Skip Stein

Technology Consultant

Information Technology Systems,  Intelligent Home Design & Automation

Honesty ~ Integrity ~ Loyalty ~ Respect

Home
Up

Computer Terms

Int'l Trade Terms

HIPAA Glossary

**********************

 

 

******************

USA Founding Documents

United We Stand!

 

 

Never Forget!

Support our Troops!

 

 

 

Remember our Veterans!

 

 

 

Professional Profile

Privacy

Contact Me!

Updated:09/19/2008
Copyright
© 1996-2008 Skip Stein

HIPAA GAP Analysis Outline

SECTION 1: Pre-Analysis

 

  1. Download copies of all proposed HIPAA rules from http://aspe.os.dhhs.gov/admnsimp/.
  1. Register for e-mail notification of HIPAA document publication at http://aspe.os.dhhs.gov/admnsimp/lsnotify.htm.
  1. Launch an organization-wide HIPAA education effort:

  • Broadcast e-mails.

  • Employee newsletter.

  • Lunchtime seminars.

  • Expert speakers.

  • Management meetings.

  1. Appoint key individuals from throughout your organization for a compliance task force:

  • Healthcare Administration.

  • Claims Processi

  • Finance

  • Management Information Systems

  • Data Base Administration.

  • Network Security and Access Control.

  • Financial Systems.

  • Software systems change control, security access and integration processes and procedures.

  • Claims Adjudication.

  • Claims Payment Receivable/Payable Reconciliation.

SECTION 2: Analysis

Create an inventory of the computers and databases where protected health information (PHI) is stored: 

  1. Conduct a risk assessment and prioritization of potential PHI vulnerabilities.
  2. Organize existing security policies into the four established categories of the HIPAA security standards:

  • Electronic Transactions and Code Set

  1. Evaluate existing electronic transaction processing.

  2. Analyze current use of Electronic Data Exchange (EDI) transactions.

  3. Assess the change/impact of revised HIPAA X12N EDI transaction variations from standard X12.

  • Privacy

  • Unique Identifiers

  • Security

  1. Administrative Procedures.

  2. Physical Safeguards.

  3. Technical Data Security Services.

  4. Technical Security Mechanisms.

  3.  Develop checklists of:

  • Adequate security policies.

  • Security policies to be revised.

  • Security policies to be created. 

  1. Evaluate your master patient index (MPI) for duplicates (patients assigned more than one number) and overlays (more than one patient assigned the same number). The MPI is needed to:

  • Accurately match persons being registered for care with their record.

  • Minimize duplicate records within a facility and across patient care settings.

  • Facilitate merging MP’s to create enterprise MPI’s.

  • Facilitate links with clinical data repositories, pharmacies, and outside laboratories.

  • Facilitate access to longitudinal (lifetime) patient records.

The MPI may index patients, persons, members of healthcare plans, guarantors, physicians, healthcare practitioners, payers, employees, employers, or others. It may also be called an enterprise master patient index (EMPI), enterprise patient index (EPI), corporate person index (CPI), or another similar description. 

  1. Evaluate your billing system against HIPAA compliant EDI (electronic data interchange) transaction standards.
  1. Evaluate your current privacy policies against HIPAA proposed standards
  1. Develop checklists of:

  • Adequate privacy policies.

  • Privacy policies to be revised.

  • Privacy policies to be created. 

  1. Evaluate your existing vendor contracts for HIPAA compliance problems/issues.
  1. Develop data cross-walks for HIPAA data base elements required for new HIPAA mandated transactions to determine where ‘gaps’ exist within the existing information system data bases.
  1. Evaluate existing information system audit trails.
  1. Document all findings.

SECTION 3: Post-Analysis 

  1. Develop a plan to address PHI vulnerabilities (identified in Section 2, Number 2) placing highest priority on areas of greatest risk.
  2. 2.      Revise and/or create security policies necessary for HIPAA compliance. 
  3. Perform Master Patient Index (MPI) clean up. 
  4. If EDI standards have been modified to meet specific payer requirements (see Section 2, Number 6), change back to approved standard formats for HIPAA compliance. 
  5. Revise and/or create privacy policies necessary for HIPAA compliance. 
  6. Revise vendor contracts to assure HIPAA compliance. 
  7. If necessary, implement audit technologies that record every access to PHI (including read-only access) and analyze and flag suspicious patterns. 
  8. Document all revisions and changes.

 SECTION 4: Getting the Work Done in Time! 

  1. Develop detailed implementation work programs, schedules and budgets.
  2. Align existing resources and determine the need for outside resources to augment the implementation efforts. 
  3. Detail database systems modifications, including structural changes and application processing changes. 
  4. Determine revisions to processing cycles and times. 
  5. Assign project leads in business-aligned areas, including members from all impacted areas. 
  6. Allocate personnel, equipment and environmental resources to support the effort. 
  7. Get to work!!!!!!!!!!!!!!!!!!!!

Up USA Documents My Other Web Sites Commentary Brochure Background Personal History Consultant Profile Global Business Consulting Services CV/Resumes Archive Computer Terms Site Map

Send mail to the Webmaster with questions or comments about this web site.
Copyright © 1996-2008  Skip Stein
Last modified: September 19, 2008