Return on Investment (ROI) Program Funding Application
This template was built using the ITD ROI Submission Intranet application.
FINAL AUDIT REQUIRED: The Enterprise Quality Assurance Office of the
Information Technology Department is required to perform post implementation
outcome audits for all Pooled Technology funded projects and may perform
audits on other projects.
This is:
A Pooled Technology Fund or Reengineering Fund Request. Amount of funding requested: $138,568.00
An Agency IT Expenditure or Budget Request (General Fund, Road Funds, Grants, etc.). Amount of funding requested: $0.00
Section I: Proposal
Date: 8/6/02
Agency Name: DHS - Woodward
Project Name: HIPAA Project - Woodward
Agency Manager: Lanita Cavanaugh
Agency Manager Phone Number / E-Mail: (515)438-2600 / Lcavana1@dhs.state.ia.us
Executive Sponsor (Agency Director or Designee): Micheal Davis
Project Summary:
Project Funds are being requested to
assist the Woodward Resource Center become HIPAA compliant. This involves
converting large amounts of paper records to electronic format and
installing the necessary security to protect the records and to monitor
access to the records. This effort will also significantly reduce space
required for record storage, facilitate transmission of client
information, facilitate administrative utilization of records, and promote
more effective client service delivery because electronic records are more
readily available and timely accessible.
Request for ROI Application Waiver:
Is this a request for a waiver? YES
Agencies are required to complete this funding
application when requesting funds for any Pooled Technology project, any
IT expenditure costing over $100,000, or any non-routine IT expenditure.
If you feel there is a compelling reason to waive this requirement,
please provide (in the box below) a brief description of the project or
expenditure, the budget amount, and a rationale for the waiver request.
Explanation:
Until a decision is made
regarding your waiver request, it is not necessary to complete any other portion
of this application. The ITD Enterprise Quality Assurance Office will convey
waiver request decisions within five working days of receipt.
A. Statutory or Other Requirements
Is this project or expenditure necessary for compliance with a Federal law,
rule, or order? YES (If "Yes", cite the specific Federal law, rule or order.)
Explanation: Health Insurance Portability and
Accountability Act of 1996 Public law 104-191 - 104th Congress
Is this project or expenditure required by state law, rule or order? YES
(If "YES", cite the specific state law, rule or order.)
Explanation: Articles of Confederation (adopted by the U.S. Congress
November 15, 1777, ratified by the states and then proclaimed on March 1, 1781),
as well as the U.S. Constitution (proclaimed on March 4, 1789) and the Iowa
Constitution (adopted in 1857). Article XIII of the Articles of Confederation
reads: Every state shall abide by the determinations of the United States in
Congress assembled, on all questions which by this confederation are submitted
to them. And the articles of this confederation shall be inviolably observed by
every state and the Union shall be perpetual; nor shall any alteration at any
time hereafter be made in any of them; unless such alteration be agreed to in a
Congress of the United States and be afterwards confirmed by the Legislatures of
every state.
Does this project or expenditure meet a health, safety or security
requirement? YES (If "YES", explain.) Explanation: HIPAA is federally mandated law that protects patients' health
information by assuring them privacy and security regarding their personal
health information. This law will also standardize medical billing so as to
prevent government billing fraud and make the service to the patients more
efficient.
Is this project or expenditure necessary for compliance with an enterprise
technology standard? YES (If "YES", cite the specific standard.)
Explanation: See the ITD Enterprise Security Policy
Is this project or expenditure consistent with meeting the goals and
objectives of the State's strategic plans? YES (If "YES", cite the specific
standard.) Explanation: It certainly is consistent
with the goal and objective of serving the people of the state of Iowa.
[This section to be scored by
application evaluator.]
Evaluation (15 Points Maximum) If the
answer to these criteria is "no," the point value is zero (0). Depending
upon how directly a qualifying project or expenditure may relate to a
particular requirement (federal mandate, state mandate,
health-safety-security issue, or compliance with an enterprise technology
standard), or satisfies more than one requirement (e.g. it is mandated by
state and federal law and fulfills a health and safety mandate), 1-15
points awarded.
B. Customer Service Improvements
Summarize the extent to which the
project or expenditure improves customer service to Iowa citizens or within
State government. Included would be such items as improving the quality of life,
reducing the government hassle factor, providing enhanced services, improving
work processes, etc.
