The Brave New World of Health Care: MU, HIPAA, and their Audits

Scott Jens, OD

Post on 14-Aug-2020


Overview

• MU
• HIPAA
• Audits

Stages of MU

• Improving patient care through advanced clinical processes
• Ultimately, improving outcomes

Stage 2 MU for You?

• Stage 2 MU always occurs in the doctor’s 3rd year of MU
• In 2014, it is required for any providers who did Stage 1 for the first time in 2011 or 2012

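Stage Timing

Stage of MU, by first year with EHR (rows) and calendar year (columns):

| First Year With EHR | 2011 | 2012 | 2013 | 2014 | 2015 | 2016 | 2017 |
|---|---|---|---|---|---|---|---|
| 2011 | 1 | 1 | 1 | 2 | 2 | 2 | 3 |
| 2012 |   | 1 | 1 | 2 | 2 | 2 | 3 |
| 2013 |   |   | 1 | 1 | 2 | 2 | 3 |
| 2014 |   |   |   | 1 | 1 | 2 | 2 |
| 2015 |   |   |   |   | 1 | 1 | 2 |
| 2016 |   |   |   |   |   | 1 | 1 |
| 2017 |   |   |   |   |   |   | 1 |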

Medicare Payments

Maximum Incentive Payments (Medicare EP) – 75% bonus on Medicare Allowable Charges for calendar year

| First Year With EHR | 2011 | 2012 | 2013 | 2014 | 2015 | 2016 | Total |
|---|---|---|---|---|---|---|---|
| 2011 | $18,000 | $12,000 | $8,000 | $4,000 | $2,000 |   | $44,000 |
| 2012 | 0 | $18,000 | $12,000 | $8,000 | $4,000 | $2,000 | $44,000 |
| 2013 | 0 | 0 | $15,000 | $12,000 | $8,000 | $4,000 | $39,000 |
| 2014 | 0 | 0 | 0 | $12,000 | $8,000 | $4,000 | $24,000 |
| 2015 | 0 | 0 | 0 | 0 | Penalty | Penalty |   |

**2% reduction due to sequester must be calculated

Medicaid Payments

| Year 1 | Year 2 | Year 3 | Year 4 | Year 5 | Year 6 |
|---|---|---|---|---|---|
| Adopt, Implement, Upgrade | 1 | 1 | 2 | 2 | 3 |
| $21,250 | $8,500 | $8,500 | $8,500 | $8,500 | $8,500 |

2014 Update

• Must use 2014 version of EHR (RevEHR v6.2)
• One calendar quarter to perform MU
• Stage 1 first-year in any 90 days of the year!
• Attestation done by Feb. 28, 2015
• Automated calculation and submission of CQM

New Rule, Aug. 29

• If unable to fully implement all of the functions of the 2014 Certified EHR Technology due to issues related to availability delays, may perform Stage 1 MU in 2014 even if due to perform Stage 2.

Stage 2 Core Objectives

Stage 2 Menu Objectives

Clinical Quality Measures

• CQMs are stand-alone from Core / Menu
• From at least 3 of 6 health domains

1. Patient and Family Engagement
2. Patient Safety
3. Care Coordination
4. Population/Public Health
5. Efficient Use of Healthcare Resource
6. Clinical Process/Effectiveness

MU2 Effort Items

• These MU2 objectives require forethought but can be accomplished with focused effort:

» Patient V/D/T from PHR
» Incorporate Lab Results Electronically
» Medication Reconciliation
» Summary of Care Record for Referrals
» Secure Messaging from Patients
» Imaging Results for Orders
» Clinical Quality Measures
» Security Risk Assessment (SRA)

HIPAA Privacy and Security

• Privacy Policy required for years
• Security Policy less well known until MU: evaluate security vulnerabilities associated with EHR, rank threats and vulnerabilities
• Develop an action plan to mitigate top risks and document progress
• Complete an SRA annually

HIPAA is a Responsibility

• You are a Covered Entity; RevolutionEHR is your Business Associate
• You are responsible for HIPAA Compliance within the practice
• MU’s “Protect Health Information” objective added a HIPAA compliance objective by requiring management of electronic protected health information (ePHI)

HIPAA Responsibilities

• Assess any and all places where ePHI is vulnerable
• Create mitigation plans to correct deficiencies
• Develop breach notification plans, even for unforeseen issues
• Secure data at rest with encryption
• Develop clear practice protocols for proper use of access controls

When the SRA Matters

• Community Health Systems had 4.5 million records breached in August 2014
  – Chinese hackers using highly sophisticated methods to bypass security systems
• Names, DOBs, addresses, SSNs
• Notifications and protection of patients estimated to cost $20 million

MU Audits

• Performed by Figliozzi
• 10-20% MU attestations will be audited
• More common to happen pre-payment
• Mailed or emailed notices, requesting
  – Numerators and denominators for each measure
  – Time period of MU
  – Evidence that the information is for the provider
  – Evidence that the report came from Certified EHR

MU Audit Failures

• The single biggest point of failure is misinterpretation of the complexity of an SRA and the lack of performing a true SRA
• Documentation of an SRA and the associated implementation including any mitigation plan and dates of updates are required
• Also need the same denominator for all objectives for unique patients

MU Audit Resources

• Official 2014 CMS audit documentation
  – http://www.cms.gov/Regulations-an-Guidance/Legislation/EHRIncentivePrograms/Downloads/Stage2_AuditGuidance.pdf
• Tipsheet
  – http://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Downloads/SecurityRiskAssessment_FactSheet_Updated20131122.pdf

HIPAA Audits

• Round 2 begins in Oct. 2014; Office of Civil Rights is assessing 350-400 health care businesses
  – 2012: broad compliance assessment, on-site, KPMG
  – 2014: focus on SRAs, desk audits, OCR staff
  – 2016: will focus on encryption and decryption; facility and physical access control
• Privacy Policy is still important

HIPAA Audit Resources

• http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html
• http://www.healthcareinfosecurity.com/hipaa-audits-round-2-details-revealed-a-6747

 

Cardiac surgery center audit

• $100,000 settlement
• Failed to implement adequate policies and procedures to safeguard patient information
• Failed to train employees on Privacy & Security
• Failed to identify a security officer and conduct an SRA
• Failed to obtain BAAs

Dermatology clinic

• $150,000 payment
• Lost an unencrypted thumb drive with ePHI
• Didn’t have written policies on breach notification until after situation
• Proof of a policy created after the event did not shield the covered entity from OCR enforcement


NEXT: Vendor Breakout Sessions, 11 and 11:30