Ver.9.28 1 Client

Train

Positive Business Solutions, Inc. 11880 Kemper Springs Dr, Cincinnati, OH 45240 (800) 626-2306 www.pbsinet.com

PBSI-EHR – “Off the Charts”

HITECH/ARRA “Meaningful Use” Criteria – Stage 1

“How to accomplish Meaningful Use and obtain the information for attestation”

PBSI documentation for practices will provide guidance on how to attain each measure criteria listed in the program. PBSI will provide guidance for selection of the Clinical Quality Measures on which to report PBSI provides the “Provider Calculation” reports to obtain the numbers used for reporting Eligible Provider’s achievement % for criteria with % goal and

provides Clinical Quality Measure/NQF reports to obtain the Eligible Provider’s achieved denominators and numerators, etc. These % achieved and Clinical Quality Measure/NQF result numbers will be entered from these reports onto the CMS attestation screens.

In addition, PBSI will contact the Practice during their measurement period to assist them in conduction of a test of the following data exchanges. The

practice will collect and archive documentation of the test so that the practice may attest to having conducted the required test. 1. Core (14) Exchange Key Clinical Information with another provider (not required for 2013) 2. Menu (9) Submit Electronic data to Immunization Registries 3. Menu (10) Submit Electronic syndromic surveillance data to public agencies

Finally, the practice must conduct a Security Risk Analysis according to CMS guidelines and attest to having completed the assessment.

This document contains:

List of each Core and Alternative measures and how to meet them using your PBSI-EHR. Provider Calculation report Clinical Quality Measure ( NQF) report List of each Security Risk assessment section with advice on how to complete your assessment

The main website for the CMS EHR Incentive Program is:

http://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/ An Introduction to the Medicaid EHR Incentive Program for Eligible Professionals

https://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Downloads/Medicaid-EHR-Guide.pdf

And for Medicare https://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/downloads//Beginners_Guide.pdf

Ver.9.28 2 Client

Train

Positive Business Solutions, Inc. 11880 Kemper Springs Dr, Cincinnati, OH 45240 (800) 626-2306 www.pbsinet.com

A recording of an hour and a half long webinar that provides a basic foundation of information. After clicking on the link, hit the play button (grey box). http://www.pahcom.com/education/ehr-incentive-training.html Each Eligible Provider will complete their attestation following their 3 month measurement period. This CMS internet site is used for BOTH Medicare and Medicaid attestation after they complete their measurement period.

https://www.cms.gov/EHRIncentivePrograms/Downloads/EHRMedicareEP_RegistrationUserGuide.pdf

This is a link to the CMS Incentive program that we will cover on the next several pages. http://www.cms.gov/EHRIncentivePrograms/Downloads/EP-MU-TOC.pdf

Ver.9.28 3 Client

Train

Positive Business Solutions, Inc. 11880 Kemper Springs Dr, Cincinnati, OH 45240 (800) 626-2306 www.pbsinet.com

Terminology:

Eligible provide r(EP) The program is designed to evaluate the meaningful use by one provider who is eligible to participate in the program

Unique Patients A patient that was seen during the measurement period, regardless of the number of visits

How measures are designed:

Some measures must be performed for a unique patient seen during the period

Some measures must be performed for every patient visit.

Some measures require that a function or alert be in place throughout the measurement period.

Some measures require you to perform a specific action once within the measurement period to demonstrate ability to do so. Themes: Stage 1 of Meaningful Use is foundational and sets the stage for future requirements. The main focus is data collection. You will see that many measures overlap and require these elements to be maintained and reported throughout the program: Patient demographics Medication Lists and use of E-rx Problem Lists Allergy Lists Lab Results Many requirements align with subsequent Clinical Quality Measure reporting. Ability to calculate the Clinical Quality Measures and reports is being tested. The program also tests the ability to exchange data electronically although does not require ongoing exchanges at this time. The program places emphasis on Security of all Electronic Patient Health Information (EPHI) When you are preparing to attest, this worksheet contains all information required except the NQF reports and allows you to compile the needed information in advance and makes the actual process easier.

https://www.cms.gov/EHRIncentivePrograms/Downloads/EP_Attestation_Worksheet.pdf

Ver.9.28 4 Client

Train

Positive Business Solutions, Inc. 11880 Kemper Springs Dr, Cincinnati, OH 45240 (800) 626-2306 www.pbsinet.com

PBSI-EHR – “Stimulus Ready”

HITECH/ARRA “Meaningful Use” Criteria – Final Rule

Note: A unique patient means that the information must be entered at least once for that patient during your measurement period.