Response: HIPAA - Basic
Objectives are to insure health insurance portability, combat fraud and abuse,
guarantee Security and Privacy of healthcare information, improve the efficiency
and effectiveness of the healthcare system, and enhance customer
services/benefits.
HIPAA addresses many areas.
1. Privacy and
security - within the facility we have paper records. We need to insure these
records are safe from unauthorized access, theft, fire, flood, etc. This may
require the installation of more sophisticated fire and water detection systems
as well as automatically locking doors and/or detection devices to alert workers
to unauthorized entry to the Records Management Department. We are proposing to
convert as much of the paper as possible to document images stored on a local
server. This would alleviate a current problem of lack of storage space for the
paper records. Software we would need would be something to monitor unauthorized
access of our network and operating system software for the server as well as
software to handle the image document management. OCR capabilities would be
required to assist in document retrieval and would make the system more
efficient. For hardware we would need scanners (to convert paper to digital
images), a microfilm reader/printer (to access records already stored on
microfilm), a server, and at least two workstations for scanning/document
management in the medical records area. A heavy duty cross cut paper shredder is
also included in this request to destroy papers with sensitive information.
This project would reduce the amount of paper records stored (saving
much needed space) and would make client records much more readily available to
professional staff wherever they need them (we are located on a 300 acre campus
so coming to the Record Room can be quite a hardship). Having the records more
readily available to professional staff means that the clients would benefit by
having programs and data reviewed in a timely manner and changes and/or
adjustments to programs would be timelier. Client information would also be more
available for Requests for Information received from other agencies and/or
organizations as well as family members. Response time to these requests would
be greatly improved because the data would be much easier to retrieve. The data
supplied would also be more accurate due to the searching capabilities provided
with this project.
A formal HIPAA readiness survey should be completed
at each facility. This will show what needs to be corrected to meet HIPAA
guidelines. Ideally someone from outside of the facility would conduct this
assessment. This is a massive project; staff may need overtime to review, revise
and train staff in order to comply with standards. In addition, training
materials will need to be purchased, and time set aside from the normal workday
to complete training for those staff who must work on the wards.
Although the time line for security has not yet been set, we do know
that we need to plan now because we will not have adequate time to secure
funding to comply once the regulations are published. A formal network
assessment should also be completed at each facility to determine what
corrective measures will need to be addressed from the network security side of
HIPAA. This could be completed by ITD staff or possibly a HIPAA consultant.
[This section to be scored by
application evaluator.]
Evaluation (15 Points Maximum)
Minimally improves customer service (0-5 points).
Moderately improves customer service (6-10 points).
Significantly improves customer service (11-15 points).
C. Impact on Iowa's Citizens
Identify the main project or expenditure
stakeholders and summarize the extent to which each, especially citizens, is
impacted. Response: The project is HIPAA compliance.
Citizens will have secure and protected medical information as well as protection
from Medicare/Medicaid fraud and a more efficient government operation which
would affect each and every citizen in the state. We get many requests for
information from family members of clients that we have served or are currently
serving. Our customer satisfaction in getting the information they request would
be greatly improved.
[This section to be scored by
application evaluator.]
Provide a pre-project or pre-expenditure
(before implementation) description of the impacted system or process.
Response: WRC already does an adequate job of
protecting patient information. We will need assistance from legal counsel to
determine which state laws may pre-empt the federal law.
We operate on a
300-acre campus. If data is needed by professionals at our facility, the
professional is required to phone the Records Management Department and schedule
a time that they can physically come to the Records Management Department to
view the stored paper records. The Records Management staff assists the
professional in searching through paper records (often times these records are a
foot or more of stacked paper) to find the data that they need. Once the data is
located, copies are made or notes taken about the data and then the data is
re-filed on the record shelves. The professional staff also have to sign and
date a log indicating that they viewed that particular client’s record. If
information is requested regarding a client no longer at our facility, there are
two major areas to look for the information: 1) still on paper on the shelves or
2) on microfilm. Once the storage location is determined, the Records Management
staff retrieve the data requested by either searching through the paper stacks
or searching through a roll of microfilm on the microfilm printer/reader (which
is on its last leg – repairman said if it breaks again, they cannot guarantee
that they can fix it). The microfilm reader/printer requires the use of special
paper that costs $40+ per roll. Once the data is located, copies are made (or
printed from microfilm), and processed according to procedures (log of data
requested and to whom released is maintained). If our microfilm camera were
operational (right now it is broken and unable to be repaired), we would have to
purchase the film and then it would only microfilm 2 pages per minute. After
filming, the Records Management staff would send the film out for processing.
