Meaningful Use
Sarah Corley, MD, FACP, FHIMSS
CME Disclosures
◦ Conflict of interest:
◦ Employee and stockholder, NextGen Healthcare
Vision for Meaningful Use
• Enable significant and measurable
improvements in population health
through a transformed healthcare
delivery system
• Improve quality, safety, and efficiency
• Engage patients and their families
• Improve care coordination
• Improve population and public health
• Ensure privacy and security
protections
Congress Specified 3 Requirements
• Use of certified EHR technology in a
meaningful manner
• The certified EHR is connected for the
electronic exchange of health
information to improve the quality of
care
• The provider reports on clinical quality
measures and such other measures
selected by the Secretary
Medicare
Eligible Practitioner Overview
• Physicians, some Dentists, Podiatrists,
Optometrists, & Chiropractors
• Participate under the physician fee
schedule
• Five year program, started in 2011
• Maximum $44,000
• 10% more for HPSA designation: $48,400
• Decreased payments for starting after 2012
• Penalties start in 2015
Medicaid
Eligible Practitioner Overview
• Physicians, Dentists, CNMs, NPs, PAs (only in a rural health clinic or FQHC led by a PA)
• 30% by volume Medicaid, 20% for Pediatricians
• Six year program through 2021
• Maximum $63,750
• Front loaded: 1st year $21,250, following years $8,500
• No Reporting the first year, just adopt, implement, or upgrade
Health IT-Enabled Health Reform: A Phased, Incremental Approach
Stage 1: Capture data in coded format
Stage 2: Expand exchange of information in the most structured format possible
Stage 3: Focus on CDS for high priority conditions, patient self management, and access to comprehensive data
CMS EHR Incentive Program: Medicare Incentives for Eligible Professionals
Maximum Payment (EPs) and PFS Penalty
First Year  2011         2012         2013         2014         2015         2016         Total     PFS Penalty
2011        $18,000 (1)  $12,000 (1)  $8,000 (1)   $4,000 (2)   $2,000 (2)   - (3)        $44,000
2012                     $18,000 (1)  $12,000 (1)  $8,000 (2)   $4,000 (2)   $2,000 (3)   $44,000
2013                                  $15,000 (1)  $12,000 (1)  $8,000 (2)   $4,000 (2)   $39,000
2014                                               $12,000 (1)  $8,000 (1)   $4,000 (2)   $24,000
2015                                                                                      $0        -1%
2016                                                                                      $0        -2%
2017+                                                                                     $0        -3%
CMS EHR Incentive Program: Medicaid Incentives for Eligible Professionals
Medicaid EHR Payments (EPs)
First Year  2011     2012     2013     2014     2015     2016     2017     2018     2019     2020     2021     Total
2011        $21,250  $8,500   $8,500   $8,500   $8,500   $8,500   -        -        -        -        -        $63,750
2012                 $21,250  $8,500   $8,500   $8,500   $8,500   $8,500   -        -        -        -        $63,750
2013                          $21,250  $8,500   $8,500   $8,500   $8,500   $8,500   -        -        -        $63,750
2014                                   $21,250  $8,500   $8,500   $8,500   $8,500   $8,500   -        -        $63,750
2015                                            $21,250  $8,500   $8,500   $8,500   $8,500   $8,500   -        $63,750
2016                                                     $21,250  $8,500   $8,500   $8,500   $8,500   $8,500   $63,750
Payment Adjustments
• EPs must be a meaningful user
before October 1, 2014 to avoid
adjustment in payments
• EPs must continue to demonstrate
meaningful use every year to avoid
payment adjustments in subsequent
years
• Payment adjustments are based on
prior year reporting
Payment Adjustments
Exceptions
• Exemption for hospital-based
physicians or other eligible
professionals (EP)
• Lack of availability of internet access
or barriers to obtaining IT
infrastructure
• A time-limited exception for newly
practicing EPs
• Unforeseen circumstances such as
natural disasters
Payment Adjustments
For an EP who has demonstrated meaningful use in 2011 or 2012:
Payment Adjustment Year                  2015   2016   2017   2018   2019   2020
Based on 90 day EHR Reporting Period            2014
Based on Full Year EHR Reporting Period  2013          2015   2016   2017   2019
For an EP who demonstrates meaningful use in 2013 for the first time:
Payment Adjustment Year                  2015   2016   2017   2018   2019   2020
Based on 90 day EHR Reporting Period     2013   2014
Based on Full Year EHR Reporting Period                2015   2016   2017   2019
For an EP who demonstrates meaningful use in 2014 for the first time:
Payment Adjustment Year                  2015   2016   2017   2018   2019   2020
Based on 90 day EHR Reporting Period     2014*  2014
Based on Full Year EHR Reporting Period                2015   2016   2017   2019
*In order to avoid the 2015 payment adjustment, attestation must be done no later than October 1, 2014. That means starting the reporting period no later than July 1, 2014.
