Dear Fellow HIPAAcrats,

Regarding the PHI/data flow mapping tool that has been the subject of so
many postings and requests, Dr. McGuinness has generously posted the tool,
and guidelines for its use, to his website, as noted below.  (Thank you, Dr.
McGuinness!)

Please note that, although this tool works well for us, it may not be useful
in other organizational structures.  Also, although we have been successful
(so far) at accomplishing this project internally, without the help of a
consultant, this is an enormous task and were we a larger county agency we
would likely have had to hire professionals to accomplish it.  

It is important to me that I provide some explanation of how we are
conducting this project to those who may want to use our tool.  So, what
follows is a brief, and oversimplified, description of the "Data Flow
Mapping Project" here at Napa County Health and Human Services Agency.

Although I created the original tool, the actual mapping project was
developed by our HIPAA Project Manager, who also wrote the guidance for
using the tool, and deserves much credit and appreciation for all the work
and time he has devoted to HIPAA.  (Thank you, Karl!!)

The project is monitored by our internal task force, which is chaired by the
HIPAA Project Manager, and includes managers, with decision-making
authority, from every department or program.  An inventory of all programs
was conducted and each program and the task force member responsible for it
was documented in order to ensure no processes were unaccounted for.

Each task force member then assigned the actual mapping process to
individuals in those programs.  In some cases every individual within a
program completed the matrix for all data activities he or she performs.  In
other programs it was possible to determine that some activities were
performed identically by multiple individuals so only one matrix for each
data type and activity was completed.  In those cases the task force member
responsible would document the decision to do so and the reasons therefor.
Upon completion of the matrices each responsible task force member then
reviewed the results from his/her programs for accuracy and clarity and the
final results were brought back to the task force.

We included an audit process in the project, as well, which is just
underway.  Following completion of the data mapping matrices by the
individuals in each program, teams of three members of the task force will
visit each of the programs and literally walk through each matrix to verify
accuracy and completeness. The teams consist of impartial task force members
- no member audits the results from his or her own programs.  In addition,
each team will include either the HIPAA Project Manager or the County
Privacy Officer.  During this audit process each of the three team members
brings with him or her a Security/Privacy checklist of things to look for or
ask about while visiting each program.  The members are also asked to
include recommendations as to how to resolve security/privacy issues they
discover and document. These checklists serve as preliminary risk
assessments to be brought back to the task force for review, consolidation,
and recommended action, and then forwarded to the Security Officer.

The copies of the policies/procedures that accompany each matrix are
compared to and used to supplement our initial policy/procedure inventory.

We are now in the process of using each verified linear data flow map to
create a series of multidimensional flow charts using Microsoft Visio.
(Again, Thank You Karl!!)  The flow charts will include all relevant
policies, or notations that the subject activity has no associated written
policy. The series of flow charts itself will also be multidimensional in
that some portions may actually "connect" to several other portions. An
index will be created to document such. 

If any listserv members have any questions about our data flow mapping
project, the tool, or the guidelines for using it, feel free to contact me.
(But, if your question is "how can I hire Karl, the Marvelous HIPAA Project
Manager?", don't even expect a response.)

Cheri Huber
Napa County Privacy Officer
707-253-4523
[EMAIL PROTECTED]

 -----Original Message-----
From:   [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
Sent:   Tuesday, September 24, 2002 7:34 PM
To:     Huber, Cheri; [EMAIL PROTECTED]
Subject:        I found Kristi and Her Magic PHI Flow Files!

I found Kristi's magic files!
www.hipaahelpnow.com/download.htm  Courtesy
of Cheri Huber!

Tim McGuinness, Ph.D.
Consulting Specialist in Regulatory Privacy, Security, and Application
Compliance (HIPAA/ASCA/FDA/CMS-HCFA/ICH/ADA 508c),
[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>

President,
HIPAA Help Now
[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
www.hipaahelpnow.com <http://www.hipaahelpnow.com/>

Executive Co-Chairman for Privacy,
HIPAA Conformance Certification Organization (HCCO)
www.hipaacertification.org <http://www.hipaacertification.org>

__________________________________________________________________
Phone:   727-787-3901   Cell: 305-753-4149    Fax: 240-525-1149
Instant Messengers:  ICQ# 22396626 - MSN IM: [EMAIL PROTECTED] -
Yahoo IM  timmcguinness - AOL IM:   mcguinnesstim
__________________________________________________________________


The WEDI SNIP listserv to which you are subscribed is not moderated.  The
discussions on this listserv therefore represent the views of the individual
participants, and do not necessarily represent the views of the WEDI Board of
Directors nor WEDI SNIP.  If you wish to receive an official opinion, post
your question to the WEDI SNIP Issues Database at
http://snip.wedi.org/tracking/.
Posting of advertisements or other commercial use of this listserv is
specifically prohibited.