Becoming HITECH - 9/2009
1. Becoming HITECH
Review of the HITECH Act and its role in a holistic approach to compliance
September 30, 2009
2. Agenda
• About Us
• Obligations of Healthcare Providers
• Review of HIPAA and Red Flags Rule Objectives
• Discussion on HITECH
– Objectives and Requirements
– Placement in ARRA
– Funding Opportunities
• Rethinking your Patient Privacy, Security, and Protection Strategy
Becoming HITECH
4. About Us
• Management consulting firm
• Founded in 1953
• Headquartered in Pittsburgh, PA
• Affiliated with several consulting firms across the United States
5. Our Services
• Strategy
• Operations and Process Improvement
• Performance and Diagnostic Measurement
• Organizational Development
• Workforce and Economic Development
8. Security and Protection Obligations
Healthcare providers are obligated to secure all data accepted from patients for treatment or other health care operations and to ensure that the privacy of that information is upheld.
• These obligations include ensuring the following:
– Completeness
– Accuracy
– Confidentiality
– Protection
• Additional areas of data management not addressed are:
– Availability
– Reliability
9. HIPAA Purpose
• Purpose: Require the implementation of administrative, technical, and physical safeguards to:
– Ensure data integrity and confidentiality
– Protect against reasonably anticipated:
• Threats or hazards to the security or integrity of data
• Unauthorized use or disclosure
10. HIPAA Requirements
• Privacy policies and procedures
• Privacy notice
• Privacy official
• Workforce training and enforcement
• Mitigation process
• Complaint process
• Implement safeguards
– Administrative
– Technical
– Physical
• Retain policies, procedures, and notices for six years
11. Red Flags Purpose and Requirements
• Purpose: Preventing an individual with unauthorized data from obtaining unauthorized services
• Four Elements of Compliance for the Red Flags Rule:
1. Identify Red Flags for covered accounts and incorporate those red flags into the Program
2. Detect Red Flags that have been incorporated into the Program
3. Respond appropriately to any Red Flags that are detected to prevent and mitigate identity theft
4. Update the Program at least annually to reflect changes in risks to customers or to the safety and soundness of the financial institution or creditor from identity theft
• Compliance Date: November 1, 2009
13. HITECH Overview
• Health Information Technology for Economic and Clinical Health Act
– Title XIII and Title IV of Division B of the American Recovery and Reinvestment Act of 2009
• Objective: “Utilization of an electronic health record for each person in the United States by 2014”
– Requirements for Achievement:
• Confidence in Systems
• Confidence in Organizations
• Funding for Implementation
• Effective Date: September 23, 2009, but enforcement will be delayed until February 22, 2010
14. HITECH: Supplements to HIPAA
• Extension of “covered entity” requirements to the “business associate”
• State Attorney General Enforcement
• Establishes breach notification requirements
• Breach – “Unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information”
15. HITECH: Identifying a Breach
• Perform Risk Assessment to:
– Define the “harm threshold”
– Determine if breach falls into one of the seven exception criteria:
• Disclosure to the Individual
• Disclosure for Treatment, Payment and Health Care Operations (TPO)
• Opportunity to Agree or Object
• “Incident to”
• Limited Data Set / De-identified Data
• Has Authorization
• Public Policy (Legal Requirement, Law Enforcement, etc.)
16. HITECH: Breach Requirements
• HITECH requires that notification be communicated within 60 days from the day the breach is:
– Known by someone in the organization (other than the person committing the breach)
– By exercising reasonable diligence, would have been known
– Must provide notification without “unreasonable delay”
• Business Associate (BA) Notification Requirement
– Notify affected covered entity/entities of breach
– The covered entity is then required to notify individuals (unless contract states otherwise)
• If BA is agent of covered entity
– Must notify individuals within 60 days of BA discovery
• If BA is independent contractor
– Must notify individuals within 60 days of being notified
17. HITECH: Required Notification
• The required notification activities depend upon:
– Number of individuals impacted
– Location in which the individuals reside
• The breach notification must include the following in “plain language”:
– Brief description of what happened
– Types of information involved
– Steps affected individuals should take to protect themselves
– Definition of the steps the covered entity is taking to mitigate harm to individuals
– Contact procedures for individuals with additional questions
18. HITECH: Notification Req.
[Flowchart: Start → Identify Breach → Notify Individual → Notify Public → End, within 60 days]
• Identify Breach: Once a potential breach has been identified, perform a risk assessment to determine if the “harm threshold” indicates a breach occurred.
• Notify Individual: Notify the individuals affected by the breach using a written notice, including appropriate information. If individual(s) cannot be reached, follow the substitute notice procedure.
• Notify Public: Determine if a need exists to notify major media outlets, the HHS Secretary, and/or credit reporting agencies of the breach.
Refer to Decision Tree for Additional Detail
19. HITECH: Incentives for EHR
• Title IV – Medicare and Medicaid Health Information Technology; Miscellaneous Medicare Provisions of the ARRA includes the following provisions:
– Additional funding for eligible professionals adopting EHR prior to 2014
– Penalties for professionals not adopting by 2014
• “Meaningful Use” Requirement for Adoption
– Connected in a manner that provides for electronic exchange of health information
– Provider is able to generate and submit measurements of EHR use in their practice
• A “significant hardship” exemption exists
20. HITECH: The “Carrot” and the “Stick”
MU Year | 2011    | 2012    | 2013    | 2014    | 2015    | 2016   | 2017 | 2018 | 2019 | Total
2011    | $18,000 | $12,000 | $8,000  | $4,000  | $2,000  |        |      |      |      | $44,000
2012    |         | $18,000 | $12,000 | $8,000  | $4,000  | $2,000 |      |      |      | $44,000
2013    |         |         | $15,000 | $12,000 | $8,000  | $4,000 |      |      |      | $39,000
2014    |         |         |         | $12,000 | $8,000  | $4,000 |      |      |      | $24,000
2015    |         |         |         |         | None    |        |      |      |      |
Penalty |         |         |         |         | -1%     | -2%    | -3%  | -4%  | -5%  | ??
22. Risk Assessment Process
• HIPAA, Red Flags, and HITECH require the performance of a risk assessment to determine the necessary safeguards
• When performing this assessment, the following should be considered for each risk area:
– Likelihood
– Impact
– Effectiveness
• Prevention
• Detection
• Mitigation
23. Risk Assessment Areas
• Areas to Consider:
– Current Policies / Procedures
• Design Effectiveness
• Operating Effectiveness
– Application Risks
• Role-based Access
• Application Controls
– Data Assessment (Create, Transmit, Store, Dispose)
• Creation
• Storage (primary and secondary)
• Transmission
• Disposal
– Organization
– External Risks
• Environmental Risks (Flood, Power Failure)
• Liability – Business Associate/Vendor Agreements
24. Remediation Efforts
• No policy, procedure, or application should be implemented solely for regulatory purposes
• People and Process are still the critical components of an efficient, effective, and compliant organization
– The individuals who own the information may be your most effective (and least costly) detective control
• Physical / Technical safeguards should be integrated into the processes utilizing the technology to increase efficiency, reliability, and utilization of the information
• Compliance practices should be customized to the organization
26. Thank You
If you have any additional questions, please feel free to contact me:
Scott A. Rogerson, CISA, CAPM
412-722-1111
srogerson@hillgroupinc.com
The Hill Group, Inc.
2 East Main Street
Carnegie, PA 15106-2456 USA
www.hillgroupinc.com