MU EHR Certifications
Current MU certification remains valid
through 9/30/2013
2014 certification is biennial, not by
Stage
After FFY/CY 2013 ALL users
(regardless of stage) are required to
be on same certified version
Stage 2 Timelines
• Stage 2 reporting start dates
  • January 1st 2014 for EPs
  • October 1st 2013 for EHs
• Reporting requirements for 2014
  • 90 days for everyone
  • Quarterly for Medicare after year 1
  • Any 90 days for Medicaid or Year 1
Medicare
Reporting Mechanism
• Report through an online secure portal
• Tracked by NPI
• Paid to TIN
• Rolling payments first year after qualifying by reporting for 90 days AND billing $24K in allowable charges
• Annual payments every year after EXCEPT 2014 where they are rolling quarterly payments
CMS Self-Service Registration & Attestation Tracking
• This newly enhanced secure tracking system option allows you to:
• Obtain registration status
• Acquire attestation status
• Review payment information
• Check progress towards meeting the $24,000 threshold amount
• https://ehrincentives.cms.gov/hitech/loginCredentials.action
CMS Self-Service Registration & Attestation Tracking
• Dial (888) 734 6433
• Press 3 for Self Service
• Enter the authentication elements:
• Individual National Provider Identifier
(NPI)
• Last five digits of your Tax Identification
Number (TIN)
• EHR registration ID
• Proceed to select tracking options
CMS Meaningful Use Audits
• Contracting with private
organizations to complete
random audits
• Requesting all supporting
materials
• Follow-up requests for more
information are following a
consistent pattern
Keep an Audit File
• Keep documentation for every measure
• All screen shots must show vendor
name to appropriately identify the EHR
product
• Do not show PHI in screen shots
• Keep a copy of office policies &
procedures with your audit
documentation
Example Letter
Initial Audit Requests
General Information
• As proof of possession of a certified
Electronic Health Record technology
system, provide a copy of the Office of
the National Coordinator of Health
Information Technology (ONC)
certification
• Provide licensing agreements with the
vendor or invoices from the time the
system was purchased.
Initial Audit Requests
General Information
• At how many offices/facilities do
you see your patients?
• Do you utilize EHR software in all
of these facilities?
Stage 1 and 2
Minimum Use of EHR
• 50% or more patient encounters
during the reporting period must
occur at a practice/location
equipped with certified EHR
technology.
• An EP can meet the 50 %
threshold through a combination
of practices/locations
Initial Audit Requests
General Information
• Documentation that 50% or more of
patient encounters during the reporting
period have been entered into the
EHR
• An appointment log demonstrating all
appointments that took place during
the reporting period
• as well as
• A list of patient encounters from your
EHR system
Initial Audit Requests
Core Measures
• Provide documentation used in the completion of
the Attestation Module responses (i.e. a report from your EHR system that ties to your attestation).
• If you are providing a summary report from your EHR system as support for your numerators/ denominators, ensure that we can identify that the report has actually been generated by your EHR (i.e. your EHR logo is displayed on the report, or step by step screenshots which demonstrate how the report is generated by your EHR are provided.)
• To support Y/N attestation measures, please supply documentation such as screenshots from your EHR system.
