How to Leverage HIPAA for Meaningful Use

Transcription

1 How to Leverage HIPAA for Meaningful Use The overlap between HIPAA and Meaningful Use requirements 2015 SecurityMetrics

2 How to Leverage HIPAA for Meaningful Use 2 About this ebook Who should read this ebook? Officers, practitioners, and managers in charge of HIPAA compliance and data security in small, medium, and large covered entities Anyone involved in Meaningful Use Incentive Program attestation What does this ebook include? A brief overview of HIPAA and Meaningful Use Overlap of Meaningful Use and HIPAA requirements Instructions on how to accomplish data security requirements for HIPAA and Meaningful Use Who is SecurityMetrics? SecurityMetrics has helped over one million organizations comply with HIPAA, PCI DSS, and other mandates. Our solutions combine innovative technology that streamlines validation with the personal support you need to fully understand compliance requirements. You focus on the business stuff we ve got compliance covered. Learn more about us at

3 How to Leverage HIPAA for Meaningful Use 3 Introduction No matter the size of your healthcare organization you have many requirements, mandates, laws, policies, etc. to comply with and worry about. This is all on top of providing health care services to patients, the reason you got into healthcare in the first place. As most of you know, covered entities that handle protected health information (PHI) are required to comply with the Health Insurance Portability and Accountability Act (HIPAA). Many healthcare professionals like you and the entities you work for also participate in Medicare and Medicaid EHR Incentive Programs. Both HIPAA and Meaningful Use s complex and time consuming requirements fall under the other stuff on your to do list. How this ebook helps This ebook covers the overlap between HIPAA and Meaningful Use, including two important security protocols to help protect patient data. The goal of this ebook is to help you save time, money, and other resources by leveraging your HIPAA compliance requirements for Meaningful Use attestation.

4 How to Leverage HIPAA for Meaningful Use 4 Meaningful Use Basics What is Meaningful Use? The Centers for Medicare and Medicaid Services (CMS) created incentive programs, commonly known as Meaningful Use, to encourage practices and hospitals to handle all their records electronically. Eligible professionals (EP), eligible hospitals (EH), and critical access hospitals (CAH) can qualify for Meaningful Use programs. You are only allowed to participate in one incentive program, so if you qualify for both the Medicare and Medicaid EHR Incentive Programs you must choose which program to participate in. Meaningful Use programs are divided into three stages. Each new stage increases requirements and measures to further practice and hospital implementation of their Certified EHR Technology (CEHRT). The CEHRT is the actual system used to electronically handle PHI. Meaningful Use Alphabet Soup CMS = Centers for Medicare and Medicaid Services EHR = Electronic Health Records CEHRT = Certified EHR Technology CQMs = Clinical Quality Measures EP = Eligible Professional EH = Eligible Hospitals CAH = Critical Access Hospitals NQS Domains = National Quality Strategy Domains

5 How to Leverage HIPAA for Meaningful Use 5 Incentive Amounts The incentive payments are what makes going through the pain of CEHRT implementation and Meaningful Use attestation worth it. We don t like to call these kickbacks, but that s kind of what they are. Essentially, the government gives you money to become CEHRT users and Meaningful Use participants. Maximum payout for EPs in the Medicare Incentive Program if you started in 2011 is $43,720. See tables 1 and 2 for more detailed information. Incentive payments for EHs and CAHs are more complicated than for EPs. Medicare and Medicaid payments have a maximum payout of $6,370,400 for EHs and CAHs. See EHR Incentive Program for Medicare Hospitals: Calculating Payments and Medicaid Hospital Incentive Payments Calculations for a detailed breakdown of the formulas. Payments for Eligible Professionals Table 1 Medicare Payments* 2011 $43, $43, $38, $23,520 *Based on the year you start program Table 2 Medicaid Payments Year 1 $21,250 Year 2-6 $8,500 Max payout $63,750

6 How to Leverage HIPAA for Meaningful Use 6 Stages and Measures Each attestation stage has a number of measures that EPs, EHs, and CAHs must complete and attest to each year. These measures are broken into three categories: core measures, menu measures, and clinical quality measures. Core measures are all required. Healthcare organizations must choose a certain number of menu objectives to complete. For example, in Stage 1 EPs must meet 5 menu measures from a total list of 9. Which stage are you in? See which stage you are in based on your program participation start year. 1st year Stage of Meaningful Use TBD TBD TBD TBD In addition to core and menu measures, there are clinical quality measures (CQMs). CQMs are tools that help measure and track the quality of health care services provided by EPs, EHs, and CAHs. Starting in 2014, the CQMs chosen must cover at least 3 of the 6 National Quality Strategy (NQS) domains. NQS domains represent the Department of Health and Human Services (HHS) priorities for health care quality improvement. To receive an incentive payment, providers are required to submit CQM data from their CEHRT. Table 3 Measures for EP EH and CAH Stage 1 Stage 2 Stage 1 Stage 2 Core measures Menu measures Clinical quality measures 5 of 9 3 of 6 5 of 10 3 of 6 9 of 64 9 of 64 All of TBD TBD TBD TBD TBD TBD TBD TBD TBD TBD

