Does HIPAA Satisfy Meaningful Use? Two regulations with one stone


Tod Ferran, CISSP, QSA

Hi There!
- Tod Ferran
  - 25 years working with IT and physical security
  - 3 years PCI and HIPAA security consulting, performing entity compliance audits
- SecurityMetrics
  - Assisted >1 million businesses with HIPAA/PCI compliance since 2000

Meaningful Use (M/U) Alphabet Soup
- CMS (Centers for Medicare & Medicaid Services)
- EHR (Electronic Health Record)
- CEHRT (Certified EHR Technology)
- CQMs (Clinical Quality Measures)
- EP & EH (Eligible Professional & Eligible Hospital)
- NQS Domains (National Quality Strategy)

Quick Overview of Meaningful Use
- Government incentives to implement and use CEHRT
- Core objectives
  - Stage 1: Conduct Risk Analysis (2011/2012; not necessarily HIPAA)
  - Stage 2: Protect ePHI (HIPAA)

Overview of MU Reqs. (EP)
- Core measures: Stage 1 = 13, Stage 2 = 17
- Menu measures: Stage 1 = 5 of 10, Stage 2 = 3 of 6
- 64 clinical quality measures: Stage 1 & Stage 2 = 9 of 64

MU Worksheet (columns: #, Measure Information, Measure Values)

11. Objective: Generate lists of patients by specific conditions to use for quality improvement, reduction of disparities, research, or outreach.
    Measure: Generate at least one report listing patients of the EP with a specific condition.
    Note: This measure only requires a yes/no answer.
    Numerator: N/A
    Denominator: N/A
    Measure value: YES / NO

12. Objective: Use clinically relevant information to identify patients who should receive reminders for preventive/follow-up care and send these patients the reminders, per patient preference.
    Measure: More than 10 percent of all unique patients who have had 2 or more office visits with the EP within the 24 months before the beginning of the EHR reporting period were sent a reminder, per patient preference when available.
    Exclusion: Any EP who has had no office visits in the 24 months before the EHR reporting period. Does this exclusion apply to you? Yes / No
    Numerator: Number of patients in the denominator who were sent a reminder per patient preference when available during the EHR reporting period.
    Denominator: Number of unique patients who have had two or more office visits with the EP in the 24 months prior to the beginning of the EHR reporting period.

13. Objective: Use clinically relevant information from Certified EHR Technology to identify patient-specific education resources and provide those resources to the patient.
    Measure: Patient-specific education resources identified by Certified EHR Technology are provided to patients for more than 10 percent of all unique patients with office visits seen by the EP during the EHR reporting period.
    Exclusion: Any EP who has no office visits during the EHR reporting period. Does this exclusion apply to you? Yes / No
    Numerator: Number of patients in the denominator who were provided patient-specific education resources identified by the Certified EHR Technology.
    Denominator: Number of unique patients with office visits seen by the EP during the EHR reporting period.

14. Objective: The EP who receives a patient from another setting of care or provider of care or believes an encounter is relevant should perform medication reconciliation.
    Measure: The EP who performs medication reconciliation for more than 50 percent of transitions of care in which the patient is transitioned into the care of the EP.
    Exclusion: Any EP who was not the recipient of any transitions of care during the EHR reporting period.

EP
- Medicare (run by CMS) payments if you start MU in:
  - 2011 = $43,720
  - 2012 = $43,480
  - 2013 = $38,220
  - 2014 = $23,520
- Medicaid (run by individual states) payments
  - Year 1 = $21,250 (can begin as late as 2016)
  - Each subsequent year (2-6) = $8,500
  - Max payout = $63,750

EH
- Medicare (run by CMS)
  - Initial amount: < 1,150 discharges = base $2,000,000
  - Base increased by $200 per discharge from 1,150 up to a maximum payout of $6,370,400
  - Medicare share formula (IP = inpatient):
    (# of IP Part A Bed Days + # of IP Part C Days) / (Total IP Bed Days x [(Total Charges - Charges Attributable to Charity Care) / Total Charges])
  - Transition factor (ranges from .25 to 1.0)

How Are You Doing?
- If you have a HIPAA compliance program, you're already doing one core requirement for Meaningful Use
- If not, this is a great time to start a HIPAA program
- Kill two birds with one stone!
- If you're not interested in MU, that's OK. However, HIPAA is not optional!

