News
June 2010 - Edward Koscic and Associates, LLC is now an official member of AHIMA
June 2010 - Below, please find a sample HIPAA Risk Analysis. To see a detailed analysis, contact Ed at eek@go2guy.us
FACILITY NAME
Overview
FACILITY NAME operates multi-level senior care facilities in Maryland, Virginia, and Pennsylvania. Services range from independent living cottages and apartments through Skilled Nursing Facilities. The facilities are subject to the provisions of the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) (HIPAA) for the protection of resident health information (the Security and Privacy standards), as required by 45 CFR 164.306 and amendments. New provisions of the American Recovery and Reinvestment Act of 2009, especially the HITECH Act, impose additional requirements and potential penalties for the handling of protected health information.
The Centers desire to review their current level of compliance with the requirements and to improve compliance in areas identified as vulnerable.
The following actions are required to accomplish the Centers’ goals:
- Assess the Centers’ compliance with current standards and requirements for data Privacy and Security
- Decide on the degree of risk each identified issue poses to the Centers
- Plan actions to address threats and vulnerabilities
- Implement the plan of action
- Monitor the outcomes of the implementation.
Edward Koscic & Associates (EKA) proposes a phased work plan to meet the Centers’ needs.
- Phase 1 will help the Centers understand the current standards with which they need to comply. With EKA’s assistance, appropriate tools and methods will be identified to assess the Centers’ compliance. EKA will develop tools, methods, and protocols not otherwise available to facilitate an assessment tailored to the range of facilities FACILITY NAME operates.
- Phase 2 will consist of the Centers performing the in-depth assessments planned in Phase 1. EKA recommends that staff from sister facilities apply the assessment tools to each facility. Staff assessors will need to be trained to ensure consistent and reliable assessments.
- Phase 3 will
- Analyze the results of the assessments to identify threats and vulnerabilities
- Develop a corporate compliance plan
- Develop a compliance plan for each facility
- Revise and develop procedures as necessary
- Develop an implementation plan
- Develop a monitoring plan to ensure continued compliance
Level of Effort – Phase 1
Phase 1 will start with a one-day on-site meeting at FACILITY NAME’s headquarters to develop agreement on the scope of the project, explore the current requirements, and discuss the level of assistance FACILITY NAME desires from EKA. The on-site headquarters meeting should be followed by a half-day meeting at one of FACILITY NAME’s Skilled Nursing Facilities to gain a high-level appreciation of the current state of compliance, the tools in use, and staff attitudes.
The project will be staffed by Ed Koscic and Dave Oatway. Ed will be the project manager and reviewer. Dave will be the principal analyst and trainer.
We estimate the initial meeting will require 16 hours of preparation and post-action reporting, 16 hours each (32 hours) for the on-site meeting, and 8 hours each (16 hours) of travel, for a total of 64 hours. EKA’s fee is $150 per hour. Travel, rental car, hotel, and meals will be billed at actual cost and are expected to be less than $1,000 per person. The total cost of the initial consultation for Phase 1 will not exceed $10,600.
After the initial meeting all further work by EKA will be pre-approved by FACILITY NAME according to FACILITY NAME’s needs.
After the initial consultation, EKA proposes that most additional effort be performed remotely by conference call and internet conferencing. Additional on-site consultation will be at FACILITY NAME’s request. Dave has completed several major projects by remote services, including managing the data collection and analysis of the CMS STRIVE Project (resulting in RUG IV).
Business Arrangements
EKA expects FACILITY NAME to assign a senior manager as point of contact for the project. This person should be the required Privacy and Security Official for the Centers. Each facility will also need to have a Privacy and Security Official designated. These officials must have sufficient time to perform their duties, including consultation and planning. EKA anticipates periodic conference calls between the principals during the development, assessment, and analysis phases of the project.
EKA will not need access to any privileged health information for this engagement. EKA will hold all results of assessments and business practices of FACILITY NAME in confidence during and after the engagement, except as required by a competent court of law.
EKA retains copyright to all tools developed during this engagement. EKA grants FACILITY NAME limited rights to use all tools proposed during this engagement for assessing and improving FACILITY NAME facilities. FACILITY NAME may not publish or distribute such tools without express written permission from EKA and Dave Oatway.
We attach an article by Dave that was published in Nursing Homes Magazine in 2005. This article describes the scope of the Security assessment and compliance requirements.
HIPAA Security Standards – Roadmap to compliance for Nursing Facilities
To see the full text of each section, contact Ed at eek@go2guy.us
The Security Standards apply only to electronic Protected Health Information
The Purpose of the Security Standards
General Requirements – 45 CFR 164.306(a)
Flexibility of approach – 45 CFR 164.306(b)
Roadmap
(R = required and A = addressable implementation specification under 45 CFR 164.306(d); Now/Later is the article’s suggested timing.)
- Assigned Security Responsibility (R, Now)
- Risk Analysis (R, Now)
- Authorization and/or Supervision (A, Now)
- Workforce Clearance Procedure (A, Now)
- Termination Procedures (A, Now)
- Access Authorization (A, Now)
- Security Reminders (A, Now)
- Protection from Malicious Software (A, Now)
- Data Backup Plan (R, Now)
- Facility Access Control and Validation (A, Now)
- Workstation Use – Device and Media Controls – Disposal (R, Now)
- Workstation Use – Device and Media Controls – Re-use (R, Now)
- Risk Management (R, Later)
- Evaluation (R, Later)
- Sanction Policy (R, Later)
- Isolating Health Care Clearinghouse functions (R, Later – if needed)
- Access Establishment and Modification (A, Later)
- Access Control – Unique User Identification (R, Later)
- Person or Entity Authentication (R, Later)
- Access Control – Emergency access procedure (R, Later)
- Login Monitoring (A, Later)
- Information System Activity Review (R, Later)
- Password Management (A, Later)
- Security Incident – Response and Reporting (R, Later)
- Security Incident – Contingency Plan (R, Later)
- Disaster Recovery Plan (R, Later)
- Emergency Mode Operation Plan (R, Later)
- Testing and revision procedures (R, Later)
- Applications and Data Criticality Analysis (A, Later)
- Business Associate – Written contract or other arrangement (R, Later)
- Contingency Operations (A, Later)
- Facility Security Plan (A, Later)
- Maintenance Records (A, Later)
- Workstation Use – Security (R, Later)
- Workstation Use – Accountability (A, Later)
- Workstation Use – Data backup and storage (A, Later)
- Automatic Logoff (A, Later)
- Encryption and decryption (A, Later)
- Audit Controls (R, Later)
- Mechanism to authenticate ePHI (A, Later)
- Integrity Control (A, Later)
Conclusion
As we can see, the term “later” is relative. There is much to do, a limited time to do it, and possibly serious consequences for not doing it. Start Now!
Tools and further information are available from several sources:
Department of Health and Human Services for all source documents related to HIPAA: http://aspe.hhs.gov/adminsimp/index.shtml
Health Information Management Systems Society (HIMSS) provides an excellent CPRI Toolkit that is available to non-members at http://www.himss.org/asp/cpritoolkit_homepage.asp. HIMSS has a Long Term Care Special Interest Group that is a great resource for information technology professionals in nursing facilities and other long term care entities.
American Health Information Management Association (AHIMA) provides analysis and guidance on implementing the HIPAA requirements. Some documents are available to non-members, but members have access to extensive communities of practice. http://www.ahima.org/