Core/Menu Structure MU Stage 1 vs. Stage 2
Stage 2 Changes
• Thresholds increased
• Menu items became core
• New objectives added
• Exclusions changed
• Details refined
Stage 1 and 2 Core Measure
• Medications- Check for drug-drug interactions and drug-allergy interactions
• Functionality must be enabled for the entire reporting period
• For Stage 2 it is unchanged except that it is reported with the CDS measures
Drug Interaction Checking
Audit
• They are asking for proof that drug interaction checking was enabled for the entire attestation period
• Screen shot of system admin showing minimum DUR is at least a 1 or higher
• Screen shots of DUR overrides from assorted dates
• SQL query to show all DUR activity
Stage 1 Core Measure
CPOE
• >30% of all patients seen with
at least one medication present
in the medication list, must
have at least one medication
order entered by the provider
using CPOE
Stage 1 Changes
• The EP does not have to be the one
who entered the prescription, any
licensed provider counts
• For 2011-2012 they count any
prescription dispensed ever that is still
active
• For 2013 and beyond only
medications dispensed in the reporting
period count
Stage 2 Core Measures
CPOE
• More than 60 % of medications, 30% of
laboratory, and 30% of radiology orders
are recorded using CPOE
• Only ordered in reporting period
• Any externally credentialed individual
can count for the measure
• EP must be selected as ordering MD to
count
Stage 1 Core Measure
e-Prescribing
• ePrescribe >40% of eligible
prescriptions
• Excludes OTCs
• Excludes narcotics
• But not patient preference
• A Formulary must be available
• But not required to be checked
Stage 1 Menu Measure
Formularies
• Implement drug formulary
checking
• Access to at least one internal or
external formulary
• Formularies are available through
e-prescribing functionality
• Attestation only
Drug Formulary Audit
Stage 1
• Provide documentation that the
formulary was available for the entire
reporting period
• A screenshot showing that the
provider has access to a drug
formulary including the NextGen name
• Run a query that will show that
formularies have been installed on the
system
Stage 2 Core Measure
e-Prescribing
• More than 50% of all prescriptions are transmitted electronically
• A query for availability of a drug formulary must be done in order to count
• You may choose to include or exclude controlled substances
• OTC medications don’t count
• Only actual orders count for denominator (printed, faxed, or e-prescribed)
Stage 1 Core Measure
Record Demographics
• More than 50% of all unique patients seen by the EP have demographics recorded as structured data
• Sex
• DOB
• Ethnicity
• Race
• Language
• You may use refused or undetermined
• All 5 demographics must be recorded
Stage 2 Core Measure
Record Demographics
• More than 80% of all unique
patients seen by the EP have
demographics recorded as
structured data
• Multiple races may be selected
• Constrained list of codes
Stage 1 Core Measures
Vital Signs
• Record vital signs for 50% of patients
seen including height (length) and
weight for all patients, and blood
pressure for all patients over the age of
2
• You can use self reported values and
carried forward values
• If neither vital sign is relevant to your
specialty you can attest to that
• Does not need to be done every visit
Changes to Vital Signs
Stage 1
• Vital Sign Age Limit
• Age three for blood pressure, no age limit for Height/Weight (Optional in 2013, required starting in 2014)
• Vital Sign Exclusion
• Allows BP to be separated from height/weight (Optional in 2013, required starting in 2014)
Stage 2 Core Measures
Vital Signs
• More than 80% of all unique patients
age 3 and over have blood pressure
recorded
• More than 80% have height/length
and weight (for all ages) recorded as
structured data
• Length and height radio buttons
added
• Length used for children under age
2
• May exclude either Ht/Wt or BP
Stage 1 Core Measures
Smoking Status
• Record smoking status on more than
50% of all patients over the age of 13
• Must use specific language for reporting
current every day smoker
current some day smoker
former smoker
never smoker
smoker, current status unknown
unknown if ever smoked
Stage 2 Core Measure
Smoking Status
• More than 80% of all unique patients