OVERLAP WITH HIPAA

Risk Analysis: M/U and HIPAA
- Both concerned with identifying potential security risks
- Both require Risk Management Plan
  - Risks to PHI are measured, ranked and prioritized
  - Show demonstrable progress on RMP

Differences
- M/U Risk Analysis
  - Only concerned with the risk of the EHR
  - Only required for those participating in M/U
  - Updated twice (Stage 1 and Stage 2 reporting)
- HIPAA Risk Analysis
  - Concerned with the entire PHI environment (e.g., EHR, email, etc.)
  - Required of all CEs & BAs
  - Reviewed and updated on a periodic basis (annually)

Common Questions
- Will M/U attestation count for HIPAA compliance? NO!
- Will HIPAA compliance count for M/U attestation? NO!
- Will my M/U risk analysis cover my HIPAA risk analysis? NO!
- Will my HIPAA risk analysis cover my M/U risk analysis? YES!

Risk Management Process
- Both M/U and HIPAA require you to correct security problems as part of your risk management process
- What if this was your HIPAA Risk Management Plan?

M/U Stage 1 Requirements
- 2011-2012: Conduct or review a security risk assessment of a certified EHR technology, and correct identified security deficiencies and provide security updates as part of an ongoing risk management process.
- 2014: Protect electronic health information created or maintained by the certified EHR technology (CEHRT) through the implementation of appropriate technical capabilities.

M/U Stage 2 Requirements
- 2014: Protect electronic health information created or maintained by the certified EHR technology (CEHRT) through the implementation of appropriate technical capabilities, including addressing the encryption/security of data stored in CEHRT.

M/U Stage 3 Requirements
- 2016/2017
- Final requirements unknown for now

Reporting Challenges
- Both Stage 1 and Stage 2 = Single check box, Yes / No
- Tip of the iceberg is an understatement

Requirements to Yes
- HIPAA compliance
- Assign Privacy and Security Officials
- Conduct a complete and thorough Risk Analysis (RA)
- Use outside resources
- Apply industry best practices
- Show demonstrable progress on Risk Management Plan (RMP)
- Prioritize RMP based on security and risk
- Perform assessment of compliance with Security, Breach, and Privacy rules of HIPAA
- OCR audit protocol
- Consider outside resources

Compliance vs. Security
- Compliant does not necessarily equal secure
- Understand what and why we are attacked
- ID theft, Rx, and provision of health care

Importance of Securing PHI
- Bad PR
- Fines
- Loss of trust
- Patient health and patient safety

Bad PR

IS THE HHS THE ONLY SHARK SMELLING BLOOD IN THE WATER?

Civil Lawsuits
- Stanford, CA
  - BA passed 20k name/diagnosis codes to subcontractor to graph
  - Subcontractor posted online, looking for help
  - $4.1M civil lawsuit settlement
- AvMed, FL
  - Lost laptops
  - $3M class action settlement
- Byrne vs. Avery Center
  - Released her medical records without authorization
  - Negligence based on HIPAA as the Standard of Care

State Attorneys General
- Kaiser Foundation
  - Delay of breach notification
  - $150K to California AG
- Triple-S Salud
  - Displayed Medicare numbers on mailings
  - $6.8M to Puerto Rico Health Insurance Administration

FTC
- GMR Transcription
  - Failed to adequately monitor compliance of BA
  - 20k records, $ unknown
- LabMD
  - Inadequate security
  - $ unknown, company shut down
- FTC fines up to $16,000/violation
  - GMR fine could reach $320M

Loss of Trust
- 2013 average breach: $2.0M over two years (Ponemon)
- >2k records compromised
- Patient loss if breached
  - 46% Insurance co
  - 42% Drug store
  - 40% Doctor/dentist
  - 35% Hospital

Patient Health/Safety
- $19k and 12 months to clean up identity theft
- Non-perishable data
  - SSN
  - DOB
  - Name
- Misdiagnosis or mistreatment
- $359/record

Summary
- MU and HIPAA
  - Distinctly separate
  - MU is optional
  - HIPAA is not optional
- HIPAA compliance = best practice
  - Negligence and malpractice

Questions?
tod@securitymetrics.com
www.securitymetrics.com