Vendor Management

1
Vendor Management

• Presented by the HIPAA COW
• EDI Administration Workgroup Co-chairs
• Christine Duprey, Project Manager, Healthcare
  Solutions - Stratagem, Inc.
• Suzanne Ronde, Independent Consultant
• Claudia Egan, Associate - Reinhart Boerner Van
  Dueren

September 27, 2002
2
What is A Vendor?

• A vendor can be any person, organization or
  software development company that is providing
  services or products on behalf of a covered
  entity.

3
Steps to Vendor Management

• Step One
• Identify the vendors the covered entity is
  currently doing business with.
• Identify whether or not the vendor is a covered
  entity.
• Identify whether or not each vendor is a business
  associate.
• Step Two
• Identify the activities completed throughout the
  organization where information may be used
  electronically.

4
Steps to Vendor Management

• Step Three
• Identify the vendors that enable the organization
  to transmit electronic information.
• Determine whether or not the activity completed
  will require changes due to the compliance
  requirements.

5
Steps to Vendor Management

• Step Four
• Review the organization business practices and
  systems to ensure the required components for the
  new electronic transactions can be gathered in
  day to day activities.
• Step Five
• Review the vendors HIPAA compliance activity.

6
Responsibilities

• Covered Entity
• 1. Comply with all elements of HIPAA.
• 2. Determine operational impacts of compliance.
• 3. Determine compliance readiness of the vendors.
• 4. Monitor the vendor compliance activities.
• 5. Initiate appropriate agreements.

• Vendor/Business Associate
• 1. Not a covered entity not
• enforced by HIPAA!
• 2. Comply with agreements with covered entity.
• 3. Report breach incidents to the covered entity.
• 4. Clearinghouses special rules for business
  associate activity 7 components of Privacy.

7
Vendor Myths

• If my vendor makes changes to my system for EDI
  Transactions, then Ill be HIPAA compliant.
• There is no cost associated with the changes
  vendors are making to the systems.
• My vendor is already making the changes, there is
  no need to conduct a GAP Analysis.
• I dont need to file for the ASCA Extension, my
  vendor is probably doing this.
• After the changes are made to the system, it will
  be an easy implementation process.

8
The Truth Behind the Myth

• The vendor is not responsible for any entitys
  HIPAA compliance. The HIPAA regulations
  specifically affects the covered entity.
• Most vendors will be associating a cost with
  changes in regards to HIPAA.
• GAP Analysis is important for covered entities to
  conduct.
• It is the covered entitys responsibility for
  filing the ASCA extension. Vendors can assist
  you in completing this.
• Some organizations may not be aware of the
  training needed or what the implementation
  entails.

9
Information Received from Vendors

• White Papers
• Readiness Documents
• HIPAA 101 Information
• Implementation Plans
• Testing Dates
• What do you do with this information?

10
Information You Need to Know

• What transactions will they be addressing?
• What is the release date?
• Implementation dates?
• Is the vendor doing testing and certification of
  these?
• What code sets will be supported?
• Release dates
• When the code set is no longer accepted
• Do you need to file for an extension?

11
Information You Need to Know, Cont.

• Implementing the Changes
• Do you have a migration plan?
• Will there be a need for training of staff for
  the changes?
• Is there a cost associated with changes?
• What security measures in regards to HIPAA have
  you addressed?
• Encryption?
• Monitoring or tracking mechanisms?

12
Information You Need to Know, Cont.

• What are the HIPAA initiatives of the vendor?
• HIPAA Team
• Implementation plan
• Conducted HIPAA training or awareness
• Organizational assessment

13
Which Agreement(s)?

• Chain of Trust
• Business Associate or
• Trading Partner?

14
Chain of Trust Agreement

• Apportions Contractual Liability for Breaches of
  the Security of Data Exchanged between Parties
• Not (yet) required by HIPAA

15
Business Associate Agreement

• PHI Driven
• Contractual Extension of HIPAA Privacy Rule to
  Non-Covered Entities
• Required Elements
• Indemnification

16
Trading Partner Agreement

• Memorializes Details of Electronic Data Exchange
• Not Required by HIPAA (like Business Associate
  Agreement)

17
The Big Disappointment (Sort of)

• The Use of HIPAA Standard Transactions does not
  mean Identical Transactions among all payors and
  providers
• Instead, Payors will have Companion Guides, for
  example, specific to adjudication

18
Trading Partner Agreement

• Recommended as a Standard way to
• Communicate companion guides
• Set Expectations
• Assign Responsibilities
• Allocate Costs

19
Trading Partner Agreement Elements/ Legal
Restrictions

• Parties May Not
• Change definition, data condition, use of data
  element or segment
• Add elements of segments to max. defined data set
• Use items marked Not Used in IG
• Change the meaning or intent of implementation
  specification

20
Trading Partner Agreement Elements

• Testing Requirements Prior to Go Live
• Communications Details
• Financial Arrangements
• Companion Guide Details
• Security Measures and Responsibilities

21
Questions?????