7 How to Leverage HIPAA for Meaningful Use 7 Data Security Measures Stage 1 Data Security Measure Within the measures that organizations must attest to, there are a few measures that specifically cover data security. Because we are discussing how Meaningful Use relates to HIPAA, specifically the Security Rule, it s important you understand these measures. On the Meaningful Use worksheets, it lists an objective for each measure. The data security core objective (measure 13 for EPs and 12 for EHs and CAHs) is protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities. The measure for this objective is conduct or review a security risk analysis in accordance with the requirements under 45 CFR (code of federal regulations) (a) (1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process. The CFR requirement referenced in the measure is the HIPAA risk analysis requirement. Based on how these Meaningful Use measures are written, you can see that Meaningful Use and HIPAA are related. We ll discuss how they are related in more detail in other sections. Stage 2 Data Security Measure In Stage 2, the data security objective is essentially the same as Stage 1 (measure 9 for EPs and 7 for EHs and CAHs), but the measures are expanded. Not only are EPs, EHs, and CAHs required to conduct or review a security risk analysis, they are to implement security updates as necessary and correct identified security deficiencies as part of the provider s risk management process. In HIPAA this is commonly known as a risk management plan. We ll discuss the risk

8 How to Leverage HIPAA for Meaningful Use 8 management plan more in the HIPAA section. CMS also added another HIPAA requirement in the measure for Stage 2, which is addressing the encryption/security of data stored in CEHRT in accordance with requirements under 45 CFR (a)(2)(iv) and 45 CFR (d)(3). Encryption protects sensitive data that is stored or transmitted to make it unreadable. How encryption works: 1. Data is entered into the computer 2. Before the data is stored/ transmitted, it is transformed into unreadable code 3. Only with a special key does the data become readable once again

9 How to Leverage HIPAA for Meaningful Use 9 Does Meaningful Use Make Sense for You? Although the idea of an incentive program is likely appealing, some professionals are starting to bail out. One reason is there are penalties if EPs, EHs, and CAHs can t meet the measures and CQMs. The penalties for Meaningful Use really boil down to reduced Medicare or Medicaid payments of anywhere between 1-5%. A lot of the smaller physicians we talk to bill around $100,000 a year to Medicaid and Medicare. If they lose 1% of those payments, that s $1,000 per year. If they lose up to 5%, that s $5,000 per year. Does it make sense for them to spend the money and time it takes to complete those Meaningful Use attestations? This is a big question for some providers, especially smaller ones. Incentive program participation decreased 17% in Participants decided it wasn t worth the effort, so they bailed out in We recommend you take a look at your Medicaid and Medicare payments and do what makes sense for your practice.

10 How to Leverage HIPAA for Meaningful Use 10 HIPAA Basics HIPAA Components Most people in the healthcare industry are familiar with the purpose of HIPAA compliance, but not everyone realizes the HIPAA standard is actually a combination of three separate rules: the Privacy Rule, Security Rule, and Breach Notification Rule. Security Rule The Security Rule sets standards for protecting PHI that is stored or transmitted in electronic form. The Security Rule is designed to be flexible and scalable to accommodate healthcare providers of all sizes and technology sophistication. Privacy Rule The Privacy Rule addresses appropriate PHI use and disclosure practices by healthcare organizations, and designates the right for individuals to understand and control how their medical data is used. Breach Notification Rule The Breach Notification Rule details the actions that must take place and the parties that must be notified in the event of a PHI breach.

11 HIPAA Survey by NueMD In October 2014, NueMD conducted a survey of more than 1,100 healthcare professionals to gauge their knowledge of HIPAA and preparedness for an audit. The results showed that only 35% said their business had conducted a mandatory HIPAA risk analysis. How to Leverage HIPAA for Meaningful Use 11 HIPAA Risk Analysis The risk analysis is the keystone of Security Rule compliance and data security efforts. The purpose of the risk analysis is to help covered entities identify and document potential security risks. Every security effort your organization needs to make will be determined by your risk analysis, so it s critical to conduct a complete and thorough analysis. HIPAA Risk Management Plan The risk management plan is the end result of a risk analysis. Your risk management plan should include all the risks found during your risk analysis and how you will evaluate, prioritize, and implement security controls to remediate these risks.

