Privacy and Security Meaningful Use Requirement HIPAA Readiness Review

Transcription

1 Privacy and Security Meaningful Use Requirement HIPAA Readiness Review REACH - Achieving - Achieving meaningful meaningful use of your use EHR of your EHR Patti Kritzberger, RHIT, CHPS ND e-health Summit Wednesday, November 20, , ext. 222 info@khareach.org

2 Objectives EHR Incentive Program Meaningful Use Core Measure OCR Audit Protocol Privacy and Security Meaningful Use Requirement HIPAA Readiness Review Purpose, Content, Process Resources Q & A 2

3 EHR Incentive Program Meaningful Use Core Measure Eligible Hospitals/CAH Core Measure #13 Eligible Professionals Core Measure #14 Eligible hospitals and CAHs /Eligible professionals must attest YES to having conducted or reviewed a security risk analysis in accordance with the requirements under 45 CFR (a)(1) and implemented security updates as necessary and corrected identified security deficiencies prior to or during the EHR reporting period to meet this measure. 3

4 Objectives EHR Incentive Program Meaningful Use Core Measure OCR Audit Protocol Privacy and Security Meaningful Use Requirement HIPAA Readiness Review Purpose, Content, Process Resources Q & A 4

5 Audit Protocol The OCR HIPAA Audit program analyzes processes, controls, and policies of selected covered entities pursuant to the HITECH Act audit mandate. OCR established a comprehensive audit protocol that contains the requirements to be assessed through these performance audits. The entire audit protocol is organized around modules, representing separate elements of privacy, security, and breach notification. The combination of these multiple requirements may vary based on the type of covered entity selected for review. 5

6 What the Audit Protocol Covers Privacy Rule requirements for: (1) notice of privacy practices for PHI, (2) rights to request privacy protection for PHI, (3) access of individuals to PHI, (4) administrative requirements, (5) uses and disclosures of PHI, (6) amendment of PHI, and (7) accounting of disclosures. Security Rule requirements for administrative, physical, and technical safeguards Requirements for the Breach Notification Rule 6

7 Categories of Standards Addressable the CE must assess the reasonableness and appropriateness of the safeguard to protect the ephi: Size, complexity & capability of the CE CEs technical infrastructure, hardware and software security capabilities Cost of security measures Probability and criticality of potential risks to ephi Required the CE must comply with the standard & implement policies &/or procedures that meet the requirement 7

8 Four Distinct Parts of Security Rule Administrative Safeguards administrative actions, including the establishment of policies & procedures, to manage the activities needed to establish security measures that protect ephi. Security Management Process Risk Analysis (Required) Risk Management (Required) Sanction Policy (Required) IS Activity Review (Required) Assigned Security Responsibility Designate Security Officer (Required) Workforce Security Authorization and/or Supervision (Addressable) Workforce Clearance Procedure (Addressable) Termination Procedures (Addressable) 8

9 Distinct Parts, cont Physical Safeguards physical measures and policies & procedures, including policies & procedures to protect electronic information systems & related buildings & equipment from natural & environmental hazards & unauthorized intrusion Facility Access Controls Contingency Operations (Addressable) Facility Security Plan (Addressable) Access Control & Validation Procedures (Addressable) Workstation Use (Required) Workstation Security (Required) Device & Media Controls Disposal (Required) Media Reuse (Required) Accountability (Addressable) Data Backup & Storage (Addressable) 9

10 Distinct Parts, cont. Technical Safeguards the technology, including policies & procedures for its use, that protect ephi & control access to it. Access Control Unique User Identification (Required) Emergency Access Procedure (Required) Automated Logoff (Addressable) Encryption & Decryption (Addressable) Audit Controls (Required) Integrity Mechanism to Authenticate ephi (Addressable) Person or Entity Authentication (Required) Transmission Security Integrity Controls (Addressable) Encryption (Addressable) 10

11 Distinct Parts, cont. Organizational Safeguards arrangements made between organizations to protect ephi, including Business Associate Agreements Business Associate Contracts or Other Arrangements Business Associate Agreements (Required) Other Arrangments (Required) Requirements for Group Health Plans Implementation Specification (Required) Policies & Procedures (Required) Mechanism to Authenticate ephi (Addressable) Documentation Time Limit (Required) Availability (Required) Updates (Required) 11

12 Objectives EHR Incentive Program Meaningful Use Core Measure ONC Audit Protocol Privacy and Security Meaningful Use Requirement HIPAA Readiness Review Purpose, Content, Process Resources Q & A 12

13 REACH HIPAA Readiness Review Service Focus of the Service Eligibility Criteria REACH Clients: Active SLA Site has to be included on SLA Has not met MU or still has an RHC that has not met MU You must have completed your security risk assessment on the certified version of your EHR to be eligible for this service Non-REACH Clients: Fee-for-Service Offering amount to be determined by scope of work 13

14 REACH HIPAA Readiness Review Purpose OCR performing HIPAA Privacy & Security audits Figliozzi & Company performing meaningful use audits up to 20% pre- or post-payment audits This service has been designed to help clients make sure they have all elements for HIPAA Privacy & Security in place. REACH s assistance and guidance does not ensure you will pass an audit or that auditors will not ask for additional information unanticipated by REACH. 14

15 REACH HIPAA Readiness Review Content Tools, education, and assistance related to your organization s completion of the HIPAA security risk assessment Conduct a review and readiness assessment of your organization s security risk assessment required for HIPAA (since 2005). REACH s assessment includes a review of your: Most recent HIPAA security risk assessment HIPAA privacy and security policies and procedures Business continuity and disaster recovery plans Business associate agreements Privacy and security staff education program A report will be provided including suggestions for areas that would benefit from greater focus and attention from your organization. Privacy and security tools will be provided to assist you in your work. 15

16 REACH HIPAA Readiness Review Process Contact REACH or, if a current client, contact your REACH Consultant Complete an intake form A series of calls will be set up Initial Follow up Final (followed by final report) 16

17 Objectives EHR Incentive Program Meaningful Use Core Measure OCR Audit Protocol Privacy and Security Meaningful Use Requirement HIPAA Readiness Review Purpose, Content, Process Resources Q & A 17

18 OCR/CMS Resources securityruleguidance.html Administrative- Simplification/HIPAAGenInfo/index.html?redirect=/HIPAAGenInf o/04_privacystandards.asp 18

19 Other Resources a-security-requirements.php , ext

20 QUESTIONS? 20

21 Key Health Alliance Stratis Health, Rural Health Resource Center, and The College of St. Scholastica. REACH is a project federally funded through the Office of the National Coordinator, Department of Health and Human Services (grant number EP-HIT )