Sunday March 30, 2014, 9am noon HCCA Conference, San Diego



Similar documents
HIPAA Secure Now! How MSPs Can Profit From Selling HIPAA security services

Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use

Privacy and Security Meaningful Use Requirement HIPAA Readiness Review

HIPAA Security Risk Analysis for Meaningful Use

Security. aspen advisors. An Often Overlooked Meaningful Use Requirement. July 2011

CMS AND ONC FINAL REGULATIONS DEFINE MEANINGFUL USE AND SET STANDARDS FOR ELECTRONIC HEALTH RECORD INCENTIVE PROGRAM

Nationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011

HIPAA Security Rule Compliance

HIPAA Security. 1 Security 101 for Covered Entities. Security Topics

Ensuring Privacy & Security of Patient Information

Santa Rosa Presents Webinar Series Electronic Health Records & Meaningful Use Incentives: Medicare & Medicaid

HIPAA and HITECH Compliance for Cloud Applications

Meaningful Use Stage 2. Meeting Meaningful Use Stage 2 with InstantPHR TM.

Meaningful Use and Security Risk Analysis

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, :15pm 3:30pm

Welcome to the Privacy and Security PowerPoint presentation in the Data Analytics Toolkit. This presentation will provide introductory information

Tools to Prepare and Protect Your Practice for HIPAA and Meaningful Use Audits

The Medicare and Medicaid EHR incentive

Joe Dylewski President, ATMP Solutions

What Health Care Entities Need to Know about HIPAA and the American Recovery and Reinvestment Act

Privacy Officer Job Description 4/28/2014. HIPAA Privacy Officer Orientation. Cathy Montgomery, RN. Presented by:

White Paper THE HIPAA FINAL OMNIBUS RULE: NEW CHANGES IMPACTING BUSINESS ASSOCIATES

2/9/ HIPAA Privacy and Security Audit Readiness. Table of contents

How to Leverage HIPAA for Meaningful Use

Preparing for HIPAA and Meaningful Use Compliance Audits

Health Homes Implementation Series: NYeC Privacy and Security Toolkit. 16 February 2012

HIPAA: Compliance Essentials

Empowering Nurses & Building Trust Through Health IT

HIPAA COMPLIANCE PLAN FOR 2013

Business Associates, HITECH & the Omnibus HIPAA Final Rule

Strategies for. Proactively Auditing. Compliance to Mitigate. Matt Jackson, Director Kevin Dunnahoo, Manager

Securing Patient Portals. What You Need to Know to Comply With HIPAA Omnibus and Meaningful Use

Trust 9/10/2015. Why Does Privacy and Security Matter? Who Must Comply with HIPAA Rules? HIPAA Breaches, Security Risk Analysis, and Audits

Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions

HIPAA Compliance and the Protection of Patient Health Information

InfoGard Healthcare Services InfoGard Laboratories Inc.

Bridging the HIPAA/HITECH Compliance Gap

HIPAA Compliance Guide

Interim Final Rule on Standards, Implementation Specifications, and Certification Criteria

The HIPAA Audit Program

Ethics, Privilege, and Practical Issues in Cloud Computing, Privacy, and Data Protection: HIPAA February 13, 2015

How To Understand And Understand The Benefits Of A Health Insurance Risk Assessment

Cybersecurity for Meaningful Use FRHA Annual Summit "Setting the Health Care Table: Politics, Economics, Health" November 20-22, 2013

HIPAA Compliance Guide

Sustainable Compliance: A System for Ongoing Audit Readiness

Developing HIPAA Security Compliance. Trish Lugtu CPHIMS, CHP, CHSS Health IT Consultant

The HIPAA Omnibus Final Rule

Participation Agreement Medicaid Provider Program

Compliance, Incentives and Penalties: Hot Topics in US Health IT

What is required of a compliant Risk Assessment?

HIT Audit Workshop. Jeffrey W. Short.

EMR and Meaningful Use. How to Prepare for Audits and Avoid Penalties

FIVE EASY STEPS FOR HANDLING NEW HIPAA REQUIREMENTS & MANAGING YOUR ELECTRONIC COMMUNICATIONS

Agenda. OCR Audits of HIPAA Privacy, Security and Breach Notification, Phase 2. Linda Sanches, MPH Senior Advisor, Health Information Privacy 4/1/2014

Meaningful Use EHR Incentive Program

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc.

