Review the Security Officer roles and qualifications
Assign the health care component's Security Officer
Identify and assign personnel who will be involved in the Security compliance efforts
Review the HIPAA Security and Electronic Signature Standards Requirements
Attend the formal Security Core Training to be conducted by the PMO
Review and understand the proposed HIPAA Security Regulations (45 CFR Part 142)
Inventory Privacy/Security-Related Laws, Rules and Regulations
Review the Legal Requirements collection instructions from the PMO
Review the NCHICA evaluation of current State Laws on uses and disclosure
Collect Division or health care component privacy and security related State Laws, Federal Laws, rules, and regulations
Complete the Legal Requirements Matrix and submit to PMO
Determine Effective Laws, Rules and Regulations Through Legal Review
Assist PMO and legal counsel in comparing HIPAA Security requirements with collected privacy and security-related laws/rules/regulations
Provide input into documenting potential exceptions based on 160.203 criteria
Monitor request for exception based on process described in 160.204
Review final Legal Summary of effective law prepared by PMO and AG's Office
Define a Process for Due Diligence
Work with the PMO to identify the documentation required for due diligence and validating compliance
Define a process and roles for keeping track of due diligence documentation
Inventory Security-Related Policies, Procedures and Practices
Review Security policies/procedures/practices collection instructions from PMO
Collect Division or health care component's security-related policies, procedures and practices
Complete the Security Policy Matrix and return to the PMO
Coordinate and Assist in the Inventory of Network Assets
Provide support to the DIRM Networking Services automated network discovery if needed
Complete the Pre-Assessment Checklist and submit to the PMO
Coordinate and Participate in the PMO's Detailed Security Assessment
Identify personnel who should participate in the security assessment
Coordinate the health care component's security assessment schedule with the PMO
Participate/provide information during the security assessment
Facility Director and identified staff: review and sign-off on the PMO's (Confidential) Security Assessment Report
Develop a Security Remediation Plan
Review PMO recommendations and risk assessment (from Security Assessment Report) and evaluate the recommended technical and administrative fixes
Review the Security Remediation Guide provided by PMO (when available) and determine if any enterprise technical solutions are planned
Identify the third party entities with whom the health care component exchanges data electronically and where a chain of trust agreement must be established
Consult with PMO (if the Remediation Guide is not available) to determine Division or health care component-level (vs. enterprise level) policies and procedures that must be developed or modified
Document a remediation plan and communicate this to the PMO
Participate in the PMO's Security Intermediate Training
Attend the formal Security Intermediate training to be provided by the PMO
Update the remediation plan (if needed) and communicate this to the PMO
Establish the Security Officer's Long-Term Responsibilities
Attend the Security Officer expert training to be provided by the PMO
Implement Enterprise-Level Security Solutions (Policies and Procedures)
Review enterprise-level policies and procedures
Identify existing division or health care component policies and procedures that will be replaced
Determine the best method to communicate or roll-out the new enterprise-level policies and procedures
Conduct training or carry out preferred communication method
Cut-over to the new enterprise-level policies and procedures
Discuss planned enterprise-level technical solutions with PMO
Determine how the enterprise solutions will be implemented within the health care component
Carry out the implementation plan
Conduct training or carry out preferred communication method
Implement Division or Health Care Component-Level Solutions (Policies, Procedures and Business Practices)
Develop the required "security management process" for the health care component
Using the templates from the Remediation Guide, develop the policies and procedures that have been identified as division or health-care component level
Determine the best method to communicate or roll-out the new division or health care component-level policies and procedures
Conduct training or carry out preferred communication method
Cut-over to the new division or health care component-level policies and procedures
Review the chain of trust language template provided by the AG's office and incorporate any health care component-specific provisions
Engage the third party with whom electronic data is exchanged and establish the agreement based on process defined by AG's office
Implement Division or Health Care Component-Level Solutions (Technical)
Identify the tasks, resources, and timeframe required for each solution to be implemented
Obtain/procure the solution to be implemented
Carry out the implementation plan (task list)
Privacy Standards
Organize the Privacy Compliance Team
Review the Privacy Officer roles and qualifications
Assign the health care component's Privacy Officer
