Redspin February 17, 2011 Webinar - Meaningful Use
DESCRIPTION
· EHR Meaningful Use Incentive Program: Progress to Date · What's New on the Security Front · Navigating Meaningful Use Amidst a Changing Political Landscape · Case Studies · Mapping Your Internal Security Program for Compliance and Long Term Success · The Challenges of Creating a Secure, Private Cloud Environment
TRANSCRIPT
Meaningful Use and IT Security A Live Update from the RSA Conference in San Francisco
Daniel W. Berger, Executive Vice President, Redspin, [email protected]
(805) 576-7158
2/17/2011 http://www.redspin.com
So yes, I was at RSA….
Agenda
- EHR Meaningful Use Incentive Program: Progress to Date
- Navigating “Meaningful Use” Amidst a Changing Political Landscape
- Assessing Your Internal Security Program for Compliance and Long Term Success
- What's New on the Security Front
- The Challenges of Creating a Secure, Private Cloud Environment
- Case Study: Beth Israel Deaconess Medical Ctr
Where Did It All Start?
• American Recovery and Reinvestment Act (ARRA)
– Established new Medicare and Medicaid incentives to stimulate critically needed investments in health information technology (health IT)
• Two key concepts determine whether providers qualify for health IT incentives:
– must make "meaningful use" of IT
– use a "qualified or certified EHR" (electronic health record).
The ONC Mandate
“Americans will benefit from electronic health records as part of a modernized, interconnected, and vastly improved system of care delivery.”
Dr. David Blumenthal, Office of National Coordinator (ONC) for Health Information Technology (Outgoing Head)
“Meaningful Use” – A Quick Review
- Use of a certified EHR in a meaningful manner (e.g. e-prescribing)
- Use of certified EHR technology for electronic exchange of health information to improve quality of health care
- Use of certified EHR technology to submit clinical quality and other measures
Eligible Entities
– Eligible professionals (EPs)
– Eligible hospitals
– Critical access hospitals
– Certain Medicare Advantage Organizations whose affiliated EPs and hospitals are meaningful users of certified EHR technology
Criteria and Standards
– Is the practice or hospital making adequate use of EHRs?
– Has a risk analysis been conducted?
– Is there a platform for staged implementation?
To achieve meaningful use, providers must:
– Provide and monitor privacy and security protection of confidential PHI through operating policies, procedures, and technologies
– Comply with all applicable federal and state laws and regulations
– Provide transparency of data sharing to patients
CMS Meaningful Use Goals
- Improve quality, safety, and efficiency of health care and reduce health disparities
- Engage patients and families
- Improve care coordination
- Improve population and public health, and
- Ensure adequate privacy and security protections for personal health information
CMS Requirements
• Healthcare providers must demonstrate by the end of 2011 (September 30th for hospitals) a 90-day contiguous meaningful use of an electronic health record (EHR) for Medicare transactions
• Either adopt, implement or upgrade an EHR for Medicaid, also within 90 days.
• Hospitals can receive payments for both, but physicians only one.
Show Me the Money
Meaningful Use Incentive Program
Medicare EHR
- Participation as early as FY 2011
- EPs may receive up to $44,000 over 5 years, plus incentive if in HPSA
- Must begin by 2012 to get maximum
- Incentives for hospitals may begin in 2011 w/a $2 million base payment
- Medicare EPs, hospitals and CAHs who do not show meaningful use will have Medicare payments decrease beginning 2015
Medicaid EHR
- Voluntarily offered by individual states
- May begin as early as FY 2011
- EPs may receive up to $63,750 over 6 years
- Incentives for hospitals may begin in 2011
- No payment adjustment for providers who do not show meaningful use
Meaningful Use Incentive Program: Progress to Date
Jan 3, 2011 Meaningful Use registration opens
Jan 5, 2011 2-physician medical group in Austin, TX received $42,500 under the Medicaid incentive program for EHR
Feb 11, 2011 >18,000 providers registered under meaningful use incentive program
> 40,000 providers have registered at 62 regional extension centers for assistance in meeting requirements
May 1, 2011 First payments will go out to qualified Medicare providers
Navigating Meaningful Use Amidst a Changing Political Landscape
• House vote 245-189 to repeal Patient Protection and Affordable Care Act (PPACA)
• Spending Reduction Act HR 408 would imply rescinding funding for EHR incentives
• Blumenthal’s resignation
• PPACA ruled unconstitutional in a Virginia court and then again in U.S. district court in Florida
Keep Calm and Carry On
Assessing Your Internal Security Program for Compliance and Long Term Success
Meaningful Use Stage 1 Core Objective: Protect Electronic Health Information
• Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.
• Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.
Security Rule Standards
Evaluation Standard
“Perform a periodic technical and non-technical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which an entity’s security policies and procedures meet the requirements of this subpart.” [§164.308(a)(8)]
Related Standards
- Security Management Process §164.308(a)(1)(i)
- Risk Analysis §164.308(a)(1)(ii)(A)
- Risk Management §164.308(a)(1)(ii)(B)
- Information System Activity Review §164.308(a)(1)(ii)(D)
Business Associates
Covered Entity (CE)
A health plan, health care clearinghouse, or health care provider who transmits any health information in electronic form in connection with a transaction covered under the HITECH Act
Business Associate (BA)
Party who performs a function on behalf of a Covered Entity and has access to PHI in the performance of that function
HIPAA/HITECH Compliance
What are the objectives of a HIPAA Risk Analysis and Security Assessments?
Compliance: a HIPAA Risk Analysis verifies compliance with the standards defined in the Security Rule of the Administrative Provisions in Title II of HIPAA.
Security: utilizes a risk-based approach to minimize the risk of a compromise of Electronic Protected Health Information (EPHI) triggering the breach notification requirements.
PHI/PII Risk Indication
Components of Risk
The assets (what you are trying to protect is PHI)
• You need to know where it is, how it is used, and how it is transported over the network.
The threats (what are you afraid of happening?)
• Sophisticated cybercriminals stealing account credentials, credit card records, or medical history to file false claims.
• Hackers using application attacks to gain access to database records.
• Insiders gathering inappropriate data through misconfigured access control.
The vulnerabilities (how could the threat occur?)
• Targeted social engineering attacks; malware exploiting Adobe .pdf and MS Office .doc vulnerabilities
• Application vulnerabilities (e.g., SQL injection, command injection)
• Misconfigured database access controls
Current mitigation (what is currently reducing the risk?)
• Staff
• Technology
• Processes
Some Types of Assessments
- Controls
- Data Security
- Network Analysis
- Physical Security
- Systems Analysis
- External Pen
- Internal Pen
- Wireless Pen
- Web App
- Social Engineering
Other possible assessments:
- PCI, if credit cards
- Sarbanes-Oxley
- Gramm-Leach-Bliley
Business Associate Compliance
Business Associates (BAs):
- IT vendors
- coding vendors
- outsourced call center
- subcontractors
- insurance companies
- pharmacies
- hospitals
- physicians
- e-prescribing ecosystem
- CPOE
- radiology labs
- HIEs
- RHIOs
- ACOs
- lawyers
- CPAs
- housekeeping services
- etc. !!!
Covered Entity (CE)
Liability:
- BAs are contractually liable to CEs for breach of BA agreement
- BAs are civilly and criminally liable to Federal government for violations
Notification:
- BA notify CE of any breach
- CE has obligation to notify patients and HHS
- If 500+ persons, notify media serving their area
Recommendations:
- Identify BAs with highest risk
- Communicate expectations to BAs
- Automate contract and BA agreement files
- Develop auditing and monitoring process
- Educate executives and key players on BAs
HIPAA Audit Scope Attributions
What’s New on the Security Front
Healthcare IT: Challenges of Creating a Secure Cloud Environment
What is Cloud Computing?
Many definitions, but key characteristics include:
• Broad Network Access
• Rapid Elasticity
• Measured Service
• On-Demand Service
• Resource Pooling
Most Common Cloud Computing Deployment Models
Public – Available to the general public and owned by an organization selling cloud services.
Private – Operated solely for a single organization. It may be managed by the organization or a third party, and may exist on-premises or off-premises.
Community – Shared by several organizations and supports a specific community that has shared concerns. It may be managed by the organizations or a third party and may exist on-premises or off-premises.
Hybrid – A composition of two or more clouds.
A Hybrid Model – Most Common
(Diagram courtesy of Symantec)
Security and Compliance Challenge
What should you be worried about?
