Interim Final Rule on Standards, Implementation Specifications, and Certification Criteria



Similar documents
HEALTH IT! LAW & INDUSTRY

Interoperability Testing and Certification. Lisa Carnahan Computer Scientist Standards Coordination Office

Privacy and Security Meaningful Use Requirement HIPAA Readiness Review

Certification Guidance for EHR Technology Developers Serving Health Care Providers Ineligible for Medicare and Medicaid EHR Incentive Payments

Department of Health and Human Services

HIPAA/HITECH PRIVACY & SECURITY CHECKLIST SELF ASSESSMENT INSTRUCTIONS

SECURITY RISK ASSESSMENT SUMMARY

Federal Register / Vol. 77, No. 171 / Tuesday, September 4, 2012 / Rules and Regulations

Meaningful Use and Release of Information

itrust Medical Records System: Requirements for Technical Safeguards

HIPAA Security. 4 Security Standards: Technical Safeguards. Security Topics

HIPAA Audit Processes HIPAA Audit Processes. Erik Hafkey Rainer Waedlich

HIPAA Security Checklist

2015 Edition Health Information Technology (Health IT) Certification Criteria, 2015

HIPAA Security. 5 Security Standards: Organizational, Policies. Security Topics. and Procedures and Documentation Requirements

New Rules for the HITECH Electronic Health Records Incentive Program and Meaningful Use

How Managed File Transfer Addresses HIPAA Requirements for ephi

HIPAA Security Series

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, :15pm 3:30pm

Certificate of EHR Compliance

Data Breach, Electronic Health Records and Healthcare Reform

BUSINESS ASSOCIATE AGREEMENT

Office of the National Coordinator for Health Information Technology Supporting Meaningful Use. July 22, 2010

THE OFFICE OF THE NATIONAL COORDINATOR FOR HEALTH INFORMATION TECHNOLOGY S OVERSIGHT OF THE TESTING

Medical Privacy Version Standard. Business Associate Agreement. 1. Definitions

CMS FINALIZES REQUIREMENTS FOR THE MEDICAID ELECTRONIC HEALTH RECORDS (EHR) INCENTIVE PROGRAM

BUSINESS ASSOCIATE AGREEMENT

2/9/ HIPAA Privacy and Security Audit Readiness. Table of contents

HIPAA Security. 1 Security 101 for Covered Entities. Security Topics

Raj Chaudhary, PE, CGEIT Partner, Crowe Horwath LLP. Chris Reffkin, CISSP Manager, Crowe Horwath LLP

HIPAA for HIT and EHRs. Latest on Meaningful Use and EHR Certification: For Privacy and Security Professionals

HIPAA Secure Now! How MSPs Can Profit From Selling HIPAA security services

HIPAA BUSINESS ASSOCIATE AGREEMENT

The Meaning Behind Meaningful Use Stage 2

ITUS Med Solutions. HITECH & HIPAA Compliance Guide

ONC HIT Certification Program

HIPAA BUSINESS ASSOCIATE AGREEMENT

VMware vcloud Air HIPAA Matrix

Summary of the Proposed Rule for the Medicare and Medicaid Electronic Health Records (EHR) Incentive Program (Eligible Professionals only)

BUSINESS ASSOCIATE AGREEMENT. Business Associate. Business Associate shall mean.

University Healthcare Physicians Compliance and Privacy Policy

Authorized. User Agreement

Department of Health and Human Services

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)

MEDICARE AND MEDICAID ELECTRONIC HEALTH RECORD (EHR) INCENTIVE PROGRAM: OVERVIEW

Understanding Meaningful Use with a Focus on Testing the HL7 V2 Messaging Standards

Client Alert. CMS Releases Proposed Rule On Meaningful Use Of Electronic Health Record Technology

Drummond Group, Inc. Re: Price Transparency Attestation

Securing the FOSS VistA Stack HIPAA Baseline Discussion. Jack L. Shaffer, Jr. Chief Operations Officer

UNIVERSITY PHYSICIANS OF BROOKLYN HIPAA BUSINESS ASSOCIATE AGREEMENT CONTRACT NO(S):

T he Health Information Technology for Economic

ACO #11 -- Percent of Primary Care Physicians Who Successfully Qualify for an EHR Program Incentive Payment

HIPAA Security. assistance with implementation of the. security standards. This series aims to

NY Medicaid EHR Incentive Program. Eligible Professionals Program Eligibility and AIU Webinar

The Meaningful Use Stage 2 Final Rule: Overview and Outlook

Medicare and Medicaid Programs; EHR Incentive Programs

The Accreditation Association for Ambulatory Health Care (AAAHC) is a Business Associate as defined in the HIPAA Privacy Rule:

Healthcare Management Service Organization Accreditation Program (MSOAP)

Business Associate Agreement

Professional Solutions Insurance Company. Business Associate Agreement re HIPAA Rules

