Protecting Health Information And Clinical Decision Support Starts on 1 Day Brenda Simms RN, BSN


Page 1

Protecting Health Information And

Clinical Decision Support Starts on 1 Day

Brenda Simms RN, BSN

Page 2

Speaker Biography

› Brenda Simms, RN, BSN, CHTS-CP, CMAP

Brenda Simms is a Clinical Informatics Specialist at ILHITREC. She works with physicians, practice managers, clinical staff, billing representatives and EHR vendors to plan, coordinate and implement an electronic health record (EHR) system, and assists practices with workflow redesign and the development of required quality reporting. Brenda also worked for a time with the Central Illinois Health Information Exchange (CIHIE) to facilitate the implementation and effective adoption of HIE. Brenda has added the role of Quality Improvement Analyst (QIA) with the Great Lakes Practice Transformation Network (GLPTN), working with practices in Illinois to transform clinical practice and prepare for the move to value-based payment models and MACRA. Brenda is a member of HIMSS, AHIMA and IRHA.

Page 3

Illinois Health Information Technology Regional Extension Center (ILHITREC)

› SUPPORT PROVIDED BY ILHITREC:

› ILHITREC is under contract with the Illinois Department of Healthcare and Family Services (HFS) to provide education, outreach and support to Medicaid providers for the Electronic Health Record Medicaid Incentive Payment Program (eMIPP). ILHITREC partners with the Illinois Critical Access Hospital Network (ICAHN) and the Central Illinois Health Information Exchange (CIHIE) in this mission and collaborates with the Chicago Health Information Technology Regional Extension Center, based at Northwestern University, which serves the City of Chicago.

Page 4

Learning Objectives

› Review PI Objective 1 – Protecting Patient Information
› Define what a Security Risk Analysis (SRA) is
› Discuss the importance of a Security Risk Analysis
› Review PI Objective 3 – Clinical Decision Support (CDS)

Page 5

Protect Patient Health Information

Objective 1

Page 6

HIPAA Basics

The Health Insurance Portability and Accountability Act (HIPAA) of 1996

› Main federal law that protects the privacy and security of individually identifiable health information
– The HIPAA Privacy Rule covers protected health information (PHI)
– The HIPAA Security Rule covers electronic protected health information (ePHI)
– Protects patient privacy whether records are on paper or electronic
– Practices are required to follow all applicable federal, state and local laws
– The PI Program's Objective 1 requirement is separate from, and does not replace, your practice's obligations under HIPAA

Page 7

Regulatory Agencies

› US Department of Health & Human Services (HHS)
› The Office of the National Coordinator for Health Information Technology (ONC)
› The Office for Civil Rights (OCR)

Page 8

Objective 1 – Protect Patient Health Information

Objective: Protect electronic protected health information (ePHI) created or maintained by the CEHRT through the implementation of appropriate technical capabilities

Measure: Conduct or review a security risk analysis in accordance with the requirements in 45 CFR 164.308(a)(1)

Include:
– Addressing the security (including encryption) of ePHI created or maintained by CEHRT
– Implement security updates as necessary
– Correct identified security deficiencies as part of the EP's risk management process
– Referenced CEHRT elements:
  › 45 CFR 164.312(a)(2)(iv) – encryption and decryption of ePHI (an addressable implementation specification)
  › 45 CFR 164.306(d)(3) – how addressable specifications are handled: implement the measure if reasonable and appropriate, otherwise document why not and implement an equivalent alternative measure where reasonable and appropriate
– Remember – Starting in 2019, EPs must be on the 2015 Edition CEHRT
– https://www.healthit.gov/topic/certification-ehrs/2015-edition

Page 9

Objective 1 – Protect Patient Health Information

Attestation Requirements: Yes or No

› Eligible Professionals (EPs) must attest YES to:
– Conducting or reviewing a Security Risk Analysis (SRA)
– Implementing security updates as necessary
– Correcting identified security deficiencies
› There are no exclusions for this measure
› Attesting NO fails the measure

› Change from 2018 standards to 2019 standards
– EP must be on the 2015 Edition CEHRT to be eligible

Page 10

Objective 1 – Protect Patient Health Information

Additional Information:
› An analysis must be done upon installation of, or upgrade to, a new system
› A review must be conducted to cover each EHR reporting period
› Security updates and deficiencies that are identified should be included in the provider's risk management process and implemented or corrected as dictated by that process
– It is acceptable to conduct the review outside of the EHR reporting period, but it must be unique to each reporting period and its scope must cover the entire reporting period
– It must be conducted within the calendar year of the EHR reporting period (January 1 – December 31)

Page 11

5 Basic Steps of Risk Management

Source: Journal of Epidemiology Preventive Medicine

Page 12

10 Points

1. Set privacy & security risk management & governance programs in place (45 CFR §164.308(a)(1))

2. Develop & implement HIPAA privacy, security & breach notification policies & procedures (45 CFR §164.530 and 45 CFR §164.316)

3. Train all members of the workforce (45 CFR §164.530(b) and 45 CFR §164.308(a)(5))

4. Complete HIPAA security risk analysis (45 CFR §164.308(a)(1)(ii)(A))

5. Complete HIPAA security risk management (45 CFR §164.308(a)(1)(ii)(B))

6. Complete HIPAA security evaluation (e.g. "compliance assessment") (45 CFR §164.308(a)(8))

Page 13

10 Points (continued)

7. Complete technical testing of your environment (45 CFR §164.308(a)(8) requires a periodic technical and nontechnical evaluation)

8. Implement a strong, proactive Business Associate management program (45 CFR §164.502(e) and 45 CFR §164.308(b))

9. Complete Privacy Rule & Breach Rule compliance assessments (45 CFR §164.530 and 45 CFR §164.400)

10. Document & act upon the remediation plan (45 CFR §164.530(c) & 45 CFR §164.306(a))

Additional Consideration: Vulnerability Assessment & Penetration Testing

Page 14

Business Associate Agreement (BAA)

What is a Business Associate?

A "business associate" is a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information.

What is a Business Associate Contract/Agreement?

A business associate contract, or business associate agreement, is a written arrangement that specifies each party's responsibilities when it comes to PHI.

A Business Associate is required to comply with the HIPAA rules.

Page 15

Security Rule Requirements

Page 16

ONC Security Risk Assessment Tool

Recommendation

Page 17

Security Risk Assessment Tool

› The tool is designed to help small to medium size entities and business associates conduct and document an SRA.

› The tool runs on your computer and does not transmit information to HHS, ONC or the Office for Civil Rights.

› Sections of the SRA Tool:
– Section 1: Security Risk Assessment (SRA) Basics (security management process)
– Section 2: Security Policies, Procedures & Documentation (defining policies & procedures)
– Section 3: Security & Your Workforce (defining/managing access to systems and workforce training)
– Section 4: Security & Your Data (technical security procedures)
– Section 5: Security & Your Practice (physical security procedures)
– Section 6: Security & Your Vendors (business associate agreements and vendor access to PHI)
– Section 7: Contingency Planning (backups and data recovery plans)

https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool

Page 18

Disclaimer

Page 19

ONC Security Risk Assessment (SRA) Tool
https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment

Page 20

SRA Tool

Page 21

Set Up Practice Account

Page 22

Page 23

Vendor Information

Page 24

Completing an Assessment

Page 25

Threat & Vulnerability Rating

Page 26

Potential Threat Level

Page 27

Section Summary

Page 28

Security Risk Assessment Summary

Page 29

Risk Report

Page 30

Detailed Report
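The rating and report slides above (Threat & Vulnerability Rating, Potential Threat Level, Risk Report, Detailed Report) and point 10 of the 10-point list (document and act upon the remediation plan) describe one loop: rate each threat/vulnerability pair on an asset holding ePHI, rank the results, and track remediation until the item is closed. The Python below is an added example written for this page; it is not code from the presentation or from the ONC SRA Tool. It shows the mechanics of that loop on a constructed set of findings. The three-level scale, the matrix thresholds, the field names and the sample findings are assumptions, not the tool's own.

```python
"""Risk register in the style of a HIPAA security risk analysis (SRA).

Each finding pairs an asset holding ePHI with a threat and the vulnerability
that threat could exploit, rates likelihood and impact on a three-level scale,
and derives a qualitative risk level from a likelihood x impact matrix.  Two
reports follow: findings ranked by risk, and the remediation items still open
(the risk management step, 45 CFR 164.308(a)(1)(ii)(B)).

Added illustration, not the ONC SRA Tool's code.  The scale, the matrix
thresholds, the field names and the sample findings are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

RATING = {"low": 1, "medium": 2, "high": 3}   # assumed three-level scale


@dataclass
class Finding:
    asset: str
    threat: str
    vulnerability: str
    likelihood: str            # "low" | "medium" | "high"
    impact: str                # "low" | "medium" | "high"
    safeguard: str = ""        # existing or planned control
    status: str = "open"       # "open" | "in_progress" | "closed"
    owner: str = ""
    due: Optional[date] = None


def risk_score(likelihood: str, impact: str) -> int:
    """Numeric score 1..9.  An unrated or misspelt rating is rejected rather
    than silently treated as low: an unrated item is a gap in the SRA."""
    try:
        return RATING[likelihood.lower()] * RATING[impact.lower()]
    except KeyError as exc:
        raise ValueError(f"unknown rating {exc.args[0]!r}; use low/medium/high") from None


def risk_level(likelihood: str, impact: str) -> str:
    """Map the score back onto the qualitative scale.
    Assumed matrix: 1-2 low, 3-4 medium (e.g. low x high), 6-9 high."""
    score = risk_score(likelihood, impact)
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def ranked(findings):
    """Risk report: highest score first, closed items last."""
    return sorted(findings,
                  key=lambda f: (f.status == "closed",
                                 -risk_score(f.likelihood, f.impact)))


def summary(findings):
    """Counts per level, in the spirit of the tool's section summary."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[risk_level(f.likelihood, f.impact)] += 1
    return counts


def open_remediation(findings, as_of: date):
    """Remediation plan view: items not closed, with a past-due flag."""
    items = []
    for f in findings:
        if f.status == "closed":
            continue
        overdue = f.due is not None and f.due < as_of
        items.append((f.asset, f.vulnerability, f.owner, f.due, overdue))
    return items


# Constructed sample findings for a small practice (not real data).
SAMPLE = [
    Finding("Clinician laptops", "Theft or loss", "Local disk not encrypted",
            "medium", "high", "Enable full-disk encryption", "in_progress",
            "IT vendor", date(2019, 3, 31)),
    Finding("EHR database server", "Malware / ransomware",
            "OS security updates 6 months behind", "high", "high",
            "Monthly patch window", "open", "IT vendor", date(2019, 2, 15)),
    Finding("Nightly backups", "Hardware failure", "Restores never tested",
            "medium", "medium", "Quarterly restore test", "open",
            "Practice manager", None),
    Finding("Front-desk workstation", "Shoulder surfing",
            "Screen faces waiting room", "low", "low",
            "Privacy filter installed", "closed", "Practice manager", None),
    Finding("Billing clearinghouse", "Unauthorized disclosure",
            "No signed BAA on file", "low", "high", "Execute BAA", "open",
            "Compliance officer", date(2019, 1, 31)),
]
REVIEW_DATE = date(2019, 3, 1)   # assumed date of the review

if __name__ == "__main__":
    for f in ranked(SAMPLE):
        print(f"{risk_level(f.likelihood, f.impact):6}  {f.asset:24} "
              f"{f.vulnerability}  [{f.status}]")
    print(summary(SAMPLE))
    for asset, vuln, owner, due, overdue in open_remediation(SAMPLE, REVIEW_DATE):
        print("OVERDUE" if overdue else "open   ", asset, "->", owner, due)
```

Whatever tool produces the register, the two outputs are what an auditor asks for: a ranked list showing that every ePHI asset was considered, and a dated remediation record showing that identified deficiencies were acted on within the reporting period rather than only recorded.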

Page 31

References

› 2019 Medicaid PI Program Objective Specifications
– https://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Downloads/TableofContents_EP_Medicaid_2019.pdf

› ONC Certification Standards
– https://www.healthit.gov/topic/certification-ehrs/2015-edition

› Free ONC SRA Tool
– https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool

› SRA Tool User Guide
– https://www.healthit.gov/sites/default/files/page/2018-10/SRA_Tool_User_Guide_101518.pdf

› HHS HIPAA home page
– https://www.hhs.gov/hipaa/index.html

Page 32

Clinical Decision Support (CDS)

Objective 3

Page 33

Objective 3 – Clinical Decision Support (CDS)

Objective:

Implement clinical decision support (CDS) interventions focused on improving performance on high-priority health conditions.

Measures:

An EP must satisfy both measures for this objective through a combination of meeting the thresholds and exclusions.

Measure 1: Implement five CDS interventions related to four or more clinical quality measures (CQMs) at a relevant point in patient care for the entire EHR reporting period. Absent four CQMs related to an EP's scope of practice or patient population, the CDS interventions must be related to high-priority health conditions.

Measure 2: Enable and implement the functionality for drug-drug and drug-allergy interaction checks for the entire EHR reporting period.

Change from 2018 to 2019 specifications: at least 1 of the CQMs must be an outcome measure

Page 34

Objective 3 – Clinical Decision Support (CDS)

Definition of Terms:

CDS: Health information technology functionality that builds upon the foundation of an EHR to provide persons involved in care processes with general and person-specific information, intelligently filtered and organized, at appropriate times, to enhance health and health care.

Attestation Requirement:

Measure 1 – 170.315(a)(9) Clinical decision support (CDS)
– Requirement: Must attest "Yes" to implementing five CDS interventions related to four or more CQMs at a relevant point in patient care for the entire EHR reporting period.
– Exclusion: None

Measure 2 – 170.315(a)(4) Drug-drug, drug-allergy interaction checks for CPOE
– Requirement: EPs must attest YES to enabling and implementing the functionality for drug-drug and drug-allergy interaction checks for the entire EHR reporting period.
– Exclusion: Any EP who writes fewer than 100 medication orders during the EHR reporting period.

Page 35

Objective 3 – CDS Additional Information

› Stage 3: beginning in 2019, all EPs must be on the 2015 Edition of CEHRT
https://www.healthit.gov/topic/certification/2015-standards-hub

› Implement CDS interventions at relevant points in the clinical workflow, where the intervention can influence clinical decision making before a diagnostic or treatment action.

› May include, but is not limited to, computerized alerts and reminders for patients and families.

› The same interventions do not have to be implemented for the entire EHR reporting period, as long as the threshold of 5 is maintained throughout.

› If only limited CQMs are applicable to the EP's practice, the EP should implement the CDS interventions he/she believes will drive improvement in the delivery of care.

› Drug-drug and drug-allergy interaction alerts are separate from the 5 CDS interventions and do not count toward the 5 required for Measure 1.

Page 36

Drug to Drug / Drug to Allergy

Make sure you can identify the provider and the time frame if you are unable to obtain a vendor verification letter.

Page 37

Questions?

Contact Information:

Kerri [email protected]

Brenda [email protected]

Lauren [email protected]

[email protected]

(815) 753-5900

http://www.ilhitrec.org