MEDITECH CUSTOMERS & THE OIG QUESTIONNAIRE

Transcription

1 MEDITECH CUSTOMERS & THE OIG QUESTIONNAIRE Hospitals that have received Medicare incentive payments for meaningful use of electronic health records have been asked by the Office of Inspector General of the Department of Health and Human Services to complete a survey aimed at identifying fraud and abuse vulnerabilities in electronic health record (EHR) systems. The OIG letter went to all hospitals that received an incentive payment between Jan. 1, 2011 and March 31, 2012, directed specifically to the CEO's or administrator's office. The letter requests that responses be submitted by Oct. 26. The OIG will use the information from the survey as part of a report expected out next year. OIG staff have informed the AHA that hospitals may take additional time to respond to the survey if needed. In addition, OIG will allow a health system to complete a single response for all facilities, where the survey responses would be the same for each entity in the system. Health systems that choose to submit a single response for all their facilities should contact Kim Yates at kim.yates@oig.hhs.gov prior to completing the survey to ensure that OIG properly accounts for their system-level response. AHA urges hospitals that respond to the OIG survey to a copy of their responses to the association at oigsurvey@aha.org. The following guide for MEDITECH facilities provides information to assist in correctly responding to specific questions about system functionality. Customers are still responsible for completing the survey and answering questions according to how they set up the system for their own use. Please note survey questions specific to hospital remain blank. 1. Please provide the following information for the individual(s) completing this questionnaire: 2. What type of EHR technology does this hospital use? 3. How many years has the hospital used any EHR technology? 4. Is this hospital part of a network of hospitals that use the same EHR technology? 5. How are diagnoses and procedures coded at this hospital? MEDITECH does allow for E&M coding using physician documentation for notes within EDM and MPM. Site determines whether this feature is in use as part of physician documentation. 6. Does this hospital have plans to adopt computer-assisted coding? 7. Does access to the hospital EHR technology require the following user authentications? A. Unique user ID. For all MEDITECH platforms Magic, Client/Server, 6.0, and 6.1.

2 Administrator users can define usernames based on any standard. The healthcare organization has the flexibility to decide the format of usernames. B. Password MAGIC and Client/Server Platforms To prevent unauthorized users from signing-on to the system, MEDITECH provides comprehensive password requirements for authentication. The healthcare organization also has the option of using network authentication processes (e.g., Active Directory) independent of MEDITECH for password management. 6.0/6.1 Platform All password management is controlled by the healthcare organization network authentication processes and is independent of MEDITECH. As such, so long as a user is defined in the MEDITECH system, his or her network password will also provide authentication to the system. This eliminates the need to remember multiple passwords or re-entering a password to sign into the MEDITECH and other systems. C. Token-based (e.g., identification card) Optional. For all MEDITECH platforms Magic, Client/Server, 6.0, and 6.1. Partnered with Imprivata, Forward Advantage offers advanced authentication options, which include USB tokens for MEDITECH healthcare organizations. D. Biometrics (e.g., fingerprints) Optional. For all MEDITECH platforms Magic, Client/Server, 6.0, and 6.1. Partnered with Imprivata, Forward Advantage offers advanced authentication options, which include biometrics for MEDITECH healthcare organizations. E. Public Key (e.g., PKI, digital certificates) Optional. For all MEDITECH platforms Magic, Client/Server, 6.0, and Has the hospital implemented the following policies and procedures regarding access to the EHR technology? A. Automatic user logoff/session timeout

3 System has this capability for all MEDITECH platforms Magic, Client/Server, 6.0, and 6.1. Site will indicate whether it has implemented policies and procedures for this. MEDITECH provides automatic timeout and suspend capabilities, which suspend a user's session and then can log them off of the system after a user-defined period of inactivity. Suspended users are required to re-enter a PIN number in order to continue with their session. In addition, some MEDITECH customers utilize proximity monitoring devices, which automatically suspend a user's session once they leave the PC and enable them to continue their suspended session when they return. Pop-up warning messages are issued in advance of such disconnection. B. Minimum password configuration rules MAGIC and Client/Server Platforms When passwords are managed and established within the MEDITECH system, they can be alphanumeric and up to fourteen characters. They cannot be the same as the user mnemonic, first or last name of the user, or the same as the one-time password. Healthcare organizations also have the option of using network authentication processes independent of MEDITECH for password management. 6.0 Platform All password requirements are defined within the healthcare organization s network authentication environment. If a user is associated with a network user in the MEDITECH system, then access to the system will be authenticated at the point of initial network log on with no separate sign on required. C. Regular changing of password MAGIC and Client/Server Platforms Within MEDITECH, system administrators can define the number of days that the system will require users to change their passwords. Healthcare organizations also have the option of using network authentication processes independent of MEDITECH for password management. If this is the case, password expiration would be handled in the network authentication environment. Therefore, if a user's network password expires then so will his or her access to MEDITECH. 6.0 Platform All password expiration parameters are defined within the healthcare organization s network authentication environment. Therefore, if a user's network password expires then so will his or her access to MEDITECH.