15 Core Measures - Practice must meet all 15.

Core Measures

Objective

Practice

Measurement Requirements

How to

1 Click link for

detail

CMS1

CPOE for medications

Computerized Provider Order Entry, enter orders for medications.

30% goal Done for more than 30% unique patients with at least 1 med in their med list seen by the EP (eligible provider). (relates to #7 on the Provider Calculation report)

1. Create prescriptions from a superbill during the patient visit. 2. Current Meds: set flag to Prescribed by us or NOT prescribed by us.

2 Click link for

detail

CMS2

Drug screening Real-time alerts for drug-drug interactions and drug-allergy contraindications.

The EP (eligible provider) has enabled this functionality for the entire EHR reporting period.

1. These alerts are always active within your PBSI-EHR. You will need to maintain the patient’s current medication and allergy list to ensure the value of these alerts.

3 Click link for

detail

CMS3

Maintain problem list of current and active diagnoses

Enable user to manage problem lists that span multiple visits.

80% goal Maintain problem list for more than 80% of unique patients seen by the EP or an indication that no problems are known. Select ‘No Problems’ button (relates to #1 on the report)

1. For every unique patient that you see you must make an entry in the PROBLEM list from MEDs/ALLERGY/PROBLEM. 2. If the patient has no problems, click NO PROBLEMS. 3. If the patient’s history indicates a chronic or current problem, you must select the problem using the ICD search and enter each one in the problem list. 4. If the doctor diagnoses a problem during the visit, when that ICD is posted on the superbill, be sure to check the CRN checkbox and this ICD will automatically be entered onto the patient’s problem list.

4 Click link for

detail

CMS4

E-Rx Transmit prescriptions electronically

Enable e-prescribing. 40% goal More than 40% of all permissible prescriptions transmitted electronically using certified EHR technology. (relates to #8 on the report)

1. Use E-prescribing for all of your prescriptions where the system will allow it. The software will not allow a controlled drug to be sent electronically and will not attempt an electronic script if the pharmacy indicates that it does not accept electronic prescriptions.

5 Click link for

detail

CMS5

Maintain active medication list

a. Enable user to manage an active medication list. b. Enable user to manage a medication history that

80% goal Maintain active medication list for more than 80% of unique patients seen by the EP or an indication that no meds are

1. For every unique patient that you see you must make an entry in the MEDS list from MEDS/ALLERGY/PROBLEMS. 2. If the patient is on no meds, click the NO CURRENT MEDS button.

Ver.9.28 5 Client

Train

Positive Business Solutions, Inc. 11880 Kemper Springs Dr, Cincinnati, OH 45240 (800) 626-2306 www.pbsinet.com

Core Measures

Objective

Practice

Measurement Requirements

How to

spans multiple visits. known. Select ‘No current Meds’ button (relates to #2 on the report)

3. If the patient is on any medication, then select the medication from the MULTUM search option and enter it into the patient’s MED list. You will need to record whether that medication was prescribed by a doctor in your practice or was NOT prescribed by us. 4. As any medication is prescribed using the EHR system, these are auto added to the patient’s med list.

6 Click link for

detail

CMS6

Maintain active medication allergy list

a. Enable user to record, modify, & retrieve an active medication allergy list. b. Enable user to manage an allergy history that spans multiple visits

80% goal Maintain active allergy list for more than 80% of unique patients seen by the EP or an indication of no known drug allergies (NKDA). Select ‘NKDA’ button (relates to #3 on the report)

1. For every unique patient that you see you must make an entry in the ALLERGY list from MEDS/ALLERGY/PROBLEMS. 2. If the patient has no allergy, click the NKDA button. 3. Select an allergy and the reaction and severity using the selection options.

7 Click link for

detail

CMS7

Record demographics

Enable user to manage patient demographic data. a. Preferred language b. Gender c. Race d. Ethnicity e. Date of Birth

50% goal More than 50% of all unique patients seen by EP have demographics recorded as structured data. *Religion is not required. (relates to #4 on the report)

1. For every unique patient that you see: From DOC or from Patient Info record:

date of birth gender race ethnicity language

NOTE: (for timely access measure later: activate the patient for Patient Portal Access from Patient Info)

record the patient’s EMAIL address, update it, and click on WEB ENABLE to send an activation code to the patient and activate their web account.

record the patient’s communication preference by clicking on PREFERENCE to the right of email.