13 years old or older seen by the EP
have smoking status recorded as
structured data
• Added additional smoker status
descriptions for light and heavy
smokers
• These will be mapped based on
quantity smoked per day
Stage 1 Core Measure
Clinical Decision Support (CDS)
• Implement at least 1 clinical decision support rule related to a high priority or specialty relevant condition including diagnostic test ordering
• Not including drug-drug or drug-allergy interaction checking
• But Drug-Disease, Geriatric, or Pediatric interactions can count
Clinical Decision Support
Audit
• Identify one particular clinical decision
support rule that the physician followed
• Screen shots of the decision support
• Run a report to show compliance with
that item by the provider
• Make sure the report covers the entire
reporting period
Stage 2 Core Measure
Clinical Decision Support (CDS)
• Implement 5 CDS Interventions
• Drug-drug and drug-allergy interaction checking must be enabled
• 4 must be related to 4 or more of the CQMs that you report
• The 5th must be related to improved healthcare efficiency
• Such as avoiding antibiotics for viral infections
• The EHR must support links to evidence
Stage 1 Menu Measure
Labs
• >40% of all labs ordered that have
results that are numeric or
positive or negative need to be
entered in structured data
• This would exclude things like pap
smears, microbiology, pathology
Stage 2 Core Measure
Labs
• >55% of all labs ordered that
have results that are numeric or
positive or negative need to be
entered in structured data
Stage 1 Menu Measure
Patient List
• Generate at least one report of a
list of patients with a given
condition
• Relevant to specialty
Stage 1 Menu Measure
Patient List Audit
• Provide a screen shot of the set up of the report showing the vendor name
• Provide a copy of the report
• Blank out PHI
• You can use the same report for
your clinical decision support
Stage 2 Core Measure
Patient List
• Generate at least one report listing patients with a specific condition related to a CQM selected
• Certification requires reports to include a minimum set of data elements
• Problems
• Lab results
• Meds
• Preferred contact
• Demographics
• Allergies
Stage 1 Menu Measure
Reminders
• Send reminders for follow-up or
preventive services to 20% of all
patients over age 65 or under age
5
• Requires secure electronic
communication
• Sent once during reporting
period
• Appointment reminders don’t
count
Stage 2 Core Measure
Preventive Reminders
• More than 10% of all unique patients
who have had 2 office visits with the
EP within the 24 months prior to the
beginning of the EHR reporting
period were sent a reminder, per
patient preference
• Reminders for appointments are not
counted
Stage 1 Menu Measure
Timely Access
• At least 10% of patients need to have timely electronic access to their data (Labs, problem lists, med list, and allergies)
• Personal health record, patient portal
• Information must be posted within 4 business days of it being updated
• You can exclude some information
• If you allow CCD download you do not need to push data
Stage 2 Core Measure
Patient Access
• More than 50% of all unique patients
seen by the EP during the EHR
reporting period are provided timely
online access to their health
information subject to the EP's
discretion to withhold certain
information (Stage 1 was 10%, menu
set)
• Timely access is within 4 business
days after the information is available
to the EP
Stage 1 Core Measure
Electronic Copy Of Record
• Provide at least 50% of all patients who
request an electronic copy of their health
information within 3 business days
• Need to track requests
• There are fields on the PHI log template
to document request and fulfillment
• The report uses the date requested field
and the date processed for the
numerator
Stage 2 Core Measures
Patient Access-New
• More than 5% of all unique patients
seen by the EP during the EHR
reporting period (or their authorized
representatives) view, download, or
transmit to a third party their health
information
• Requires patients to complete
enrollment and access at least once
• Replaces timely access & provide an
electronic copy of health record
Stage 1 Core Measure
Clinical Summaries
• Provide clinical summaries for 50% of
visits within 3 business days.