Identify and assign personnel who will be involved in the Privacy compliance efforts
Review the HIPAA Privacy Standards Requirements
Review and understand the HIPAA Privacy Regulations (45 CFR Part 160 (revised) and 164)
Attend the formal Privacy Core Training to be conducted by the PMO
Inventory Privacy/Security-Related Laws, Rules and Regulations
Review the Legal Requirements collection instructions from the PMO
Review the NCHICA evaluation of current State Laws on uses and disclosure
Collect Division or health care component privacy and security related State Laws, Federal Laws, rules, and regulations
Complete the Legal Requirements Matrix and submit to PMO
Determine Effective Laws, Rules and Regulations Through Legal Review
Assist PMO and legal counsel in comparing HIPAA Privacy requirements with collected privacy and security-related laws/rules/regulations
Provide input into documenting potential exceptions based on 160.203 criteria
Monitor request for exception based on process described in 160.204
Review final Legal Summary of effective law prepared by PMO and AG's Office
Define a Process for Due Diligence
Work with the PMO to identify the documentation required for due diligence and validating compliance
Define a process and roles for keeping track of due diligence documentation
Inventory Privacy-Related Policies, Procedures, Practices and Forms
Review the Privacy policies/procedures/forms collection instructions from the PMO
Collect the Division or health care component's Privacy-related policies, procedures and forms
Complete the Privacy Policy Matrix and return to the PMO
Identify Business Associates
Review the Business Associates Checklist (questionnaire) provided by the PMO
Evaluate current business/support relationships and contracts to determine if business associate relationships exist
Categorize identified business associate relationships
Evaluate current PHI data sharing practices and determine the business/legal basis for these
Complete the Business Associates Checklist and return to the PMO
Identify and Evaluate Applications that Require Privacy and Security Remediation
Review the (PHI or EDI-TCI) applications assessment provided by the PMO to identify applications that contain PHI
Review the Applications Privacy and Security Assessment guideline (to be) provided by the PMO to identify other applications that may be impacted by other privacy and security requirements (other than PHI)
Work with PMO to develop business requirements to guide application remediation efforts
Engage the I.T. support team or vendor to conduct a detailed analysis of the application's impact, and to map and document the electronic flow of PHI from the application
Document impacts and priorities and advise PMO of results
Participate in the PMO's Development of Enterprise-Level Policies and Templates
Work with the PMO in developing enterprise-level privacy policies
Work with the PMO in developing templates for division or health care component-level policies, procedures and forms
Participate in the Planning the Remediation of the Transactional Application System for Privacy and Security
Review the overall approach for remediating the application
Provide input in the development of the overall test plan
Provide input in the detailed implementation schedule and roll-out approach
Plan the Remediation of XYZ Application for Privacy and Security
Develop the overall application remediation approach
Develop the high level technical requirements
Develop the overall test plan
Develop the implementation schedule and roll-out approach
Participate in the PMO's Privacy Intermediate Training
Attend the formal Privacy Intermediate training to be provided by the PMO
Establish the Privacy Officer's Long-Term Responsibilities
Attend the Privacy Officer expert training to be provided by the PMO
Implement Enterprise-Level Privacy Policies
Review enterprise-level policies and procedures
Identify existing division or health care component policies that will be replaced
Determine the best method to communicate or roll-out the new enterprise-level policies and procedures
Conduct training or carry out preferred communication method
Cut-over to the new enterprise-level policies
Implement Division or Health Care Component-Level Policies, Procedures and Forms
Using the templates from the Remediation Guide, develop the policies, procedures and forms that have been identified as division or health-care component level
Determine the best method to communicate or roll-out the new division or health care component-level policies, procedures and forms
Conduct training or carry out preferred communication method
Cut-over to the new division or health care component-level policies, procedures and forms
Review the business associate language template provided by the AG's office and incorporate any health care component-specific provisions
Engage the business associate and establish the agreement based on a process defined by P&C/AG's office
Remediation, Testing and Installation into Production of the Transactional Application System
Identify and assign business personnel who will be involved in Transaction compliance efforts
Identify and assign I.T. personnel who will be involved in Transaction compliance efforts
Review the HIPAA Standards Transactions Requirements
Review and understand HIPAA Regulation 45 CFR Part 160 (revised) & 162
Review and understand the Delay Bill - H.R. 3323
