 
Assessment & Gap Analysis
 
Once FOX Systems, Inc. (FOX) has identified the covered entity status and determined the impact that covered entity status has on each program or organizational functional area, we then move to performing any detailed Transactions & Code Sets, Privacy, and Security assessments or gap analyses necessary for the organization. Additional data collection is performed for the Divisions, Offices, Units, and Programs within an organization that are initially identified as HIPAA-covered by the Covered Entity analysis.


For EDI Transactions & Code Sets compliance assessment, FOX employs a proprietary gap assessment tool that maps the data elements for all HIPAA-covered electronic transactions to data elements in existing client transactions.

Functions for the EDI tool include the following:

  • “Forward” gap mapping identifying HIPAA-required data elements that are not present in the corresponding client transaction or that are different from the related data element in the corresponding client transaction

  • “Reverse” gap mapping identifying client-required data elements that are not present in the corresponding HIPAA-standardized transaction or that are modified from the data element in the HIPAA-standardized transaction

  • Identification of all sending and receiving parties for electronic transactions, including internal and external business associates or trading partners

The developed FOX EDI maps can be exported into vendor HIPAA transaction certification tools such as ClarEDI’s Faciledi SM, and Edifecs.XEngine to support validation and testing.


For Privacy and Security, FOX uses a number of different methods for data collection, including: additional interviews with staff, collection and review of documentation, and completion of Privacy and Security assessment instruments by the organization’s staff. These assessment instruments are part of a suite of proprietary assessment tools used to collect information, analyze the results, and generate comprehensive reports. FOX employs instruments that have been demonstrated as effective for both public and private organizations. If desired, FOX can also offer web-based project repositories so that designated staff will be able to download the survey tool, complete it, and then upload it to the project website for submission.

When necessary, personal interviews will be used to facilitate and optimize the process. The personal interviews will involve the level of personnel necessary and appropriate to effectively accomplish the task. All of the client’s relevant departments and divisions must participate in the surveys. The information collected will be used to perform a gap analysis and identify differences between existing processes and procedures used throughout the organization and new standards required by HIPAA.

 

Information and documentation needed to perform EDI, Transactions & Code Sets assessments and gap analyses includes:

  • Business operations and processes where patient/member data is created, modified, reviewed, transferred, or exchanged.
  • Existing documentation of patient information and information/process flow, whether automated or manual
  • Policies and procedures related to the processing of patient information, addressing both automated and manual processes.
  • Systems and information involved in business processes, whether automated (e.g., databases, data warehouses, data marts, web interfaces, diskette files, tape files) or manual (e.g., hard copy claims, transmittals, invoices, client rosters).
  • Electronic transaction formats, identifiers, data element values and code sets related to patient data and their associated sources and destinations.
  • Local HCPCS codes: types and uses.
  • Manual forms with associated data element values and code sets related to patient data, and their associated sources and destinations.
  • Information technology, systems, one-way interfaces, automated data exchange, and e-commerce applications that use, create, or modify patient data.

FOX conducts its detailed privacy assessments using our proprietary HIPAA Privacy assessment tool. The purpose of this tool is to gather information on patient information, uses and disclosures, and current privacy policies and measures in place.


Information and documentation needed to perform privacy assessments and gap analyses includes:

  • Existing documentation of patient information and information/process flow, whether automated or manual.
  • Sources and repositories of patient information, whether automated (e.g., databases, data warehouses, data marts, disk files, diskette files, tape files) or manual (e.g., hard copy films, clinician’s notes, lab orders and results, appointment data, documents with patient signature, or other documents normally found in a patient record).
  • Policies and procedures related to the privacy and confidentiality of patient data that address both automated and manual data.
  • Business partner relationships and associated memorandums of understanding, contracts, and agreements, for relationships where transfer of patient data may occur (e.g., subcontracted or partner providers, subcontracted benefit managers, clearinghouse arrangements; delegated medical management, contracted medical record review, transcription services, contracted benefit managers, third-party administrators, primary and secondary payers, etc.).

When necessary, personal interviews will be used to facilitate and optimize the process. The personal interviews will involve the level of personnel necessary and appropriate to effectively accomplish the task. All of the client’s relevant departments and divisions must participate in the surveys. The information collected will be used to perform a gap analysis and identify differences between existing processes and procedures used throughout the organization and new standards required by HIPAA.


FOX conducts its detailed security assessments using our proprietary HIPAA Security assessment tool. The purpose of this tool is to gather information on the current security measures in place to protect data and facilities, and to manage and supervise the conduct of personnel with access to individually identifiable health information.


For HIPAA Security assessments and gap analyses, the following information is required:

  • Automated security features and mechanisms (e.g., network and systems architectures, firewalls, DMZs, user authentication features, public key and certificate features, electronic signature implementation, back-up storage and retrieval processes)
  • Network transmission data defining current traffic related to patient identifiable information in any format including file transfers, batch processes, online real-time transactions, email and email attachments, web uploads or downloads, and website inquiries
  • Automated and manual data recovery processes and storage locations
  • Policies and procedures related to security of patient data that address both automated and manual data
  • Sources and repositories of patient and provider information including provider number, whether automated (e.g., databases, data warehouses, data marts, disk files, diskette files, tape files) or manual documents, forms and reports containing provider information
  • Current portfolio of IT and business initiatives in process of implementation that affect the handling of either patient or provider information  


Using data about the current operational and technical infrastructure baseline, FOX will compare the “current state” against the HIPAA standards and will identify the steps required for the client to comply with the HIPAA rules. FOX will review the current technical, business, and data storage environments and their safeguards for maintaining the security, confidentiality, and privacy of individually identifiable health information.


The information captured from the survey tools is combined with other data collected from face-to-face interviews with key IT staff and information gleaned from reviews of documentation, and is ultimately placed into an Access database. The database is analyzed, and gap analysis reports are generated that identify HIPAA gaps and other deficiencies. The FOX Team identifies the gaps and associated risks that exist in the various client systems, policies, procedures, and supporting technologies which may not comply with HIPAA EDI/TCI, Privacy, and Security requirements. A gap analysis is prepared that identifies and prioritizes the areas of the existing data collection environment where HIPAA non-compliance exists. The gap analysis will examine and evaluate the client’s policies, processes, procedures, and instructions as they relate to the Privacy and Security standards and the protection of individually identifiable health information.


The combination of Privacy and Security compliance implementation and other professional services provided from the FOX team of HIPAA subject matter experts provides a set of best practices in both the management and implementation of the HIPAA-required assessment and remediation requirements.

Copyright © Fox Systems 2004-2010, All rights reserved.
