Case Study – HIPAA/Ohio Developmental Disability Boards

In conjunction with Medicaid Consulting Group and Interhack Corporation, Eagle Consulting Partners assisted over 50 of Ohio’s County Developmental Disability Boards with HIPAA Privacy and Security compliance.

Privacy compliance was achieved by these counties between 2002 and 2003.  The counties were provided educational materials and led through a 32-step compliance process.  The program design included four separate 1-day educational sessions with “homework” to be completed by each board between sessions.

A separate process was conducted 16 months later with 60 boards to facilitate compliance with the HIPAA Security regulation.  As the first step, Interhack Corporation created RiskAssess, an on-line tool for county boards to complete their security risk assessment, while Eagle Consulting Partners developed the accompanying policies and procedures.  With these tools in hand, a two-day training program was delivered to the administrators in charge of security compliance.

County Developmental Disability Boards are complex entities, and this project included the following analysis and action steps:

  • Designation of the covered entity.  County boards are agencies of county government and themselves have both health care and non-health care components.  This results in a myriad of compliance options which arise from the hybrid entity concept in the HIPAA Privacy rule.  Most participating boards chose to designate the entire board as the covered entity, although some counties chose to take advantage of the hybrid entity concept to effectively reduce the legal liability of the board.
  • HIPAA – FERPA Interaction.  Significant effort was undertaken to understand which portions of the county board fell under the regulatory umbrella of FERPA.  Those portions needed to comply with FERPA privacy regulations.  Many boards chose to design policies which simultaneously complied with HIPAA and FERPA, allowing a uniform set of policies for the entire board.
  • PHI Inventory.  Effective control of information for privacy and security required that each board conduct an inventory of protected health information, including both paper and electronic forms.  Because of the myriad of documentation at boards, this was a significant undertaking.
  • Minimum Necessary Compliance.  The different job positions at the boards were identified, and the categories of information which each job position needed to complete its responsibilities were identified.  Procedures were developed for routine disclosures involved in payment and operations.  Finally, for compliance with the Security regulations, these designations were incorporated into the security controls in the board information systems.
  • Business Associate Analysis.  With the myriad of different providers and outside organizations that county boards are involved with, determining who is and isn’t a business associate is non-trivial.  Recommendations were prepared, along with draft language for insertion into the contracts.
  • Sheltered Workshop Affiliation.  Tools were presented to help each board determine whether its sheltered workshop was a covered entity.  In most cases, counties were able to designate the non-profit workshop as a non-covered entity.  Attention was given to the articles of incorporation and bylaws of the non-profit, the non-profit’s policy and procedure manuals, and the operating agreement between the county board and the non-profit.
  • Security Risk Assessment.  Partner Interhack Corporation conducted on-site risk assessments at four county boards.  Hardware and software assets were inventoried along with written computer security policies.  Based on this information, an Internet tool, named RiskAssess, was created to allow each board to supply answers to a series of questions about board operations, computer system configuration, administration, and operating practices.  These responses, combined with up-to-date information on major threats and risks, allow RiskAssess to create a customized risk analysis report for each board in the format specified by NIST SP 800-30.
  • Policy and Procedure Creation.  HIPAA Privacy policies were developed in a collaborative fashion, with each board volunteering to create one or two policies.  These were then reviewed and edited by Eagle as necessary and shared with the other boards.  For HIPAA Security policies, Eagle Consulting prepared sample policies after interviews with 4 county boards, combined with industry best practices.
  • Group Benefit Plans.  Compliance guidance was prepared for privacy of the information involved with the board’s group benefit plans — group health, dental, vision, flexible spending plans, and employee assistance programs.
  • Other Steps.  In addition to the activities detailed above, a step-by-step methodology specifically developed for this engagement guided the board through additional implementation tasks.  These tasks included implementation of physical, technical, and administrative safeguards to protect patient confidentiality, assessing the interaction with Ohio law governing MR/DD Boards, negotiation of business associate contracts, and staff training.

The unique design of this engagement guided the boards through the HIPAA Privacy and Security compliance process, with expert advice, for a very modest investment in professional services.