Tag Archives: Meaningful Use

HIMSS13 Meaningful Use Symposium

One of the hot topics at this year’s Annual HIMSS Conference is Meaningful Use (“MU”). There are several sessions and exhibit hall activities dedicated to providing attendees with a better understanding of, and more guidance on, meeting the requirements of the various stages of MU. On Sunday, March 3rd HIMSS will host a MU Pre-Conference Symposium, “Transform MU from an IT Project to an Organizational Initiative”. Throughout the day many experts will present informative sessions that review the lessons learned and challenges of MU Stage 1 and Stage 2, educate and prepare attendees for MU audits, and identify future requirements and implications.

CynergisTek encourages attendees to take advantage of these informative sessions and cordially invites attendees to Mac McMillan’s MU Symposium presentation, “Meaningful Use Audits – What Your Provider Organization Needs to Know”. During this hour-long session Mr. McMillan will provide insight on what a MU audit looks like, what documentation is required, and how to be prepared for one. Attending the session will also give attendees a much better understanding of MU regulation, compliance and security risks.

What: Meaningful Use Audits – What Your Provider Organization Needs to Know

When: March 2, 2013, 2:30 PM – 3:30 PM

Where: Ernest N. Morial Convention Center, Room 280

Need more info? Click here to visit HIMSS13 Conference Event Details.

Attestation To Audit: A Serious Responsibility

Written by Mac McMillan, FHIMSS, CISM | February 15, 2013

The final statement in the Attestation that healthcare providers have to sign says it all. “I certify that the foregoing information is true, accurate and complete. I understand the Medicare/Medicaid EHR incentive program payment I requested will be paid from Federal Funds, that by filing this attestation I am filing a claim for Federal Funds, and the use of any false claims, statements, or documents, or the concealment of a material fact used to obtain Medicare/Medicaid EHR incentive program payment, may be prosecuted under Federal or State criminal laws and may also be subject to civil penalties.” And the Federal government is beginning to get serious about making sure those statements are indeed accurate. If they are not, it puts the organization at risk of having to return incentive payments received, as some have had to do already, or worse, of facing additional fines or criminal penalties. At a time when the industry is struggling with small operating margins, the cost of implementing CEHRT and other technologies, and additional compliance-related costs, we can ill afford to have this happen.

So what is required to meet the privacy and security requirements of Meaningful Use for Stage 1? Essentially organizations must meet Core Measures 12 and 15 and be able to demonstrate three things. The first is that they have acquired and implemented a Certified Electronic Health Record Technology (CEHRT) in a meaningful way. A meaningful way, as it relates to security, is defined as fully implemented and using all of the security functionality (technical controls) that the system offers. Second, they must demonstrate the ability to provide access to the patient’s medical record and information upon request in accordance with Core Measure 12 and the Privacy Rule requirements around proper uses and disclosures. Third, they must conduct or review a risk analysis in accordance with the original HIPAA Security Rule requirement prior to attesting and address remediation of gaps identified during the attestation period. The reason the requirement specifically says “conduct or review” is that if the organization has already completed a risk analysis, which it should have done to meet HIPAA compliance, then it is not required to conduct a full-blown risk analysis, but simply to review the one it has already completed, taking its CEHRT system into consideration. Essentially there is nothing in Meaningful Use Stage 1 that is not already required by HIPAA.

Meaningful Use Stage 2 builds on Stage 1 and makes minor changes and additions to the security requirements, but again it does not change the basic requirements specified in HIPAA. For Stage 2 the Risk Analysis requirement is broadened to include documentation of encryption use, and it becomes an annual requirement in conjunction with the attestation year. The basic requirement, however, remains the same: conduct or review a risk analysis in accordance with the HIPAA Security Rule standard. Stage 2 adds the requirement for both Eligible Providers (EPs) and Eligible Hospitals (EHs) to demonstrate the ability to communicate securely with patients and provide secure access to their medical information. For EPs there is a measurable component to this requirement: a small percentage of patients must use secure communications with them. Stage 2 also rearranges some of the functionality requirements of the CEHRT, but it does not change them. The basic technical controls called for in the HIPAA Security Rule are still required. Procedurally there are a couple of changes, such as identifying specifically who can activate the Emergency Access Procedure, as opposed to simply having an emergency access procedure. Again, there is nothing required here that is not already present in HIPAA.

