Protecting Health Information And
Clinical Decision Support Starts on 1 Day
Brenda Simms RN, BSN
Speaker Biography
› Brenda Simms, RN, BSN, CHTS-CP, CMAP
Brenda Simms is a Clinical Informatics Specialist at ILHITREC. She works with physicians, practice managers, clinical staff, billing representatives and EHR vendors to successfully plan, coordinate and implement an electronic health record (EHR) system, as well as assist practices with workflow redesign and development of required quality reporting. Brenda also worked for a time with the Central Illinois Health Information Exchange (CIHIE) to facilitate the implementation and effective adoption of HIE. Brenda has added the role of Quality Improvement Analyst (QIA) with the Great Lakes Transformation Practice Network (GLTPN), working with practices in Illinois to transform clinical practices to prepare and move to Value Based Payment models and MACRA. Brenda is a member of HIMSS, AHIMA and IRHA.
Illinois Health Information Technology Regional Extension Center (ILHITREC)
› SUPPORT PROVIDED BY ILHITREC:
› ILHITREC is under contract with the Illinois Department of Health and Family Services (HFS), to provide education, outreach and support to Medicaid providers for the Electronic Health Record Medical Incentive Payment Program (eMIPP). ILHITREC partners with the Illinois Critical Access Hospital Network (ICAHN) and Central Illinois Health Information Exchange (CIHIE) for support in this mission and collaborates with the Chicago Health Information Technology Regional Extension Center based at Northwestern University which serves the City of Chicago.
Learning Objectives
› Review PI Objective 1 – Protecting Patient Information
› Define what a Security Risk Analysis (SRA) is.
› Discuss the importance of a Security Risk Analysis
› Review PI Objective 3 – Clinical Decision Support (CDS) Objective
Protect Patient Health Information – Objective 1
HIPAA Basics
The Health Insurance Portability and Accountability Act (HIPAA) of 1996
› Main federal law that protects the privacy and security of individuals' identifiable health information
– HIPAA Privacy Rule covers protected health information (PHI)
– HIPAA Security Rule covers electronic protected health information (ePHI)
– Protects patient privacy whether records are on paper or electronic
– Required to follow all applicable federal, state, and local laws
– PI Program requirements are in addition to your practice's obligations under HIPAA
Regulatory Agencies
US Department of Health & Human Services (HHS)
The Office of the National Coordinator for Health Information Technology (ONC)
The Office for Civil Rights (OCR)
Objective 1 – Protect Patient Health Information
Objective: Protect electronic protected health information (ePHI) created or maintained by the CEHRT through the implementation of appropriate technical capabilities
Measure: Conduct or review a security risk analysis in accordance with the requirements in 45 CFR 164.308(a)(1)
Include:
– Addressing the security (including encryption) of ePHI created or maintained by CEHRT
– Implement security updates as necessary
– Correct identified security deficiencies as part of the EP's risk management process
– Referenced CEHRT elements:
› 45 CFR 164.312(a)(2)(iv)
› 45 CFR 164.306(d)(3)
– Remember – starting in 2019, must be on the 2015 Edition CEHRT
– https://www.healthit.gov/topic/certification-ehrs/2015-edition
Objective 1 – Protect Patient Health Information
Attestation Requirements: Yes or No
› Eligible Professionals (EPs) must attest YES to
– Conducting or reviewing a Security Risk Analysis (SRA)
– Implementing security updates as necessary
– Correcting identified security deficiencies to meet the measure
– There are no exclusions for this measure
– Attesting NO fails the measure
› Change from 2018 Standards to 2019 Standards
– EP must be on the 2015 CEHRT Standards to be eligible
Objective 1 – Protect Patient Health Information
Additional Information:
› An analysis must be done upon installation or upgrade to a new system
› A review must be conducted to cover each reporting period
› Security updates and deficiencies that are identified should be included in the provider's risk management process and implemented or corrected as dictated by that process.
– It is acceptable to conduct the review outside of the EHR reporting period, as long as it is unique to the entire reporting period
– Must be conducted within the calendar year of the EHR reporting period (January 1 – December 31)
5 Basic Steps of Risk Management
Source: Journal of Epidemiology Preventive Medicine
10 Points
1. Set privacy & security risk management & governance programs in place (45 CFR § 164.308(a)(1))
2. Develop & implement HIPAA privacy, security, & breach notification policies & procedures (45 CFR §164.530 and 45 CFR §164.316)
3. Train all members of the workforce (45 CFR §164.530 & 45 CFR §164.316)
4. Complete HIPAA security risk analysis (45 CFR §164.530 and 45 CFR §164.316)
5. Complete HIPAA security risk management (45 CFR §164.308(a)(1)(ii)(B))
6. Complete HIPAA security evaluation (e.g. “compliance assessment”)(45 CFR § 164.308(a)(8))
7. Complete technical testing of your environment (45 CFR § 164.308(a)(8))
8. Implement strong, proactive Business Associate Management program (45 CFR §164.502(e) and 45 CFR §164.308(b))
9. Complete Privacy Rule & Breach Rule compliance assessments (45 CFR §164.530 and 45 CFR §164.400)
10. Document & act upon remediation plan (45 CFR §164.530(c) & 45 CFR §164.306(a))
Additional Consideration: Vulnerability Assessment & Penetration Testing
Business Associate Agreement (BAA)
What is a Business Associate?