They would receive a duplicate copy back for retrieval purposes and a copy would
be stored at DDM. The time for this processing and copy to be returned usually
takes at least a month. Then the microfilm is proofread against the originals to
insure accuracy.
Provide a post-project or post-expenditure (after implementation) description
of the impacted system or process. In particular, note if the project or
expenditure makes use of information technology in reengineering traditional
government processes. Response: Continued Training
and Education for all staff on at least an annual basis with special emphasis on
new employees as they are hired. Continued upgrading of the software and
hardware on the network to insure compliance. Ongoing expenses for secure record
storage, supplies, and extra costs associated with this HIPAA project, such as
shredding and disposing of confidential material. In addition the federal and
state regulations will have to be monitored for changes/additions/deletions to
keep us compliant.
With this system in place, if a professional staff
needs to view records, they would log onto the network with a unique log-on
which tracks who and where the logon occurs and call up the particular client’s
records that they wish to review. Their logon would control which records they
would have access to based on their particular caseload. They could then do an
online search for the data they need and either take their notes or print off
the data needed and then log off. Since the system would track who sees each
record, manually signing a written log would no longer be necessary, they could
view the record at their convenience (not just when the Records Management
Department was open) and Records Management staff would not need to assist the
professional, leaving them more time to complete their daily duties. This would
allow much timelier reviewing of data and improve our services to the clients we
serve. If data is requested regarding a client no longer placed at our facility,
the Records Management staff could logon (again, their logon would dictate which
records they were allowed to access as well as track who and when each record
was reviewed). They could do online searches for exactly the data requested
instead of searching through piles of paper looking for particular data, print
it off and process it per existing guidelines/procedures (no special paper
required). This would save money previously spent on special paper and save them
a lot of time, making their response to the customers much quicker and more
accurate. The scanner included in the project will scan up to 45 pages per
minute with no need to send anything out for processing at all and no purchase of
microfilm.
[This section to be scored by
application evaluator.]
Evaluation (10 Points Maximum)
Minimal use of information technology to reengineer
government processes (0-3 points).
Moderate use of information technology to reengineer
government processes (4-6 points).
Significant use of information technology to reengineer
government processes (7-10).
E. Project Participants
List the project participants (i.e. single
agency, multiple agencies, State government enterprise, citizens, associations,
or businesses, other levels of government, etc.) and provide commentary
concerning the nature of participant involvement. Response: HIPAA is a state-wide project which touches each and every DHS office
and facility in some way, and will also impact the parents/guardians of the
citizens we serve which will make them key participants. Other organizations
such as other healthcare facilities, community facilities, community providers
(such as medical offices, hospitals, insurance companies, etc.) will also be
participants.
Woodward Resource Center is a provider of services, so
there will be additional parts of the HIPAA law that apply only to providers
that we will be held accountable to such as the consent/authorization rules, the
rule that allows patients/parents to amend/correct their medical records, the
rule that states that providers shall be able to provide a list of everyone who
has viewed their records, etc. It will involve a great deal of education,
monitoring, and continual self-inspection to make sure we remain in compliance
both on-campus and off-campus at our Waiver Homes.
[This section to be scored by
application evaluator.]
Evaluation (10 Points Maximum)
One agency (0-3 points).
Multiple agencies or levels of government (4-6 points).
State government enterprise (7-10 points).
F. Risk
Describe the likelihood of successful technical implementation
of the project. This is not the same as meeting the programmatic (business) goal
of the project. Response: The likelihood of
successful implementation is a given because Federal law mandates compliance. We
will have no other choice than to be successful or risk losing federal and state
funding for our clients. There is virtually no risk at all to this project. The
technology is already being used by another state agency (DIA). The company
(Paper-Free Technology) was included in the State’s HIPAA assessment and is
HIPAA compliant. The technical implementation of the project has a very good
likelihood of success. If the project fails, the only impact would be that
business would continue as it currently is. The purchase of new microfilm
equipment would be necessary if this project is not implemented.