4 . D. User Agreements or contracts to prevent sharing of passwords 9. Does this hospital allow any outside entity (such as a payer) access to the EHR technology? 10. How does the hospital allow outside entities access to the EHR technology? *12 and 13 have no questions.* 14. To what extent does the hospital consider the following to be barriers to allowing outside entities access to EHR technology? 15. Does the audit log record data for the following events? A. Each entry or access to the EHR B. Signature event (the proactive or auto default completion of a patient encounter) C. Export of EHR document (printed, electronically exported, ed) MEDITECH patient audit log allows for tracking of exported data. However, this may be suppressed by MEDITECH upon request of the site. D. Amendments, corrections, or modifications of data E. Import of data F. Disabling of audit log, audit log cannot be disabled. G. Release of encounter for billing

5 H. Access by an authorized outside entity 16. Does the audit log record the following data? A. National Provider Identifier (NPI) B. Date/Time/User stamps C. Access type (creating, editing, viewing, printing, etc.), however print is suppressed by default unless requested by site to be on. D. Internet Protocol (IP)/ Media Access Control (MAC) address E. Network Time Protocol (NTP)/ Simple Network Time Protocol (SNTP) synchronized time F. Method of data entry (direct entry, speech recognition, automated, copy/import, copy forward, dictation) G. Date/Time/User stamp of original author when data are copied H. Date/Time/User stamp of original author if data are entered on behalf of another (e.g., an assistant enters clinical information for a physician) I. Other

6 Please specify: Date/Time/User stamp of original author, for emulation event and co-sign. 17. Is the audit log operational whenever the EHR technology is available for updates or viewing? 18. To what extent does the hospital consider the following to be barriers to having the audit log operational at all times? 19. Can the audit log be disabled? There are no commands to enable or disable audit logs all information is available to authorized users at any time. In addition, there is no limit to the amount of data stored in the MEDITECH system. 20. Who can disable the audit log? Other Please specify: The audit log cannot be disabled. 21. Can the audit log be deleted? The amount of days user audit logs are kept in the LIVE system is typically days. This is up to the healthcare organization and is defined as a parameter. We recommend periodically archiving this data, so that even if the data from a few years ago is not sitting on the LIVE servers it can be pulled back from the archive. This allows you to always have the data at your disposal. 22. Who can delete the audit log? Other Please specify: specific person can delete the audit log. The amount of days user audit logs are kept in the LIVE system is typically days. This is up to the healthcare organization and is defined as a parameter. 23. Can the audit log be edited?

7 24. Who can edit the audit log? Other Please specify: one can edit the audit log. 25. How long are audit log data stored? Data can be stored indefinitely. ARRA requirement is 6 years. There is no limit to the amount of data stored in the MEDITECH system. 26. Does the EHR technology allow for the destruction of EHR and audit log data according to the hospital's data retention policies? Best practice recommendations are to archive audit information, which will be file maintained by the transactional system. 27. Can the EHR technology produce a user friendly version of the audit log (i.e., a summary of audit data in a readable format or embedded in an electronic form) for transmitting, printing, or exporting? MEDITECH provides standard audit reports, which can be easily tailored to meet specific audit criteria. User and dictionary activity audit information is available and can be instantly viewed on screen, downloaded, printed, or ed. Search parameters and reports also can be adjusted accordingly. Reports/logs can be downloaded utilizing Windows Print Manager. These reports can then be sent to an audit engine. Audit reports also can be exported into an audit engine in the appropriate format using our Data Repository, which provides a separate ODBC compliant database. 28. Does anyone at the hospital analyze the audit log data? 29. Which of the following individuals at the hospital analyzes the audit log data? 30. How often is the audit log data reviewed and analyzed?

8 31. To what extent does the hospital consider the following to be barriers to analyzing audit log data? 32. To what extent are physician progress notes handwritten and/or dictated instead of directly entered into the EHR at this hospital? 33. How are these physician progress notes maintained? 34. Why are physician progress notes not directly entered into the EHR? 35. How are physician progress notes entered into the EHR? 36. To what extent are narrative nursing notes handwritten instead of directly entered into the EHR at this hospital? 37. How are these narrative nursing notes maintained? 38. Why are narrative nursing progress notes not directly entered into the EHR? 39. How are narrative nursing notes entered into the EHR? 40. Are there limits on which EHR users are authorized to electronically export, transfer, or print EHR documents? 41. Does the EHR technology require the user to document why an EHR document was electronically exported, transferred, or printed? 42. Does the EHR technology have the capability to disable the Print Screen function?, via MS Windows print manager. 43. Does the hospital disable the Print Screen function for the EHR technology? 44. Do patients have the following electronic access to their EHR data? to pertinent selected sections. 45. To what extent does the hospital consider the following to be barriers to allowing patient access to their EHR data?

9 46. What procedures does the hospital require to identify patients upon check-in? 47. For each patient check-in, does the EHR technology have the capability to record which identification procedure was used to confirm patient identity? 48. Can an EHR document be modified after it has been finalized by a "signature event" (i.e., the proactive or auto default completion of a patient encounter)? 49. Are the original unmodified EHR data retained?, in draft status. 50. Can the following features be customized in the EHR technology? Copy/Paste Templates 51. Does the hospital have a policy regarding the use of the copy/paste feature in EHR technology? 52. Please describe the hospital's copy/paste policy: 53. Has the hospital implemented any of the following safeguards? 54. Please describe any other procedures, policies, or capabilities specific to the EHR technology that your hospital has implemented in order to maintain data integrity and prevent fraud.