HIPAA for HIT and EHRs. Latest on Meaningful Use and EHR Certification: For Privacy and Security Professionals



Similar documents
Meaningful Use Crosswalk to the Security Rule

Meaningful Use Stage 2 & HIPAA: The Relationship between HIPAA and Meaningful Use Privacy & Security Regulations View the Replay on YouTube

Certification Guidance for EHR Technology Developers Serving Health Care Providers Ineligible for Medicare and Medicaid EHR Incentive Payments

Mark Anderson, FHIMSS, CPHIMSS Healthcare IT Futurist

Empowering Nurses & Building Trust Through Health IT

HIPAA Privacy & Security White Paper

Top 5 Things to Know About The 2014 Edition ONC HIT Certification Program. Rylla Riverman, RN, CISM, GEIT, CHCQM-Fellow Gorylla Inc.

HL7 & Meaningful Use. Charles Jaffe, MD, PhD CEO Health Level Seven International. HIMSS 11 Orlando February 23, 2011

Meaningful Use: Stage 1 and 2 Hospitals (EH) and Providers (EP) Lindsey Mongold, MHA HIT Practice Advisor Oklahoma Foundation for Medical Quality

Eligible Professional Meaningful Use Core Measures Measure 7 of 17 Stage 2 Date issued: August, 2014

West Virginia Information Technology Summit. November 4, 2009

AUDITING TECHNIQUES TO ASSESS FRAUD RISKS IN ELECTRONIC HEALTH RECORDS

Privacy Officer Job Description 4/28/2014. HIPAA Privacy Officer Orientation. Cathy Montgomery, RN. Presented by:

Interoperability Testing and Certification. Lisa Carnahan Computer Scientist Standards Coordination Office

How to Use the NYeC Privacy and Security Toolkit V 1.1

Stage 2 Meaningful Use - Public Health

2/9/ HIPAA Privacy and Security Audit Readiness. Table of contents

How To Help Your Health Care Provider With A Health Care Information Technology Bill

Meaningful Use of Certified EHR Technology with My Vision Express*

Proposed Rule Standards & Certification Criteria 2014 Edition. Steve Posnack, MHS, MS, CISSP Director, Federal Policy Division

Identity: The Key to the Future of Healthcare

Meaningful Use and Release of Information

The basics of Health Information Technology

Privacy for Healthcare Data in the Cloud - Challenges and Best Practices

9/25/2012. Agenda. Defining the interrelation of MU, HIM and Release of Information IOD s partnership approach to MU

Eligible Professionals

WISHIN Pulse Statement on Privacy, Security and HIPAA Compliance

Meaningful Use the Role of Health Information Exchange (HIE)

HIMSS Interoperability Showcase 2011

Impact of Meaningful Use and Healthcare Transformation On Patient Access

State of New Hampshire. Phase 3 Converging on Solutions discussion deck Business and Technical Operations Workgroup. July 20, 2010

Privacy and Security Challenges of Meaningful Use

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc.

Electronic Communication In Your Practice. How To Use & Mobile Devices While Maintaining Compliance & Security

REGULATORY CHANGES DEMAND AN ENTERPRISE-WIDE APPROACH TO DISCLOSURE MANAGEMENT OF PHI

Privacy and Security: Meaningful Use in Healthcare Organizations

The HITECH Act: Implications to HIPAA Covered Entities and Business Associates. Linn F. Freedman, Esq.

Navigating the Trends in Health Care Today. MEDITECH Solutions for Meaningful Use and Interoperability

Office of Medical Assistance Programs. Health Information Technology Initiative. Health Information Exchange Support

Sunday March 30, 2014, 9am noon HCCA Conference, San Diego

Meaningful Use Stage 2 (MU2): The Patient Portal and its Value for Increased Patient Engagement

ConnectVirginia EXCHANGE Onboarding and Certification Guide. Version 1.4

Community Behavioral Health. PW 0214 Executive Summary

Risk and Opportunities in EMR Technology

EHR Incentive Program Stage 3 Objectives & Measures Crosswalk of Stage 3 Proposed Objectives, Measures & Corresponding Stage 2 Measures