8 Click link for

detail

CMS8

Record vital signs Record change in vital signs: a. Height b. Weight c. Blood pressure d. Calculated body mass index (BMI) e. Patient growth charts 2-20 years old including BMI

50% goal Record vital signs as structured data for more than 50% of unique patients age 2+ seen by EP. (relates to #9 on the report)

1. For every unique patient that you see: ENCOUNTER/ VITALS you must enter:

Height weight BP

(The BMI will be auto calculated from the HGT/WGT) If an EP does record height and weight, then they will also need to record blood pressure. An exclusion only applies if all 3 have no relevance.

Ver.9.28 6 Client

Train

Positive Business Solutions, Inc. 11880 Kemper Springs Dr, Cincinnati, OH 45240 (800) 626-2306 www.pbsinet.com

Core Measures

Objective

Practice

Measurement Requirements

How to

9 Click link for

detail

CMS9

Record smoking status for patients 13 and over

Record smoking status for patients 13 and over

50% goal Record smoking status for more than 50% of unique patients age 13+ seen by EP, recorded as structured data (relates to #10 on the report)

1. For every unique patient seen over age of 12: From Patient Info or Vitals or Social History:

select smoking status from selection list

10 Click link for

detail

CMS10

Report quality measures to CMS or states

Must select 6 clinical quality measures (3 core & 3 additional)

Link to clinical quality measures choices.

Numerator and denominator provided by attestation.

See the attached rules for each measure that you are required to report upon or those that you select.

11 Click link for

detail

CMS11

Implement one clinical decision support rule, other than drug-drug interactions, drug-allergy contraindications, based on demo- graphic data, diagnosis, conditions, test results, and/or medication list

a. Real-time alerts based on rules and evidence b. Track number of alerts that were responded to

Document use of one clinical decision support rule.

Define a rule that describes what the provider should perform or advise when a patient who meets the selection criteria is being seen. Rules can be used for all or a specific EP. 1. Using Patient List option enter the rule criteria from any or all of the following selection options:

demographics vitals medications allergies problems labs

2. Enter the CDSS text to describe what decision support information should be presented to the provider 3. Save the rule.

12 Click link for

detail

CMS12

Provide patients with an electronic copy of their information within 4 business days

a. Test results b. Problem list c. Medication list d. Medication allergy list

50% goal Provide an electronic copy of information requested by patients within 48 business hours for at least 50% of patients. The denominator is the number of patients who request the electronic information. Request for paper copies are not part of this measure. (relates to #11 on the report)

1. If the patient asks for an ELECTRONIC copy you must do this within 4 business days! Access the patient chart and enter and ORDER to track the activity.

select the category: request for records select item: patient request from the order/ select PRINT CHART/CCD

o use the CCD section to Create CCD o go to HISTORY to view the CCD o Highlight and SEND the ccd o at Prompt enter the folder for saving the

CCD to your PC. o Use CD burning software to burn these

files to a CD and provide to patient o

Ver.9.28 7 Client

Train

Positive Business Solutions, Inc. 11880 Kemper Springs Dr, Cincinnati, OH 45240 (800) 626-2306 www.pbsinet.com

Core Measures

Objective

Practice

Measurement Requirements

How to

13 Click link for

detail

CMS13

Provide a clinical summary for each visit

a. Diagnostic test results b. Medication list c. Medication allergy list d. Problems

50% goal Provide clinical summary for at least 50% of office visits. The denominator is the number of unique patients seen. (relates to #12 on the report)

You MUST provide a summary to the patient within 3 days of their visit with you! 1. If the patient is WEB ENABLED they may access their visit summary using the portal. This will meet the criteria 2. If the patient is NOT then you must print the summary at the end of the visit using the Pt Sum Print option from the SUPERBILL. The system will automatically check this for you if the provider has not set the HOLD from patient flag or if you have not already created the summary.

14 Click link for

detail

CMS14

Exchange clinical information electronically with other providers (not required for 2013)

Receive/Send: a. diagnostic test results b. problem list c. medication list d. medication allergy list

** Perform at least one test of

exchanging key clinical information. Can be done at any time, including prior to the reporting period. Group practices only need to perform one test per EHR.

PBSI will assist you with performing this test and collecting the documentation to support the test event.

15 Click link for

detail

CMS15

Security Risk Analysis

a. Assign a unique identifier to users and control access b. Enable emergency access to authorized users c. Enable session timeouts. d. Encrypt per local policy e. Encrypt exchanged data per local policy f. Maintain record-level audit logs g. Verify integrity of health information sent/received h. Verify user identity

Conduct or review a security risk analysis and implement security updates as necessary.

You MUST conduct a security risk analysis and provide documentation for each specific requirement section in order to comply with this measure.

** PBSI will coordinate and guide you

through this test. PBSI will contact you to schedule this test.