Transcription:

Interim Final Rule on Standards, Implementation Specifications, and Certification Criteria NIST/OCR Conference Safeguarding Health Information: Building Assurance through HIPAA Security Steven Posnack, ONC

How Does All This Work? Meaningful User of Certified EHR Technology Meaningful Use Regulations & Objectives Measures Certified Complete EHR = Combination of Certified EHR Modules HIT Certification Programs Regulations ONC-ATCB / ONC-ACB Correlated Certification Complete EHR Criteria HIT Standards & Certification EHRs Criteria Modules Regulations 2

ONC Interim Final Rule Initial Set of Standards, Implementation Specifications, and Certification Criteria Definitions Standards and Certification Criteria Relationship to Meaningful Use Proposed Rule Relationship to HIPAA Security Rule 3

Acronym Check CFR: Code of Federal Regulations EHR: Electronic Health Record FACA: Federal Advisory Committee Act IFR: Interim Final Rule ONC: Office of the National Coordinator for Health IT PHSA: Public Health Service Act 4

IFR The Basics Statutory Authority American Recovery and Reinvestment Act of 2009 (Pub. L. 111 5) Title XIII of Division A and Title IV of Division B Health Information Technology for Economic and Clinical Health Act (HITECH Act) The HITECH Act amended the Public Health Service Act (PHSA) and created Title XXX Health Information Technology and Quality Section 3004(b) required the Secretary to adopt an initial set of standards, implementation specifications, and certification criteria by 12/31/2009 Created 45 CFR Part 170 5

Principles that Guide Certification Criteria and Standards Certification Criteria Assure providers that Certified EHR Technology can support achievement of Meaningful Use Key capabilities that can be tested objectively Minimal set supports innovation Standards Incrementally build capacity Establish the foundation for greater interoperability 6

IFR Definitions (1) Certified EHR Technology (Statutory) [A] qualified electronic health record that is certified pursuant to section 3001(c)(5) as meeting standards adopted under section 3004 that are applicable to the type of record involved (as determined by the Secretary, such as an ambulatory electronic health record for office-based physicians or an inpatient hospital electronic health record for hospitals) 7

IFR Definitions (2) Certified EHR Technology (Regulatory) Complete EHR or a combination of EHR Modules, each of which: (1) Meets the requirements included in the definition of a Qualified EHR; and (2) Has been tested and certified in accordance with the certification program established by the National Coordinator as having met all applicable certification criteria adopted by the Secretary. 8

IFR Definitions (3) Complete EHR (Regulatory) EHR technology that has been developed to meet all applicable certification criteria adopted by the Secretary. EHR Module (Regulatory) any service, component, or combination thereof that can meet the requirements of at least one certification criterion adopted by the Secretary. 9

IFR Standards Organized into four categories: Content Exchange Standards Vocabulary Standards Transport Standards Privacy and Security Standards 10

IFR Certification Criteria Certification criteria are aligned with the meaningful use objectives for eligible professionals and eligible hospitals 11

IFR Certification Criteria Deatils General Certification Criteria applicable to all Complete EHRs or EHR Modules Includes privacy and security certification criteria Ambulatory Certification Criteria applicable to Complete EHRs or EHR Modules designed for ambulatory settings Inpatient Certification Criteria applicable to Complete EHRs or EHR Modules designed for inpatient settings 12

IFR Relationship to Meaningful Use Illustrative Crosswalk Meaningful Use Objectives E Rx Certification Criteria Capability to E Rx must be included Standards NCPDP SCRIPT 8.1/10.6 must be used 13

HIPAA Security Rule & Certification Criteria HIPAA Security Rule Focuses on: administrative, physical, and technical safeguards Sets standards for all e-phi created, received, maintained, or transmitted by HIPAA Covered Entities Certification Criteria Focus on technical safeguards Establish requirements for capabilities Apply to Complete EHRs and EHR Modules Do not set organizational policy 14

HIPAA Security Rule & Certification Criteria 45 CFR 164.312 (a)(1) Access control (a)(2)(i) User identification (r) (a)(2)(ii) Emergency access (r) (a)(2)(iii) Automatic logoff (a) (a)(2)(iv) Encryption/decryption (Data at Rest) (a) (b) Audit Controls (c)(1) Integrity (c)(2) Authenticate ephi (a) (d) Person or entity authentication (e)(1) Transmission security (e)(2)(i) Integrity controls (a) (e)(2)(ii) Encryption (transmission) (a) 45 CFR 170.302 (o) Access control (p) Emergency access (q) Automatic logoff (u) Encryption (r) Audit log (s) Integrity (t) Authentication (s) Integrity (u) Encryption 15

What s next? IFR Comment Period Closed March 15, 2010 Working with CMS to align Standards and Certification Criteria Final Rule with Meaningful Use Final Rule To view comments go to: http://www.regulations.gov Keyword health IT standards 16

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information