Helping Santa Cruz Providers with Meaningful Use & HIPAA Privacy & Security

January 2013

To improve the quality and efficiency of health care for all stakeholders in the Santa Cruz community.

To deliver technology assistance, guidance and information on best practices to providers with the goal of creating a healthcare delivery system that offers a seamless, integrated experience for patients and providers. 

Provide services and tools to participating healthcare providers to become meaningful users of EHRs connected to the Santa Cruz Health Information Exchange.

These are foundational for Accountable Care, Clinical Integration, Medical Home Model and surviving payment reform as independent physicians

Mission

Privacy refers to patients’ health information and their right to have that information kept confidential.

Security refers to the storage, use and electronic exchange of patient health information in a secure environment.

Protecting patients’ privacy and securing their health information is a core requirement for the Medicare and Medicaid Electronic Health Records (EHR) Incentive Program referred to as “Meaningful Use Program” (MU).

All Providers must comply with HIPAA, not just those with EHR’s or seeking MU incentives

What Is Privacy & Security and Why Does It Matter?

On January 17, 2013, the Department of Health and Human Services (HHS) issued a final rule modifying the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security and Enforcement rules, including changes required by the Health Information Technology for Economic and Clinical Health Act (HITECH Act). The rule contains sweeping changes to privacy regulatory requirements which are intended to improve protection and control of personal health information.

4 main topics changed in this final rule:

• Business associate obligations. – A BA is now defined as any person that Creates, Receives, Maintains or Transmits PHI. New template available March 2013

• Enhanced protections for PHI – Limitations on use of disclosure for marketing & fundraising

• Expanded individual rights – Patients have the right to electronic copies f PHI, and the right to RESTRICT PHI to health plan where the patient has paid out of pocket.

• Enhanced penalties and enforcement – Penalties are capped at max of $1.5 per violation

• Modified breach notification protocol – Entities no longer have discretion in deciding whether an incident was a “breach”. You must report

The Final Rule is effective on March 26, 2013, and compliance is required by September 23, 2013

2013 HIPAA Final Rule

Your practice is responsible for taking the steps needed to protect the confidentiality, integrity and availability of health information, to comply with HIPAA Policies that are already in place, and to comply with CMS Meaningful Use Requirements.

Who is responsible for Privacy and Security?

To facilitate the electronic exchange of patient information a secure and professionally maintained internet connection is a necessity, not an option.

To gain patients’ trust, it is important to ensure that all security measures and policies are up-to-date and enforced.

 

Health Information Exchange

Surgeons of Lake County – Server taken over Billing service recycles paper PHI – Doctors

fined $140K Hospice of North Idaho – Laptop stolen $50K

fine Common Themes

◦ “did not adequately implement sufficient protections to ensure security of electronic protected health information”

◦ “failed to manage business associate relationships”

Examples – Don’t become a headline – “small breaches”

Build and manage infrastructure. Departmentalize staff & set security levels. Manage vendor relationships; have BAA’s when required

(new laws effective 2013), audit annually. Develop security awareness programs and training,

repeating regularly. Keep documentation for audit purposes.

Each Practice MUST have a Privacy AND a Security Officer – and they must fulfill their responsibilities

Anticipate and Address Patient Privacy Concerns.

Conclusion

To fulfill requirements for Stage 1 Meaningful Use EP’s needed to attest they have met certain requirements regarding use of the EHR for patient care.

The attestation for Core Measure 15 is a confirmation, on the part of the EP, that those requirements have been met.

CMS is actively conducting audits on information systems (IS) to ensure those requirements have been successfully met and documented. You are required to conduct a security risk analysis, implement security updates and identify security deficiencies.

MU Core Measure 15

CalOHII provides several unique tools to help California patients, providers, and health information organizations understand secure exchange of health information.There is a very valuable FREE tool available to you to perform a self-security audit.

The HIPAA Security Toolkit is designed to assist medium to small providers with understanding HIPAA security standards requirements and for them to ascertain their organization’s HIPAA security needs.

• Click on the link• Create a user account• Allow approximately. 1-2 hours to complete• Review report. You will be able to go back into the system and

update your answers as you identified gaps and develop processes, policies and procedures.

Self-Assessment Security Audit Tool

Resources

It is highly recommended that you conduct a security self-audit. CalOHII has a free tool available to guide you through the process and provide you with reports which allows you to save and update as you correct areas of compliance concerns.

https://www.ohii.ca.gov/securitytool/downloads/CalOHII_HSR_User_Guide.pdf

http://www.ohii.ca.gov/calohi/PrivacySecurity/ToolstoHelpYou.aspx

Other resources available:

Health Information Privacy, Security, and Your EHR: http://www.healthit.gov/providers-professionals/ehr-privacy-security

Communicating with your patients about health information privacy: http://www.healthit.gov/patients-families

Healthcare Info Security: http://www.healthcareinfosecurity.com

Local resources Public Website with the entire series of

webinars and documents in February PMG “Blue Portal” PMG Technology Support 465-7877

What’s Next?

CHEQ Interface Grant Announcement – Webinar Mon, Feb 4, 2013

Choosing an EHR – Webinar Fri, Feb 15, 2013

Direct Messaging – Webinar Tues, Feb 19, 2013

2013 PMG Electronic Citizenship – Webinar, Thurs, Feb 28, 2013

Questions?

Thank you for attending !

Please complete the survey that you will be receiving shortly

We welcome your feedback and comments!

Contact: info@pmgscc.com PMG IT Depart. 831-465-7877