MHCC Certification of Electronic Health Networks



Similar documents
Overview of the HIPAA Security Rule

HIPAA Security Rule Compliance

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc.

HIPAA PRIVACY AND SECURITY AWARENESS

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)

Trust 9/10/2015. Why Does Privacy and Security Matter? Who Must Comply with HIPAA Rules? HIPAA Breaches, Security Risk Analysis, and Audits

Dental EDI Review. EDI Review M C H C M H C C. EDI Review. Center for Health Information Technology

Healthcare Management Service Organization Accreditation Program (MSOAP)

COMPLIANCE ALERT 10-12

BUSINESS ASSOCIATE AGREEMENT ( BAA )

White Paper THE HIPAA FINAL OMNIBUS RULE: NEW CHANGES IMPACTING BUSINESS ASSOCIATES

Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know

Type of Personal Data We Collect and How We Use It

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, :15pm 3:30pm

This form may not be modified without prior approval from the Department of Justice.

HIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist

New HIPAA regulations require action. Are you in compliance?

M E M O R A N D U M. Definitions

Electronic Communication In Your Practice. How To Use & Mobile Devices While Maintaining Compliance & Security

3/13/2015 HIPAA/HITECH WHAT S YOUR COMPLIANCE STATUS? Daniel B. Mills Pretzel & Stouffer, Chartered WHAT IS HIPAA?

what your business needs to do about the new HIPAA rules

Introducing the NASW Updated Sample HIPAA Privacy Forms and Policies

HIPAA Awareness Training

University Healthcare Physicians Compliance and Privacy Policy

Please Read. Apgar & Associates, LLC apgarandassoc.com P. O. Box Portland, OR Fax

SCDA and SCDA Member Benefits Group

Direct Secure Messaging: Improving the Secure and Interoperable Exchange of Health Information

Nine Network Considerations in the New HIPAA Landscape

CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy

HIPAA and HITECH Compliance for Cloud Applications

HIPAA and the HITECH Act Privacy and Security of Health Information in 2009

Privacy Officer Job Description 4/28/2014. HIPAA Privacy Officer Orientation. Cathy Montgomery, RN. Presented by:

HIPAA Security Education. Updated May 2016

Ethics, Privilege, and Practical Issues in Cloud Computing, Privacy, and Data Protection: HIPAA February 13, 2015

HIPAA Compliance Guide

12/19/2014. HIPAA More Important Than You Realize. Administrative Simplification Privacy Rule Security Rule

HIPAA 203: Security. An Introduction to the Draft HIPAA Security Regulations

Lessons Learned from HIPAA Audits

HIPAA Compliance for Students

Business Associate Agreement (BAA) Guidance

Privacy & Security Matters: Protecting Personal Data. Privacy & Security Project

HIPAA Compliance: Are you prepared for the new regulatory changes?

Statement of Policy. Reason for Policy

The HITECH Act: Implications to HIPAA Covered Entities and Business Associates. Linn F. Freedman, Esq.

Isaac Willett April 5, 2011

Introduction. Purpose. Reference. Applicability. HIPAA Policy 7.1. Safeguards to Protect the Privacy of PHI

2/9/ HIPAA Privacy and Security Audit Readiness. Table of contents

The Basics of HIPAA Privacy and Security and HITECH

Enclosure. Dear Vendor,

HIPAA Summit. March 10, Phyllis A. Patrick, MBA, FACHE, CHC Phyllis A. Patrick & Associates LLC

New HIPAA Breach Notification Rule: Know Your Responsibilities. Loudoun Medical Group Spring 2010

My Docs Online HIPAA Compliance

Business Associates, HITECH & the Omnibus HIPAA Final Rule

CYBERSECURITY: THREATS, SOLUTIONS AND PROTECTION. Robert N. Young, Director Carruthers & Roth, P.A. rny@crlaw.com Phone: (336)

HIPAA Security. Jeanne Smythe, UNC-CH Jack McCoy, ECU Chad Bebout, UNC-CH Doug Brown, UNC-CH

SECURE EDI ENROLLMENT AGREEMENT INSTRUCTIONS. Select if this is a new application, change of submitter, update.