In the early part of 2012 the General Accounting Office conducted a review and called for better oversight of incentive payments under Meaningful Use, citing that CMS was not actively verifying that healthcare organizations applying for such funds were providing accurate information during the attestation process. In response CMS launched an audit program with an outside audit firm to collect information concerning attestations. Coincidentally the HHS OIG also launched a survey which, by the nature of its questions regarding CEHRT implementation and the barriers to it, also provides insight into the accuracy of those attestations. Many are already saying that the audits do not go far enough to verify these attestations. Audits in the future may take on an approach more like OCR’s HIPAA audits, involving on-site review and interviews as well as documentation review. The point is that this is a serious responsibility with potentially serious consequences. Organizations need to ensure that security readiness is an integral component of their Meaningful Use compliance projects. The good news is that this should not be a major challenge if an organization is already meeting its HIPAA Security Rule requirements. The Office of the National Coordinator for Health IT has produced an excellent guide to help organizations understand and meet these requirements.

Guide to Privacy and Security of Health Information: http://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf

HITECH Stage 2 Rules Unveiled

EHR Incentive Program Regulations Address Encryption

By Howard Anderson, August 23, 2012.

The two final rules for Stage 2 of the HITECH Act’s electronic health record incentive program, which address encryption and other privacy and security issues, were released on the Federal Register Electronic Public Inspection Desk Aug. 23. Both rules from the Department of Health and Human Services are slated to be officially published in the Federal Register on Sept. 4.

The meaningful use rule spells out the requirements for how hospitals and physicians must use EHRs to qualify for a second round of incentives, beginning in 2014. The software certification rule spells out the requirements for EHR applications that qualify for Stage 2.

The HITECH Act incentive program, part of the economic stimulus package, is providing billions of dollars in incentives to hospitals and physician groups that meet the requirements for meaningfully using EHRs. The incentives are slated to be paid out in several stages.

Meaningful Use

The Stage 2 meaningful use rule, developed by HHS’ Centers for Medicare and Medicaid Services, requires that participants conduct a risk assessment, as was required in Stage 1. However, the Stage 2 rule specifically requires that the analysis address “the encryption/security of data stored in CEHRT [certified electronic health records technology].” The rule also requires providers to “implement security updates as necessary and correct identified security deficiencies as part of the provider’s risk management process.”

“We did not propose to change the HIPAA Security Rule requirements, or require any more than is required under HIPAA,” an explanation within the rule states. “We only emphasize the importance of a [physician/other professional] or hospital including in its security risk analysis an assessment of the reasonable[ness] and appropriateness of encrypting electronic protected health information as a means of securing it, and where it is not reasonable and appropriate, the adoption of an equivalent alternative measure.”

The Privacy and Security Tiger Team, an advisory group that recommended the provision, said it was necessary to help call attention to the importance of protecting “data at rest” because so many major health information breaches have involved the loss or theft of unencrypted devices that stored patient information.

The meaningful use rule “continues to reaffirm the importance of doing security assessments and mitigation,” says Farzad Mostashari, M.D., who heads the HHS Office of the National Coordinator for Health IT. “People really rely legally, and in terms of the professional ethos, on an expectation that their providers will keep their information confidential and secure. And as they’re transitioning to electronic health records, they have to make sure they’re following all the administrative and physical safeguards, as well as technical safeguards.”

Software Certification

The Stage 2 software certification rule, developed by Mostashari’s office, requires that EHR software be designed to encrypt, by default, electronic health information stored locally on end-user devices.

“The general policy we express in this certification criterion requires EHR technology designed to locally store electronic health information on end-user devices to encrypt such information after use of EHR technology on those devices stops,” the rule states. The rule also states that locally stored “is intended to mean the storage actions that EHR technology is programmed to take (i.e., creation of temp files, cookies, or other types of cache approaches) and not an individual or isolated user action to save or export a file to their personal electronic storage media. … We have clarified that in this scenario, the EHR technology must be set by default to perform this capability and, unless this configuration cannot be disabled by any user, the ability to change the configuration must be restricted to a limited set of identified users.”

The rule points out that an EHR technology developer would not have to demonstrate that its EHR technology can encrypt electronic health information locally stored on end-user devices “if the EHR technology is designed to prevent electronic health information from being locally stored on end-user devices after use of EHR technology on those devices stops.”

(Marianne Kolbasuk McGee contributed to this story).

It’s Official…CMS Audits of Meaningful Users Commence

From Ober Kaler’s Health Law Alert Newsletter, 2012: Issue 12 – Focus on HIPAA/Privacy, we learn from James B. Wieland and Joshua J. Freemire that it is “unofficially official” – audits of meaningful users have begun.

