Road to Compliance

The purpose of this paper is to identify and clarify the methodology defined at the HIPAA University (http://www.hipaa-u.com). This effort is intended to further understanding of the HIPAA U methodology and assist organizations in achieving HIPAA compliance. The author may modify and expand on the material presented in the HIPAA U members' section, based on industry experience. However, the intent is to expand rather than detract from the overall methodology.

In order to achieve HIPAA compliance it is important to define the tasks at hand and develop a plan for all phases of the project. The tried and true phased project approach is the one that leads us to our goals while keeping a firm grip on the budget and focusing on the road ahead.

Phase one is project initiation. The first step of this phase is to achieve upper management sponsorship and support; the success of this effort must be approached from the top down. Next we define our goals, objectives, risks, and path forward. Forming a team, identifying roles and responsibilities, and finding the right resources to fill these roles is a crucial part of this task. Since no project is entirely successful when performed wholly in house or totally out-sourced, you will need to identify existing resources, some of whom may assume new roles, as well as go out to the market for additional employees and/or vendors. A HIPAA project sponsor, Project Manager, Privacy Officer, Security Officer, HIPAA coordinator, educator, and business as well as technical resources are some of the possible roles that will form your HIPAA Compliance Team. Furthermore, resources should be identified to maintain the legacy systems until all related partners have cut over to HIPAA. Remember that small providers have an extra year, and some payers, providers, and service bureaus will be filing the extension and will need another year before they cut over. The next step is to provide HIPAA awareness training to your staff, from upper management to mid-level management, spreading out to all areas of your organization. It is important to document, publish, and distribute as much information to your organization as possible to increase the knowledge base and achieve a universal effort. Alert your business partners, trading partners, associates, payers, providers, clearinghouses, billing agencies, and counterparts as to what is being done for HIPAA in your organization. Seek to obtain information regarding their HIPAA initiatives; you will gain new ideas as well as a broader-based understanding of the HIPAA efforts of your associates, and form a beginning to new and improved trading partner agreements.

The next phase is Assessment: determining where the biggest challenges are for Privacy, Security, and TCI (Transactions, Code sets, and Identifiers). A Privacy and Security assessment is broken down into three tasks. The first is the Physical assessment, where we identify the areas of the organization, its private patient information, the physical safeguards and risks, and define our goals to secure and keep private the information that is valuable and confidential. This includes an inspection of the building and the areas where private information is kept, and ensuring that it is shielded from the public and secure from intrusion. For example, shielding monitors with password-protected screen-savers would hide and keep safe confidential patient information. Training and awareness of privacy rights and security compliance is essential to this task. The second part, Administrative, examines the organization's policies, procedures, and guidelines for securing and keeping information confidential, as well as contingency planning to ensure safety and confidentiality. One example would be determining the company policy for marketing to patients or calling patients in a waiting room. The third part is Technical, for example the authentication and encryption of information to keep it private and secure.

The TCI side of the assessment includes reviewing all of the organization's current systems, transactions, data, and business practices to identify areas where compliance work is needed, including in some cases the automation of areas that were previously manual processes. A final analysis report will be produced as a result of this process, identifying the organization's current privacy, security, and TCI practices and determining what is needed to achieve HIPAA compliance. This will empower the organization with the knowledge needed to budget, further identify resources and risks, refine the timeline, and provide a road map of the path forward.

Phase three involves reporting, reviewing, revising, and expanding the knowledge gathered in phases one and two. This phase needs total team participation. In addition, sponsors, upper management, mid-level management, and all departments affected should be involved. Revision of the budget, plan, and resources must be part of a single vision, with everyone on board with the plan. It must be a shared vision with a clear understanding of the requirements all share in achieving this goal. Clarity and unity are of the utmost importance here. Leadership, sponsorship, and a clearly mapped plan will result from this effort.

Phase four is the beginning of remediation. This phase consists of four activities, known as tracks, with each track comprising the same four tasks, defined as stages of work. The structure is illustrated as follows:

  1. Applications Layering
     A. Organization
     B. Design
     C. Construction
     D. Implementation

  2. Infrastructure
     A. Organization
     B. Design
     C. Construction
     D. Implementation

  3. Procedural
     A. Organization
     B. Design
     C. Construction
     D. Implementation

  4. Management Metrics
     A. Organization
     B. Design
     C. Construction
     D. Implementation

Although these four activities appear in sequence, the practical solution may be to run them concurrently and, within each, follow the sequence of organization, design, build and test, and implementation. Priority should be given to Infrastructure, Procedural, and Applications, with Management Metrics being formed as each activity evolves. However, some feel Management Metrics may be planned first and revised as the phases evolve. A proper infrastructure should be in place to support the EDI and healthcare systems that depend on it.

The final phase, phase five, involves the internal audit required by HIPAA to keep the project on track and eliminate violations regarding mandated reporting and audit trails. It is mandatory to the success of compliance to implement proper monitoring and audit practices, including audit trail reporting, which comprise controls for the organization, continuous monitoring, periodic review, reporting, and documentation. Reporting and documentation are crucial to the success of this effort: monitoring and auditing alone will not succeed without the associated organization-wide documentation and reporting. Feedback from all team members, stakeholders, trading partners, and upper management, along with design modifications and adjustments and implementation monitoring, are the components which ensure the road to compliance is a smooth, safe, and successful trip.

This methodology is a solid plan for HIPAA compliance and will work for providers, plans, billers, TPAs, and clearinghouses. Find out more at http://www.hipaa-u.com