Tag Archives: privacy

Mac McMillan Speaking at Hawaii-Alaska Chapter of HIMSS

Hawaii-Alaska Chapter of HIMSS Brownbag

October 9, 2012 @ 11:30

HMSA Building Multi-Purpose Room (MPR)

OCR Random Audits: A Look Inside

Presenter: Mac McMillan, HIMSS Privacy and Security Policy Task Force

This presentation will allow attendees the opportunity to discuss the OCR Random audit process, learn ways to assess their program and prepare for an audit.

During this session participants will:

• Discuss what the audit process looks like and what to expect
• Understand how to prepare your facility/department for the audit process
• Understand how to review your program to understand weaknesses
• Review lessons learned from early audits
• Heightened Enforcement and the Omnibus Rule
• Where enforcement is at today and the signal HHS is sending

Mac McMillan serves as the National Chair for the HIMSS Privacy and Security Policy Task Force. The newly-formed HIMSS Privacy and Security Policy Task Force was established to bring together a group of industry thought leaders to support HIMSS’s formal response to new legislation and regulation, as well as to develop HIMSS policy position papers and tools that relate to healthcare privacy and security. One of the goals of the Task Force is to collaborate with fellow professional organizations like HFMA, MGMA, AHIMA, HCCA, etc. to formulate a broader industry response, when appropriate, as well.

___________________________________________________________

This is the fourth Brown-bag luncheon with this year’s theme of “Bringing Healthcare Information Technology to the Consumer”:

– July – Hawaii Health Connector (insurance exchange), presented by Coral Andrews, the Connector’s executive director
– August – Update on HIMSS Advocacy, presented by Lee Castonguay, with Colin Underwood from Alaska
– September – Can Smart Cards help the consumer get more engaged in healthcare?, presented by David King-Hurley of LifeNexus
– UPCOMING – October 9 – OCR Random Audits: A Look Inside, presented by Mac McMillan, HIMSS Privacy and Security Policy Task Force

• Using Technology to Keep Seniors at Home
• Personal Health Records in the Cloud
• HIE for Everyone
• Privacy and Identity is a requirement
• MU 2 and 3, impacts on the consumer
• HIT Day for Public Policy
• Analytics and You
• Use of Games in Health Care

Van Zimmerman Presenting, North Central Regional Conference

North Central Regional Conference
October 5th, 2012
Indianapolis, IN

OCR Random Audits: A Look Inside
Presenter: Van Zimmerman, Principal, Privacy & Security, CynergisTek
This presentation will allow attendees the opportunity to discuss the OCR Random audit process, learn ways to assess their program and prepare for an audit.
During this session participants will:
• Discuss what the audit process looks like and what to expect
• Understand how to prepare your facility/department for the audit process
• Understand how to review your program to understand weaknesses
• Review lessons learned from early audits

2012 AHIA ANNUAL CONFERENCE

Independence and Beyond: Assurance, Insight and Value

AHIA, 31st Annual Conference

August 26th – August 29th, 2012 in Philadelphia, Pennsylvania at the Loews Hotel

Agenda:

• Top privacy and security issues found in HHS investigations
• Lessons learned from current breach data
• How to improve your compliance program

About CynergisTek

CynergisTek is an authority in healthcare information security and privacy management, regulatory compliance, IT audit and advisory services, business continuity management, security technology selection and implementation, and secure IT infrastructure architecture and design solutions. The firm offers practical, manageable and affordable consulting services for organizations of all sizes and complexity. Using an organized, planned and collaborative approach, CynergisTek applies multidisciplinary expertise to serve as partner and mentor, to enhance the consulting experience and, ultimately, clients’ compliance and business performance. CynergisTek participates in and contributes to HIMSS, AHIMA, HFMA, HCCA, AHIA and other industry bellwether organizations. For more information visit http://www.cynergistek.com, call 512.402.8550 or email info@cynergistek.com.

HITECH Stage 2 Rules Unveiled

EHR Incentive Program Regulations Address Encryption

By Howard Anderson, August 23, 2012.

The two final rules for Stage 2 of the HITECH Act’s electronic health record incentive program, which address encryption and other privacy and security issues, were released on the Federal Register Electronic Public Inspection Desk Aug. 23. Both rules from the Department of Health and Human Services are slated to be officially published in the Federal Register on Sept. 4.

