HIPAA Coordinators Kickoff Meeting

1
HIPAA Coordinators Kickoff
Meeting

• August 1, 2002

2
Background

• Ernst Young HIPAA Gap Assessment Project-
  completed September 2001
• Identified gaps and risks within UTMB Departments
  associated with new HIPAA regulations
• Use these risks as a starting point
• Need to validate and update identified gaps and
  risks (risks may have changed / no longer valid)
  
• HIPAA workgroups were formed to create
  institutional policies to address new HIPAA
  regulations and identified risks
• HIPAA approval process- HIPAA Task Force
  Physician Review Committee
• Completed 40 new institutional policies,
  currently submitted for IHOP approval
  http//www2.utmb.edu/compliance/hipaa/index.htm

3
HIPAA Departmental Remediation Process
Initial Department Meeting
HIPAA Team completes Analysis
Schedule Appointment
Departmental Response

• Appointment is set with Department Coordinator
• Send Departmental Review Worksheet via email by
  August 2
• Department Coordinator assigns a person or
  themselves to meet with HIPAA Implementation Team

• HIPAA Implementation Team meets with Department
• Go over Departmental Review Worksheet
• Review and discuss EY issues/risks
• Discuss and identify any additional HIPAA gaps
  risks
• Conduct Physical walk-through of department using
  departmental space survey

• HIPAA Implementation Team completes Departmental
  Assessment Worksheet
• HIPAA Implementation Team completes Physical
  Security Inspection Worksheet
• Both worksheets are sent via email to Department

• Department reviews Departmental Assessment and
  Physical Security Inspection Worksheets
• Department completes worksheets
• Department sends completed worksheets to HIPAA
  Implementation Team via email

4
HIPAA Departmental Remediation Process
HIPAA Compliance Date APRIL 14, 2003
4 Month Self- Assessment
Final Department Meeting
2 Month Self-Assessment

• Department performs self-assessment and updates
  Departmental Assessment and Physical Inspection
  Worksheets
• Department sends updated worksheets to HIPAA
  Implementation Team via email

• HIPAA Remediation meets with Department to review
  Departmental Assessment Worksheet
• HIPAA Implementation Team performs final
  walk-through of department and completes Physical
  Security Inspection Worksheet

• Department performs self-assessment and updates
  Departmental Assessment and Physical Inspection
  Worksheets
• Department sends updated worksheets to HIPAA
  Implementation Team via email

• What if the dates for HIPAA compliance change
  within the year?

5
Departmental Assessment Worksheet

• What is it?
• Excel Spreadsheet
• Summary of identified EY risks for each UTMB
  Department
• Average of 15-20 risks per each department (use
  as a starting point)
• When do we use it?
• 4 Evaluation Periods
• Initial Department Meeting (August-October)
• 2 month self-assessment (October-December)
• 4 month self-assessment (December-February)
• Final Department Meeting (February-Early April)
• Who will be using the assessment worksheet other
  than Institutional Compliance or my department?
• Audit Services will be conducting spot checks to
  validate reporting results.
• The Department of Health and Human Services may
  conduct compliance reviews to determine whether
  UTMB is complying with HIPAA.

6
Departmental Assessment Worksheet

• What are the key components?
• Policy Mitigation (30)
• Departmental Implementation efforts (45)
• Training of Departmental Personnel (25)
• How does it work?
• Ratings Scale
• 7 Columns of information
• Departmental Risks
• Institutional Policies Addressing Risk
• Policy Mitigation of Risk
• Departmental Implementation Readiness
• Training
• Total Score
• Departmental Response

7
Rating Scale
Rating Scale (0-10)
100
1-3
4-6
7-9

• 0

No action taken
Implementation in initial phases
Implementation aprox. half complete
Implementation in final stages
Implementation complete
Implementation
0 Training complete
10-30 of personnel in dept. trained
40-60 of personnel in dept. trained
70-90 of personnel in dept. trained
100 of personnel in dept. trained
Training

• In order to track progress on each departments
  effort to mitigate risks and get departmental
  personnel trained on HIPAA, we utilized a numeric
  scale between 0 and 10.

8
Departmental Risks and Policy Mitigation
9
Departmental Implementation
10
HIPAA Training
11
Total Score

• Total score (100 being the highest score) is
  automatically calculated for each risk to
  designate success in making changes within the
  department to mitigate the risk and completing
  HIPAA Training for departmental personnel.

12
Departmental Response
13
Cumulative Average Score

• Cumulative Average Score is taken from the
  average of all the total scores for each
  evaluation period.
• Goal is to have a 100 Cumulative Average Score
  for each department after Final Walk-through is
  completed.
• Progress advancement on HIPAA will be tracked
  online.

14
Physical Security Inspection Worksheet

• What is it?
• Separate Excel Spreadsheet
• Lists of specific physical security issues
  related to HIPAA identified on departmental
  walkthroughs
• When do we use it?
• Completed during same 4 Evaluation Periods as
  Departmental Assessment Worksheet
• How is it different than Departmental Assessment
  Worksheet?
• Departmental Assessment Worksheet addresses the
  broad processes and risks within the department.
• Physical Security Inspection Worksheet addresses
  specific, physical safeguards needed for HIPAA
  compliance within the department.
• Goal is to have all identified physical security
  issues completed by final departmental
  walkthrough.

15
Physical Security Inspection Worksheet
16
Next Steps

• You will be receiving a call to schedule an
  initial departmental remediation meeting.
• We will review the Departmental Assessment
  Worksheet populated with your department-specific
  risks during the initial departmental meeting and
  answer any questions you may have.