HIT Challenges and Regulatory Requirements

Michele Madison, 404.504.7621

Learning Objectives

Review of Cyber Security Challenges

Understand the changes to the meaningful use and advancing care information

Discussion of Advancing Care Information and its impact on Hospital physicians

Cyber Security Challenges

Medical Identity Theft

• Medical Identity Theft increased 22% in 2014 (NBC News) and grew tenfold in 2015

• Medical Identity Theft is an Epidemic (USA Today)

• Medical Identity Theft is Low Hanging Fruit (CBS News)

• Health records are worth a lot more on the black market: an estimated $50 to $70, versus $2 for a hacked credit card

http://www.greenvilleonline.com/story/news/2017/08/29/medical-identity-theft-growing-threat/572830001/

2017 Data Breaches Reported in Georgia

• AU Medical Center: 6,109 (email)
• National DCP Health Plan: 1,190 (email)
• Braun Internal Medicine: 680 (email)
• Peachtree Neurological: 76,295 (server)
• GI Care for Kids Endoscopy: 1,700 (server)
• AU Medical Center: 5,600 (email)
• Skin Cancer Specialists: 3,365 (server)

2016 Breaches in GA

• Emory Healthcare: 79,930 (hacking)
• Peachtree Orthopaedic: 531,000 (server)
• Vascular Surgical: 36,496 (server)
• Athens Orthopedic: 200,000 (server)

Ransomware

More than 4,000 ransomware attacks have occurred every day since the beginning of 2016. That's a 300% increase over 2015, when 1,000 ransomware attacks were seen per day.

Source: Computer Crime and Intellectual Property Section (CCIPS) of FBI

Security Incident Response

Once the ransomware is detected, the covered entity or business associate must initiate its security incident response and reporting procedures. See 45 C.F.R. 164.308(a)(6).

Security Incident Response

Begin with an initial analysis to:

• determine the scope of the incident to identify what networks, systems, or applications are affected;
• determine the origination of the incident (who/what/where/when);
• determine whether the incident is finished, is ongoing, or has propagated additional incidents throughout the environment; and
• determine how the incident occurred (e.g., tools and attack methods used, vulnerabilities exploited).

http://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf

Security Incident Response

Subsequent security incident response activities include:

• contain the impact and propagation of the ransomware;
• eradicate the instances of ransomware and mitigate or remediate vulnerabilities that permitted the ransomware attack and propagation;
• recover from the ransomware attack by restoring data lost during the attack and returning to "business as usual" operations; and
• conduct post-incident activities, which could include a deeper analysis of the evidence to determine if the entity has any regulatory, contractual or other obligations as a result of the incident (such as providing notification of a breach of protected health information), and incorporating any lessons learned into the overall security management process of the entity to improve incident response effectiveness for future security incidents.

http://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf

Security Incident Response

After the analysis and investigation is complete, determine if PHI was involved. If yes:

Unless the covered entity or business associate can demonstrate that there is a "...low probability that the PHI has been compromised," based on the factors set forth in the Breach Notification Rule, a breach of PHI is presumed to have occurred.

http://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf

Initiate Breach Notification Protocol (see 45 C.F.R. 164.400-414)

Security Rule

Access Control, § 164.312(a)(1)
• Unique User Identification
• Emergency Access Procedure
• Automatic Logoff
• Encryption and Decryption

Audit Controls, § 164.312(b)

Integrity, § 164.312(c)(1)
• Mechanism to Authenticate Electronic Protected Health Information

Person or Entity Authentication, § 164.312(d)

Transmission Security, § 164.312(e)(1)
• Integrity Controls
• Encryption

Relevant Facts

October 6th: GAO and Inspector General find HHS, FDA and VA among 24 agencies with ineffective security.

Five key control areas:
1. access controls,
2. configuration management,
3. segregation of duties,
4. contingency planning, and
5. security management

Challenges for Providers

• Staffing
• Technology
• Budget
• Constant Monitoring / Constant Changing
• Human Error
• Desire for more Innovation
• Global Threat

Cyber Security

• Board of Trustees should be informed
• Resources are required to address the security concerns
• Evaluate cyberliability insurance coverage
• Evaluate state resources designed to support hospitals

Meaningful Use = Advancing Care Information

Meaningful Use

Attestation Moving to QNet

Starting in October 2017, CMS will open new user enrollment registration on the QNet portal. Between October and December 2017, you will be able to view your data in the existing CMS EHR Incentive Program's Registration and Attestation system.

Medicaid 2017 Reporting

Medicaid Only: Hospitals must report on objectives and Eligible Providers on 10 measures

Certified EHR may be one of the following:
• 2014 Certification
• 2015 Certification
• Combination of both

Objectives

1) Protect electronic protected health information (ePHI) created or maintained by the CEHRT through the implementation of appropriate technical capabilities.

2) Use clinical decision support to improve performance on high-priority health conditions.

3) Use computerized provider order entry (CPOE) for medication, laboratory, and radiology orders directly entered by any licensed healthcare professional who can enter orders into the medical record per state, local, and professional guidelines.