• Include lab and diagnostic test orders,
procedures, medication list, &
instructions
• CCD or paper
• Labs only required if available at the time
the summary is generated
• If you have enabled Patient Portal CCD
download, no active actions needed
Stage 2 Core Measure
Visit Summaries
• Provide office visit summaries to
patients within 24 hours for more
than 50% of office visits
• Many data elements added
• CCD acceptable
• Only have to include labs if they are
back at the time the patient visit
summary is generated
Stage 1 Menu Measure
Patient Education
• Provide patient specific education
to at least 10% of patients seen
• Per patient, not per visit
• No requirement for form of
education
• Software should be able to suggest
education but not required to use it
Stage 2 Core Measure
Patient Education
• Patient-specific education
resources suggested by Certified
EHR Technology are provided to
patients for more than 10 % of all
office visits by the EP
• Can only count patient education
that was suggested
• Info Buttons added in Medication,
Allergy, & Problem Module
Stage 1 Menu Measure
Medication Reconciliation
• Perform medication reconciliation 50%
of the time when there is a transition of
care into the practice
• Manual review for care transitions not in
EHR
• New patients
• Patients who have had care elsewhere
• Tracked by completion of interim care
information
Stage 2 Core Measure
Medication Reconciliation
• Medication reconciliation for more
than 65 % of transitions into care
• Any new patient or any patient for
whom you receive a CCD needs to
be reconciled
• The EHR will also support
reconciling allergies and problems
from outside sources
Stage 1 Core
Test of Exchange of Clinical
Information
• Using the Medical Summary Utility
• Exchange must be outside of your
enterprise but can use the same
EHR
• Must be sent electronically
• Can use test patients
Stage 1 Core Audit
Test of Exchange of Clinical
Information
• Keep copy of CCD/CCR sent (no PHI,
use test patient)
• Keep copy of CCD/CCR received
• Document name, date, and software
your data exchange partner was
using
• Get a letter from exchange partner
confirming test of exchange
Health Information Exchange
• MU Stage 1 removed the “one test”
core requirement effective 2013
Stage 1 Core Measure
Medication List
• 80% of patients seen must have an
active medication list or have none
indicated
• No requirement for the EP to have
added the medication
Stage 1 Core Measure
Allergy List
• 80% of patients seen must have
allergies recorded or indication they
have none
Stage 1 Core Measure
Problem List
• 80% of patients seen must have an
“up to date” Problem List
• The report looks for an active
diagnosis in the diagnosis module
or an indication that they have no
active problems
Stage 1 Menu Measure
Summary of Care Record
• Provide a summary care record
50% of the time for transitions of
care out of the practice or for
referral generation
• Must track care transitions
• Referral template includes area to
document CCD sent
Stage 2 Core Measure
Summary of Care Record
• Provide a summary of care document for
more than 50% of transitions of care and
referrals with 10 % sent electronically
and at least one sent to a recipient with a
different EHR vendor or successful test
with CMS
• Can be provided either by the patient or by
the referring/transitioning provider or
institution
• The one test only has to be done once per
database install
Consolidated Into Summary
Care Stage 2 Requirement
• Up To Date Lists
• Problem List
• Allergy List
• Medication List
• Test of exchange
Stage 1 Menu Measure
Immunizations
• Test capacity to report immunization
data to a registry
• If you can report, you must continue to
do so
• Exemption if you give no
immunizations
• Exemption if your state does not
accept electronic data
• Requires purchase of HL7 interface
Stage 2 Core Measure
Immunizations
• Successful ongoing submission of
electronic immunization data from
Certified EHR Technology to an
immunization registry or
immunization information system for
the entire EHR reporting period
Immunization Registry
Reporting
Audit Documentation
• Document the registry name, date you went into production, and get a letter from the registry confirming ongoing transmission
• If you are excluding this measure, document reason
• If you do not give immunizations, state this
• If the state does not have a registry or accept data from your population, get a letter from them confirming this
• If the test failed, document the name of the registry, the date of the test, and provide a letter from the registry confirming the test and failure
Stage 1 Core Measure
Security
• Practices must conduct a security risk
analysis per 45 CFR 164.308(a)(1) and
implement security updates as
necessary. They can do this anytime
starting now.