Ver.9.28 8 Client

Train

Positive Business Solutions, Inc. 11880 Kemper Springs Dr, Cincinnati, OH 45240 (800) 626-2306 www.pbsinet.com

10 Menu Measures – Practice must choose and meet any 5 of 10 objectives. (one choice must be either: Submit data to Immunization Registries or submit syndromic surveillance data to public health agencies)

Menu Measures

Objective

Practice

Measurement

How to

1 Click link for

detail

Menu1

Drug formulary checks

Implement drug-formulary checks

The EP has enabled this functionality and has access to at least one internal or external drug formulary for the entire EHR reporting period.

PBSI-Eprescribing utilizes the Eligibility and formulary checks within the application when installed. You must NOT inactivate the Eligibility function during the reporting period.

2 Click link for

detail

Menu2

Lab results a. Receive structured results and display in readable format b. Display results containing LOINC codes c. Enable user to change a patient's record based on a lab result

40% goal At least 40% of test results whose result can be expressed as positive/negative or as a number are stored in the EHR as structured data. The denominator is the number of lab tests ordered.

Not utilized at this time.

3 Click link for

detail

Menu3

Generate patient lists based on specific conditions.

a. Patient demographics b. Medication list c. Specific conditions d. Lab results

Generate at least one report listing patients of the EP who have been diagnosed with a specific condition.

1. Use the Patient List function to generate a list of patients with a specific ICD or problem code. 2. Save the list for documentation.

4 Click link for

detail

Menu4

Send reminders to patients based on their preferences and selected by specific criteria.

a. Patient demographics b. Medication list c. Specific conditions d. Lab results

20% goal More than 20% of all unique patients 65 years or older or 5 years old or younger were sent an appropriate reminder during the EHR reporting period. (relates to #15 on the report)

Define a health maintenance reminder using: Using the Patient List function:

define the patient demographics enter the reminder that is to be generated

for that population create the patient list (these patients will

receive the reminders) Click on GENERATE REMINDERS(this will

generate a reminder that can be sent according to the patient’s communication preference

5 Click link for

detail

Menu5

Provide patients with electronic access to their information within 4 business days.

a. Lab results b. Problem list c. Medication list d. Medication allergy list

Provide timely electronic access to health information for at least 10% of unique patients. The denominator is the number of patients seen. (relates to #6 on the report)

To activate a patient for Patient Portal access: record the patient’s EMAIL address, update

it, and click on WEB ENABLE to send an activation code to the patient and activate their web account.

record the patient’s communication preference by clicking on PREFERENCE to the right of email.

Ver.9.28 9 Client

Train

Positive Business Solutions, Inc. 11880 Kemper Springs Dr, Cincinnati, OH 45240 (800) 626-2306 www.pbsinet.com

Menu Measures

Objective

Practice

Measurement

How to

6 Click link for

detail

Menu6

Identify patient specific education resources

Provide patient with specific education resources

10% goal Generate patient education for more than 10% of all unique patients seen by the EP. (relates to #5 on the report)

Provide a patient specific education based on EHR recommendation found in the Patient Ed section of the superbill.

7 Click link for

detail

Menu7

Perform medication reconciliation – transfers in

Compare and merge two or more lists into a single list

50% goal Medication reconciliation is performed for at least 50% of relevant encounters and transitions of care. The denominator is the number of relevant encounters and transitions of care. (relates to #13 on the report)

When a patient transfers in to you: When the ENCOUNTER is added, check the

Transfer Of Care checkbox on the General tab.

From Current Meds display, compare the current meds on file with the new meds list from the patient or inbound resource.

Click on the UPD next to Medication Reconciliation when completed.

8 Click link for

detail

Menu8

Provide summary of care record

Summary of care for transferred patients

50% goal Provide summary of care record for at least 50% of transitions of care and referrals. Denominator is the number of transitions of care for which the EP was the transferring or referring provider. (relates to #14 on the report)

When the EP transfers a patient to another provider or setting:

Create an order for the referral or activity such as speech therapy, etc.

“Transfer of Care TOC” indicator o If the order is a referral the order

“transfer of care” indicator will be auto checked.

o If the order is sent to a facility, you will need to check the “transfer of Care” indicator when this applies

Use the PRINT CHART/CCD button to: o generate a clinical summary and

print and mail or fax to the recipient

o or generate a CCD to be sent or saved onto a CD for providing to the recipient

o check the SENT checkbox to indicate that this has been completed

To Monitor the order SENT status: o Use Order Management to view

any referral orders that may need a Summary of Care sent.

