Last Chance to Review Your Security Risk Analysis


Transcription:

Learning Forum Fridays: Countdown to MIPS Data Submission Webinar Series
Last Chance to Review Your Security Risk Analysis
Emilie Sundie, MSCIS, PMP, CPHIMS, Director, Health IT Services
Kari Vanderslice, MBA, Health Informatics Specialist
November 17, 2017

To Submit Questions Via Chat Box
1. Click the [Chat] option at the top right of the presentation.
2. The Chat panel will open.
3. Indicate that you want to send a question to All Panelists.
4. Type your question in the box at the bottom of the panel.
5. Click [Send].

Learning Objectives
At the completion of this training, the attendee will be able to:
- Identify required elements of a Security Risk Analysis (SRA).
- Describe the SRA process.
- Develop, maintain, and provide the documentation required to demonstrate compliance.
- Locate essential tools and resources.

Acronyms Used in Today's Presentation
ACI: Advancing Care Information
ACO: Accountable Care Organization
CEHRT: Certified Electronic Health Record Technology
CMS: Centers for Medicare & Medicaid Services
EHR: Electronic Health Record
ePHI: Electronic Protected Health Information
HIPAA: Health Insurance Portability and Accountability Act
MIPS: Merit-based Incentive Payment System
ONC: The Office of the National Coordinator for Health Information Technology
PHI: Protected Health Information
QPP: Quality Payment Program
SRA: Security Risk Analysis

Today's Presenters from Health Services Advisory Group (HSAG)
Emilie Sundie, MSCIS, PMP, CPHIMS, Director, Health IT Services
Kari Vanderslice, MBA, Health Informatics Specialist

SRA Defined
An SRA is an ongoing process of discovering, correcting, and preventing security problems. Conducting an SRA is the first step in identifying and implementing safeguards that comply with and carry out the standards and implementation specifications in the Security Rule.
- HIPAA required
- Ensures compliance
- Helps reveal areas at risk
Sources:
https://www.healthit.gov/providers-professionals/security-risk-assessment
https://www.hhs.gov/hipaa/for-professionals/security/guidance/guidance-risk-analysis/index.html

SRA Is a Process, Not a Document
Assess risk, correct deficiencies, implement updates, then assess again: the SRA is an ongoing cycle rather than a one-time document.

SRA: An ACI Base Score Requirement
Conducting an SRA is a Base Score requirement under the Advancing Care Information (ACI) category of the Quality Payment Program (QPP).
Where it sits: QPP > ACI > ACI Base Measures > SRA

Attesting Yes to the SRA
The SRA measure is a required ACI base measure. To meet the ACI measure, Merit-based Incentive Payment System (MIPS)-eligible clinicians must attest Yes to:
- Conducting or reviewing an SRA.
- Implementing security updates.
- Correcting identified deficiencies.
If the measure is not met, the entire ACI score will be zero.

What Is the Actual Requirement?
Objective: Protect Patient Health Information (PHI)

2017 SRA Transition Objective and Measure
Objective: Protect Patient Health Information (PHI)
Measure:
1. Conduct or review a security risk analysis (SRA) according to 45 CFR 164.308(a)(1).
   a. Address security (to include encryption) of electronic PHI data created or maintained by certified EHR technology (CEHRT).*
2. Implement security updates.
3. Correct identified security deficiencies.
*In accordance with 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3).

SRA According to 45 CFR 164.308(a)(1)
Standard: Implement policies and procedures to prevent, detect, contain, and correct security violations.
Implementation: The implementation specifications require that a security management process be in place. Process is the operative word.

Implementation Elements of a Security Management Process (45 CFR 164.308(a)(1))
- Risk Analysis: Conduct an assessment of electronic PHI (ePHI).
- Risk Management: Implement security measures.
- Sanction Policy: Apply appropriate sanctions against workforce members who fail to comply.
- Information System Activity Review: Regularly review records of activity such as access reports and audit logs.

Risk Analysis (Required)

Risk Analysis: Who, What, and Constraints
Who does it? You or a qualified outside party.
Analysis or review?
- Analysis upon installation or upgrade.
- Review covering each performance period.
Constraints?
- Unique for each performance period.
- Includes the whole performance period.
- Conducted within the calendar year of the performance period.

Risk Analysis: Identifying Risk
- Where is ePHI?
- What is the threat/vulnerability?
- How likely is it to occur?
- What is the impact?
Impact x Likelihood = Risk
Impact scale: Low (10), Medium (50), High (100). Threat likelihood scale: High (1.0), Medium (0.5), Low (0.1).
Worked cells from the slide's matrix:
- Low impact x High likelihood: 10 x 1.0 = 10 (Low)
- Medium impact x Medium likelihood: 50 x 0.5 = 25 (Medium)
- High impact x High likelihood: 100 x 1.0 = 100 (High)
Response by risk level:
- Low: Accept risk/minimal action
- Medium: Respond/look at controls
- High: Take action now!
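The scoring rule on this slide (Impact x Likelihood, with the 10/50/100 and 1.0/0.5/0.1 scales) is easy to get wrong on paper, so here is the same calculation written out as an added example. This is not a tool from HSAG, ONC or the slides. It fills in the whole 3x3 matrix rather than only the three cells the slide shows, and it ranks a set of findings for a small practice; the findings themselves are constructed, and the Low/Medium/High cut-offs (10 and 50) are an assumption, since the slide gives only the three example cells and no boundaries.

```python
"""Risk scoring for an SRA: Risk = Impact x Likelihood, with the slide's scales.

Added example for this transcription; not a tool from HSAG, ONC or the slides.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Scales exactly as the slide states them.
IMPACT: Dict[str, int] = {"Low": 10, "Medium": 50, "High": 100}
LIKELIHOOD: Dict[str, float] = {"Low": 0.1, "Medium": 0.5, "High": 1.0}

# Response recommended by the slide for each risk level.
ACTION: Dict[str, str] = {
    "Low": "Accept risk / minimal action",
    "Medium": "Respond / look at controls",
    "High": "Take action now",
}


def risk_score(impact: str, likelihood: str) -> float:
    """Impact x Likelihood, rounded so that 100 x 0.1 is exactly 10.0."""
    return round(IMPACT[impact] * LIKELIHOOD[likelihood], 6)


def risk_level(score: float) -> str:
    """Map a score to Low/Medium/High.

    ASSUMPTION: the slide shows only three cells (10 -> Low, 25 -> Medium,
    100 -> High) and no boundaries; the cut-offs used here (<=10 Low,
    <=50 Medium, else High) are consistent with those three cells.
    """
    if score <= 10:
        return "Low"
    if score <= 50:
        return "Medium"
    return "High"


def full_matrix() -> Dict[Tuple[str, str], Tuple[float, str]]:
    """Every (likelihood, impact) cell of the 3x3 matrix, generalizing the slide's three."""
    return {
        (lk, im): (risk_score(im, lk), risk_level(risk_score(im, lk)))
        for lk in LIKELIHOOD
        for im in IMPACT
    }


@dataclass
class Finding:
    """One row of the analysis: where the ePHI is, what threatens it, and the two ratings."""
    asset: str
    threat: str
    impact: str
    likelihood: str

    @property
    def score(self) -> float:
        return risk_score(self.impact, self.likelihood)

    @property
    def level(self) -> str:
        return risk_level(self.score)


def rank_findings(findings: List[Finding]) -> List[Tuple[str, float, str, str]]:
    """Highest risk first: (asset, score, level, recommended action)."""
    ordered = sorted(findings, key=lambda f: f.score, reverse=True)
    return [(f.asset, f.score, f.level, ACTION[f.level]) for f in ordered]


# Constructed findings for a small practice (illustrative, not from the slides).
SAMPLE_FINDINGS = [
    Finding("Laptop with unencrypted ePHI exports", "Lost or stolen device", "High", "Medium"),
    Finding("EHR server in locked closet", "Fire or flood", "High", "Low"),
    Finding("Shared front-desk login", "Unattributable access to records", "Medium", "Medium"),
    Finding("Paper fax cover sheets", "Misdirected fax", "Low", "High"),
]

if __name__ == "__main__":
    for asset, score, level, action in rank_findings(SAMPLE_FINDINGS):
        print(f"{score:6.1f}  {level:6}  {asset}: {action}")
```

Ranking by score rather than by impact alone is the point of the formula: the unencrypted laptop (High impact, Medium likelihood) lands at 50 and goes to the top of the remediation list, while the server fire scenario (High impact, Low likelihood) scores the same 10 as a misdirected fax.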

Use a Tool, Not a Checklist
The Office of the National Coordinator for Health Information Technology's (ONC's) SRA tool, for example, will help you to:
- Identify standards.
- Find detailed implementation specifications.
- Consider options.
- Recognize possible threats.
- Find examples of safeguards.
- Document activities and remediation plans.
Source: https://www.healthit.gov/sites/default/files/attachmentasecurity_risk_assessment_tool_user_guide_v6.pdf

Requirement to Address Encryption
Address security (to include encryption) of electronic PHI data created or maintained by certified EHR technology.*
Standards are identified as Required or Addressable. Encryption of data is Addressable.
Options for Addressable specifications:
- Implement if reasonable and appropriate.
- Implement an equivalent alternative if the specification is unreasonable and inappropriate and an alternative exists.
- Document the decision in writing, including the factors considered and the basis for the decision.
*In accordance with 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3).

Risk Management (Required)

Implement Security Measures
Establish and implement security measures by:
- Using SRA findings to identify and track risk remediation.
- Applying system and security updates as recommended.
Sample risk register (columns: Risk ID, Description, Status, Responsible Party, Risk Rating, Mitigation Action, Action Date):
Risk ID 1: No defined management process for user access re: terminations or change in responsibilities. Status: Closed. Responsible Party: HR - John Phillips. Risk Rating: Medium.
  Mitigation Actions: Policy for disabling user accounts developed and approved (09/15/2017); HR/IT training on policy (09/23/2017); Policy implemented (10/01/2017).
Risk ID 2: Media is compromised due to ineffective handling procedures. Status: In Progress. Responsible Party: CIO - Mark Waters. Risk Rating: High.
  Mitigation Actions: Media Handling Policy reviewed and updated (11/12/2017); Encryption software for laptops procured (11/25/2017).

Sanction Policy (Required)

Sanction Policy
It is important to ensure that you have a Sanction Policy in place that:
- Defines the purpose of the policy.
- Defines the violations of the policy.
- Delineates possible disciplinary actions.
- Is freely available to, and known by, all members of the organization.
Sample policies are readily available from government and professional sources.

Sample Sanction Policy Acknowledgement

Information System Activity Review (Required)

Information System Activity Review
You must implement procedures for regular activity review. Review who, what, when, and the actions taken, using:
- Audit logs
- Access reports
- Security incidents
Sample uses include:
- Detection of unauthorized access
- Tracking of PHI disclosures
- Demonstrating compliance
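The slide lists three uses of an activity review (detecting unauthorized access, tracking PHI disclosures, demonstrating compliance) but not what the review mechanically looks like. The script below is an added example, not a tool from HSAG or any EHR vendor, that runs those three checks over a handful of constructed audit-log lines. The key=value log format, the clinic-hours window, and the list of terminated accounts are all assumptions made for the example; a real EHR's audit export will differ and only the parsing step needs to change. The terminated-account check is the kind of control that closes Risk ID 1 in the register earlier in the deck.

```python
"""Information system activity review over EHR audit-log lines.

Added example for this transcription; not a tool from HSAG or any EHR vendor.
The log format, the business-hours window, and the terminated-account list are
all assumptions constructed for the example.
"""
from collections import Counter, defaultdict
from datetime import datetime, time
from typing import Dict, List, Optional

# Constructed sample log: one event per line, ISO timestamp then key=value fields.
SAMPLE_LOG = """\
2017-11-03T09:14:05 user=jsmith action=VIEW patient=MRN-0001
2017-11-03T22:47:10 user=jsmith action=VIEW patient=MRN-0002
2017-11-04T10:02:33 user=tlee action=EXPORT patient=MRN-0001
2017-11-04T10:05:41 user=mwaters action=VIEW patient=MRN-0003
2017-11-05T08:30:00 user=tlee action=PRINT patient=MRN-0001
2017-11-05T08:31:12 user=bad-line-without-fields
"""

# Accounts HR has reported as terminated (constructed); any EHR activity by them is unauthorized.
TERMINATED_USERS = {"mwaters"}
# Normal clinic hours for the practice (assumption); access outside them gets a second look.
BUSINESS_HOURS = (time(7, 0), time(19, 0))
# Actions that move PHI out of the system and therefore belong in a disclosure log.
DISCLOSURE_ACTIONS = {"EXPORT", "PRINT", "DISCLOSE"}


def parse_line(line: str) -> Optional[dict]:
    """Return {'ts', 'user', 'action', 'patient'} for a well-formed line, else None."""
    parts = line.split()
    try:
        ts = datetime.fromisoformat(parts[0])
    except (IndexError, ValueError):
        return None
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    if not {"user", "action", "patient"} <= set(fields):
        return None
    return {"ts": ts, **fields}


def review(log_text: str, terminated=TERMINATED_USERS, hours=BUSINESS_HOURS) -> dict:
    """Run the three review checks and return a report the reviewer can file as evidence."""
    events, malformed = [], 0
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        event = parse_line(raw)
        if event is None:
            malformed += 1  # count, never silently drop: gaps in the log are a finding too
            continue
        events.append(event)

    start, end = hours
    # Unauthorized access: activity by accounts that should already be disabled.
    terminated_hits = [(e["ts"].isoformat(), e["user"], e["patient"])
                       for e in events if e["user"] in terminated]
    # Access outside clinic hours is not proof of misuse, but it is what a reviewer asks about.
    after_hours = [(e["ts"].isoformat(), e["user"], e["patient"])
                   for e in events if not (start <= e["ts"].time() < end)]
    # Disclosure tracking: every export/print of a record, grouped by patient.
    disclosures: Dict[str, List[tuple]] = defaultdict(list)
    for e in events:
        if e["action"] in DISCLOSURE_ACTIONS:
            disclosures[e["patient"]].append((e["ts"].isoformat(), e["user"], e["action"]))

    return {
        "events_reviewed": len(events),
        "malformed_lines": malformed,
        "actions": Counter(e["action"] for e in events),
        "terminated_account_access": terminated_hits,
        "after_hours_access": after_hours,
        "disclosures_by_patient": dict(disclosures),
    }


if __name__ == "__main__":
    report = review(SAMPLE_LOG)
    print(f"Reviewed {report['events_reviewed']} events ({report['malformed_lines']} malformed)")
    for key in ("terminated_account_access", "after_hours_access"):
        for hit in report[key]:
            print(f"{key}: {hit}")
    for patient, items in report["disclosures_by_patient"].items():
        print(f"disclosures for {patient}: {len(items)}")
```

The report dictionary, dated and kept with the SRA documentation, is the "demonstrating compliance" use on the slide: it records how many events were reviewed, which lines could not be parsed, and what was flagged, which is exactly what an auditor asks to see for the activity-review requirement.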

Data Validation Criteria

Data Validation for the SRA Measure
The Centers for Medicare & Medicaid Services (CMS) conducts an annual data validation and audit process. If selected for data validation or audit, you will have 45 calendar days to complete data sharing, as requested. You must retain documentation related to your QPP participation for six years, including all documentation related to your SRA.
Important Note: Failure to meet requirements for the SRA measure has been the most common cause of audit failure.

Data Validation Criteria Document
The Data Validation Criteria document, available through the QPP Resource Library, is the current resource for accessing specific data validation criteria.
https://www.cms.gov/medicare/quality-payment-program/resource-Library/Resource-library.html

Data Validation Criteria Document (cont.)
The Data Validation Criteria states that documentation needs to be from CEHRT and be inclusive of:
- Dates during the selected continuous 90-day or year-long performance reporting period.
- Clinician identification, e.g., National Provider Identifier (NPI).
- Documentation of, at minimum, one patient.
Suggested documentation includes:
- A document assessing potential risks and vulnerabilities (the SRA).
- Evidence that you have addressed encryption/security of data stored in CEHRT, including proof that an SRA was performed for the clinician's system and proof of implementation of security updates and correction of identified security deficiencies.

Examples of Past SRA Criteria Evaluated
- Appropriate date for the risk analysis
- Tangible SRA document
- Tangible risk/remediation register
- Proof of security updates

Essential Tools and Resources

Questions for Your EHR Vendor
Ask your vendor these questions:
- Where is my data stored?
- How do I access/generate audit logs?
- What security policies and procedures do you have in place?
- How can I confirm my software updates?
Don't forget other vendors: faxes, copiers, scanning workstations.

Government Resources
- HHS.gov Guidance on Risk Analysis: https://www.hhs.gov/hipaa/for-professionals/security/guidance/guidance-risk-analysis
- National Institute of Standards and Technology (NIST) Toolkit: NIST HIPAA Security Toolkit Application
- Office of the National Coordinator for Health Information Technology (ONC) and the HHS Office for Civil Rights (OCR) Tool: HIPAA Security Risk Assessment (SRA) Tool (downloadable and paper-based)
- ONC Health IT Playbook, Privacy & Security Section: https://www.healthit.gov/playbook/privacy-and-security/
Other Resources: Professional organizations, security vendors, ACOs

Revisiting the Value of YES
The SRA measure is a required ACI base measure. If the measure is not met, your ACI score will be zero. To meet the ACI measure, Merit-based Incentive Payment System (MIPS)-eligible clinicians must attest YES to:
- Conducting or reviewing an SRA.
- Implementing security updates.
- Correcting identified deficiencies.

Key Takeaways
The important points to remember about the SRA are that you must:
1. Assess
   a. Identify/track threats and vulnerabilities
   b. Address encryption
2. Implement
   a. Develop policies and procedures
   b. Apply updates
3. Correct deficiencies
   a. Enforce policies and procedures
   b. Remediate risks
(The cycle: Assess, Implement, Correct.)

HSAG QPP Service Center Available: www.hsag.com/qpp

QPP Technical Assistance Resource Guide
https://qpp.cms.gov/docs/qpp_technical_assistance_resource_guide.pdf
Source: The Centers for Medicare & Medicaid Services

Next Learning Forum Friday Event: December 1, 2017, Strategize to Report Your Best Performance
For additional event topics and registration information, please visit www.hsag.com/lff. Topics and dates are subject to change, so please check the webpage for up-to-date information.

General Resources
- CMS Quality Payment Program Website: https://qpp.cms.gov (subscribe to the QPP ListServe)
- Medicare Learning Network Learning Management System (LMS) Booklet FAQs: https://www.cms.gov/outreach-and-education/medicare-Learning-Network-MLN/MLNProducts/Downloads/LMPOS-FAQs-Booklet-ICN909182.pdf
- Associations Offering Credit for MLN Events and Training: https://www.cms.gov/outreach-and-education/medicare-Learning-Network-MLN/MLNGenInfo/CE-Associations.html

CMS and HSAG Announcements
- Virtual Groups Public Webinar. Date: Tuesday, November 21st. Time: 1 to 2 p.m. ET. Registration link: https://engage.vevent.com/rt/cms/index.jsp?seid=920
- HSAG MIPS Readiness Professional Certificate Program coming soon!
- QPP Year Two Final Rule comment period ends January 2, 2018, 5 p.m. ET. For more information visit: https://goo.gl/oyo2dw

CE Approval
This program has been pre-approved for 1.0 CE unit for the following professional boards:
National
- Board of Registered Nursing (Provider #16578)
Florida
- Board of Clinical Social Work, Marriage & Family Therapy and Mental Health Counseling
- Board of Nursing Home Administrators
- Board of Dietetics and Nutrition Practice Council
- Board of Pharmacy
Please Note: To verify CE approval for any other state, license, or certification, please check with your licensing or certification board.

CE Credit Process
1. Register in HSAG's Learning Management Center (LMC) at https://goo.gl/bazdzs.
2. Once you have registered in the LMC, you must complete the evaluation that will appear in WebEx at the conclusion of the webinar.
   a. Following the event, please do not close the WebEx evaluation window. You will not be able to access the evaluation and request CE if you close the window.
   b. CEs are only available to attendees who participate in the live event.
   c. If for some reason you completed the evaluation and do not have the link to the new user registration, please refer to Step #1 or contact Debra Price at dprice@hsag.com for CE certificate questions.

CE Credit Process: Existing User
To log in to your existing LMC account, click https://goo.gl/9mez2r.

CE Credit Process (cont.)
Following the conclusion of the webinar, you will also receive a "Thank You for Attending" email at the email address provided during registration. You will be requested to register in the HSAG Learning Management Center (LMC). This is a separate registration from WebEx. Please use your personal email so you can receive your certificate; your organization may have firewalls up that block our certificates.

CE Certificate Problems
If you do not immediately receive a response to the email that you signed up with in the Learning Management Center, you have a firewall up that is blocking the link that was sent. Please go back to the New User link and register your personal email account. Personal emails do not have firewalls.

HSAG QPP Technical Assistance Line
Toll free: 1.844.472.4227, Monday through Friday, 8 a.m. to 8 p.m. ET
HSAG QPP Email Support: HSAGQPPSupport@hsag.com

This material was prepared by Health Services Advisory Group, Inc., the Medicare Quality Improvement Organization for Arizona, under contract with the Centers for Medicare & Medicaid Services (CMS), an agency of the U.S. Department of Health and Human Services. The contents presented do not necessarily reflect CMS policy. Publication No. QN-11SOW-D.1-11142017-01