[This section to be scored by
application evaluator.]
Evaluation (5 Points Maximum)
High Overall Risk, Low Chance of Success (0-2 points).
Moderate Overall Risk, Moderate Chance of Success (3-4 points).
Low Overall Risk, High Chance of Success (5 points).
What is the programmatic (business) risk of not achieving the project goals
to Iowa citizens and employees? What are the risks to Iowans if this project
fails? Response: Breaking HIPAA’s privacy or
security rules can mean either a civil or a criminal sanction. Inadvertent
violations, not necessarily resulting in personal gain, usually result in fines
of up to $100 for each violation of a requirement per individual. For instance,
if the hospital released 100 patient records, it could be fined $100 for each
record, for a total of $10,000. The annual limit for violating each identical
requirement is $25,000.
Criminal penalties for wrongful disclosure can
include not only large fines, but also jail time. In some specific cases, even
inadvertent violations can result in criminal sanctions. The criminal penalties
increase as the seriousness of the offense increases. In other words, selling
patient information is more serious than accidentally letting it be released, so
it brings stiffer penalties. These penalties can be as high as a $250,000 fine
or prison sentences of up to 10 years.
For example:
Knowingly
releasing patient information in violation of HIPAA can result in a one-year
jail sentence and $50,000 fine.
Gaining access to health information
under false pretenses can result in a five-year jail sentence and a $100,000
fine.
Releasing patient information with harmful intent or selling the
information can lead to a 10-year jail sentence and a $250,000 fine.
[This section to be scored by
application evaluator.]
Evaluation (5 Points Maximum)
High Overall Risk, Low Chance of Success (0-2 points).
Moderate Overall Risk, Moderate Chance of Success (3-4 points).
Low Overall Risk, High Chance of Success (5 points).
G. Requestor Experience and Past Results
Provide three examples of
relevant agency IT projects, project management experience and results. List any
projects that required remediation and steps taken to resolve.
Response: The requestor was part of the Y2K project
for Woodward Resource Center and efforts in that endeavor were successful. The
requestor was also successful in setting up a completely new filing system
designed to save space and make records more easily accessible when needed.
Success was also the result in scheduling staff to cover a 24-7 operation at our
facility (switchboard) and arranging for the print shop and mail deliveries on
grounds without staffing to cover those operations. The requestor was also in
charge of developing a client database that would provide all the data that
management needs to make sound data-driven decisions and this project has been
quite successful.
[This section to be scored by
application evaluator.]
Evaluation (5 Points Maximum)
Minimal success (0-2 points).
Usually successful (3-4 points).
Almost always successful (5 points).
This criteria involves
rating the extent to which previous projects have successfully achieved
their objectives e.g. on time, on budget, minimal implementation problems,
positive programmatic impact, partnering with other agencies, and impact
on other agencies.
H. Funding Requirements
On a fiscal year basis, enter the estimated
cost by funding source:
                          FY04                    FY05                    FY06
                          Cost($)    % Total Cost Cost($)    % Total Cost Cost($)    % Total Cost
State General Fund        $0         0%           $0         0%           $0         0%
Pooled Tech. Fund         $138,568   100%         $27,100    100%         $27,100    100%
Federal Funds             $0         0%           $0         0%           $0         0%
Local Gov. Funds          $0         0%           $0         0%           $0         0%
Grant or Private Funds    $0         0%           $0         0%           $0         0%
Other Funds (Specify)     $0         0%           $0         0%           $0         0%
Total Project Cost        $138,568   100%         $27,100    100%         $27,100    100%
Non-Pooled Tech. Total    $0         0%           $0         0%           $0         0%
Is this project the first part of a future, larger project? YES (If "YES", explain.)
Explanation:
1) An overall HIPAA readiness survey to be completed, and corrections
implemented; paper records as well as electronic need protection.
2) Training of staff (possible overtime costs if not able to complete during
the normal shift).
3) A formal network security audit from an independent source; if needed,
corrections will be implemented.
4) Continual upgrade of software and hardware to insure HIPAA regulations are met.
5) Yearly training for all staff on HIPAA requirements.
6) Periodic HIPAA audits and testing of security.
Is this project a continuation of a previously begun project? YES (If "YES", explain.)
