Opportunity Knocks: Modern Healthcare Information Technology

Upload: jeffrey-paulette

Post on 29-Nov-2014

DESCRIPTION

A healthcare information technology overview. Discusses talking points on services & solutions around HITECH/EHR and the associated risks.

TRANSCRIPT

Page 1: Modern Healthcare Information Technology

Opportunity Knocks: Modern Healthcare Information Technology

Page 2: Modern Healthcare Information Technology

Agenda

• HITECH/EHR Overview

• HITECH/EHR Services & Solutions

• Health Information Technology Risks

• ANSI PHI Project

Page 3: Modern Healthcare Information Technology

HITECH/EHR Overview

HITECH/EHR Overview

HIPAA & PHI Data Breaches

Enforcement Updates

Page 4: Modern Healthcare Information Technology

HITECH/EHR Overview

• HC IT Project Drivers: Incentives

ARRA HITECH – "EHR … by 2014"

Nationwide HIT infrastructure

Meaningful Use HIPAA security requirements

Changing EHR MU Stage 2 & 3 requirements

Upcoming ACO requirements

• HC IT Project Drivers: Sanctions

PHI breach notification

HIPAA enforcement

Page 5: Modern Healthcare Information Technology

HIPAA and PHI Data Breaches

• Ponemon Institute: Data breaches cost hospitals nearly $6 billion/year [1]

• Medical-related data breaches listed in Privacy Rights Clearinghouse [2]

116 breaches listed in 2007-2008

229 breaches listed in 2009-2010

• 86% of large-hospital employees surveyed believe the number of data breaches discovered will increase under HITECH [3]

• The Department of Justice secured "$2.5 billion in health care fraud recoveries—the largest in history," for the fiscal year ending 9-30-2010 [4]

[1] Source: Benchmark Study on Patient Privacy and Data Security, November 9, 2010, Ponemon Institute LLC.

[2] Source: http://www.privacyrights.org/

[3] Source: 2009 HIMSS Analytics Report: "Taking a Pulse on HITECH, Are Hospitals and Business Associates Ready?" November 17, 2009.

[4] Source: Department of Justice, November 22, 2010, http://www.justice.gov/opa/pr/2010/November/10-civ-1335.html

Page 6: Modern Healthcare Information Technology

Enforcement Updates

HIPAA Sanctions

• Periodic HHS CE & BA HIPAA Compliance Audits

• Violations range from $100 to $1.5 million (willful neglect)

• Extends criminal penalties to individual or employee of CE

• State attorneys general can file civil suit on behalf of residents

Page 7: Modern Healthcare Information Technology

Enforcement Updates

OCR Commitment to HIPAA Enforcement

Program Increases

• Regional Office Privacy Advisors (+$2.283 million)

• Enforcement of the HIPAA Security Rule (+$1 million)

• Investigation of the HITECH Breach Reports (+$1.335 million)

• Compliance Review Program (+$1 million)

Page 8: Modern Healthcare Information Technology

Enforcement Updates

HIPAA Enforcement Activities

• Cignet Health, 2011: $4.3 million – Denying access to medical records & refusing to cooperate with OCR investigation

http://www.hhs.gov/news/press/2011pres/02/20110222a.html

• Massachusetts General Hospital Settles HIPAA Violations, 2011: $1 million – Documents left on subway by employee

http://www.hhs.gov/news/press/2011pres/02/20110224b.html

• Health Net, 2011: $55,000 + mandatory data-security audit 2 years – Lost portable drive & misrepresentation of risk

http://www.healthdatamanagement.com/news/breach_hipaa_privacy_security_hitech_lawsuit-39645-1.html

• Rite Aid, 2010: $1 million – Poor disposal practices

http://www.hhs.gov/news/press/2010pres/07/20100727a.html

Page 9: Modern Healthcare Information Technology

HITECH/EHR Services & Solutions

EHR Related Services BKD Provides

Page 10: Modern Healthcare Information Technology

HITECH/EHR Services & Solutions

Outsourced Project Management

• Assist management with development of project plan to manage all phases of EHR implementation project

• Assist management with overseeing project milestones

• Periodic project status & project risk reports

EHR System Selection

• Assist management with identifying & evaluating an EHR-compliant system

• Demonstration scorecards—basis for purchase decisions

• Total cost of ownership—three-year estimates that include software, equipment & implementation fees

EHR Readiness Assessment

• IT & infrastructure inventory

• EHR current capabilities assessment

• IT Governance & process maturity measurements

• Security compliance assessment

Page 11: Modern Healthcare Information Technology

HITECH/EHR Services & Solutions

ARRA Reimbursement Analysis

• Develop reimbursement projections

• Develop multi-year cash flow analysis mapping EHR project timeline with federal funding timeline projections

EHR Meaningful Use Attestation Assistance

• Review meaningful use objectives management has decided to report against

• Develop audit procedures to determine if selected objectives are being met

• Provide findings & recommendations based on executed audit procedures

HIPAA Data Security & Privacy Assessment

• Data-flow analysis

• Risk & control identification

• IT Governance & process maturity measurements

• Control design & effectiveness testing

Page 12: Modern Healthcare Information Technology

Health Information Technology Risks

Understanding HIT Data-flow

Risk Associated with Clinical Systems

Expanded Audit Procedures

Page 13: Modern Healthcare Information Technology

Health Information Technology Risks

• Developing clinical system & sub-system inventory

• Understanding flow of data in a healthcare system

• Identifying risks & controls

Page 14: Modern Healthcare Information Technology

Health Information Technology Risks

Page 15: Modern Healthcare Information Technology

Health Information Technology Risks

Page 16: Modern Healthcare Information Technology

Health Information Technology Risks

Page 17: Modern Healthcare Information Technology

Health Information Technology Risks

Expanded HIT Audit Procedures

• Data-flow analysis

• Computer Assisted Audit Techniques (CAAT)

• Evaluating security at clinical system level

• Evaluating intermediary data repositories & job scheduling/data integration systems

Page 18: Modern Healthcare Information Technology

ANSI/Shared Assessments PHI Project

Report & tools valuing financial impact of unauthorized disclosure of protected health information (PHI)

Page 19: Modern Healthcare Information Technology

ANSI/Shared Assessments PHI Project

http://www.ansi.org/standards_activities/standards_boards_panels/idsp/protected_health_information.aspx

Page 20: Modern Healthcare Information Technology

Thank You

Matt Lathrom, CISM, CISA, MCP

Managing Consultant

BKD IT Risk Services

[email protected]

816.221.6300