Ascension Health HIPAA Web Site
Maintained by Don Stry, Information Services Division
(812) 228-2131; Email: dstry@ascensionhealth.org

Section: Getting Started

Suggested HIPAA Project Phases

08/28/01

1. Awareness

a. Organize: appoint an overall program manager for your organization’s HIPAA compliance effort, with cross-functional authority; appoint a security administrator for overall corporate assets, including information security; assign resources as required; at a minimum, get senior management, risk management, medical records and I/S involved; form a task force and/or project team.

b. Prioritize: acknowledge the importance and overall priority of this as a corporate-wide initiative sponsored by senior management.

c. Research: identify and understand the HIPAA Regulations that impact the health system.

d. Communicate: make this information available to those in your organization, including your board.

e. Educate and train: provide education and training to your staff.

2. Inventory

Have a current inventory of the following:

a. All computer systems and networks.

b. Business associates sharing protected health information (PHI).

c. Access points to computerized or electronic patient information.

d. Storage locations and media of electronic patient information.

e. Data security measures, including policies, procedures, devices and audit trails.

f. Systems not covered in your organization’s Disaster Recovery Plan.

3. Assessment of Vulnerability and Risk Analysis

a. Evaluate current privacy and security-related policies, procedures and practices against the requirements of the HIPAA regulations.

b. Evaluate your application software to determine its HIPAA readiness (may need to contact vendors).

c. Identify and quantify the gaps between your current situation and the HIPAA requirements.

d. Analyze and assess the risk of each gap.

e. Determine the acceptable level of residual risk for each gap (the level the organization is willing to accept).

f. Identify the "priority" gaps that will require a solution.

g. Estimate potential costs.

4. Planning

a. Develop an action plan with deadlines and timetables.

b. Develop a technical and management infrastructure to implement the plan.

c. Refine cost estimates and develop a HIPAA budget.

5. Solution Design

a. Develop solution options for each priority gap.

b. Choose the most cost-effective solution approach for each priority gap.

c. Design, develop and/or acquire solutions.

d. Develop new or revised policies, processes and procedures.

e. Build "Business Associate Agreements" with organizations handling your PHI.

f. Develop new internal communications, training and enforcement.

6. Testing and Implementation

a. Test solutions and verify their validity and effectiveness.

b. Prepare detailed implementation plans.

c. Identify resources and revise cost estimates.

d. Develop timelines.

e. Implement the solutions.

7. Contingency Planning

a. Identify critical processes and data.

b. Develop strategies for possible scenarios.

c. Develop appropriate data backup plans.

d. Develop (or review existing) disaster recovery (DR) plans.

e. Test and refine DR plans.

f. Develop escalation criteria and authority to escalate.

8. Documentation

a. Prepare appropriate documentation relating to your organization’s efforts for complying with the HIPAA regulations.

b. Document assumptions, inventories, assessments, risk analysis, decisions, rationale used in making decisions, plans, processes and accomplishments.

9. Monitoring and Reviews

a. Develop a strategy for ensuring the organization’s continued compliance with the HIPAA regulations.

b. Develop and implement monitoring, auditing and control plans, which include ongoing processes, resources and responsibilities.

c. Assign accountability for oversight.

d. Perform periodic reviews and audits.