Explanation:
[This section to be scored by
application evaluator.]
Evaluation (10 Points Maximum)
This is the first year of a multi-year project / expenditure or
project / expenditure duration is one year (0-5 points)
The project / expenditure is of a multi-year nature and each annual
component produces a definable and stand-alone outcome, result or
product (2-8 points).
This is beyond the first year of a multi-year project / expenditure
(6-10 points)
The last part of this criteria involves rating the
extent to which a project or expenditure is at an advanced stage of
implementation and termination of the project / expenditure would waste
previously invested resources.
I. Source of Funds (Pooled Technology Funds Only)
On a fiscal year
basis, how much of the total project cost ($ amount and % ) would be
absorbed by your agency from non-Pooled Technology funds? If desired,
provide additional comment / response below. Response: Although this regulation is federally mandated, the federal
government has made no funds available to providers for becoming and remaining
compliant to this mandate.
[This section to be scored by
application evaluator.]
Evaluation (5 Points Maximum)
0% (0 points)
1%-12% (1 point)
13%-25% (2 points)
25%-38% (3 points)
39%-50% (4 points)
Over 50% (5 points)
Section II: Financial Analysis
A. Project Budget Table
It is necessary to estimate and assign a
useful life figure to each cost identified in the project budget. Useful
life is the amount of time that project related equipment, products, or services
are utilized before they are updated or replaced. In general, the useful life of
hardware is three (3) years and the useful life of software is four (4) years.
Depending upon the nature of the expense, the useful life for other project
costs will vary between one (1) and four (4) years. On an exception basis, the
useful life of individual project elements or the project as a whole may exceed
four (4) years. Additionally, the ROI calculation must include all new
annual ongoing costs that are project related.
The Total Annual Prorated Cost (State Share) will be calculated based on the
following equation:
Budget Line Items       Budget Amount    Useful Life  % State  Annual Ongoing Cost  % State  Annual Prorated
                        (1st Year Cost)  (Years)      Share    (After 1st Year)     Share    Cost
Agency Staff            $0               1            0.00%    $0                   0.00%    $0
Software                $7,550           4            100.00%  $0                   0.00%    $1,888
Hardware                $21,368          3            100.00%  $0                   0.00%    $7,123
Training                $25,000          4            100.00%  $5,000               100.00%  $11,250
Facilities              $50,000          20           100.00%  $0                   0.00%    $2,500
Professional Services   $0               4            0.00%    $0                   0.00%    $0
ITD Services            $0               4            0.00%    $0                   0.00%    $0
Supplies, Maint, etc.   $29,650          1            100.00%  $17,100              100.00%  $46,750
Other                   $5,000           1            100.00%  $5,000               100.00%  $10,000
Totals                  $138,568         ---          ---      $27,100              ---      $79,510
B. Tangible and/or Intangible Benefits
Respond to the following and
transfer data to the ROI Financial Worksheet as necessary:
1. Annual Pre-Project Cost - This section should be completed only if
state government operations costs are expected to be reduced as a result of
project implementation. Quantify all actual state government direct and indirect
costs (personnel, support, equipment, etc.) associated with the activity, system
or process prior to project implementation. Describe Annual
Pre-Project Cost: Note: we do not anticipate any cost
savings from this HIPAA project but we do anticipate avoiding fines/sanctions
and retaining our eligibility to receive state and federal reimbursements.
Quantify Annual Pre-Project Cost (State Total):
FTE Cost (salary plus benefits): $0.00
Support Cost (i.e. office supplies, telephone, pagers, travel, etc.): $0.00
Other Cost (expense items other than FTEs & support costs, i.e. indirect costs if applicable, etc.): $0.00
Total Annual Pre-Project Cost: $0.00
2. Annual Post-Project Cost - This section should be completed only if
state government operations costs are expected to be reduced as a result of
project implementation. Quantify all actual state government direct and indirect
costs (personnel, support, equipment, etc.) associated with the activity, system
or process after project implementation. Describe Annual
Post-Project Cost:
Quantify Annual Post-Project Cost (State Total):
FTE Cost (salary plus benefits): $0.00
Support Cost (i.e. office supplies, telephone, pagers, travel, etc.): $0.00
Other Cost (expense items other than FTEs & support costs, i.e. indirect costs if applicable, etc.): $0.00
Total Annual Post-Project Cost: $0.00
3. Citizen Benefit - Quantify the estimated annual value of the
project to Iowa citizens. This includes the "hard cost" value of avoiding
expenses ("hidden taxes") related to conducting business with State government.