Physician Champions David C. Kibbe, MD, & Daniel Mongiardo, MD FAQ Responses

Raj Chaudhary, PE, CGEIT Partner, Crowe Horwath LLP. Chris Reffkin, CISSP Manager, Crowe Horwath LLP

The Do s and Don ts of Medical Device integration

Appendix B: Existing Guidance to Support HIE Implementation Opportunities

Interoperability: White Paper. Introduction. PointClickCare Interoperability January 2014

Interim Final Rule on Standards, Implementation Specifications, and Certification Criteria

SECURITY RISK ASSESSMENT SUMMARY

Straight from the Source: HHS Tools for Avoiding Some of the Biggest HIPAA Mistakes

EHR Incentive Program Updates. Jason Felts, MS HIT Practice Advisor

Privacy and Security Meaningful Use Requirement HIPAA Readiness Review

West Virginia Meaningful Use Registration System Instructions

CHIS, Inc. Privacy General Guidelines

How to use the Alertsec Service to Achieve HIPAA Compliance for Your Organization

Medicaid EHR Incentive Program. Focus on Stage 2. Kim Davis-Allen, Outreach Coordinator

VASCO: Compliant Digital Identity Protection for Healthcare

Direct Secure Messaging: Improving the Secure and Interoperable Exchange of Health Information

How To Improve Health Information Exchange

Managing Privacy and Security Challenges of Patient EHR Portals

Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use

Health Informa.on Technology Audits: "Meaningful Use" and HIPAA. January 23, 2015 Eli Poliakoff Gary Capps

Meaningful Use Update Eligible Professionals. December 2011

Managing the Privacy and Security of Patient Portals

Carolyn P. Hartley, MLA President, CEO Physicians EHR, Inc

Meaningful Use Audits. NextGen Physician Consulting Services

Business Associate Considerations for the HIE Under the Omnibus Final Rule

MicroMD EMR version 7.6

Nine Network Considerations in the New HIPAA Landscape

ILHIE Direct Secure Messaging Solution

The National Health Information Network & its Implications for a National Rare Disease Patient Registry/case study Dan Russler

How To Improve Health Care Quality

AT&T Healthcare Community Online - Enabling Greater Access with Stronger Security

Health Homes Implementation Series: NYeC Privacy and Security Toolkit. 16 February 2012

ITUS Med Solutions. HITECH & HIPAA Compliance Guide

Expanded Support for Medicaid Health Information Exchanges

Engage Mobile Security Whitepaper

Information Protection Framework: Data Security Compliance and Today s Healthcare Industry

MICROMD EMR VERSION OBJECTIVE MEASURE CALCULATIONS

NATIONAL HEALTH POLICY FORUM. January 2010

HIPAA: Protecting Your. Ericka L. Adler. Practice and Your Patients

Indiana Council of Community Mental Health Centers. October 14, 2013

The Patient Portal Ecosystem: Engaging Patients while Protecting Privacy and Security

Getting Hip to the HIPAA and HITECH Act Compliance

Faculty Disclosure. Pharmacist Learning Objectives. Pharmacy e-hit: The Future of Pharmacy and Patient Care

Enabling Patients Decision Making Power: A Meaningful Use Outcome. Lindsey Mongold, MHA HIT Practice Advisor Oklahoma Foundation for Medical Quality

Health Care - Meaningful Use of HITECH

Meaningful Use Stage 2 Administrator Training

Stage 2 Meaningful Use What the Future Holds. Lindsey Wiley, MHA HIT Manager Oklahoma Foundation for Medical Quality

Participating in a Health Information Exchange (HIE) Many Faces of Community Health /27/11 Greg Linden

Are You Prepared for a HIPAA Audit? 7 Steps to Security Readiness GUIDE BOOK

Security Compliance, Vendor Questions, a Word on Encryption

Secure & File Transfer Practices in Healthcare 2014 / Sponsored by DataMotion

Essential Skills for Business Analysts in the Healthcare Domain

Patient Controlled Health Records Standards and Technical Track

Transcription:

HIPAA for HIT and EHRs Latest on Meaningful Use and EHR Certification: For Privacy and Security Professionals Donald Bechtel, CHP Siemens Health Services Patient Privacy Officer

Fair Information Practices Fair Information Practices (FIP) as a Privacy Framework Code of Fair Information Practices was first developed in the early 1970s by Department Health, Education, and Welfare, now known as Department of Health and Human Services (DHHS) HIPAA Privacy Rules were built on the foundation of FIP Meaningful Use requires that EP and EH must comply with HIPAA privacy and security requirements ONC Adopted the FIP for the Nationwide Health Information Network HIT Policy Committee recommends FIP - to build public trust and participation in health information technology and electronic health information exchange. Individual Access Correction Openness and Transparency Individual Choice or Right to Informed Consent Collection, Use, and Disclosure Limitation Data Quality and Integrity Security Safeguards Accountability Availability Page 3

ONC s EHR Standards, Implementation Specifications, and Certification Criteria Final Rule versus HIPAA Identified nine privacy and security criteria for a certified EHR System 170.302(o) Access Controls - Unique User ID and Tracking 170.302(p) Emergency Access 170.302(q) Automatic Log-off 170.302(r) Audit Log (stronger than HIPAA specific content) 170.302(s) Integrity (stronger than HIPAA requires hashing standard) 170.302(t) Authentication 170.302(u) General Encryption (stronger than HIPAA required method) 170.302(v) Encryption when Exchanging ehi (stronger than HIPAA required) 170.302(w) Accounting of Disclosures (Optional for Stage 1) These also tie very well with HIPAA Security Safeguards New NIST test scripts version 1.1 were recently issued Page 4

Protect Electronic Health Information Access Controls vs Data Controls Access Controls, User ID and Passwords (authentication of user) Policies and procedures to assign and remove user IDs Page 5 Termination procedures executed immediately Policies and procedures for strong password requirements Policies and procedures to designate and maintain user authorizations Optionally support for tokens or smart cards User authentications procedures through global logon to authorized apps Network access controls Firewalls, routers, etc. Environmental security controls Restricted access to users and applications Vendor s application in-depth security controls Data at Rest restricted access controls Optionally encryption based on risk assessments Data in transit must be encrypted, including private point-to-point lines Audit logs capture and report information, detection and alerts

Connectivity User and System Authentication (trusted trading partners) Cross enterprise access controls Individual identification remains a key concern Trading Partner Agreements or other contracts between organizations Should help to spell out controls for interconnectivity and authentication HISPs, HIOs (a.k.a. HIEs) RHIOs, etc will need to develop these agreements and define the methods that they will support. As with HIPAA today, ensure that all entities are protecting data equally, and are only using and disclosing health information as permitted With the new HITECH rules it is now clear that Business Associations when in possession of PHI must protect it with the same safeguards as a Covered Entity. Sending encrypted email and documents has challenges NHIN and NHIN Direct are working on these issues Page 6

Sharing documents (individually identifiable health information) What information should be sent for minimum necessary OCR to issue Guidelines (still pending) Should rely on standards like HL7 and CDA Templates and others where available Medication list, Allergy List, Vital Signs, Lab Results, Submission to Immunization Registries, Public Health Surveillance Ensure that the information is protected when sent (encrypted) Will patient consent be required for Stage I documents? Currently, under HIPAA guidelines the above reports should not require consent, when sent in the context of treatment, payment, or healthcare operations More guidance on consent may come from the HIT Policy Committee We must know the entity requesting data and be able to authenticate them Page 7

Role of the Provider Implement the necessary policies and procedures to maintain an EHR system EHR systems provide the tools to preserve data privacy and security, but they won t work without the provider s policies and procedures to enable them. For things like: Access controls Authorizations Identity management Patient consent management And so on Page 8

Page 9 Questions

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information