9 Click link for

detail

Submit data to immunization registries

Record, retrieve, and transmit ** Perform at least one test of submitting immunization data. Can be done at any time, including prior to the reporting period. State

PBSI will schedule with the practice and will provide guidance

Ver.9.28 10 Client

Train

Positive Business Solutions, Inc. 11880 Kemper Springs Dr, Cincinnati, OH 45240 (800) 626-2306 www.pbsinet.com

Menu Measures

Objective

Practice

Measurement

How to

Menu9 Medicaid requirements may supersede. Group practices only need to perform one test per EHR. Not required if the immunization registry to which the practice or hospital submits information does not have the capability to receive it electronically.

10 Click link for

detail

Menu10

Submit syndromic surveillance data to public health agencies

Record, retrieve, and transmit ** Perform at least one test of submitting electronic

syndromic surveillance data. Can be done at any time, including prior to the reporting period. State Medicaid requirements may supersede. Group practices only need to perform one test per EHR. Not required if the public health agencies to which the practice or hospital submits information do not have the capability to receive it electronically.

PBSI will schedule with the practice and will provide guidance

** PBSI will coordinate and guide you through this

test. PBSI will contact you to schedule this test.

The Notice of Proposed Rule Making (NPRM) details these metrics that a physician will need to report on, in order to qualify as a Meaningful User of Electronic Health Records (EHR), along with the threshold that they would need to meet.

Ver.9.28 11 Client

Train

Positive Business Solutions, Inc. 11880 Kemper Springs Dr, Cincinnati, OH 45240 (800) 626-2306 www.pbsinet.com

Monitor the EP’s performance with the Provider Calculation option. To monitor the EP’s achievements of those measures that require a %goal be met, the Provider Calculations option is provided. You may view the results, view and print a report of the results, or use the DETAIL option to examine the details behind the measure.

Select the EP or All Select the Participation year and enter the dates from and to that defines your measurement period. Select the measure or ALL and click CALCULATE to launch the programs that will calculate the % Achieved for the time period selected. Please note that the calculations run after the panel is redisplayed. It will take 2 to 10 minutes to run depending on your size. Do not hit

<Calculate> more than once. Hit <Refresh> to see progress. As each report run, initially the Calculated date will be updated to today and the % Achieved will show as 0. Once each calculation is complete, the % Achieved will be updated.

The reports should be run during periods of light activity as they can prevent other tasks from completing. REPORT: The report will highlight in RED with an indicator, any EP measure % that fall below the goal that should be achieved. DETAIL: Use to examine the details of the calculations. filtered by YES, NO or ALL.

Ver.9.28 12 Client

Train

Positive Business Solutions, Inc. 11880 Kemper Springs Dr, Cincinnati, OH 45240 (800) 626-2306 www.pbsinet.com

DETAIL: Use to examine the details of the calculations. Filter by YES, NO or ALL

Click on patient to view the record and to make updates if permissible.

Ver.9.28 13 Client

Train

Positive Business Solutions, Inc. 11880 Kemper Springs Dr, Cincinnati, OH 45240 (800) 626-2306 www.pbsinet.com

Monitor the EP’s performance with the Provider Calculation option. (cont.)

REPORT: The report will highlight in RED with an indicator, any EP measure % that fall below the goal that should be achieved. The report can be run for a single EP or for all of the EP’s in the practice.

Ver.9.28 14 Client

Train

Positive Business Solutions, Inc. 11880 Kemper Springs Dr, Cincinnati, OH 45240 (800) 626-2306 www.pbsinet.com

Report Clinical Quality Measures : (NQF reports) Each EP will report on a set of Clinical Quality Measures. (There are no specific performance goals defined in the incentive program criteria that the EP must achieve.) Each EP will select the measures to which they will report and will obtain performance numbers using the PBSI-EHR NQF calculation reports. Each CQM has a defined patient population, denominator and numerator specified. Alerts are provided during the Patient encounter to remind the EP to consider providing the suggested quality measure recommendations. These alerts appear as a red NQF button that can be used to view the requirements of the measure. This is an example of the NQF 0013 measure report that will be used to calculate the values used for attestation.

To Run:

From the Menu select – Work with NQF Reports (right below Provider Calculations) Hit <Add>; select report type and Start and End Date and hit <Add> Hit <Refresh> When complete hit <Report> to view report Wait until each report completes before you run the next one.