These expenses may be of a personal or business nature. They could be related to
transportation, the time expended on or waiting for the manual processing of
governmental paperwork such as licenses or applications, taking time off work,
mailing, or other similar expenses. As a "rule of thumb," use a value of $10 per
hour for citizen time savings and $.325 per mile for travel cost savings.
Travel Savings
Number of Trips: $0
Miles per Trip: 0
Trips per Year: 0
Number of Citizens Affected: 0
Rate per Mile: $0.325
Total Travel Savings: $0
Transaction Savings
Number of annual online transactions: 0
Hours saved/transaction: 0
Number of Citizens affected: 0
Value of Citizen Hour: 0
Total Transaction Savings: $0
Other Savings (Describe): $0
Total Savings: $0
4. Opportunity Value/Risk or Loss avoidance - Quantify the estimated
annual non-operations benefit to State government. This could include
such items as qualifying for additional matching funds, avoiding the loss of
matching funds, avoiding program penalties/sanctions or interest charges,
avoiding risks to health/security/safety, avoiding the consequences of not
complying with State or Federal laws, providing enhanced services, avoiding the
consequences of not complying with enterprise technology standards, etc.
Response: The avoidance of fines attributed to
HIPAA; lawsuits around noncompliance and/or decertification from Medicare and
Medicaid participation with corresponding loss of revenue which would be a loss
of $22 million for Title XIX.
5. Benefits Not Readily Quantifiable - List and summarize the overall
non-quantifiable benefits (i.e., IT innovation, unique system application,
utilization of new technology, hidden taxes, improving the quality of life,
reducing the government hassle factor, meeting a strategic goal, etc.).
Response: The spirit of HIPAA includes benefits to
citizens across the nation as well as within our own state. These benefits will
be the reduction of Medicare/Medicaid fraud, insurance fraud, and making
insurance available to a citizen no matter where they should go in the country
through standardization. The document management solution would be utilizing new
technology and would support attaining our goal of serving the citizens of Iowa
(some of whom live at our facility). This system would make data more readily
available for management to make data-driven decisions.
Rate the overall non-quantifiable benefits on a "1 - 10" basis, with "10"
being of highest importance: 10
ROI Financial Worksheet
A. Total Annual Pre-Project cost (State Share from
Section II B1):
$0
B. Total Annual Post-Project cost (State Share from
Section II B2):
[This section to be scored by
application evaluator.]
Evaluation (10 Points Maximum)
Generates 0% annual return on investment (0 points)
Generates 1-3% annual return on investment (1 point)
Generates 4-6% annual return on investment (2 points)
Generates 7-10% annual return on investment (3 points)
Generates 11-15% annual return on investment (4 points)
Generates 16-20% annual return on investment (5 points)
Generates 21-25% annual return on investment (6 points)
Generates 26-44% annual return on investment (7 points)
Generates 45-63% annual return on investment (8 points)
Generates 64-82% annual return on investment (9 points)
Generates over 83% annual return on investment (10 points)
Note: For projects where no State Government Benefit,
Citizen Benefit, or Opportunity Value or Risk/Loss Avoidance Benefit is
created due to the nature of the project, the Benefit/Cost Ratio and
Return on Investment values are set to Zero.
Section III. Technology
A. Current Software Technology
1) Software (Client Side / Server Side / Mid-Range / Mainframe):
a) Application Software: N/A
b) Operating system software: PC - Windows 95, 98, 2000; Server: Windows NT, SQL; Midrange: UNIX/GCOS
c) Major interfaces to other systems, both internal and external: N/A
d) Other: N/A
2) Hardware (Client Side / Server Side / Mid-Range / Mainframe):
a) Platform, operating system: Server: NT
b) Storage and physical environment: These computers are in a locked,
temperature-controlled room with 4mm tape drives for backup.