• Audit trails
• Policies & procedures
• Security officer
• Workforce training for security
Stage 2 Core Measure
Security
• Conduct or review a security risk
analysis in accordance with the
requirements under 45 CFR
164.308(a)(1)
• Added data at rest as a particular
focus
• Conducting random audits
Stage 2 Menu Measure
Images- New
• More than 40% of all scans and
tests whose result is an image
ordered by the EP during the EHR
reporting period are accessible
through Certified EHR Technology
Stage 2 Menu Measure
Family History- New
• More than 20% of all unique patients
seen by the EP during the EHR reporting
period have a structured data entry for
one or more first- degree relatives
• Coded to SNOMED
Stage 1 Menu Measure
Syndromic Surveillance
• Test capacity to report electronic syndromic surveillance data to public health agencies
• If your local agencies accept them, you must continue to report
• Requires purchase of an HL7 interface
• Exemption if your state does not accept electronic data
Stage 2 Menu Measure
Syndromic Surveillance
• Successful ongoing submission of
electronic syndromic surveillance
data to a public health agency for the
entire EHR reporting period
• Stage 1 was a single test
• ONC plans to provide a resource to
easily see who is ready to accept
Syndromic Surveillance
Audit Documentation
• Provide the name of the public health agency,
the date it went into production and a
confirmation letter from the agency
• If the test failed, provide date of test, name of
agency, and get confirmatory letter
• If you are excluding this measure, you will
need a letter from your public health agency
confirming they are not accepting data at this
time
Stage 2 Menu Measures
Cancer Registry-New
• Successful ongoing submission of cancer
case information to a cancer registry for
the entire EHR reporting period
• Adding coded fields
• Usual Industry
• Occupation
Stage 2 Menu Measures
Specialized Registry- New
• Successful ongoing submission of
specific case information to a
specialized registry for the entire
EHR reporting period
• Can include any registry
• Can exclude if no National or
Specialty specific registry is
available
Stage 2 Menu Set Measures
Progress Notes-New
• Enter an electronic progress note for
>30% of unique patients
• Notes must be searchable
Diagnoses
• Billing codes are reported using ICD10
• Problems are now reported using SNOMED codes
• Will need to remap chronic conditions
• Will need to remap diagnoses associated with medications
• Can designate chronic conditions
• Can select which ones you want to follow
• Can save favorites
• Similar to medication module
Changes to CQMs Reporting
Report 6 out of 44 CQMs
• 3 core or alt. core
• 3 menu
Report 9 out of 64 CQMs
Selected CQMs must cover at least 3 of the 6 NQS domains
Recommended core CQMs: 9 for adult populations, 9 for pediatric populations
Report 15 out of 15 CQMs
Report 16 out of 29 CQMs
Selected CQMs must cover at least 3 of the 6 NQS domains
CQM Reporting 2014 and Beyond
• Medicare EPs after year 1 of MU
must electronically report CQM
data to CMS
• Medicaid providers will
electronically report their CQM
data to their state
Stage 2 Measures
CQMs
• Clinical Quality Measures (CQMs) are
not included as a core or menu
objective
• CQMs are included in the definition of
Meaningful EHR User
• Beginning in 2014, all Medicare-
eligible providers beyond their first
year of demonstrating meaningful use
must electronically report their
CQM data to CMS
CQM Reporting Options
Using PQRS Measures
• Report individually
• Electronic submission of samples of patient-level data in the Quality Reporting Data Architecture (QRDA) Category I format
• Report as a group
• Using PQRS GPRO tool
• Electronic submission of aggregate-level data in QRDA Category III format
*Using this PQRS option will meet both their EHR Incentive Program and PQRS
reporting requirements
Proposed Stage 3
Requirements
• Improving quality, safety, and
reducing health disparities
• Engaging patients and families
• Improving care coordination
• Improving population and public
health
• Information exchange
Proposed Stage 3
Requirements
• Thresholds increased, menu
items become core, exclusions
changed
• New objectives added
• Complex CDS
• Additional standards
• Dashboards
Proposed Stage 3
Increased Focus on HTN
• Use EHR to identify patients meeting
criteria for hypertension who are not
yet diagnosed and managed for the
disorder
• Use EHR to achieve improvements in
hypertension control across their
practice
• Report the adequacy of blood
pressure control
Proposed Stage 3
Increased Focus on Tobacco
• Use EHR to refer tobacco users to
public health sponsored tobacco quit-
line services
• Certification criteria: Ability to
automatically populate a referral form
for specific purposes, including a
referral to a smoking quit line
Proposed Stage 3 Security
• Two factor (or higher) authentication for provider users to remotely access PHI
• Access from outside your private network
• Access from an unrecognized IP address
• Access across an unsecure network (such as across the open Internet or using an unsecure wireless connection)