Are Mandatory 14/15 the chink in a meaningful user’s armor? After all, the other core measures are explicit and require daily measurement. Most meaningful users have cracked the code on such measurement and reporting. But what is the measurement that demonstrates your organization is “protecting electronic health information” with the same vigilance and accountability you apply to the other core measures?

Did you perform or review a risk analysis consistent with the ONC’s published guidance? A real risk analysis?

Do you have a documented plan to remediate any deficiencies or unacceptable risks? 

How do you document your performance against that plan? It is probably unrealistic, impractical or of little value to measure daily, but can we agree that a monthly “status” is reasonable? If so, is your organization performing to that level?

Do not let the simplicity of the “check box” for Mandatory 14/15 on the attestation profile fool you into a false sense of security (no pun intended) about your organization’s performance. In fact, in its simplicity it may represent the greatest risk to your organization in the event of an audit.

The cost/benefit analysis here is really a no-brainer when you consider that the penalty for a fraudulent attestation could be as much as 3x the stimulus your organization has received. If there is any doubt in your organization’s mind that you have met the requirement of Mandatory 14/15, now is the time to take action.

Wieland and Freemire write:

A number of health care providers that attested to Meaningful Use for Stage 1 have received a letter from Figliozzi and Company, acting as CMS’s auditor for the EHR Incentive Program (the “Program” or “Meaningful Use Program”), requesting certain records related to the attestation. CMS has not, as of this writing, made any announcement of this audit initiative or of the engagement of Figliozzi and Company. While it is always good policy to confirm the identity and authority of any entity claiming a right to review or audit records, these letters are legitimate. Citing its statutory authority under the American Recovery and Reinvestment Act (ARRA), and without any fanfare, CMS has begun to audit the attestation materials.

The letters from Figliozzi and Company, as the Department of Health and Human Services (HHS) Secretary’s designee, request four categories of information:

  • Audited entities are asked to produce a copy of their certification from the HHS Office of the National Coordinator for Health Information Technology for the technology they used to meet Program requirements. Presumably, this documentation will be used to demonstrate that the entity “possesses” a certified Electronic Health Record technology system as required under Program rules.
  • Audited entities are asked to provide documentation to support the method (observation services or all emergency department visits) they chose to report emergency department admissions. This distinction plays a large role in several of the Program requirements as it determines which patients were included in the denominators of certain meaningful use core and menu items.
  • Audited entities are asked to supply supporting documentation with regard to their completion of the attestation module responses as to core set objectives and measures. While the audit letter’s request is not specific, it would appear that this request is intended to solicit information beyond that already provided to CMS as part of the attestation process. A hospital might consider, for instance, producing reports substantiating the encounters that gave rise to the calculation relied upon to successfully attest. Such reports should be de-identified.
  • Audited entities are asked to supply supporting documentation with regard to their completion of the attestation module responses as to “menu set,” or voluntary, objectives and measures. Again, the information request appears to solicit a level of information beyond that provided in the attestation documents themselves.

Based on questions from recipients, an amended version of the audit letter has been sent out, adding “(i.e., a report from your EHR system that ties to your attestation)” to the latter two categories of requested documentation. This clarifies that the audit letters seek additional detailed information but are not, at this time, requesting identifiable or detailed patient records.

The audit letters do not provide audited entities much time to respond – a short, two-week response time is specified. Unfortunately, it is also unclear how audit candidates are selected, so hospitals and professionals will not be able to “plan ahead” for an audit they can be certain is coming.

You may also appreciate an article on FierceEMR today by Marla Durben Hirsch on this topic: CMS starts Meaningful Use attestation audits – FierceEMR http://www.fierceemr.com/story/cms-meaningful-use-attestation-audits-providers/2012-07-23#ixzz21VMMAsFc

To learn more:
– here’s some general information from CMS
– read the GAO report
– check out the FAQ

ONC Publishes Guide to Privacy and Security of Health Information

The Department of Health and Human Services’ Office of the National Coordinator for Health IT has published a comprehensive guide to keeping health information private and secure.

The guide is designed to help healthcare organizations, especially smaller ones, better understand the role privacy and security play in the use of electronic health records as they participate in the HITECH Act EHR incentive program. “We issued the guide to provide organizations with a useful tool to help them integrate privacy and security into their organizations as they achieve [EHR] meaningful use,” says Joy Pritts, ONC’s chief privacy officer.