c) Connectivity and bandwidth: T1 lines (ICN) -- fiber-multimode; cat 5 to the desktop
d) Logical and physical connectivity: Cisco switches
e) Major interfaces to other systems, both internal and external: N/A
f) Other: N/A
B. Proposed Technology
1) Software (Client Side / Server Side / Mid-Range / Mainframe):
a) Application Software: For the HIPAA project - we will need server software and
software to monitor unauthorized access to the system. We have discussed with
vendors that we would want the request for record to be encrypted. The software
that we are requesting is LaserFiche.
b) Operating system software: NT
c) Major interfaces to other systems, both internal and external: N/A
d) General parameters if specific parameters are unknown or to be determined: N/A
e) Other: N/A
2) Hardware (Client Side / Server Side / Mid-Range / Mainframe):
a) Platform, operating system: 3 scanning workstations/2000 - 1 server - NT/Server 2000
b) Storage and physical environment: In the locked temperature controlled
room (server). An uninterrupted power supply unit will be attached to the
server.
For the paper records, they will be in a secure, locked area
with appropriate environmental controls. Money would need to be allocated to
insure the storage and physical environments meet all HIPAA requirements.
c) Connectivity and bandwidth: N/A
d) Logical and physical connectivity: N/A
e) Major interfaces to other systems, both internal and external: N/A
f) General parameters if specific parameters are unknown or to be determined: N/A
g) Other: UPS and heavy-duty shredder.
C. Data Elements
N/A
D. Security / Data Integrity / Data Accuracy / Information Privacy
1) List the Security Requirements of the project
   1) Administrative - formal practices to manage security and personnel
      (including a disaster recovery plan)
   2) Physical - Protection of paper and electronic medical records
   3) Technical Service - Safeguards to control and monitor information access
   4) Technical Mechanisms - Technology to secure data in transit
2) Describe how the security requirements will be integrated into this project
and tested.
   1) Administrative - Review and revision of current policies and procedures
      to meet HIPAA guidelines. HIPAA training for all staff.
   2) Physical - A records management storage system to be implemented. This
      would limit and track access of paper medical records, who has seen, and
      time limits of use.
   3) Technical Service - An independent source will conduct a survey on the
      hospital network. The computer system will contain an application to
      monitor unauthorized access on a daily basis.
   4) Technical Mechanisms - ITD and ICN will provide secure lines for
      transmission. The vendor will also have to meet HIPAA requirements.
3) Describe what measures will be taken to insure data integrity, data
accuracy and information privacy.
   1) Administrative - Each year training will be held on privacy and security
      of patient information.
   2) Physical - Being able to track access of a particular paper chart will
      allow us to do a periodic review of who has access to equipment and
      records to insure only designated individuals will have access to
      patient information.
   3) Technical Service - Daily monitoring of network to insure against
      unauthorized access.
   4) Technical Mechanisms - Upgrades of hardware and software to insure
      privacy.
E. Project Schedule
Describe general time lines, resources, tasks, checkpoints, deliverables,
responsible parties, etc.
The Administrative Simplification portion of HIPAA has a compliance deadline
of 10/16/2003 (with the extension requested).
The Privacy portion of HIPAA has a compliance deadline of April, 2003.
The Security portion of HIPAA has not yet been published so
the deadline is unknown as of this writing.
Section IV. Auditable Outcome Measures
For each of the below categories, list the auditable metrics
for success after implementation and identify how they will be measured.
1. Improved customer service: We reside on a 300-acre campus and right now,
people who wish to view records have to go to the Record Room and sign in on a
hand-written log that they have viewed a record in the Medical Records Office.
There is no log at all for anyone viewing records at the houses. The new system
would have an audit trail that would track who viewed the record, from where,
and for how long. The comparison of these two logging systems and audit trails
would be an indication of improved customer service (that the record was
available to those with access from various locations and that they did not have
to go to the record room in person to view a record.)
2. Citizen impact: An
audit trail would be able to be printed out for the clients and/or their
families at their request that shows who has reviewed their records per HIPAA
regulations.
3. Cost Savings: None
4. Project reengineering: Policies and
Procedures reviewed and revised to meet HIPAA guidelines with the revision date
noted on the policies/procedures. These policies and procedures would also
contain a statement that indicates "reviewed for HIPAA compliance" to ensure that
the policy/procedure was, in fact, reviewed per HIPAA regulations.
5. Source of funds (Budget %): N/A
6. Tangible/Intangible benefits: Potential annual savings of $22 million due to
Title XIX penalty avoidance.