A "business associate" is a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information.
What is a Business Associate Contract/Agreement?
A business associate contract, or business associate agreement, is a written arrangement that specifies each party's responsibilities when it comes to PHI.
A Business Associate is required to comply with HIPAA rules.
Security Rule Requirements
ONC Security Risk Assessment Tool
Recommendation
Security Risk Assessment Tool
› The tool is designed to help small to medium size entities and business associates conduct and document an SRA.
› The tool runs on your computer and does not transmit information to DHS, ONC or the Office for Civil Rights.
› Sections of the SRA Tool:
– Section 1: Security Risk Assessment (SRA) Basics (security management process)
– Section 2: Security Policies, Procedures, & Documentation (defining policies & procedures)
– Section 3: Security & Your Workforce (defining/managing access to systems and workforce training)
– Section 4: Security & Your Data (technical security procedures)
– Section 5: Security & Your Practice (physical security procedures)
– Section 6: Security & Your Vendors (business associate agreements and vendor access to PHI)
– Section 7: Contingency Planning (backups and data recovery plans)
https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool
Disclaimer
ONC Security Risk Assessment (SRA) Tool
https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment
SRA Tool
Set Up Practice Account
Vendor Information
Completing an Assessment
Threat & Vulnerability Rating
Potential Threat Level
Section Summary
Security Risk Assessment Summary
Risk Report
Detailed Report
References
› 2019 Medicaid PI Program Objective Specifications
– https://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Downloads/TableofContents_EP_Medicaid_2019.pdf
› ONC Certification Standards
– https://www.healthit.gov/topic/certification-ehrs/2015-edition
› Free ONC SRA Tool
– https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool
› SRA User Guide
– https://www.healthit.gov/sites/default/files/page/2018-10/SRA_Tool_User_Guide_101518.pdf
› HHS HIPAA Information
– https://www.hhs.gov/hipaa/index.html
Clinical Decision Support (CDS) – Objective 3
Objective 3 – Clinical Decision Support (CDS)
Objective:
Implement clinical decision support (CDS) interventions focused on improving performance on high-priority health conditions.
Measures:
An EP must satisfy both measures for this objective through a combination of meeting the thresholds and exclusions.
Measure 1: Implement five CDS interventions related to four or more clinical quality measures (CQMs) at a relevant point in patient care for the entire EHR reporting period. Absent four CQMs related to an EP's scope of practice or patient population, the CDS interventions must be related to high-priority health conditions.
Measure 2: Enable and implement the functionality for drug-drug and drug-allergy interaction checks for the entire EHR reporting period.
Changes from 2018 to 2019 Specifications – 1 CQM = Outcome Measure
Objective 3 – Clinical Decision Support (CDS)
Definition of Terms:
CDS: Health information technology functionality that builds upon the foundation of an EHR to provide persons involved in care processes with general and person-specific information, intelligently filtered and organized, at appropriate times, to enhance health and health care.
Attestation Requirement:
Measure 1 – 170.315(a)(9) Clinical decision support (CDS)
– Requirement: Must attest "Yes" to implementing five CDS interventions related to four or more CQMs at a relevant point in patient care for the entire EHR reporting period.
– Exclusion: None
Measure 2 – 170.315(a)(4) Drug-drug, drug-allergy interaction checks for CPOE
– Requirement: EPs must attest YES to enabling and implementing the functionality for drug-drug and drug-allergy interaction checks for the entire EHR reporting period.
– Exclusion: Any EP who writes fewer than 100 medication orders during the EHR reporting period.
Objective 3 – CDS Additional Information
› Stage 3: beginning in 2019, all EHRs must be on the 2015 Edition of CEHRT
https://www.healthit.gov/topic/certification/2015-standards-hub
› Implement CDS interventions at relevant points in the clinical workflow, when the intervention can influence clinical decision making before diagnostic or treatment action.
› May include, but is not limited to, computerized alerts and reminders for patients and families
› The same interventions do not have to be implemented for the entire EHR period as long as the threshold of 5 is maintained.
› If limited CQMs are applicable to the EP's practice, the EP should implement CDS interventions he/she believes will drive improvement in the delivery of care.
› Drug/Drug and Drug/Allergy interaction alerts are separate from the 5 CDS interventions and do not count toward the 5 required for Measure 1
Drug to Drug
Drug to Allergy
Make sure you can identify Provider and Time Frame if you are unable to obtain a Vendor Verification Letter
Questions?
Contact Information:
Kerri [email protected]
Brenda [email protected]
Lauren [email protected]
[email protected]
(815) 753-5900
http://www.ilhitrec.org