EHR & HIPAA Managing Compliance & Progress. Agenda. Federal EHR Imperatives & Achieving Meaningful Use. EHR & HIPAA: Managing Compliance & Progress

Transcription

1 EHR & HIPAA Managing Compliance & Progress Presented by Rodney Walsh, Senior Managing Consultant May 20, 2010 Agenda Federal EHR imperatives Certification & meaningful use Management of EHR upgrades & acquisitions Impact of key changes to HIPAA Security solutions Federal EHR Imperatives & Achieving Meaningful Use 1

2 Stimulus Bill - EHR Funding 2009 Stimulus Act (ARRA) $2 billion to Office of National Coordinator for Health Information Technology (ONCHIT) to implement Health Information Technology for Economic & Clinical Health Act (HITECH) for electronic health records (EHR) 53 pages of details in bill EHR for each person in the US by 2014 Nationwide HIT infrastructure EHR Proposed Regulations EHR funding for PPS hospitals, CAHs & physicians is paid only after provider Is meaningful user (MU), Of certified EHR technology Proposed regulations published January 13, 2010, to define both terms Comments were accepted through March 15, 2010 EHR Adoption Rate Healthcare Information & Management Systems Society (HIMSS) EMR Adoption Model - 8 stages, 0 to 7 Q % of hospitals at Stages 0 to 3 Q improvement % Average score All hospitals CAH % improvement per year will not get us there 2

3 Phasing of MU Criteria National Goals vs. Reality Enable health reform Focus on health outcomes, not software Feasibility Balance urgency of health reform with calendar time needed to implement HIT Starting from low adoption rate Sensitive to under-resourced practices, e.g., small practices, community health centers, rural settings HIT essential to achieving health reform in all settings Recovery Act provisions Timelines fixed (2015, ) Funding rules defined (front-loaded incentives) 7 EHR - Moving Target The Secretary shall seek to improve the use of EHR & health care quality over time by requiring more stringent measures of meaningful use selected under this paragraph HIT - Enabled Health Reform Achieving Meaningful Use HIT- Enabled Health Reform HITECH Policies 2011 Meaningful Use Criteria (Capture/share data) 2013 Meaningful Use Criteria (Advanced care processes with decision support) 2015 Meaningful Use Criteria (Improved outcomes) 3

4 Qualifying for Incentives Part One: Certified Systems EHR Technology Certification Section 3001(c)(5) of HITECH provisions grant NCHIT authority to establish certification process (NPRM in March 10, 2010 Federal Register) Intent is to provide assurance to purchasers that EHR system/module is capable of meeting meaningful use criteria NPRM establishes steps to Authorize organizations to become certifying bodies Allow EHR vendors to have systems certified against MU criteria EHR Technology Certification ONC is consulting with NIST on development of two proposed certification programs Temporary certification process ONC will authorize organizations to test & certify EHRs & ERH modules To assure availability of certified systems prior to compliance date Permanent certification process More comprehensive/will replace temporary process Establish requirements related to surveillance of certified EHRs Certify other types of HIT besides EHRs & EHR modules 4

5 Certification Testing - NIST Test Method Rollout Schedule - MU Requirements General Criteria (302); Ambulatory (304); Inpatient (306) Qualifying for Incentives Part Two: Demonstrate Meaningful Use 5

6 Demonstrating Meaningful Use Under HITECH, EP or eligible hospital is considered meaningful EHR user if they Demonstrate use of certified EHR technology in meaningful manner Demonstrate certified EHR technology is connected in manner providing for electronic exchange of health information to improve quality of health care, such as promoting care coordination Using its certified EHR technology submits information on specified clinical quality measures & other measures Achieving Meaningful Use Hospitals must meet 23 objectives to demonstrate meaningful use Attest to compliance during continuous 90-day period during first year, starting in federal fiscal year 2011 (on or after 10/1/10) Must be in compliance for full year in subsequent years Achieving Meaningful Use For Year 1 Medicaid payment Must have installed technology, but do not have to be meaningful user Must be meaningful user for subsequent Medicaid payments Must be meaningful user for ALL Medicare payments Hospitals & physicians must keep documentation supporting their demonstration of meaningful use for 10 years 6

7 Achieving Meaningful Use Physicians & other professionals must meet 25 objectives Compliance measured based on calendar year, starting in continuous days of compliance in first year, full-year compliance thereafter Achieving Meaningful Use Meaningful use stages criteria Payment yrs st payment yr Stage 2 & 3 criteria yet to be defined, but will be significantly more stringent Registration of Meaningful Use Centers for Medicare & Medicaid Services is expanding its current Medicare provider enrollment system to make it easier for physicians to register to receive meaningful use incentives Awarded $1.6 million contract to develop necessary additional functions for Provider Enrollment Chain Ownership System (PECOS), which manages, tracks & validates enrollment of providers & suppliers in Medicare program Physicians & hospitals must attest they have met requirements for meaningful use of electronic health records for 90 days to qualify for incentives available in 2011 Modification of PECOS system will take about 10 months 7