Define a Process for Due Diligence
Work with the PMO to identify the documentation required for due diligence and validating compliance
Define a process and roles for keeping track of due diligence documentation
Conduct High-Level EDI-TCI Assessment
Provide an inventory of application systems to the PMO
Complete all System Functionality Statement questionnaires for each application system
Review the EDI-TCI assessment report provided by PMO
Sign-off on the EDI-TCI assessment report, submit sign-off to PMO
Participate in the detailed Gap Analysis of the Transactional Application System
If vendor-supported, obtain from the vendor a formal notification of its plan to comply with HIPAA requirements
Work with the I.T. support group in reviewing the ASC Implementation Guide for data and processing requirements
Work with the I.T. support group to identify trading partners and establish communications (initiate discussions) with the trading partners (payers)
Work with the I.T. support group to document trading-partner specifications (e.g., situational fields) for the transactions
Work with the I.T. support group to review requirements for the standardized medical code sets
Work with the I.T. support group to identify what gaps exist between the transaction data in the transactional application system vs. the ASC transaction standard and trading partner data requirements
Work with the I.T. support group to determine, evaluate and document potential data sources to resolve these gaps
Document summary of gap analysis findings and advise PMO of results
Identify Other Systems that have to be Remediated
Review the EDI-TCI assessment report impact matrix provided by the PMO
Engage the I.T. support group (internal, DIRM or software vendor) to evaluate the applications with identified impact in the impact matrix
Document impact and priorities and advise PMO of results
Determine the Changes to the Health Care Component's Day-to-Day Business Process
Identify business process/operations/procedures/forms that will be affected by gap resolution
Document business process impact
Establish a Relationship with a Clearinghouse Service (If Required)
Work with HIPAA PMO to identify, evaluate, and procure clearinghouse services
Review any existing or standard service level agreement (SLA) offered by the clearinghouse
Provide input on DHHS service level requirements to be incorporated into the contract
Review the business associate language template provided by the AG's office and incorporate any health care component-specific provisions
Review the chain of trust language template provided by the AG's office and incorporate any health care component-specific provisions
Obtain a copy of the signed contract and keep as part of due diligence documentation
Establish Formal Trading Partner Relationships
Engage payers (DMA-Medicaid, Medicare, etc) and the Clearinghouse to formalize the exchange of transactions
Review the trading partner agreement (TPA) template provided by the AG's office and incorporate any health care component-specific provisions
Determine the contractual instrument to be used for the TPA with each payer
Work with the PMO and AG office to determine the contractual instrument to be used for the TPA between the Clearinghouse and the payers
Incorporate the chain of trust language in the TPA between the Clearinghouse and payers
Obtain a copy of the signed contract(s) and keep as part of due diligence documentation
Participate in Planning the Remediation of the Transactional Application System
Review the overall approach for remediating the application
Provide input into the vendor's development of an overall test plan
Provide input in the detailed implementation schedule and roll-out approach
Plan the Changes to the Health Care Component's Day-to-Day Business Process
Document the new or revised business process/procedures/forms that have to take place
Coordinate the implementation schedule of changed processes with the roll-out of the transactional application system
Determine the need to train staff on these process changes
Communicate the planned business and systems changes to the user community
Plan the XYZ System Remediation
Develop the overall application remediation approach
Develop the high level technical requirements (e.g., application and data architecture)
Develop the overall test plan
Develop the implementation schedule and roll-out approach
Remediation, Testing and Installation into Production of the Transactional Application System
Monitor the transactional application system remediation activities (detailed design, construction, testing)
Develop acceptance test cases that will be used for user acceptance testing
Monitor the results of the 3rd party certification test
Conduct user acceptance testing of the system changes
Monitor the migration of the remediated system into production
Once in production, verify that production transactions are processed correctly by the remediated transactional application system (for daily, monthly, quarterly, etc. processing)
Implement the Changes to the Health Care Component's Day-to-Day Business Process
Develop training materials and conduct training on new business process if needed
Implement new procedures, forms, etc., in conjunction with the remediated system(s)' roll-out
XYZ System Remediation, Testing and Installation into Production