample)

VNSNY receives a request for disclosure of PHI. The request follows one of three paths,
decided by two questions: does the disclosure require authorization, and, if not, does it
require tracking?

1. Authorization is required*; tracking is not required
   Applies to:
   • Attorney requests
   • Insurance companies for collection of benefits: life insurance, LTC insurance
     (not payment for VNSNY services)
   • Pharmaceutical companies
   • All third-party requests
   Process:
   • Forward request to RCU
   • RCU obtains HIPAA-valid authorization
   • RCU activates H3 flag
   • RCU releases information with verification of identity and authority
   • Team files documentation in the HIPAA tab of the medical record
   • Retain all documentation for 7 years
   END

2. Treatment, Payment, Operations (TPO): authorization is not required; tracking is not required
   Applies to:
   • Care coordination with providers and vendors
   • Coordination of care with patient/family/caregivers
   • Application for health-related services (SSI, HRA)
   • Application for non-health-related services (Meals on Wheels, Access-a-Ride)
   • Informal network
   • Drug reviews
   • Financial auditing
   • Case management
   • Billing, collections, payment
   • Utilization management
   • Pre-admission inquiries
   • Quality management/patient satisfaction
   Process:
   • Verify whether the H1 flag is activated for restrictions
   • If no restrictions exist, may release with verification of identity and authority
     and minimum necessary
   END

3. Authorization is not required; tracking is required*
   Applies to:
   • Public health activities
   • Victims of abuse
   • Coroner/medical examiner
   • Law enforcement
   • Deceased individuals
   • Organ donors
   • Health or safety (Red Cross)
   • Anti-counter terrorism
   • Workers compensation
   • Judicial/court proceedings
   • Health oversight
   • Specialized government functions (FBI)
   Process:
   • May disclose with verification of identity and authority and minimum necessary
   • HIPAA flag H4 is activated; manager will work with team to activate flag
   • Retain all documentation for 7 years
   END
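The three disclosure paths in the guideline above, as an added Python example that is not part of the VNSNY/Deloitte presentation. The request-type keys, the dataclass fields and the "escalate" default for an unclassified request are assumptions made here; the authorization, tracking and H1/H3/H4 logic follows the slide.

```python
from dataclasses import dataclass, field

# Constructed request categories, grouped by the three paths on the guideline slide.
REQUIRES_AUTHORIZATION = {"attorney", "life_insurance", "ltc_insurance",
                          "pharmaceutical", "third_party"}
TRACKED_DISCLOSURE = {"public_health", "abuse_victim", "coroner", "law_enforcement",
                      "deceased", "organ_donor", "health_safety", "workers_comp",
                      "court", "health_oversight", "government_function"}
TPO_DISCLOSURE = {"care_coordination", "billing", "utilization_mgmt", "case_mgmt",
                  "quality_mgmt", "drug_review", "financial_audit", "preadmission"}


@dataclass
class DisclosureRequest:
    request_type: str
    identity_verified: bool               # requester's identity verified by staff
    authority_verified: bool              # requester's authority to receive PHI verified
    authorization_on_file: bool = False   # HIPAA-valid authorization obtained by RCU
    active_flags: set = field(default_factory=set)  # flags already set, e.g. {"H1"}


def evaluate(req: DisclosureRequest) -> tuple:
    """Return (decision, flags to activate) for one disclosure request."""
    # Every path on the slide releases only after identity and authority are verified.
    if not (req.identity_verified and req.authority_verified):
        return "deny: verify identity and authority before any release", set()
    if req.request_type in REQUIRES_AUTHORIZATION:
        if not req.authorization_on_file:
            return "hold: forward to RCU to obtain HIPAA-valid authorization", set()
        # Release, file paperwork in the HIPAA tab, keep it 7 years; no tracking.
        return "release: file in HIPAA tab, retain 7 years", {"H3"}
    if req.request_type in TRACKED_DISCLOSURE:
        # No authorization needed, but the disclosure must be tracked (H4) so it
        # can later be reported in a disclosure accounting (H5).
        return "release minimum necessary: track disclosure, retain 7 years", {"H4"}
    if req.request_type in TPO_DISCLOSURE:
        # TPO: check for an H1 restriction / confidential-communication request first.
        if "H1" in req.active_flags:
            return "hold: H1 restriction active, Privacy Official must review", set()
        return "release minimum necessary: TPO, no authorization or tracking", set()
    # Assumed default, not on the slide: anything unclassified is escalated.
    return "hold: unclassified request, escalate to Privacy Official", set()


if __name__ == "__main__":
    for rt in ("attorney", "law_enforcement", "billing"):
        print(rt, "->", evaluate(DisclosureRequest(rt, True, True)))
```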
                         Patient Rights Guidelines for
                              Managers (sample)

Patient Right: Restrictions & Confidential Communication
  Definition: Patients have the right to restrict who VNSNY can disclose their information
    to, and the right to request to receive communication in an alternate manner.
  Individuals Responsible: The Privacy Official is responsible for reviewing and processing
    all requests. Patients need to submit their requests in writing to the Privacy Official.
    The Privacy Official will work with the manager to determine if the request will be
    approved or denied.
  HIPAA Flag: H1. The manager will work with the team to activate the flag. The team will be
    responsible for filing all written documentation in the HIPAA Tab.

Patient Right: Disclosure Accounting
  Definition: Patients have the right to request an accounting of their disclosures.
  Individuals Responsible: The manager or supervisor will be responsible for reviewing the
    request, will work with the team to determine what disclosures have been made, and will
    be responsible for completing a letter to be sent to the patient responding to their
    request.
  HIPAA Flag: H5. The manager will work with the team to activate the flag. The team will be
    responsible for filing all written documentation in the HIPAA Tab.

Patient Right: Access to Record
  Definition: Patients have the right to request access to their record or PHI.
  Individuals Responsible: The Regional Compliance Unit will be responsible for reviewing
    and processing the request. Patients need to submit their request in writing to the
    Regional Compliance Unit.
  HIPAA Flag: H6. The Regional Compliance Unit will be responsible for activating the flag.
    The team will be responsible for filing all written documentation in the HIPAA Tab.

                Implementation Challenges




                               Privacy Implementation
                                Challenges - Internal

I. CULTURAL SHIFT
    • Raising awareness of all staff, especially non-clinical, customer service staff
        • Minimum necessary
        • Handling family member inquiries
    • Keeping patient information private in the community
        • Nurses and therapists carrying patient information
        • Patient information in the patient's home
    • Lack of standardization in a large, decentralized organization


II. MEDICAL RECORDS
    • What is treatment, payment, and operations (TPO), and what is not?
    • Disclosure
        • Disclosure tracking
    • Verification and/or authorization




                        Privacy Implementation
                         Challenges - External


III. BUSINESS ASSOCIATES

    • Who are VNSNY business associates?
    • When is VNSNY a business associate?
    • Define BA relationships
    • Developing and centralizing a contract management database
    • Incorporating the workload with no additional resources


IV. SHARING INFORMATION FOR REFERRING PATIENTS FOR HOME CARE

    • Clarifying when this is a provider-to-provider relationship
    • Concerns and fears in the marketplace and community




                           Privacy Implementation
                            Challenges - External




V. BUSINESS CONSIDERATIONS

    • Tendency for many trading partners to "disrupt" operations
        • "Deer in the headlights" effect
        • Lack of understanding of the Privacy Rule
        • Requires additional resources to conduct operations




                               Contact Information

                Please feel free to contact us for further discussion


      Speaker            Phone           E-mail Address
      Roxlyn Woosley     212.609.6345    roxlyn.woosley@vnsny.org
      Yelena Patish      212.609.1665    yelenap@vnsny.org
      Jack Scott         412.338.7785    jascott@deloitte.com




                                  Questions ?



                            About Deloitte

Deloitte, one of the nation's leading professional services firms, provides audit, tax,
financial advisory services and consulting through nearly 30,000 people in more than 80
U.S. cities. Known as an employer of choice for innovative human resources programs,
the firm is dedicated to helping its clients and its people excel. "Deloitte" refers to the
associated partnerships of Deloitte & Touche USA LLP (Deloitte & Touche LLP and
Deloitte Consulting LLP) and subsidiaries. Deloitte is the US member firm of Deloitte
Touche Tohmatsu. For more information, please visit Deloitte's web site at
www.deloitte.com/us.

Deloitte Touche Tohmatsu is an organization of member firms devoted to excellence in
providing professional services and advice. We are focused on client service through a
global strategy executed locally in nearly 150 countries. With access to the deep
intellectual capital of 120,000 people worldwide, our member firms, including their
affiliates, deliver services in four professional areas: audit, tax, financial advisory
services and consulting. Our member firms serve more than one-half of the world’s
largest companies, as well as large national enterprises, public institutions, locally
important clients, and successful, fast-growing global growth companies.

Deloitte Touche Tohmatsu is a Swiss Verein (association), and, as such, neither Deloitte
Touche Tohmatsu nor any of its member firms has any liability for each other’s acts or
omissions. Each of the member firms is a separate and independent legal entity
operating under the names “Deloitte”, "Deloitte & Touche", "Deloitte Touche Tohmatsu"
or other related names. The services described herein are provided by the member firms
and not by the Deloitte Touche Tohmatsu Verein. For regulatory and other reasons
certain member firms do not provide services in all four professional areas listed above.