OCR/HHS HIPAA/HITECH Audit Preparation

Meaningful Use Audits. NextGen Physician Consulting Services

Answering to HIPAA. Who Answers Your Phone? Prepared by Kenneth E. Rhea, MD, FASHRM. Brought to you by.

How to Use the NYeC Privacy and Security Toolkit V 1.1

HIPAA/HITECH Privacy and Security for Long Term Care. Association of Jewish Aging Services 1

HIPAA: AN OVERVIEW September 2013

Guidance on Risk Analysis Requirements under the HIPAA Security Rule

MU Security & Privacy Risk Assessments: What It Is & How to Approach It

Assessing Your HIPAA Compliance Risk

Information Protection Framework: Data Security Compliance and Today s Healthcare Industry

Objectives 5/5/2015. Quality Health Associates (QHA) of ND

NJ-HITEC PARTICIPATION AGREEMENT FOR MEDICAID SPECIALISTS

HIPAA Audits: How to Be Prepared. Lindsey Wiley, MHA, CHTS-IM, CHTS-TS HIT Manager Oklahoma Foundation for Medical Quality

HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant

OIG Security Audit: What You Need To Know

Stage 2 Meaningful Use What the Future Holds. Lindsey Wiley, MHA HIT Manager Oklahoma Foundation for Medical Quality

Data Breach, Electronic Health Records and Healthcare Reform

Are You Ready for an OCR Audit? Tom Walsh, CISSP Tom Walsh Consulting, LLC Overland Park, KS. What would you do? Session Objectives

Security Is Everyone s Concern:

HIPAA Overview. Darren Skyles, Partner McGinnis Lochridge. Darren S. Skyles

HIPAA Summit. March 10, Phyllis A. Patrick, MBA, FACHE, CHC Phyllis A. Patrick & Associates LLC

Preparing for the HIPAA Security Rule Again; now, with Teeth from the HITECH Act!

HIPAA in an Omnibus World. Presented by

Business Associate Management Methodology

Hosting for Healthcare: ADDRESSING THE UNIQUE ISSUES OF HEALTH IT & ACHIEVING END-TO-END COMPLIANCE

The HITECH Act: Implications to HIPAA Covered Entities and Business Associates. Linn F. Freedman, Esq.

Art Gross President & CEO HIPAA Secure Now! How to Prepare for the 2015 HIPAA Audits and Avoid Data Breaches

Healthcare and IT Working Together KY HFMA Spring Institute

HIPAA Audits and Compliance: What To Expect From Regulators and How to Comply

HIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist

Mark Anderson, FHIMSS, CPHIMSS Healthcare IT Futurist

HIPAA Compliance: Are you prepared for the new regulatory changes?

Ready for an OCR Audit? Will you pass or fail an OCR security audit? Tom Walsh, CISSP

Preparing for the HIPAA Security Rule Again; now, with Teeth from the HITECH Act!

Securing Patient Portals

HIPAA Hot Topics. Audits, the Latest on Enforcement and the Impact of Breaches. September Nashville Knoxville Memphis Washington, D.C.

Privacy and Security Challenges of Meaningful Use

Overview of the HIPAA Security Rule

HIPAA Omnibus Compliance How A Data Loss Prevention Solution Can Help

Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know

12/19/2014. HIPAA More Important Than You Realize. Administrative Simplification Privacy Rule Security Rule

HIPAA Audits Are Happening. eroi

University Healthcare Physicians Compliance and Privacy Policy

HITECH and Meaningful Use - An Overview - To Enrich Lives Through Effective And Caring Service

Transcription:

Meaningful Use as it Relates to HIPAA Compliance Sunday March 30, 2014, 9am noon HCCA Conference, San Diego CLAconnect.com Objectives and Agenda Understand the statutory and regulatory background and purpose of HIPAA Understand what meaningful use is and how it affects HIPAA Gain an understanding of the key provisions and learn how to complete a risk analysis for meaningful use and HIPAA Your questions answered 2 1