Proposed Stage 3
Certification Requirements
• Occupation and industry codes
• Sexual orientation, gender identity
(optional fields)
• Disability status
• Differentiate between patient
reported & medically determined
data
Proposed Stage 3
Up To Date Lists
• EHR systems should help maintain up-to-date, accurate lists
• Provide decision support to suggest adding diagnoses based upon existing data
• On an oral hypoglycemic but no diagnosis of diabetes or PCOS
• Provide reminders about medications that should be removed
• On an antibiotic for a year with no diagnosis of acne
Stage 3 CDS
• 15 CDS rules related to 5 or more CQMs
• Preventative care (including immunizations)
• Chronic disease management (e.g., diabetes,
hypertension, coronary artery disease)
• Appropriateness of lab and radiology orders
• Advanced medication-related decision support* (e.g.,
renal drug dosing)
• Ability to track CDS triggers and how the
provider responded
• Ability to flag preference-sensitive conditions and provide decision support materials for patients
• Such as circumcision or sterilization
Patient Engagement
• Allow patients the ability to amend information online
• Submit patient-generated health information
• Provide the ability to pre-set automated & on-demand summary of care documents to patient-identified recipients
• Provide patient-specific education materials in at least one of the top 5 non-English languages spoken nationally
Dashboards
• Generate lists of patients for multiple
specific conditions
• Near real-time patient-oriented
dashboards to use for quality
improvement, reduction of disparities,
research, or outreach reports
• Incorporated into the EHR’s clinical
workflow
• Must be actionable
Research
• Capability for EHR to query
research enrollment systems to
identify available clinical trials
• No use requirements until future
stages
Coordination of Care
• Electronically acknowledge
referrals and completion of them
• Send electronic notification of a
significant healthcare event to the
patient’s care team
• Bidirectional immunization
interfaces
• Send standardized forms &
reports
Undetermined Stage
• Support externally maintained list of DDIs with higher predictive value
• Create generic ability to consume interventions to support CDS interventions
• Advanced medication reconciliation to check for formulary compliance
• Patient input to reconciliation of problems
• Use other EHR data such as medications filled or dispensed, or free text searching for medications to support maintenance of up-to-date and accurate medication lists
Undetermined Stage
• Reconciliation of contraindications
• Prior authorization support
• Closed loop order management
• Up-to-date interdisciplinary problem list
inclusive of versioning
• Retrieve external medication fill history for
medication adherence monitoring
• Electronically send adverse event reports
Security Risk Analysis
• Practices must conduct a
security risk analysis per 45 CFR
164.308(a)(1)
• Implement security updates as
necessary
• Can start now
Security Risk Analysis
• HIPAA requirement, not just MU
• Ongoing process
• Periodically evaluate the effectiveness
of security measures put in place
• Regularly reevaluate potential risks to
e-PHI
• Random audits are already occurring
• Fines are being assessed
New HIPAA Audit Program
• US Department of Health and Human
Services new HIPAA audit program
• Performed 115 audits of covered
entities between November 2011 and
December 2012 (“pilot phase”)
• http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/auditpilotprogram.html
HIPAA Audit Pilot Results
Initial Wave (20)
• Majority of findings in the security
area (65%)
• Majority of findings among
Providers
• Majority of findings in the area of
Administrative Safeguards
Security Issues By Area
Initial 20 Findings
From: The Office of Civil Rights (OCR) of the Department of Health and Human Services (HHS)
Risk Analysis Includes But Is Not Limited To
• Evaluate the likelihood and impact of
potential risks to e-PHI
• Implement appropriate security measures
to address the risks identified
• Document the chosen security measures
and the rationale for adopting those
measures
• Maintain continuous, reasonable, and
appropriate security protections
• Review records to track access to e-PHI
and detect security incidents
Conduct Risk Assessment
• Assess whether formal or informal policies
or practices exist to conduct an accurate
assessment of potential risks and
vulnerabilities to the confidentiality, integrity,
and availability of ePHI.
• Obtain and review relevant documentation
and evaluate the content relative to the
specified criteria for an assessment of
potential risks and vulnerabilities of ePHI
Conduct Risk Assessment continued
• Evidence risk assessment process or methodology considers the elements in the criteria and has been updated or maintained to reflect changes in the environment
• Determine if the risk assessment has been conducted on a periodic basis
• Determine if the covered entity has identified all systems that contain, process, or transmit ePHI.