4) Generate and transmit permissible discharge prescriptions electronically (eRx).

Objectives

5) Health Information Exchange – The eligible hospital that transitions its patient to another setting of care or provider of care, or refers its patient to another provider of care, provides a summary care record for each transition of care or referral.

6) Use clinically relevant information from CEHRT to identify patient-specific education resources and provide those resources to the patient.

7) The eligible hospital that receives a patient from another setting of care or provider of care or believes an encounter is relevant performs medication reconciliation.

8) Patient Electronic Access – Provide patients the ability to view online, download, and transmit their health information within 36 hours of hospital discharge.

9) Public Health Reporting – The eligible hospital is in active engagement with a public health agency to submit electronic public health data from CEHRT except where prohibited and in accordance with applicable law and practice.

Advancing Care Information

• Reduced from 11 to 5 measures
• Bonus for Public Registry Reporting / Clinical Data Registries
• Patient Electronic Access
• Electronic Care Coordination
• Health Information Exchange
• Bonus points for reporting to public health or clinical data registries

Advancing Care Information

• In 2017, there are two measure set options for reporting. The option you use to submit your data is based on your electronic health record edition.

• Option 1: Advancing Care Information Objectives and Measures

• Option 2: 2017 Advancing Care Information Transition Objectives and Measures

Advancing Care Information Reporting

• You can report the Advancing Care Information Objectives and Measures:

• If you have technology certified to the 2015 Edition; or

• If you have a combination of technologies from 2014 and 2015 Editions that support these measures.

Certified Electronic Records

• You can report the 2017 Advancing Care Information Transition Objectives and Measures:

• If you have technology certified to the 2015 Edition; or

• If you have technology certified to the 2014 Edition; or

• If you have a combination of technologies from 2014 and 2015 Editions.

Advancing Care Information Reporting

Individual: Attestation, QCDR, Qualified Registry, EHR Vendor

Group: Attestation, QCDR, Qualified Registry, EHR Vendor, CMS Web Interface (groups larger than 25)

Data Submission

Performance Category: Advancing Care Information

Proposed Performance Standard: Based on participation (base score) and performance (performance score). Base score: achieved by meeting the Protect Patient Health Information objective and reporting the numerator (of at least one) and denominator or yes/no statement as applicable (only a yes statement would qualify for credit under the base score) for each required measure. Performance score: decile scale for additional achievement on measures above the base score requirements, plus 1 bonus point.

Final Performance Standard: Based on participation (base score) and performance (performance score). Base score: achieved by meeting the Protect Patient Health Information objective and reporting the numerator (of at least one) and denominator or yes/no statement as applicable (only a yes statement would qualify for credit under the base score) for each required measure. Performance score: between zero and 10 or 20 percent per measure (as designated by CMS) based upon measure reporting rate, plus up to 15 percent bonus score.

Performance Standards 2017

Base ACI Objective and Measures

2017 ACI Transition Objectives

Limited Health Information Exchange

Protect Patient Information

E-Prescribing

Patient Electronic Access

Health Information Exchange

Security Analysis

E-Prescribing

Provide Patient Access

Send Summary of Care

Request and accept a Summary of Care (bonus)

ACI Performance Measures

Additional ACI Performance:

Coordination of Care through patient generated data

HIE: Clinical Information Reconciliation

Transition Performance:

Patient Electronic Access: patient access; view, download, and transmit

Patient Specific Education

Secure Messaging

Health Information Exchange

Medication Reconciliation

Immunization Registry reporting

5% bonus to report to the following:
• Syndromic Surveillance Reporting
• Specialized Registry Reporting
• Electronic Case Reporting
• Public Registry Reporting
• Clinical Data Registry Reporting

10%: Use Certified Electronic System to Report

Bonus Points

Exceptions to ACI

• Non-patient-facing providers = 0%
• Insufficient Internet connectivity
• Extreme and uncontrollable circumstances
• Lack of control over availability of Certified Electronic Health Records

PICK YOUR PACE

• Negative 4%
• Submit 1 Quality, 1 Improvement Activity, or 4-5 ACI
• Submit for full year
• Submit at least 90 days

Reporting

• Must report by March 31, 2018
• Feedback provided
• Payment adjustment January 1, 2019


Presentation

Michele Madison - Partner, Healthcare, Healthcare IT, Data Security & Privacy Practices at Morris, Manning & Martin, [email protected]

Disclaimer

The materials and information presented and contained within this document are provided by MMM as general information only, and do not, and are not intended to, constitute legal advice. Any opinions expressed within this document are solely the opinion of the individual author(s) and may not reflect the opinions of MMM, individual attorneys, or personnel, or the opinions of MMM clients. The materials and information are for the sole use of their recipient and should not be distributed or repurposed without the approval of the individual author(s) and Morris, Manning & Martin LLP. This document is Copyright ©2017 Morris, Manning & Martin, LLP. All rights reserved worldwide.