8 Management of EHR Upgrades and/or Acquisitions Managing EHR Acquisitions and Implementations to achieve Meaningful Use Key Questions What activities will be reimbursed? How do you manage such a large project? Can your current systems & technology support EHR? What exactly do you want new HIT/EHR system to do? How do you manage selection process? How can you be sure your new HIT/EHR investment is implemented properly? Stages of Development Preliminary project stage Conceptual formulation of alternatives Evaluation of alternatives Determination of existence of needed technology Final selection of alternatives 8

9 Stages of Development Application development stage Acquisition and design of chosen path, including software configuration & software interfaces Coding Installation of hardware Testing, including parallel processing phase Post-implementation/operation stage Training Maintenance Step One: Support Process Preliminary Project Stage Category Process must be supported by management structure I/S steering committee Blend business planning, budgeting & I/S strategic planning Project team(s) Use project management tools & processes Step Two: Assess Readiness Preliminary Project Stage Category EHR readiness assessment ARRA reimbursement analysis Technical & IT infrastructure inventory Security compliance (HIPAA) & control assessment Current systems capabilities assessment Development of EHR project charter 9

10 Step Three: Document Needs Preliminary Project Stage Category EHR needs assessment/rfp development Understand current state of EHR/HIT options Define your specific needs, requirements & expectations for HIT/EHR Clearly identify system or combination of systems required to demonstrate meaningful use Develop request for proposal (RFP) or request for information (RFI) Step Four: Select Solution Preliminary Project Stage Category System selection Follow structured evaluation & selection process using needs driven metrics Perform due diligence analysis of top two vendors or suites of vendors Understand total cost of ownership (TCO) Perform implementation planning Ensure combination of systems to be acquired meets all meaningful use certification criteria Assess, negotiate & execute contracts Step Five: Manage Implementation Application Development Stage Category Project management office Implement selected solution(s) Use structured project management tools Manage project Vendors Internal staff External staff Control changes 10

11 Post-implementation Management Post-implementation/Operation Stage Category Transition to ongoing vendor & system management Demonstrate meaningful use EHR and HIPAA Compliance Business Associates Enforcement Updates Breach Other HIPAA Changes ARRA - Business Associates HIPAA privacy & security provisions now apply to Business Associates Includes notification to covered entity regarding breaches Extends to civil & criminal penalties Must be incorporated into BA agreements Annual guidance to come from HHS 11

12 ARRA - Business Associates BA definition expanded to those that provide data transmission of PHI, such as RHIO, health information exchanges Recommend - CEs perform BA risk assessment based on nature of PHI/ePHI & role of BA BA audit/security - privacy assessment BA risk ranking (amount of access to PHI, exposure) Independent assessment/sas 70 ARRA - HIPAA Enforcement Periodic HHS CE & BA compliance audits Mandatory penalties for willful neglect Violations made without knowledge $100 up to $25,000 Can apply corrective action without penalty Violations based on reasonable cause $1,000 up to $100,000 Violations due to willful neglect $10,000 up to $250,000 ARRA - HIPAA Enforcement Uncorrected willful neglect $50,000 up to $1.5 million Extends criminal penalties to individual or employee of CE State attorneys general can file civil suit on behalf of residents Effective immediately Recommend - CEs complete HIPAA gap analysis/risk assessment/ba Risk Assessment 12

13 ARRA - Breach Notification What is a breach? Unauthorized acquisition, access, use or disclosure of unsecured PHR compromises security, privacy or integrity of such PHR posing significant risk of financial, reputational or other harm to individual Requires risk assessment to determine if a breach Preempts contrary state law; does not preempt state laws with additional requirements ARRA - Breach Notification Exceptions If above is unintentional by workforce member, in good faith, within scope of employment, without further dissemination Inadvertent disclosure between authorized individuals within facility without further disclosure If employee follows policy & reports incident & follow-up investigation is performed Secured PHR ARRA - Breach Notification Notice to Commission within 10 business days of breach Patient must be notified, by first-class mail or , without unreasonable delay (max 60 days of discovery of breach) 13

14 ARRA - Breach Notification If affects 500 patients or more, must report to HHS & install toll free number Under 500 patients, maintain log, for each breach & notify HHS within 60 days after end of calendar year If 500 patients or more of a state or jurisdiction, must post to website for 90 days & report to media outlet that covers impacted patients Breach - What to Provide Brief description of what happened, including date of breach & date of discovery of breach, if known Description of types of unsecured PHR identifiable health information involved in breach (such as full name, Social Security number, date of birth, home address, account number or disability code) Breach - What to Provide Steps individuals should take to protect themselves from potential harm resulting from breach Brief description of what entity that suffered breach is doing to investigate breach, to mitigate harm & to protect against any further breaches Contact procedures for individuals to ask questions or learn additional information, which shall include toll free telephone number, address, website or postal address 14