Infinedi HIPAA Business Associate Agreement RECITALS SAMPLE

HIPAA for HIT and EHRs. Latest on Meaningful Use and EHR Certification: For Privacy and Security Professionals

HIPAA/HITECH Act Implementation Guidance for Microsoft Office 365 and Microsoft Dynamics CRM Online

Richard Gadsden Information Security Office Office of the CIO Information Services

Nationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011

BUSINESS ASSOCIATE AGREEMENT

HIPAA Update. Presented by: Melissa M. Zambri. June 25, 2014

The Health Insurance Portability and Accountability Act - HIPAA - Using BeAnywhere on a HIPAA context

By Ross C. D Emanuele, John T. Soshnik, and Kari Bomash, Dorsey & Whitney LLP Minneapolis, MN

HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What?

Data Breach, Electronic Health Records and Healthcare Reform

HIPAA and Mental Health Privacy:

Business Associate Agreement

How to Use the NYeC Privacy and Security Toolkit V 1.1

HIPAA Audits: How to Be Prepared. Lindsey Wiley, MHA, CHTS-IM, CHTS-TS HIT Manager Oklahoma Foundation for Medical Quality

Transcription:

1 MHCC Certification of Electronic Health Networks

Overview This presentation is designed to assist EHNs by providing information regarding: What is an EHN? EHN Certification Regulations About the EHN Certification Process Steps to Certification and Renewal Certification standards, including Privacy & Confidentiality, Security, Technical Performance, and Business Processes Additional Notifications 2

What is an EHN? An Electronic Health Network (EHN) is defined by Maryland COMAR 10.25.07.02 as an entity involved in the exchange of electronic health care transactions between electronic health networks, payors, providers, vendors, or other entities. 3 Electronic health care transactions means health care transactions that have been approved by a nationally recognized health care standards development organization to support health care informatics, information exchange, systems integration, and other health care applications. Additional information is available at: http://www.dsd.state.md.us/comar/subtitlesearch.aspx?search=10.25.07.*

EHN Regulation COMAR 10.25.07, Certification of Electronic Health Networks and Medical Care Electronic Claims Clearinghouses, states that the Maryland Health Care Commission (MHCC) is responsible for certifying all electronic health networks (EHNs) and medical care electronic claims clearinghouses operating in Maryland Payers that accept electronic health care transactions originating in Maryland may only accept electronic transactions from EHNs or medical care electronic claims clearinghouses that obtain MHCC certification 4

EHN Regulation (cont) If a payer is notified that an EHN is not certified, the payer has 60 calendar days to ensure that the EHN becomes certified in that time period or to contract with a different EHN. If the payer does not comply with this regulation, they are liable for a monetary penalty of $1,000 per day. For substantial reasons shown, the Commission may suspend, reduce, or waive any penalty imposed under this chapter. The regulations are located at: http://www.dsd.state.md.us/comar/subtitlesearch.aspx?search=10.25.07 & http://www.dsd.state.md.us/comar/subtitlesearch.aspx?search=10.25.09.* 5

About EHN Certification The initial EHN-certification, and the subsequent renewal of certification, is valid for two years from the date of certification To obtain certification, the EHN must provide documentation to the MHCC that it is accredited or certified by a qualified accreditation or certification organization such as the Electronic Healthcare Network Accreditation Commission (EHNAC) or an organization recognized by the MHCC that has established standards of quality 6

Steps to Certification/Recertification Step 1: Complete the MHCC s EHN Certification/Recertification Application Step 2: Provide documentation that the EHN has received Nationally Qualified Accreditation or Certification Step 3: Submit applicable fees 7

Step 1: The MHCC EHN Application All EHNs applying for Certification/Recertification must complete an application and submit responses to the MHCC for review. The application may be found online at: http://mhcc.maryland.gov/mhcc/pages/hit/hit_ehn/documents/ehn_certification_recertification _Appl.pdf The completed application should be submitted to the MHCC by e-mail at: EHN.Certification@maryland.gov 8