• Balancing Control vs. Trust
• Supporting Accessibility
• Protecting the Data
• Proving Your Solution is Secure
Solution: PHI in Cloud Context
How to avoid HHS's Breach List:
• Where is the Data
• Monitor and Log Access
• Encryption in Storage and Transit
• On-going Testing Program
CASE STUDY
Beth Israel Deaconess Medical Center
Profile
• Teaching hospital of Harvard Medical School
• >750,000 patient visits annually (Boston area)
• 631 licensed beds, including 429 medical / surgical beds, 77 critical care beds and 60 OB/GYN beds
• Approximately 5,000 births a year
• A full range of ER services including a Level 1 Trauma Center and roof-top heliport
• Medical provider to Boston Red Sox
Source: http://www.bidmc.org/AboutBIDMC/StatsandFacts.aspx
The Middle of the Story - Today
• Beth Israel Deaconess Medical Center (BIDMC) is first hospital nationally to meet new federal electronic health record requirements with its own software (January 26, 2011)
• Technology supports all quality, safety and efficiency goals spelled out in the American Recovery and Reinvestment Act (ARRA).
Source: http://www.bidmc.org/News/AroundBIDMC/2011/January/Meaningfuluse.aspx
The Beginning of the Story
• 2+ years ago
• Part of an eClinicalWorks LLC electronic health record (EHR) deployment to roughly 200 affiliated ambulatory physicians. Will be 350 by year end.
• BIDMC virtualized servers on VMware
• One at a time, one virtual server -- including the EHR software integrated with a practice management app and billing system -- was deployed to each practice.
Source: http://searchhealthit.techtarget.com/tip/How-virtualization-implementation-catalyzes-private-cloud-growth
(Jan 10, 2011)
The Result
• Beth Israel Deaconess realized it inadvertently had built the first -- or one of the first -- private clouds
• Scalable, doesn't require a huge hardware outlay or data center footprint at the start
• BIDMC has many attributes that are attractive to other health care networks looking for a model to crib their own EHR infrastructure.
Source: http://searchhealthit.techtarget.com/tip/How-virtualization-implementation-catalyzes-private-cloud-growth
Jan 10, 2011
In Their Own Words
“We didn't go into this thinking, 'Hey, let's build a cloud.' It was, 'We want a subscription-type service in which physicians could get rid of their homegrown technology and tap into Beth Israel Deaconess' infrastructure with only an Internet connection and their desktop machines.'”
- Bill Gillis, BIDMC eHealth Technical Director
Source: http://searchhealthit.techtarget.com/tip/How-virtualization-implementation-catalyzes-private-cloud-growth
Jan 10, 2011
In Their Own Words
“It's probably the most complex clinical health information thing I've ever tried to achieve -- more complex than building this cloud. There are so many moving parts, so many pieces that need to work and flow. It is challenging.”
- Bill Gillis, BIDMC eHealth Technical Director
Source: http://searchhealthit.techtarget.com/tip/How-virtualization-implementation-catalyzes-private-cloud-growth
Jan 10, 2011
The Future at BIDMC
• First step - Let physicians within its private cloud exchange data.
• Extend Hospital network's HIE project to other area hospitals and later to the whole country.
• Deploy virtual desktops in a hardware-agnostic way so physicians could manage apps from their laptops, tablets and smart phones.
• Interoperability combining data from various proprietary systems into a patient-accessible EHR.
Source: http://searchhealthit.techtarget.com/tip/How-virtualization-implementation-catalyzes-private-cloud-growth
(Jan 10, 2011)
http://www.redspin.com/resources/healthcare/index.php
Appendix
New Enforcement Efforts and Priorities
HHS made changes to the HIPAA regulations to conform the enforcement component of the regulations to the statutory revisions made pursuant to the HITECH Act.
• Civil Monetary Penalties
• Violations categorized
• Tiered ranges of civil money penalty amounts
Penalties – Per Calendar Year
- Person did not know (and by exercising reasonable due diligence would not have known): $100 - $50K/violation, not to exceed $25K - $1.5MM
- Violation due to reasonable cause and not to willful neglect: $1,000 - $50K/violation, not to exceed $100K - $1.5MM
- Due to willful neglect and violation was corrected: $10K - $50K/violation, not to exceed $250K - $1.5MM
- Due to willful neglect and violation was not corrected: At least $50K/violation, not to exceed $1.5MM