The meaningful use rule spells out the requirements for how hospitals and physicians must use EHRs to qualify for a second round of incentives, beginning in 2014. The software certification rule spells out the requirements for EHR applications that qualify for Stage 2.

The HITECH Act incentive program, part of the economic stimulus package, is providing billions of dollars in incentives to hospitals and physician groups that meet the requirements for meaningfully using EHRs. The incentives are slated to be paid out in several stages.

Meaningful Use

The Stage 2 meaningful use rule, developed by HHS’ Centers for Medicare and Medicaid Services, requires that participants conduct a risk assessment, as was required in Stage 1. However, the Stage 2 rule specifically requires that the analysis address “the encryption/security of data stored in CEHRT [certified electronic health records technology].” The rule also requires providers to “implement security updates as necessary and correct identified security deficiencies as part of the provider’s risk management process.”

“We did not propose to change the HIPAA Security Rule requirements, or require any more than is required under HIPAA,” an explanation within the rule states. “We only emphasize the importance of a [physician/other professional] or hospital including in its security risk analysis an assessment of the reasonable[ness] and appropriateness of encrypting electronic protected health information as a means of securing it, and where it is not reasonable and appropriate, the adoption of an equivalent alternative measure.”

The Privacy and Security Tiger Team, an advisory group that recommended the provision, said it was necessary to help call attention to the importance of protecting “data at rest” because so many major health information breaches have involved the loss or theft of unencrypted devices that stored patient information.

The meaningful use rule “continues to reaffirm the importance of doing security assessments and mitigation,” says Farzad Mostashari, M.D., who heads the HHS Office of the National Coordinator for Health IT. “People really rely legally, and in terms of the professional ethos, on an expectation that their providers will keep their information confidential and secure. And as they’re transitioning to electronic health records, they have to make sure they’re following all the administrative and physical safeguards, as well as technical safeguards.”

Software Certification

The Stage 2 software certification rule, developed by Mostashari’s office, requires that EHR software be designed to encrypt, by default, electronic health information stored locally on end-user devices.

“The general policy we express in this certification criterion requires EHR technology designed to locally store electronic health information on end-user devices to encrypt such information after use of EHR technology on those devices stops,” the rule states. The rule also states that locally stored “is intended to mean the storage actions that EHR technology is programmed to take (i.e., creation of temp files, cookies, or other types of cache approaches) and not an individual or isolated user action to save or export a file to their personal electronic storage media. … We have clarified that in this scenario, the EHR technology must be set by default to perform this capability and, unless this configuration cannot be disabled by any user, the ability to change the configuration must be restricted to a limited set of identified users.”

The rule points out that an EHR technology developer would not have to demonstrate that its EHR technology can encrypt electronic health information locally stored on end-user devices “if the EHR technology is designed to prevent electronic health information from being locally stored on end-user devices after use of EHR technology on those devices stops.”

(Marianne Kolbasuk McGee contributed to this story).

Patients worried about medical records going digital

Many Americans — 85% in a new survey — report having fears about the privacy of their records as more physician practices adopt EHRs.

By PAMELA LEWIS DOLAN, amednews staff. Posted Aug. 20, 2012.

It took some time to get a majority of physicians in the U.S. to agree that it would be beneficial to implement electronic health records in their practices. Now, a survey finds, the most skeptical audience for EHRs is patients.

A survey of more than 2,100 patients by Xerox found that only 26% want their medical records to be digital, down two percentage points from a year ago. Only 40% believe EHRs will result in better, more efficient care. And 85% expressed concern about digital records. Their main worries: privacy and security of their information.

When asked what, specifically, worries them about EHRs, respondents said they were concerned that their information could be stolen by a hacker (63%), the files could be lost, damaged or corrupted (50%), their personal information could be misused (51%), or a power outage or computer problem could prevent doctors from accessing their information (50%). Fifteen percent said they had no worries.

There are many things in medicine that patients tolerate but don’t necessarily like. If most physicians will be electronic soon anyway, some physicians may wonder why it’s important to convince their patients that EHRs are a good thing instead of just letting them learn to live with them.

As the health care system shifts from one that focuses on acute care and treating patients who are sick to one that promotes wellness, “We need the patients as active participants,” said Philip Payne, PhD, chair of the Ohio State University College of Medicine’s Dept. of Biomedical Informatics. The EHR is an important tool to engage patients, he said.