Understand the statutory and regulatory background and purpose of HIPAA 3 HIPAA Requirements Under the Health Information Technology for Economic and Clinical Health Act (HITECH) enacted as part of the American Recovery and Reinvestment Act of 2009 (ARRA), one of the core Meaningful Use (MU) measures for both Eligible Professionals and Eligible Hospitals alike is the requirement for healthcare providers to Conduct or review a security risk analysis and implement security updates as necessary, and correct identified security deficiencies prior to or during the EHR reporting period to meet this measure. This measure is, therefore, a key task healthcare providers must conduct before attesting to their ability to meet all Stage 1 requirements. Additionally, the risk analysis requirement in the HIPAA Security Rule is not only an integral part of meeting meaningful use for HITECH but also for being in compliance with the law. All e PHI created, received, maintained, or transmitted by an organization is subject to the Security Rule. The Security Rule requires entities to evaluate risks and vulnerabilities in their environments and to implement reasonable and appropriate security measures to protect against reasonably anticipated threats or hazards to the security or integrity of e PHI. Risk analysis is the first step in that process. 4 2

HIPAA Requirements The Security Rule requires entities to evaluate risks and vulnerabilities in their technology environments and to implement reasonable and appropriate security measures to protect e PHI. The Office for Civil Rights (OCR), the security watchdog for the Department of Health and Human Services (HHS), in particular, is responsible for issuing annual guidance on the provisions in the HIPAA Security Rule. The OCR is also the body responsible for ensuring CEs are complying with the intent of the security rule. From a compliance perspective then, it may seem especially wise to take heed to what the OCR is saying. 5 Understand what meaningful use is and how it affects HIPAA 6 3

Meaningful Use The enhanced set of protections finalized in the omnibus HIPAA privacy and security rule now becomes the new baseline for anyone who handles health information. It does not change meaningful use requirements, but combined, the two may drive more providers to protect patient data. 7 Meaningful Use Meaningful use (MU), in a health information technology (HIT) context, defines the use of electronic health records (EHR) and related technology within a healthcare organization. Achieving meaningful use also helps determine whether an organization will receive payments from the federal government under either the Medicare EHR Incentive Program or the Medicaid EHR Incentive Program. According to the provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, organizations that are eligible for the Medicare EHR Incentive Program and achieve meaningful use by 2014 will be eligible for incentive payments; those who have failed to achieve that standard by 2015 may be penalized. To receive the maximum reimbursement, physicians and hospitals must achieve Stage 1 of meaningful use of EHR for at least a 90 day period within the 2011 or 2012 federal fiscal year and for the entire year thereafter. 8 4

Meaningful Use Those eligible for the Medicaid program must demonstrate meaningful use by 2016 in order to receive incentive payments. The Centers for Medicare Medicaid Services (CMS) worked with the Office of the National Coordinator for Health IT and other parts of Department of Health and Human Services (HHS) to establish regulations for Stage 1 of the meaningful use incentive program. The working group will also establish criteria to determine Stages 2 and 3 of meaningful use. Criteria for Stage 2 of meaningful use will begin in 2014, and criteria for Stage 3 of meaningful use will be defined at a later date. 9 How Do I Comply with Meaningful Use Requirements? Your EHR or EHR components must meet ONC s standards and implementation specifications, at a minimum, to be certified to support the achievement of meaningful use Stage 1 by eligible health care providers under the EHR Incentive Program regulations. Along with many other criteria, ONC requires that an EHR meet nine security criteria to be certified. 10 5

How Do I Comply with Meaningful Use Requirements? To receive the incentive payments, you must also demonstrate that you have met the criteria for the EHR Incentive Program s privacy and security objective. This objective, ensure adequate privacy and security protections of personal health information, is the fifth and final health policy priority of the EHR Incentive Program. The measure for Stage 1 aligns with HIPAA s administrative safeguard to conduct a security risk assessment and correct any identified deficiencies. In fact, the EHR Incentive Program s only privacy and security measure for Stage 1 is to: Conduct or review a security risk assessment of the certified EHR technology, and correct identified security deficiencies and provide security updates as part of an ongoing risk management process. 11 How Do I Comply with Meaningful Use Requirements? Attest to the security risk analysis MU objective. HIPAA privacy and security requirements are embedded in CMS EHR Incentive Programs. As a result, eligible providers must attest that they have met certain measures or requirements regarding privacy and security of health information on their EHRs. So conduct your security risk analysis, then register and attest. Remember you are attesting to have corrected and deficiencies identified during the risk analysis. Document your changes/corrections, as you could be audited. NOTE: Reviews are required for each EHR period (1 year/90 days). 12 6