15 ARRA - Other HIPAA Changes Accounting for disclosures Right to request restrictions Limited data sets & minimum necessary Prohibitions on sale of PHI/ePHI Marketing communications Access to EHR Opt-out of fundraising Summary We are moving toward interconnected health care system IT has been identified as key enabler Management of these Bet your Business processes & technologies is key Balance of this presentation is in that spirit Management & Compliance Model Security Management 15

16 EMR Data Theft on Rise Numbers are staggering. Nearly 220 million electronic records have been breached since January 2005, according to non-profit consumer information & advocacy organization Source: Privacy Rights Clearinghouse EMR Data Theft on Rise Data theft & other fraudulent activities related to exposure of EMR data more than doubled last year, to 7 percent in 2009, compared to 3 percent in EMRs can be so rich in sensitive data like Social Security numbers, insurance ID numbers, medical history & even payment information & are tremendously valuable to criminals Source: InformationWeek 2010 EMR Data Theft on Rise Criminals tend to use information stolen from medical records for average of 320 days vs. just 81 days for pilfered data from other sources. It takes twice as long to detect medical data fraud than with other forms of identity theft, & costs $12,100 to do so, also more than twice general average Source: InformationWeek

17 Protection & Prevention Proactive - security devices, controls & processes Approach requires technical solutions Implementation can be costly (higher overall costs in early stages) Requires management buy-in Detection & Response Reactive - highly manual Implies activity has already occurred Requires manual interaction (legal, audit, risk management, human resources, privacy) Discovery, legal & regulatory costs can be high Best Approach Protection & Prevention Detection & Response 17

18 Best Practice Approach Data Classification - Understand what data is most sensitive (contains PHI) Data Discovery & Data Flow - Know where this data resides at all points of transaction. Identify all access points & methods, to include application, server operating systems, database systems, transmission devices & all other able impact or capture PHI Risk Assessment - Understand your risk model (ISO 27000, COBIT, IIA) Best Practice Approach EHR Security Strategy & Design - Select appropriate controls based on policy, risk & where sensitive data resides Implementation - Integrate appropriate controls; manage security centrally Continuous Oversight - Audit security to constantly improve 1 - Data Classification Categorize (financial, clinical, marketing, medical history, demographics ) Classification of data to process, system & field levels Criticality & sensitivity ratings Regulatory requirements associated Identify intended data owners, custodians & users Determine retention & destruction periods 18

19 1 - Data Classification Impacts De-identification Minimum necessary requirements BA compliance with breach, privacy & security regulations Scaling incident response Data destruction policies 2 - Data Discovery & Data Flow Flow data throughout its lifecycle Identify all system, applications, databases & devices EHR touches Identify all security & control methods in place Identify ownership & responsibility for each identified touch points 19

20 3 - Risk Assessment Logical & physical security (OS, database, application, segregation of duties) Authorization & appropriateness Configuration & change management Transmissions & sharing (encryption) Include coverage of Business Associates Design Level Risk Assessments Includes scoping/id of technology Maturity assessments Penetration testing Data flow analysis BA Risk Assessment Assess risks posed by Business Associates Understand HIPAA compliance status of key Business Associates Consider services performed for hospital by BA, type of data/phi, technology employed by BA, actions performed with/on PHI Establish appropriate BA agreements 20

21 4 - EHR Security Strategy & Design Based on results of risk assessment & understanding of current environment Can your current systems & resources support EHR? Can your BA chain s current systems & resources support EHR? Buy vs. build? In or outsource? Develop short- & long-term strategy 5 - Implementation Define controls & owners Ensure methods are integrated to detect changes to these controls Include Business Associates where applicable Ensure business & privacy departments maintain oversight of project 6 - Continuous Oversight Internal/external audit of critical controls Operational effectiveness risk assessments Oversight that retention & destruction practices are followed Logs & audit trails of disclosures Penetration testing Develop processes for new EHR requirements & additions 21

22 Related Compliance Solutions IT governance Policy & procedure development SDLC/change management Incident management Encryption Business continuity planning/disaster recovery planning Red flag/pci assistance Questions/Comments Upcoming Webinar The 2009 Form 990: Year Two of the Redesigned Forms Presented by Brian Todd, BKD, LLP Wednesday, May 26, a.m. Central time For more information about this webinar or to register, visit 22

23 Thank You Rodney Walsh, CGEIT Senior Managing Consultant BKD Risk Management Group 120 W. 12 th Street, Suite 1200 Kansas City, MO