Quality Reporting: select 3 core (or 3 alternate core (if any of the core have a zero denominator)) and 3 additional Quality Reporting Core:

NQF0013 Hypertension: BP measurement NQF0028-a, -b Preventative Care: Pair a) tobacco use assessment b) tobacco cessation intervention NQF0421 Adult weight screening and follow-up

Ver.9.28 15 Client

Train

Positive Business Solutions, Inc. 11880 Kemper Springs Dr, Cincinnati, OH 45240 (800) 626-2306 www.pbsinet.com

Qualtiy Reporting Alternative Core:

NQF0024 Weight assessment and Counseling for Children and Adolescents NQF0041 Preventative Care and Screening: Influenza Immunization for Patients 50 years old or older NQF0038 Childhood Immunization Status

Additional Clinical Quality Measures: NQF0059 Diabetes: HbA1c Poor Control NQF0061 Diabetes: Blood Pressure Management NQF0064 Diabetes: LDL Management and Control NQF0018 Controlling High Blood Pressure NQF0074 Coronary Artery disease (CAD):Drug Therapy for Lowering LDL NQF0575 Diabetes: HbA1c Control (<8%) (NQF0575) In summary, to gain credit for the numerators of these reports, the key items are:

o Record vitals – height, weight, and BP o Provide smoking cessation counseling to smokers -CPT of 99406 or 99407 o Provide follow-up plan for BMI management – ICD of V65.3 for those in under and over BMI ranges o Record problems / diagnosis especially for diabetes and hypertension o For NQF0024, assess BMI and record a V85.x ICD code, counseling for nutrition – V65.3 and counseling for physical activity – V65.41 if

applicable

Ver.9.28 16 Client

Train

Positive Business Solutions, Inc. 11880 Kemper Springs Dr, Cincinnati, OH 45240 (800) 626-2306 www.pbsinet.com

The following is from the CMS website FAQs and speaks to the questions about reporting of additional measures….

If the certified EHR technology generates 0 denominators for all CQMs in the additional set that it can calculate, is the EP responsible for

determining whether they have 0 denominators or data for any remaining.....

https://questions.cms.hhs.gov/app/answers/detail/a_id/10648

Published 05/23/2011 09:46 AM | Updated 05/23/2011 10:29 AM | Answer ID 10648

For the Medicare and Medicaid Electronic Health Record (EHR) Incentive Programs, if the certified EHR technology possessed by an eligible professional (EP) generates zero

denominators for all clinical quality measures (CQMs) in the additional set that it can calculate, is the EP responsible for determining whether they have zero denominators or data

for any remaining CQMs in the additional set that their certified EHR technology is not capable of calculating?

No, the EP is not responsible for determining the status of CQMs that their certified EHR technology is not capable of calculating. The certification criterion for ambulatory CQMs

sets a minimum threshold in order for the certification criterion to be met. An EHR technology must be certified to the 6 core CQMs (3 core and 3 alternate core CQMs in Table 7 of

the final rule) and at least 3 CQMs from the additional set (Table 6 of the final rule). In the final rule, we stated that it was our expectation that EPs would seek out certified EHR

technologies that include and were certified for CQMs relevant to their scope of practice. In later stages of meaningful use and the corresponding certification requirements, we will

seek to address situations where an EP does not obtain certified EHR technology that would enable the EP to report on CQMs that are relevant to their practice.

Ver.9.28 17 Client

Train

Positive Business Solutions, Inc. 11880 Kemper Springs Dr, Cincinnati, OH 45240 (800) 626-2306 www.pbsinet.com

Perform Security Risk Assessment:

This is a good article regarding the importance of the security risk assessment as well as maintaining the documentation for all of these activities.

http://www.hitechanswers.net/meaningful-use-attestation-process-and-ehr-incentive-audits/

Link to website that contains link to full Guide to Privacy and Security of Health Information (pdf link below)

http://www.healthit.gov/providers-professionals/ehr-privacy-security/10-step-plan

http://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf

Included in the above guide is ONC’s checklist for small practices.

http://healthit.hhs.gov/pdf/cybersecurity/Basic-Security-for-the-Small-Healthcare-Practice-Checklists.pdf

This checklist is to be used only to assist healthcare providers in Privacy and Security of Health Information awareness.

It is the responsibility of each provider to assess and comply with Privacy and Security Information Meaningful Use Rules and Regulations as is appropriate.

PBSI is not responsible for providers becoming compliant.

Ver.9.28 18 Client

Train

Positive Business Solutions, Inc. 11880 Kemper Springs Dr, Cincinnati, OH 45240 (800) 626-2306 www.pbsinet.com

Standard Sample Implementation Specifications (R)= Required, (A)= Addressable

Sample Question PBSI Notes

SECURITY MANAGEMENT PROCESS § 164.308(a)(1) “Implement policies and procedures to prevent, detect, contain and correct security

RISK ANALYSIS (R) § 164.308(a)(1)(ii)(A) “Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.”

