A Case Study in Integrating ISO 9002 and HIPAA - PowerPoint PPT Presentation

Slides: 27
Provided by: david772

Transcript and Presenter's Notes

Title: A Case Study in Integrating ISO 9002 and HIPAA


1
A Case Study in Integrating ISO 9002 and HIPAA
  • David Boan, Ph.D.
  • (dboan_at_dfmc.org)
  • AHQA
  • February 1, 2002
  • Dallas, Texas

2
Case Study Overview
  • Presentation of a work in progress
  • Implemented HIPAA standards in ISO environment
  • Created processes to support continuous
    improvement.
  • Some processes are very new, some we have used
    for over two years

3
Background
  • Spring '01: DF senior management decided HIPAA was
    here to stay.
  • See HIPAA as benchmark for proper management of
    privacy and security.
  • Our customers are HIPAA covered entities and look
    to us for support. (RFPs now routinely ask about
    HIPAA implementation).

4
Key Points
  • In order to improve the quality of work
    processes, a set of standards (ISO, HIPAA) must
    be operationalized
  • DF began with ISO, then extended these processes
    to address HIPAA
  • Several key systems were created that may be of
    value to others considering the same standards.

5
The Driving force behind ISO is
  • To give employees the confidence that management
    takes quality seriously
  • And give customers confidence that their
    suppliers/contractors take quality seriously

6
How do you show you take quality seriously?
  • With a process that is highly visible
  • Senior management follow-through
  • External audit and certification (accountability)

7
Our Approach to HIPAA
  • Define a mandate: Why should a QIO bother with
    HIPAA?
  • Define the scope: What sections do we need to
    address?
  • Define a process: How do we do it?

8
The Mandate
  • It is strategically important to:
      • Meet the highest standards for safeguarding
        confidential data
      • Demonstrate to our customers our commitment to
        quality
      • Demonstrate to our staff that quality is a top
        priority
      • Position ourselves to assist and support our
        customers' compliance efforts.

9
The Scope
  • HIPAA focuses on payors, providers and
    clearinghouses, none of which are us.
  • HIPAA is a de facto industry standard for secure
    management of data.
  • Emphasis on security and privacy, monitor data
    provisions.

10
The Process
  • Obtained a directive from senior management
  • Created a temporary HIPAA Implementation
    Committee
  • Committee created 8 work groups
  • Report to permanent QA Committee which gives
    final approval to PPs and incorporates into ISO

11
HIPAA Approach
  • Performed assessment with EarlyView
  • Grouped items in assessment
  • Created a workgroup for each group of items
  • Workgroups led by committee member who recruits
    within company for help
  • Develop PP and present to committee for review
    and approval
  • Expanded role of QA Committee
  • Completed PPs sent to QA Committee

12
DF ISO System (new)
13
Quality Assurance Committee
  • Originally:
      • CEO, ISO Lead and Dept Heads
      • Reviewed audits and recommendations (OPIs)
  • Revised:
      • Manage expanded improvement process
      • Added Security, Privacy and Compliance Officers
      • Added tasks

14
Committee Activities
  • Review staff and customer recommendations
  • Review audit results (internal and external)
  • Conduct in-depth reviews
  • Promote to company
  • Monitor sentinel events

15
HIPAA Implementation Team
16
Opportunities for Process Improvement (OPI)
  • Created an incentive for staff to report needed
    improvements
  • Started with a small prize for all submissions
    regardless of value
  • Now select top suggestion each month
  • Occasionally give prize to all

17
(No Transcript)
18
Sentinel Events (new)
  • Report events that pose a threat or disrupt
    business
  • Events are reported to Dept Head for action,
    tracked and reviewed by QA Committee
  • Examples: misdirected confidential data,
    intrusion, system failure, etc.

19
Customer OPIs (new)
  • Created a tool for customers to report
    improvement suggestions
  • Tool is now being built into project websites
  • Suggestions will go to Contract Managers and QA
    Committee

20
Internal Audit
  • Currently have consultant conduct mock audit,
    preparing to take that over
  • Evaluating usefulness of consultant
  • Trained staff as auditors when first certified,
    but did not maintain. Would need to retrain and
    maintain

21
Focused Review (New)
  • Dept Head presents a process in detail
  • Must describe:
      • Auditing
      • Documentation
      • Management of OPIs
      • Response to audit findings
  • Plan to do a process each quarter

22
External Audit
  • ISO Auditor reviews DF semi-annually
  • Everything in Master Policy Book subject to
    review
  • Minor findings vs Major Findings
  • More than 2 Major Findings and you lose your
    certification

23
Goal
  • HIPAA Implementation Team will create process and
    PPs necessary to eliminate current gaps
  • At that point Committee will end and QA Team will
    continue the process
  • Goal is to complete development by June '02

24
Lessons Learned
  • Make the process visible
  • Use tools that have already been developed
  • Need incentives to keep team focused for the
    long haul
  • Automate logging where possible, or build into
    work flow

25
Lessons (cont)
  • Senior management must make this a priority
  • Dept heads must allow time
  • Someone needs to drive the process
  • Think long term

26
Resources
  • Mass Health Data Consortium:
    http://www.mahealthdata.org/
  • Administrative Simplification Website:
    http://aspe.hhs.gov/admnsimp/
  • North Carolina Health Info Consortium:
    http://www.nchica.org/
  • Office of Civil Rights:
    http://www.hhs.gov/ocr/hipaa/