How Do I Comply with Meaningful Use Requirements? The EHR Incentive Program and the HIPAA Security Rule do not mandate how the risk analysis and updates should be done. Instead, this is left up to the provider or organization. There are numerous methods for performing risk analysis and risk management. Below are commonly recommended steps for performing these tasks: Indentify the scope of the analysis Gather data Identify and document potential threats and vulnerabilities Assess current security measures Determine the likelihood of threat occurrence Determine the potential impact of threat occurrence Determine the level of risk Identify security measure and finalize documentation Develop and implement a risk management plan Implement security measures Evaluate and maintain security measures 13 How Do I Comply with Meaningful Use Requirements? The risk analysis and risk management process must be conducted at least once prior to the beginning of the EHR reporting period. You will need to attest to CMS or your State that you have conducted this analysis and have taken any corrective action that needs to take place in order to eliminate the security deficiency or deficiencies identified in the risk analysis. Your local REC can be a resource in identifying the tools and performing the required risk analysis and mitigation. 14 7

How Do I Comply with Meaningful Use Requirements? In meaningful use Stage 2, providers have two security requirements: Perform a security risk assessment and attest to that, and explicitly address encryption. Those things are not affected by any changes in HIPAA. The security rule remains structurally the same. It s risk based. The increased enforcement in the final rule, including audits, increased penalties and the expansion to business associates to comply like covered entities. 15 HIPAA & Meaningful Use Quiz 16 8

Gain an understanding of the key provisions and learn how to complete a risk analysis for meaningful use and HIPAA 17 Risk Analysis The Office of Civil Rights (OCR) is responsible for issuing guidance on the provisions in the HIPAA Security Rule (45 CFR 164.302 318). Guidance covers administrative, physical and technical safeguards for secure E PHI. The risk analysis requirement is laid out in 164.308 (a). All E PHI created, received, maintained or transmitted is subject to the HIPAA Security Rule. Risk analysis is one of four required implementation specifications. 18 9

Risk Analysis Conducting a risk analysis is the first step in identifying and implementing safeguards that comply with the standards and specifications in the Security Rule. One size does not fit all. You need to determine the most appropriate way to achieve compliance. The Security Rule does not prescribe a specific risk analysis methodology and focuses on the objectives of the analysis. Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the organization. 19 Risk Analysis The outcome of the risk analysis process is a critical factor in assessing whether an implementation specification or an equivalent measure is reasonable and appropriate. The information/results of the risk analysis should be used to ensure: Personnel screening processes Data backup and how Data authentication to protect data integrity Protect health information transmissions 20 10

Elements of a Risk Analysis Scope Data Collection Identify and Document Potential Threats and Vulnerabilities Assess Current Security Measures Determine Likelihood of Threat Occurrence Determine Potential Impact Determine Level of Risk Document Periodic Review and Update to the Risk Assessment 21 Best Practices for a Risk Analysis Document, Document, Document Process Results Remediation Conduct the Risk Analysis Develop action plans to address risks, threats and vulnerabilities Address the 5 components Administrative Physical Technical Policies and Procedures Organizational Standards Manage the risks Educate and train your workforce Develop communication protocols Update any contracts with patients and third party agreements 22 11

Document, Document, Document Keep all relevant records that support attestation Completed checklists/questionnaires Risk analysis final report Remediation plans, and any updates BAA support Training/education efforts Results of testing, monitoring and review Policies, procedures Does not have to be electronic Document your decision Keep everything together 23 Considerations Cloud Computing Where is your data? Who has it? ASP s Impacts of major change Practice Electronic system (i.e. HIEs) Reassessments are expected Continuous monitoring element to the overall program Contingency planning Checklist as a security preview/preliminary sense/help everyone get ready. 24 12

A Mini Case Study 25 Your Questions Answered Sue Ulrey, Principal Sue.Ulrey@CLAconnect.com (317) 569 6110 26 13

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information