Despite the benefits an EHR might bring, major data breaches are announced on virtually a weekly basis. For example, in the summer of 2012, a computer containing the medical information of 2,500 patients from the Stanford (Calif.) Hospital & Clinics and the School of Medicine was reported stolen. In Connecticut, information on more than 7,461 VNA Healthcare patients and 2,097 Hartford Hospital patients was lost when a computer belonging to a data analysis vendor was stolen. Beth Israel Deaconess Medical Center in Boston announced that the health information of 3,900 patients was put at risk when a physician’s personal laptop was stolen.

How to give assurance

The main message physicians should be spreading to patients who are concerned about breaches is that “people do bad things, whether it’s in paper form or electronic form,” said Mary Griskewicz, senior director of ambulatory health information systems for the Healthcare Information and Management Systems Society.

Michael Hobaugh, MD, PhD, chief of medical staff at La Rabida Children’s Hospital in Chicago, said if patients express concerns about data safety, physicians can tell them that there are many safety features of an EHR that patients never had with paper.

“The biggest assurance that patients have regarding electronic medical records is that anytime anybody looks at something or prints something, there is a record of who did it,” Dr. Hobaugh said. “That was not true of paper charts.”

Christine Bechtel, vice president of the National Partnership for Women and Families, said a survey her organization conducted, similar to the one by Xerox, found respondents rating EHRs higher than paper across the board in various safety and quality measures. She said the survey, released in February, shows that even if patients worry about their own information, many are showing confidence in EHRs in general.

Griskewicz said physicians need to be educated on how and when to engage consumers when it comes to technology adoption. HIMSS launched the HIMSS eConnecting with Consumers Committee this year, whose focus is to provide physicians with tools and education surrounding patient engagement and technology.

Many patient concerns stem from the fact that the value of EHRs has not been made clear to patients, Payne said.

“We really have to figure out how we make the EHR a focal point of collaboration between patients and members of multidisciplinary care teams rather than just a thing that’s in the room that we have to use to document so we can bill,” he said.

What patients think about EHRs

A survey found that patients have concerns when it comes to electronic health records, mainly about risks to their private information.

63%: With EHRs my information could be stolen by a hacker.
51%: My personal information could be misused.
50%: Digital medical records could be lost, damaged or corrupted.
40%: Digital records mean better, more efficient care.
31%: I feel I am adequately informed about when and how my medical records are used.
26%: I want my records to be digital.
26%: EHRs have improved my interactions with my physician office.
24%: My doctor involved me in the conversion from paper to electronic.
21%: I expect EHRs to improve the quality of service I receive.
14%: I think my health care provider is technically savvy enough to use EHRs.

Source: Third annual electronic health records survey, Xerox, July

Alaska DHSS settles HIPAA security case for $1,700,000

The $1.7M fine levied on the Alaska Department of Health and Social Services should pique the interest of compliance officers and risk managers across the healthcare industry.

One stolen USB storage drive. 501 Medicare beneficiaries. A mandatory report to OCR with its customary investigation. A $1.7M fine. A Resolution Agreement. A Corrective Action Plan. Three years of independent monitoring of its compliance.

These are the new stakes associated with data breaches. In looking specifically to the Corrective Action Plan documented for the Alaska DHSS, its obligations include:

1. Remediation, Update and Dissemination of Policies and Procedures
2. Workforce Training
3. Risk Analysis and Risk Management Process Remediation
4. Designation of an Independent Monitor for a period of 3 Years

Visit http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/alaska-agreement.html for the detail on the OCR’s enforcement in this case.

Would a reported breach open a Pandora’s Box in your organization? Most of you that we speak with have a fair amount of anxiety about the health of your HIPAA/HITECH privacy and security compliance posture, but continue to struggle to get executive sponsorship and budget for activities that you consider essential and fundamental to your operations and compliance mission.

The circumstances of this breach provide you the “conversation starter” that you may need to engage or re-engage your leadership around HIPAA/HITECH compliance. Further, the comments offered by OCR affirm what we have learned through the HIPAA Audit Program about our industry’s opportunities for improvement and compliance program priorities.

Contact us if we can be of assistance.