IT Systems and Services
Hardware, Software, or Services needed to adequately protect information
• Inquire as to whether formal or informal
policy and procedures exist covering the
specific features of the HIPAA Security Rule
information systems §164.306(a) and (b)
• Obtain and review policies and procedures
and evaluate the content
• Determine if the covered entity's formal or
informal policy and procedures have been
approved and updated on a periodic basis
Considerations on Necessity
• Applicability of the IT solutions to the
intended environment
• The sensitivity of the data
• The organization's security policies,
procedures, and standards
• Other requirements such as resources
available for operation, maintenance,
and training
Information System Activity Review
Process
• Ask whether formal or informal policy and
procedures exist to review information
system activities, such as audit logs,
access reports, and security incident
tracking reports
• Obtain and review formal or informal policy
and procedures and evaluate the content in
relation to specified performance criteria to
determine if an appropriate review process
for information system activities is in place
Information System Activity
Review Process continued
• Obtain evidence for a sample of
instances showing implementation of
covered entity review practices
• Determine if the covered entity policy
and procedures have been approved
and updated on a periodic basis
Implement a Risk Management
Program
• Ask whether current security measures are
sufficient to reduce risks and vulnerabilities to
a reasonable and appropriate level
• Obtain and review security policies and
evaluate the content relative to the specified
criteria
• Determine if the security policy has been
approved and updated on a periodic basis
• Determine if security standards address data
moved within the organization and data sent
out of the organization
Select a Security Official for
HIPAA Security
• Assign responsibility for the HIPAA security
to a Security Official to oversee the
development, implementation, monitoring,
and communication of security policies and
procedures
• Obtain and review the assigned Security
Official's responsibilities (e.g., job description)
and evaluate the content in relation to the
specified criteria
• Determine if the responsibilities of Security
Official have been clearly defined
Assign and Document the Individual's Responsibility
• Are roles and responsibilities of the
assigned individual or organization properly
documented in a job description and
communicated to the entire organization
• Obtain and review the Security Official's job
description and evaluate the content in
relation to the specified criteria
• Determine that the roles and responsibilities
of the Security Official have been clearly
identified in a job description
Workforce Security
• Are levels of authorization and/or
supervision of workforce members
established
• Obtain and review the entity's
organizational chart or other formal
documentation and evaluate the
content to determine the existence of
chains of command and lines of
authority
Workforce Security
• Is a formal document in place identifying
levels of access to information systems that
house ePHI
• Obtain and review documentation to
determine that levels of access are granted
based on business need
• Obtain and review evidence that this is
appropriately approved and communicated
• Obtain and review relevant job descriptions
and determine that roles and responsibilities
are defined and correlate with job function
Workforce Security
• Do staff members have the necessary
knowledge, skills, and abilities to fulfill
particular roles
• Obtain and review formal
documentation
• Obtain and review documentation
demonstrating that management
verified the required
experience/qualifications of the staff
Workforce Security
• Do procedures exist for granting access to
ePHI
• Obtain and review policy and procedures
• Obtain and review evidence of approval or
verification of access to ePHI
• If the covered entity has chosen not to fully
implement any of these specifications, the
entity must have documentation on where
they have chosen not to fully implement this
specification and their rationale for doing so
General Security Standards
• Ensure the confidentiality, integrity, and
availability of all electronic protected health
information
• Protect against any reasonably anticipated
threats or hazards to the security or
integrity of such information
• Protect against any reasonably anticipated
uses or disclosures of such information that
are not permitted or required
• Ensure compliance with this by its
workforce
Information System Activity
Review
• Regularly review records of
information system activity, such
as audit logs, access reports,
and security incident tracking
reports
Risk Analysis
• Conduct an accurate and
thorough assessment of the
potential risks and
vulnerabilities to the
confidentiality, integrity, and
availability of electronic
protected health information
held by the covered entity
Security Risk Analysis
Process
Review existing security of PHI
and e-PHI
Identify threats and
vulnerabilities
Assess risks for likelihood and
impact
Mitigate security risks
Monitor results
ONC's New Guide on Health
Information, Privacy and
Security and Meaningful Use
http://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf
QUESTIONS???