Ascension Health HIPAA Web Site
Maintained by Don Stry, Information Services Division
(812) 228-2131; Email: dstry@ascensionhealth.org

Section: Getting Started

Cookbook Approach for HIPAA Readiness
(How to start – what to do!)

(Updated 08/27/01)

First, realize that all HIPAA regulations, rules or standards pertain to patient identifiable information. The following is an oversimplification of how to proceed (steps 5 through 9 can overlap):

  1. Form a HIPAA team, with representatives of major areas, especially corporate responsibility, I/S, medical records, risk, legal, patient care, business operations and human resources; assign them responsibilities for HIPAA readiness.
  2. Gain a better understanding of the regulations by researching the Ascension Health HIPAA website at http://hipaa.ascensionhealth.org/, especially the section "Resources for Members Only" and the item "Summary of Privacy Rule, from Jeff Short, Attorney (Updated 01/09/01)". Also review the actual HIPAA rules on the government website http://aspe.hhs.gov/admnsimp.
  3. Educate your HIPAA team and others at your location on the HIPAA requirements.
  4. Develop a rough game plan based on the major phases: assessment, gap and risk analysis, project plan development, remediation/implementation, and monitoring and documentation.
  5. Use the web-enabled HIPAA Toolkit to perform an assessment.
  6. Collect all your organization’s data/systems security and data privacy (confidentiality) policies, procedures and measures.
  7. Identify all your organization’s business partners so you can begin to attain Business Associate Agreements with them all.
  8. Identify all databases and application systems handling patient identifiable information.
  9. Determine from your application software vendors their HIPAA readiness plans.
  10. Identify all entry points (inquiry accesses to patient information) and electronic transfers of patient information.
  11. Identify and document all security policies, procedures and measures used at each access point or data transfer to ensure only authorized persons have access and that appropriate measures are employed for protection of patient data.
  12. Compare security and confidentiality policies, procedures, and measures with HIPAA requirements, which can be downloaded from the government website http://aspe.hhs.gov/admnsimp.
  13. Identify and document shortcomings (gaps) and analyze the risk tolerance of the organization for each.
  14. Decide and document a course of action for those risks determined to be excessive.
  15. Prepare your detailed project plan.
  16. Implement the plan.
  17. Document assumptions, assessments, risk analysis, decisions, policies, procedures, training, plans, results, etc.
  18. Monitor ongoing compliance.