Step 2: National Accreditation EHNs must provide documentation of national accreditation by an organization such as EHNAC. Documentation includes: 1.) responses to the EHNAC self-assessment manual, and 2.) the EHNAC site visit scoring sheet. Documentation must be submitted by one of the following methods: Email the documents to EHN.Certification@maryland.gov. Multiple emails up to 15MB may be sent as needed. 9 The applicant may choose to submit documents online through a LogMeIn account. Please contact the MHCC by email at EHNCertificaton@maryland.gov to receive a password in order to upload documents. The EHN may choose to send a CD to the MHCC. The CD will be uploaded to the MHCC s network and destroyed. If interested in mailing a CD, contact the MHCC at: EHN.Certification@maryland.gov

Step 2: National Accreditation (cont) If the EHN chooses to use a qualified accreditation or certification organization other than EHNAC, the EHN must submit documents that show the network complies with established standards of qualify for electronic health networks and has received either accreditation or certification that meets these standards. 10 If an EHN chooses to use a network other than EHNAC, the MHCC should be contacted at EHN.Certification@maryland.gov for further instructions. Once accreditation has been obtained from a nationally recognized body, the EHN has approximately 2 weeks to submit supporting documents to the MHCC for review.

Step 3: Applicable Fees 11 Per Maryland regulation, the MHCC is required to charge a processing fee for EHN Certification/Recertification. Application Fee Schedule # of Operating Sites Initial Fees Renewal Fees EHN with One Operating Site EHN with Multiple Operating Sites $400 $250 $400 + $200 for each additional site $250 + $125 for each additional site All checks should be submitted to: Bridget Zombro, Director of Administration Maryland Health Care Commission 4160 Patterson Avenue Baltimore, MD 21215

Awarding Certification The MHCC will review all documents submitted by the EHN and will award certification if the EHN s submission is complete. MHCC EHN Certification is valid for 2 years. 12

Timeline & Extension Requests 13 The MHCC will contact the EHN to initiate the recertification process roughly four months in advance of the certification expiration date. In the event of extenuating circumstances, the EHN may request an extension from the MHCC for the application renewal by submitting a request to the MHCC at least 15 days prior to the application due date. Extension requests must include reasons for the extension and a proposed submission date. The MHCC will review extension requests and will respond to the EHN by email.

Certification Standards There are four criteria categories used to determine EHNAC certification. The criteria include standards that cover the following: Privacy and Confidentiality Security Technical Performance Business Process 14 Additional information regarding EHNAC can be found at: http://www.ehnac.org/

Privacy and Confidentiality Assure compliance with HIPAA Privacy Rules Utilize appropriate administrative, technical and physical safeguards relating to the confidentiality of protected health care information (PHI) Implement the proper confidentiality agreements with partners 15

Security Criteria Promote compliance with the HIPAA Security Rule Ensure confidentiality, integrity and availability of electronic PHI Prepare against threats and vulnerabilities Put in place proper authentication and audit controls Employ encryption of electronic PHI 16

Technical Process Criteria Utilization of appropriate communication messages and electronic records 17 Implement measures for capacity monitoring and planning

Business Process Criteria 18 Provide proper education and training for employees Promote effective customer communication

Additional Notifications Under COMAR 10.25.07, EHNs are required to notify the MHCC for the following reasons: 19 Reason for Notification Closure, sale, lease, assignment, or transfer of an MHCC certified EHN to any other person or entity. Change of address Organizational name change Use of an accreditation or certification from a qualified body other than EHNAC Notice Required by MHCC At least 30 days At least 60 days At least 60 days Prior to submission of MHCC certification application

Questions? 20 Contact: The Maryland Health Care Commission Center for Health Information Technology Phone: (410) 764-3460 Fax: (410) 358-1236 E-mail: EHN.Certification@maryland.gov mhcc.maryland.gov