Have you identified the EPHI within your organization? This includes EPHI that you create, receive, maintain or transmit. Please note that EPHI may be resident on computer workstations, servers or on portable devices such as laptops, and PDAs.

PHI resides on the following: 1. PBSI-DOC server 2. PBSI-EHR server Client PC running EHR do not store EHR data except temporarily when an image is viewed on that PC PHI may reside on: 1. Office PC where backup Location charts are stored. (these are password protected files) 2. Office PC's that are used for scanning may temporaritly house records containing PHI 3. Office PC's that are used for Patient Photo may temporarily house photos 4. Physician PC and/or laptops may contain dictated content

RISK MANAGEMENT (R) §164.308(a)(1)(ii)(B) “Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with §164.306(a).”

What security measures are already in place to protect EPHI – this can be a comprehensive view of all measures, whether administrative, physical or technical, such as an over arching security policy; door locks to rooms where EPHI is stored; or the use of password-protected files.

1. Servers housing our PM and EHR data reside in a locked room/cage. 2. Backup charts that are stored on local PC's are password protected and deleted at the end of each day. 3. Backup tapes are locked in ___ 4. Access to all EPHI is obtained by use of unique UserID and Passwords

Ver.9.28 19 Client

Train

Positive Business Solutions, Inc. 11880 Kemper Springs Dr, Cincinnati, OH 45240 (800) 626-2306 www.pbsinet.com

SANCTION POLICY (R) § 164.308(a)(1)(ii)(C) “Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity.”

Have you developed, applied and implemented policies specific to violations of the security policies and procedures? If so, do they provide appropriate sanctions for workforce members who fail to comply with your security policies and procedures? (i.e., have you included your sanction policy in your workforce manual and trained your staff on the policy?)

1. Employees are given copies of rules for protecting EPHI with they sign upon agreement to compliance with all rules set forth. 2. If employees fail to maintain the protection rules in employee handbook, ____

WORKFORCE SECURITY§ 164.308(a)(3)(i)“Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, and to prevent those workforce members who do not have access from obtaining access to electronic protected health information.”

AUTHORIZATION AND/OR SUPERVISION (A)§ 164.308(a)(3)(ii)(A)“Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.”

Are the procedures used by your workforce consistent with your access policies (i.e., do people who should have access actually have that access? Are people who should not have access prevented from accessing the information?)

1, Access to all EPHI is obtained by use of unique UserID and Passwords

SECURITY AWARENESS AND TRAINING § 164.308(a) (5) (i) “Implement a security awareness and training program for all members of its workforce (including management).”

PASSWORD MANAGEMENT (A) § 164.308(a)(5)(ii)(D) “Implement procedures for creating, changing, and safeguarding passwords.”

Does your workforce training address topics such as not sharing passwords with other workforce members or not writing down passwords and leaving them in open areas?

1. Management and Employee guidelines state that no access credentials are to be shared among others. 2. Passwords for accessing the EHR that contains the EPHI, automatically expire every 30 days and must be updated.

CONTINGENCY PLAN § 164.308(a) (7) (i) “Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.”

DATA BACKUP PLAN (R) § 164.308(a)(7)(ii)(A) “Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.”

Do your procedures identify all sources of EPHI that must be backed up such as patient accounting systems, electronic medical or health records, digital recordings of diagnostic images, electronic test results, or any other electronic documents created or used that contain EPHI?

1. Critical parts of a patient's electronic health record has been identified by each provider. 2. A zipped and password protected copy of those charts are generated for the next day's scheduled patient onto a designated local PC to serve as backup in cases of a system or commuications failure. 3. These copies are automatically deleted by the next days scheduled patient copies.

Ver.9.28 20

Client Train

Positive Business Solutions, Inc. 11880 Kemper Springs Dr, Cincinnati, OH 45240 (800) 626-2306 www.pbsinet.com

BUSINESS ASSOCIATE CONTRACTS AND OTHER ARRANGEMENTS § 164.308(b)(1) “A covered entity may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity’s behalf only if the covered entity obtains satisfactory assurances that the business associate will appropriately safeguard the information.”

WRITTEN CONTRACT OR OTHER ARRANGEMENTS (R) § 164.308(b)(4) “Document the satisfactory assurances required by this section through a written contract or other arrangement with the business associate that meets the applicable requirements of §164.314(a) [(the Business Associate Contracts or Other Arrangements Standard)].”

Do you have contracts in place with outside entities entrusted with health information generated by your office? If so, do the contracts provide assurances that the information will be properly safeguarded? For example, if you contract with a software vendor for your practice management system, what assurances do you have that the vendor’s products are HIPAA compliant

1. Business Associate Contracts are in place with our software vendor and all 3rd party and hardware providers that may access or come into contact with EPHI. These contracts requires compliance by the Entity and all of their employees with HIPAA rules for EPHI protection and destruction.