This resource could not come at a better time. As the OIG readies its audit program for meaningful users and as OCR continues to roll out its HIPAA Audit Program, organizations need to remain steadfast in their privacy and security management efforts.

Some weekend reading for you all!

ONC-Privacy and Security Guide

CynergisTek to Showcase HIPAA Audit Readiness Solution Portfolio at 2012 HCCA Compliance Institute

Company Co-Designed Solution Series with Davis Wright Tremaine LLP; Drew Upon Firsthand Experience Providing Consulting and Advisory Services Under HIPAA Audit Pilot Program

Las Vegas, April 26, 2012 – HCCA Booth #205 – CynergisTek™, an authority in enterprise security and privacy solutions and services for healthcare organizations, today announced that the company will feature its new joint offering, the HIPAA Audit Readiness Solution Portfolio, at the 16th Annual HCCA Compliance Institute from April 29 through May 2 in Las Vegas. The CynergisTek experts designed the solution series in collaboration with the health information technology (HIT) and HIPAA team of national law firm Davis Wright Tremaine LLP (DWT).

At the HCCA booth, experts from each organization, including CynergisTek CEO Mac McMillan and DWT Partner Adam Greene, will be on hand discussing the new audit readiness portfolio, which was architected specifically to evaluate and improve an organization’s compliance with HIPAA/HITECH based on OCR’s HIPAA Audit Program. The companies will highlight the portfolio’s customized services, designed to accommodate the different audit readiness objectives of every healthcare organization, with components covering the full scope of audit preparation, from training and risk assessment to a full mock audit. In addition, McMillan and Greene will host “Ask the Expert” informal breakfast briefings in the exhibit hall on the mornings of April 30th and May 1st.

“The experience CynergisTek gained working with one of the hospitals selected for OCR’s HIPAA Audit Pilot Program provided us an opportunity to glimpse into the upcoming phase of compliance and enforcement that will soon become a reality for all healthcare organizations,” said McMillan. “In developing the solution series with DWT, we wanted to address new complexities that are being added to the already-daunting challenges facing compliance professionals today. In unveiling the HIPAA Audit Readiness Portfolio and engaging in discussions with our colleagues at the HCCA Compliance Institute, we hope to make strides in ensuring all healthcare organizations are equipped to handle OCR’s impending enforcement.”

CynergisTek will also be featuring its additional solutions and services, which are specifically designed to help healthcare organizations improve their security and privacy posture, facilitate compliance, advance operational efficiency and foster trust. CynergisTek’s managed and on-demand solutions address the fundamental elements of information security management, including:

  • Strategy and Governance
  • Compliance and Risk
  • Infrastructure
  • Technical Vulnerability Management
  • Audit
  • Managed Security Solutions

To learn more about the CynergisTek-DWT HIPAA Audit Readiness Solution Portfolio and CynergisTek’s range of enterprise security and privacy solutions and services for healthcare organizations, visit HCCA booth #205.

About CynergisTek

CynergisTek is an authority in healthcare information security and privacy management, regulatory compliance, IT audit and advisory services, business continuity management, security technology selection and implementation, and secure IT infrastructure architecture and design solutions. The firm offers practical, manageable and affordable consulting services for organizations of all sizes and complexity. Using an organized, planned and collaborative approach, CynergisTek applies multidisciplinary expertise to serve as partner and mentor, to enhance the consulting experience and, ultimately, clients’ compliance and business performance. CynergisTek participates in and contributes to HIMSS, AHIMA, HFMA, HCCA, AHIA and other industry bellwether organizations. For more information visit http://www.cynergistek.com, call 512.402.8550 or email info@cynergistek.com.

About Davis Wright Tremaine LLP

The national healthcare practice of Davis Wright Tremaine provides clients with comprehensive regulatory and transactional services, along with real estate, labor/employment, benefits, litigation, financing (including tax-exempt financing), bankruptcy and tax work. Most healthcare clients also face intense challenges in electronic health records and information management. The health information technology and HIPAA team of Davis Wright Tremaine is deeply involved in helping clients take advantage of emerging technical opportunities and cope with related obligations, including the ongoing HIPAA audits. Learn more at www.dwt.com or contact Adam Greene directly at adamgreene@dwt.com.

###

Media Contact:

Megan Malarkey

Senior Account Executive

Aria Marketing

(617) 332-9999, x215

mmalarkey@ariamarketing.com