12 How to Leverage HIPAA for Meaningful Use 12 Meaningful Use and HIPAA Overlap Two Birds With One Stone Will your Meaningful Use attestation count 100% for HIPAA compliance? No. Will HIPAA compliance count 100% for Meaningful Use attestation? No. There is no complete overlap between Meaningful Use and HIPAA. However, there is enough overlap to make a significant impact. A risk analysis is one main requirement that applies to both Meaningful Use and HIPAA. Common Risk Analysis Questions Both HIPAA and Meaningful Use require a risk analysis. All stages of Meaningful Use include some element of a risk analysis and data security. Will your Meaningful Use risk analysis cover your HIPAA risk analysis? Unfortunately, too often the answer is, no. Entities get hung up on thinking that Meaningful Use is focused just on the CEH- RT. Will your HIPAA risk analysis cover your Meaningful Use risk analysis? Normally yes, as long as you ve done a complete and thorough analysis. The HIPAA risk analysis encompasses the CEHRT, as well as all PHI including paper records, s, calendars, other systems, etc. Because the risk analysis includes the CEHRT it also counts for Meaningful Use measures.

13 How to Leverage HIPAA for Meaningful Use 13 Risk Analysis Deep Dive Elements of a Risk Analysis Let s make sure we are on the same page when we talk about a risk analysis. A risk analysis finds security issues in your PHI environment through the analysis of 3 components: vulnerabilities, threats, and risks. those systems. But you also need to be aware of threats within your own internal systems. Technically, your staff is a threat. A workforce member could unintentionally or intentionally do something to trigger one of your vulnerabilities. A vulnerability is a flaw or weakness in a system, procedure, implementation, or security control that could result in a security breach. Vulnerabilities can be either technical or non-technical. Technical vulnerabilities can be holes, flaws, or weaknesses in IT systems. Non-technical vulnerabilities can be ineffective or non-existent procedures, policies, standards, and guidelines. Vulnerability = a flaw or weakness in a system, procedure, or security control that could result in a security breach. A threat is some force or person that might intentionally or unintentionally trigger a specific vulnerability. Oftentimes threats are thought of in terms of computer systems and attackers exploiting Threat = some force or person that might intentionally or unintentionally trigger a specific vulnerability.

14 How to Leverage HIPAA for Meaningful Use 14 Risk is the likelihood that one of these threats accidentally or intentionally triggers the vulnerability. Risks are really what auditors look at during HIPAA audits. A risk analysis identifies vulnerabilities that expose your organization to potential risk. This will help you determine and prioritize the most threatening risks to take care of first and which risks may not even be worth addressing in your risk management plan. The HHS hasn t given a specific risk analysis process to use but did suggest using the NIST guide. Risk Analysis Process Identify the scope of the analysis Gather data Identify and document potential vulnerabilities and threats Assess current security objectives Determine the likelihood of threat occurrence Determine the potential impact of threat occurrence Determine the level of risk Identify security objectives and finalize documentation

15 How to Leverage HIPAA for Meaningful Use 15 Remediating Risks Deep Dive Risk Management Plan Both Meaningful Use and HIPAA require you to correct your security problems. The HHS recognizes that many organizations are not completely secure. They understand most of us have risks we haven t fully remediated. They just want to see forward movement with HIPAA and patient data security. Encrypt, Encrypt, Encrypt Meaningful Use Stage 2 expanded patient data security requirements even further. Not only do you need to remediate risks found during the risk analysis, but you also need to include encryption and security of data stored in the CEHRT. While speaking at the HIMSS Privacy and Security Forum, Linda Sanches from HHS spoke about encryption as her most important advice to avoid a breach. Encryption needs to go beyond the CEHRT and is required for all stored data under HIPAA. Based on the HHS Wall of Shame data as of 2014, nearly 55% of breaches were caused by loss or theft. Not all of these breaches could have been avoided by enabling encryption, but many could have.

16 How to Leverage HIPAA for Meaningful Use 16 Conclusion We ve learned that your HIPAA risk analysis will cover your Meaningful Use risk analysis requirement. We ve also learned that both HIPAA and Meaningful Use require you to secure your patient data. We are not sure what the Meaningful Use Stage 3 core measures will be, but it is safe to say there will be a requirement based on protecting patient data that will overlap with HIPAA. Although Meaningful Use attestation comes down to checking a yes or no box, there is a lot that goes into that one check box. It is important to go through a complete and thorough risk analysis, remediate risks, and implement encryption, so you can truly say you re protecting patient data. SecurityMetrics gave me the support and help to quickly review my HIPAA compliance. A great and easy experience. HIPAA compliance can be a complicated and timeconsuming project. SecurityMetrics HIPAA services help you tackle compliance with simple steps at your own pace. Contact us for a free HIPAA compliance consultation. David Hunt Elevate Fitness and Rehab I hipaa@securitymetrics.com