Learning Forum Fridays
Countdown to MIPS Data Submission Webinar Series
Last Chance to Review Your Security Risk Analysis

Emilie Sundie, MSCIS, PMP, CPHIMS, Director, Health IT Services
Kari Vanderslice, MBA, Health Informatics Specialist
November 17, 2017

To Submit Questions Via Chat Box:
1. Click the [Chat] option at the top right of the presentation.
2. The Chat panel will open.
3. Indicate that you want to send a question to All Panelists.
4. Type your question in the box at the bottom of the panel.
5. Click [Send].

Learning Objectives
At the completion of this training, the attendee will be able to:
   Identify required elements of a Security Risk Analysis (SRA).
   Describe the SRA process.
   Develop, maintain, and provide documentation required to demonstrate compliance.
   Locate essential tools and resources.
Acronyms Used in Today's Presentation

Acronym   Definition
ACI       Advancing Care Information
ACO       Accountable Care Organization
CEHRT     Certified Electronic Health Record Technology
CMS       Centers for Medicare & Medicaid Services
EHR       Electronic Health Record
ePHI      Electronic Protected Health Information
HIPAA     Health Insurance Portability and Accountability Act
MIPS      Merit-based Incentive Payment System
ONC       The Office of the National Coordinator for Health Information Technology
PHI       Protected Health Information
QPP       Quality Payment Program
SRA       Security Risk Analysis

Today's Presenters from Health Services Advisory Group (HSAG)
   Emilie Sundie, MSCIS, PMP, CPHIMS, Director, Health IT Services
   Kari Vanderslice, MBA, Health Informatics Specialist
SRA Defined
An SRA is an ongoing process of discovering, correcting, and preventing security problems. Conducting an SRA is the first step in identifying and implementing safeguards that comply with and carry out the standards and implementation specifications in the Security Rule.
   HIPAA Required
   Ensures Compliance
   Helps Reveal Areas at Risk
Sources:
   https://www.healthit.gov/providers-professionals/security-risk-assessment
   https://www.hhs.gov/hipaa/for-professionals/security/guidance/guidance-risk-analysis/index.html

SRA Is a Process, Not a Document
A continuing cycle: Assess Risk, Correct Deficiencies, Implement Updates.

SRA: An ACI Base Score Requirement
Conducting an SRA is a Base Score requirement under the Advancing Care Information (ACI) category of the Quality Payment Program (QPP).
   QPP > ACI > ACI Base Measures > SRA

Attesting Yes to the SRA
The SRA measure is a required ACI base measure. To meet the ACI measure, Merit-based Incentive Payment System (MIPS)-eligible clinicians must attest Yes to:
   Conducting or reviewing an SRA.
   Implementing security updates.
   Correcting identified deficiencies.
If the measure is not met, the entire ACI score will be zero.

What Is the Actual Requirement?
Objective: Protect Patient Health Information (PHI)
2017 SRA Transition Objective and Measure
Objective: Protect Patient Health Information (PHI)
Measure:
1. Conduct or review a security risk analysis (SRA) according to 45CFR 164.308(a)(1)
   a. Address security (to include encryption) of electronic PHI data created or maintained by certified EHR technology (CEHRT)*
2. Implement security updates
3. Correct identified security deficiencies
*In accordance with 45CFR 164.312(a)(2)(iv) and 45CFR 164.306(d)(3)
SRA According to 45CFR 164.308(a)(1)
Standard: Implement policies and procedures to prevent, detect, contain, and correct security violations.
Implementation: The implementation specifications require that a security management process be in place. Process is the operative word.

Implementation Elements of a Security Management Process (SRA According to 45CFR 164.308(a)(1))
   Risk Analysis: Conduct an assessment of electronic PHI (ePHI).
   Risk Management: Implement security measures.
   Sanction Policy: Apply appropriate sanctions against workforce members who fail to comply.
   Information System Activity Review: Regularly review records of activity such as access reports and audit logs.
Risk Analysis Required
Risk Analysis: Who, What, and Constraints
Who does it?
   You or a qualified outside party
Analysis or review?
   Analysis upon installation or upgrade
   Review covering each performance period
Constraints?
   Unique for each performance period
   Includes the whole performance period
   Conducted within the calendar year of the performance period
Risk Analysis: Identifying Risk
   Where is ePHI?
   What is the threat/vulnerability?
   How likely is it to occur?
   What is the impact?
Impact x Likelihood = Risk

                         IMPACT
THREAT LIKELIHOOD        Low (10)              Medium (50)               High (100)
High (1.0)               Low: 10 x 1.0 = 10                              High: 100 x 1.0 = 100
Medium (0.5)                                   Medium: 50 x 0.5 = 25
Low (0.1)

   Low: Accept Risk/Minimal Action
   Medium: Respond/Look at Controls
   High: Take Action Now!
Use a Tool, Not a Checklist
The Office of the National Coordinator for Health Information Technology's (ONC's) SRA tool, for example, will help you to:
   Identify Standards.
   Find detailed Implementation Specifications.
   Consider options.
   Recognize possible threats (the tool provides examples of safeguards).
   Document activities and remediation plans.
Source: https://www.healthit.gov/sites/default/files/attachmentasecurity_risk_assessment_tool_user_guide_v6.pdf
Requirement to Address Encryption
Address security (to include encryption) of electronic PHI data created or maintained by certified EHR technology.*
   Standards are identified as Required or Addressable.
   Encryption of data is Addressable.
Options for Addressable Specifications:
   Implement if reasonable and appropriate.
   Implement an equivalent alternative if the specification is unreasonable and inappropriate, and there is an alternative.
   Document the decision in writing, including factors considered and the basis for the decision.
*In accordance with 45CFR 164.312(a)(2)(iv) and 45CFR 164.306(d)(3)
Risk Management Required
Implement Security Measures
Establish and implement security measures by:
   Using SRA findings to identify/track risk remediation.
   Applying system and security updates as recommended.

Sample risk register:

Risk ID  Description                                   Status       Responsible Party   Risk Rating  Mitigation Action                                          Action Date
1        No defined management process for user        Closed       HR - John Phillips  Medium       Policy for disabling user accounts developed and approved  09/15/2017
         access re: terminations or change in                                                        HR/IT Training on Policy                                   09/23/2017
         responsibilities                                                                            Policy Implemented                                         10/01/2017
2        Media is compromised due to ineffective       In Progress  CIO - Mark Waters   High         Media Handling Policy reviewed and updated                 11/12/2017
         handling procedures                                                                         Encryption Software for laptops procured                   11/25/2017
Sanction Policy Required
Sanction Policy
It is important to ensure that you have a Sanction Policy in place that:
   Defines the purpose of the policy.
   Defines the violations of the policy.
   Delineates possible disciplinary actions.
   Is freely available/known to all members of the organization.
Sample policies are readily available from government and professional sources.

Sample Sanction Policy Acknowledgement
Information System Activity Review Required
Information System Activity Review
You must implement procedures for regular activity review. Review who, what, when, and actions taken with:
   Audit logs
   Access reports
   Security Incidents
Sample uses include:
   Detection of unauthorized access
   Tracking of PHI disclosures
   Demonstrating compliance
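As an added illustration of an activity review (example code, not part of the HSAG deck or any vendor's tool), the script below checks constructed EHR audit-log lines against a constructed HR access list. It flags the cases the slide and the sample risk register point at: use of an account that should have been disabled after termination, after-hours access, and exports of ePHI that need disclosure tracking. The log format, user names, record ids and clinic hours are all assumptions.

```python
"""Review constructed EHR audit-log lines against an HR access list.
Added example, not from the HSAG deck; log format and entries are made up."""
from datetime import datetime, time

# Constructed HR access list: user -> termination date (None = active).
ACCESS_LIST = {
    "jsmith": None,
    "rlee": "2017-09-30",   # left the practice; account should be disabled
    "mchen": None,
}

# Constructed audit log: timestamp, user, action, patient record id.
AUDIT_LOG = """\
2017-10-02T09:14:00 jsmith VIEW MRN-1001
2017-10-02T23:40:00 jsmith VIEW MRN-1002
2017-10-03T10:05:00 rlee VIEW MRN-1003
2017-10-03T11:30:00 mchen EXPORT MRN-1004
"""

BUSINESS_HOURS = (time(7, 0), time(19, 0))  # assumed clinic hours

def parse_log(text):
    """Split each log line into a dict with a parsed timestamp."""
    entries = []
    for line in text.splitlines():
        ts, user, action, mrn = line.split()
        entries.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "action": action, "mrn": mrn})
    return entries

def review(entries, access_list, hours=BUSINESS_HOURS):
    """Return findings for the reviewer: one (reason, entry) per hit."""
    findings = []
    for e in entries:
        term = access_list.get(e["user"])
        if e["user"] not in access_list:
            findings.append(("unknown account", e))
        elif term and e["ts"].date() > datetime.fromisoformat(term).date():
            findings.append(("access after termination", e))
        if not hours[0] <= e["ts"].time() <= hours[1]:
            findings.append(("after-hours access", e))
        if e["action"] == "EXPORT":
            findings.append(("ePHI export (disclosure tracking)", e))
    return findings

if __name__ == "__main__":
    for reason, e in review(parse_log(AUDIT_LOG), ACCESS_LIST):
        print(f"{e['ts']:%Y-%m-%d %H:%M} {e['user']:<7} {e['action']:<6} {e['mrn']}  <- {reason}")
```

Each finding should be written up in the activity-review record (who, what, when, action taken), which is the documentation an auditor asks for.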
Data Validation Criteria
Data Validation for the SRA Measure
The Centers for Medicare & Medicaid Services (CMS) conducts an annual data validation and audit process.
   If selected for data validation or audit, you will have 45 calendar days to complete data sharing, as requested.
   You must retain documentation related to your QPP participation for six years, including all documentation related to your SRA.
Important Note: Failure to meet requirements for the SRA measure has been the most common cause of audit failure.

Data Validation Criteria Document
The Data Validation Criteria document, available through the QPP Resource Library, is the current resource for accessing specific data validation criteria.
https://www.cms.gov/medicare/quality-payment-program/resource-Library/Resource-library.html

The Data Validation Criteria states that documentation needs to be from CEHRT and be inclusive of:
   Dates during the selected continuous 90-day or year-long performance reporting period.
   Clinician identification, e.g., National Provider Identifier (NPI).
   Documentation of, at minimum, one patient.
Suggested documentation includes:
   A document assessing potential risks and vulnerabilities (SRA).
   Evidence that you have addressed encryption/security of data stored in CEHRT, including proof:
      That an SRA was performed for the clinician's system.
      Of implementation of security updates and correction of identified security deficiencies.
Examples of Past SRA Criteria Evaluated
   Appropriate date for the Risk Analysis
   Tangible SRA document
   Tangible Risk/Remediation Register
   Proof of security updates
Essential Tools and Resources
Questions for Your EHR Vendor
Ask your vendor these questions:
   Where is my data stored?
   How do I access/generate audit logs?
   What security policies and procedures do you have in place?
   How can I confirm my software updates?
Don't forget other vendors: faxes, copiers, scanning workstations.

Government Resources
   HHS.gov Guidance on Risk Analysis: https://www.hhs.gov/hipaa/for-professionals/security/guidance/guidance-risk-analysis
   National Institute of Standards and Technology (NIST) Toolkit: NIST HIPAA Security Toolkit Application
   Office of the National Coordinator for Health Information Technology (ONC) and the HHS Office for Civil Rights (OCR) Tool: HIPAA Security Risk Assessment (SRA) Tool (downloadable and paper-based)
   ONC Health IT Playbook, Privacy & Security Section: https://www.healthit.gov/playbook/privacy-and-security/
Other Resources: Professional Organizations, Security Vendors, ACOs

Revisiting the Value of YES
The SRA measure is a required ACI base measure. If the measure is not met, your ACI score will be zero. To meet the ACI measure, Merit-based Incentive Payment System (MIPS)-eligible clinicians must attest YES to:
   Conducting or reviewing an SRA.
   Implementing security updates.
   Correcting identified deficiencies.

Key Takeaways
The important points to remember about SRA are that you must:
1. Assess
   a. Identify/track threats and vulnerabilities
   b. Address encryption
2. Implement
   a. Develop policies and procedures
   b. Apply updates
3. Correct Deficiencies
   a. Enforce policies, procedures
   b. Remediate risks
HSAG QPP Service Center Available
www.hsag.com/qpp

QPP Technical Assistance Resource Guide
https://qpp.cms.gov/docs/qpp_technical_assistance_resource_guide.pdf
Source: The Centers for Medicare & Medicaid Services

Next Learning Forum Friday Event: December 1, 2017
Strategize to Report Your Best Performance
For additional event topics and registration information please visit: www.hsag.com/lff
Topics and dates are subject to change, so please check the webpage for up-to-date information.

General Resources
   CMS Quality Payment Program Website: https://qpp.cms.gov
   Subscribe to the QPP ListServe
   Medicare Learning Network Learning Management System Booklet (LMS) FAQs: https://www.cms.gov/outreach-and-education/medicare-Learning-Network-MLN/MLNProducts/Downloads/LMPOS-FAQs-Booklet-ICN909182.pdf
   Associations Offering Credit for MLN Events and Training: https://www.cms.gov/outreach-and-education/medicare-Learning-Network-MLN/MLNGenInfo/CE-Associations.html

CMS and HSAG Announcements
   Virtual Groups Public Webinar. Date: Tuesday, November 21st. Time: 1 to 2 p.m. ET. Registration Link: https://engage.vevent.com/rt/cms/index.jsp?seid=920
   HSAG MIPS Readiness Professional Certificate Program coming soon!
   QPP Year Two Final Rule comment period ends January 2, 2018, 5 p.m. ET. For more information visit: https://goo.gl/oyo2dw
CE Approval
This program has been pre-approved for 1.0 CE unit for the following professional boards:
National
   Board of Registered Nursing (Provider #16578)
Florida
   Board of Clinical Social Work, Marriage & Family Therapy and Mental Health Counseling
   Board of Nursing Home Administrators
   Board of Dietetics and Nutrition Practice Council
   Board of Pharmacy
Please Note: To verify CE approval for any other state, license, or certification, please check with your licensing or certification board.

CE Credit Process
1. Register in HSAG's Learning Management Center (LMC) at https://goo.gl/bazdzs.
2. Once you have registered in the LMC, you must complete the evaluation that will appear in WebEx at the conclusion of the webinar.
   a. Following the event, please do not close the WebEx evaluation window. You will not be able to access the evaluation and request CE if you close the window.
   b. CEs are only available to attendees that participate in the live event.
   c. If for some reason you completed the evaluation and do not have the link to the new user registration, please refer to Step #1 or contact Debra Price at dprice@hsag.com for CE certificate questions.

CE Credit Process: Existing User
To log in to your existing LMC account, click https://goo.gl/9mez2r.

CE Credit Process (cont.)
Following the conclusion of the webinar, you will also receive a Thank You for Attending email using the email address provided during registration. You will be requested to register in the HSAG Learning Management Center (LMC). This is a separate registration from WebEx. Please use your personal email so you can receive your certificate. Your organization may have firewalls up that block our certificates.

CE Certificate Problems
If you do not immediately receive a response to the email that you signed up with in the Learning Management Center, you have a firewall up that is blocking the link that was sent. Please go back to the New User link and register your personal email account. Personal emails do not have firewalls.

HSAG QPP Technical Assistance Line
Toll free: 1.844.472.4227, Monday through Friday, 8 a.m. to 8 p.m. ET
HSAG QPP Email Support: HSAGQPPSupport@hsag.com
This material was prepared by Health Services Advisory Group, Inc., the Medicare Quality Improvement Organization for Arizona, under contract with the Centers for Medicare & Medicaid Services (CMS), an agency of the U.S. Department of Health and Human Services. The contents presented do not necessarily reflect CMS policy. Publication No. QN-11SOW-D.1-11142017-01