FACILITY ACCESS CONTROLS§ 164.310(a)(1)“Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.”

FACILITY SECURITY PLAN (A) § 164.310(a)(2)(ii)“Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.”

Do your office policies and procedures identify controls to prevent unauthorized physical access, tampering, and theft of EPHI? These could include locked doors, signs warning of restricted areas, surveillance cameras, alarms, and identification numbers and security cables on computers

1. Define your office security systems……2. Some servers are locked in a room and/or cages….

MAINTENANCE RECORDS (A) § 164.310(a)(2)(iv) “Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors and locks).”

Has your office implemented policies and procedures that specify how repairs and modifications to a building or facility will be documented to demonstrate that the EPHI is protected?

1. Define how you identify a visitor to your office and how that visit is logged. Upon entry and exit….

Ver.9.28 21 Client

Train

Positive Business Solutions, Inc. 11880 Kemper Springs Dr, Cincinnati, OH 45240 (800) 626-2306 www.pbsinet.com

WORKSTATION USE § 164.310(b) “Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information.”

This standard does not have corresponding implementation specifications. However, compliance with the standard itself is required (R).

Do your office policies and procedures specify the use of additional security measures to protect workstations with EPHI, such as using privacy screens, enabling password protected screen savers or logging off the workstation?

1. User workstations are equipped with screen savers and timeout session settings to prevent unauthorized access in the event the user leaves the workstation. The user can also invoke a privacy screen on demand from several functions of the EHR. 2. For workstations where record scanning is performed, the location of workstations where scanning of PHI.... 3. shredders or services ___

DEVICE AND MEDIA CONTROLS § 164.310(d)(1) “Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility.”

DISPOSAL (R) § 164.310(d)(2)(i) “Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored.”

Does your office have a method of destroying EPHI on equipment and media you are no longer using? For example, have you considered purchasing hard drive erasure software for a planned upgrade of office computers?

1. PBSI will erase any EPHI from electronic media or devices that are replaced or upgraded. 2. ____

DATA BACKUP AND STORAGE (A) § 164.310(d)(2)(iv) “Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment.”

Do you have a process in place to create a retrievable, exact copy of EPHI before the equipment on which it is stored is moved?

PBSI Backup Procedures / Processes

ACCESS CONTROL § 164.312(a)(1)“Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in § 164.308(a)(4)) [(Information Access Management)].”

UNIQUE USER IDENTIFICATION (R)§ 164.312(A)(2)(I)“Assign a unique name and/or number for identifying and tracking user identity.”

Do you have a process in place to assign each user of your system a unique user identifier? If so, can the identifier be used to track user activity within information systems that contain EPHI? This may or may not be reasonable or appropriate for a solo clinician where access has been granted to all office staff.

1, Access to all EPHI is obtained by use of unique UserID.2. UserID's are maintained in perpetuity and cannot be reassigned or used.3. Audit logs are maintained that record the USERID and the access to EPHI.

AUTOMATIC LOGOFF (A) § 164.312(a)(2)(iii) “Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.”

Do your current information systems have an automatic logoff capability to ensure that unauthorized users do not access data on unattended workstations?

1. Depending upon the role of the user, a timeout setting is established which will terminate the electronic session after that period of inactivity.

Ver.9.28 22

Client Train

Positive Business Solutions, Inc. 11880 Kemper Springs Dr, Cincinnati, OH 45240 (800) 626-2306 www.pbsinet.com

PERSON OR ENTITY AUTHENTICATION § 164.312(d) “Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.”

This standard does not have corresponding implementation specifications. However, compliance with the standard itself is required (R).

Does your system require the input of something known only to the person or entity seeking access to EPHI, (such as a password or PIN) prior to granting the requested access?

1. Each newly authorized user is given a unique userID and a password that must be changed by the user upon their first access. This password is only known to that user. 2. Passwords expire every 30 days.

TRANSMISSION SECURITY § 164.312(e)(1) “Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.”

ENCRYPTION (A) § 164.312(e)(2)(ii) “Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.”

Based on your required risk analysis, is encryption needed to protect the transmission of EPHI between your office and outside organizations? If not, what measures do you have in place to ensure the protection of this information? Some small providers might consider password protection of documents or files containing EPHI and/or prohibiting the transmission of EPHI via email.

1. Users are prohibited from using email to transmit documents that contain EPHI. 2. Our practice maintains a secure email account with ExchangeDefender that is used to encrypt and securely send EPHI if needed.