WHITEC Services Group Overview
• Team of experienced health IT specialists with broad vendor knowledge
• Federally designated to assist primary care providers; now expanding services to specialty providers across the country
• Have helped more than 800 providers achieve meaningful use and earn incentives
• Recommended provider of Virtual Security Risk Assessments for RevolutionEHR
WHITEC Services Group | www.whitec.org

Overview of HIPAA and HITECH
• 1996: HIPAA passed by Congress
• 2003: Privacy Rule went into effect
• 2005: Security Rule went into effect
• 2009: HITECH enacted as part of ARRA
  • CMS EHR Incentive Programs
  • Significant changes to HIPAA
• 2013: HIPAA/HITECH Omnibus Final Rule published
  • Business Associates, Breach Notification

HITECH: Catalyst for Transformation
• Pre 2009: Paper records. A system plagued by inefficiencies
• 2009: HITECH Act. EHR Incentive Program and 62 Regional Extension Centers
• 2014: EHRs & HIE. Widespread adoption and meaningful use of EHRs

Meaningful Use: Path to better outcomes and quality
• Stage 1: Data capture and sharing
• Stage 2: Advanced clinical processes
• Stage 3: Improved outcomes

• Better clinical outcomes
• Improved population health outcomes
• Increased transparency and efficiency
• Empowered individuals
• More robust research data on health system

Meaningful Use is…
Using certified EHR technology¹ to:
1. Improve quality, safety and efficiency
2. Engage patients and families
3. Improve care coordination
4. Improve public and population health
5. *Ensure privacy & security for personal health information*

¹ Certification as defined by ONC-Authorized Testing and Certification Body (ONC-ATCB). For more information on certified EHRs and the process of certification, visit http://onc-chpl.force.com/ehrcert.

MU and Privacy & Security Core Measure (Stage 1): Protect Electronic Health Information
• Objective: Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.
• Measure: Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.
• Exclusion: No exclusion.
Source: Stage 1 EHR Meaningful Use Specification Sheets for Eligible Providers: http://www.cms.gov/EHRIncentivePrograms/30_Meaningful_Use.asp#BOOKMARK4

MU and Privacy & Security Core Measure (Stage 2): Protect Electronic Health Information
• Objective: Protect electronic health information created or maintained by the certified EHR technology (CEHRT) through the implementation of appropriate technical capabilities.
• Measure: Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), including addressing the encryption/security of data stored in CEHRT in accordance with requirements under 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.
• Exclusion: No exclusion.

HIPAA Security Risk Analysis
• Under the Administrative safeguards:
  • §164.308(a)(1)(ii)(A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity
  • §164.308(a)(1)(ii)(A) Risk management (Required). Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with §164.306(a)

MU EHR Security Risk Analysis
• Evaluate security vulnerabilities associated with an EHR and focus on meeting federal HIPAA requirements
• Rank threats and vulnerabilities and identify your most significant risks
• Develop an action plan to mitigate top risks and document progress
• SRA needs to be completed every year of participation in the EHR Incentive Program

Preparing for MU Audits
• Happening for both Medicare and Medicaid EHR Incentive programs
• At minimum 5% of EPs are being audited
• If you are unable to support attestation you may be required to return incentive payment
• Alternately, you may be audited prior to release of payment

MU Audit-Required Documentation
• Need to maintain documentation for:
  • Proof of Eligibility
  • Each core and menu measure
    • In some cases proving system configuration
  • Each CQM measure
  • Security Risk Assessment
    • Identified Risks
    • Risk Mitigation plans