EHNAC AccreditationWednesday, August 20, 2014

Disclaimer: Nothing that we are sharing is intended as legally binding or prescriptive advice. This presentation is a synthesis of publically available information and best practices.

• Electronic Healthcare Network Accreditation Commission

• Founded in 1993 as a federally recognized standards development organization

• Purpose: improve transactional quality, operational efficiency, and data security in healthcare

• EHNAC accredited organizations improve business processes, improve quality of service, ensure regulatory compliance with HIPAA and state regulations, encourage innovation

EHNAC Accreditation - Overview

• Demonstrates adherence to high standards of quality, privacy, security, confidentiality, data management.

• Ensures compliance with HIPAA, state rules and regulations

• Important step in remaining competitive and fostering future business opportunities, and reducing risk of PHI breach.

• Uses industry standards NCPDP, X12, HL7, etc.

• Encourages improvements in products, services and workflow.

• Fosters reduction of operating costs via greater efficiency.

• Regular re-evaluation of business and risk assessment.

• Provides a comprehensive assessment of data transmission, security, accuracy, system availability and capacity, physical safety.

EHNAC - Benefits

• Pre-Application: submit this form online

• Submit application and signed agreements for each desired accreditation program

• Mail application fee– based on revenue, # of programs applied for

• Complete the Self-Assessment package at least 4 months prior to expiration date. – Fees are added for each month this package is late (based on

revenue).

– Late submission can mean penalties ranging from being temporarily removed from EHNAC’s website until payment is received, to needing to restart the entire application process.

EHNAC – Accreditation Process

• If sufficient documentation has been provided, a site visit will be performed.– Evaluates the accuracy of submitted documentation

– Reviewer conducts an interview with employees responsible for the documentation and any others deemed necessary by organization to summarize the site visit.

• Mail payment of site visit fees– based on revenue, # of sites

• Approve site visit report

• EHNAC Commission reviews and votes on site visit report, approving or denying accreditation by majority rule.

• Approved accreditation is effective for 2 years.

EHNAC – Accreditation Process (cont)

• Electronic Healthcare Networks (EHN)

• ePrescribing Networks

• Third-party Administrators (TPA)

• Financial services organizations

• Managed Service Organizations (MSO)

• Medical billers

• Health Information Exchanges (HIE, HIO, ACO)

• Outsourcers (data centers, printing, scanning...)

• Practice Management Systems vendors

• HISPs

EHNAC – Who Can Be Accredited

• ACOAP: Accountable Care Organization Accreditation Program

• DTAAP: Direct Trusted Agent Accreditation Program for HISPs, Certification or Registration Authorities

• ePAP-EHN: ePrescribing Accreditation Program

• EPSCSP: ePrescribing of Controlled Substances Certification Program for Pharmacy Applications or Prescribing Applications

• FSAP: Financial Services Accreditation Program for Electronic Health Networks or Lockbox services

• HIEAP: Health Information Exchange Accreditation Program

EHNAC – Programs

• HNAP-EHN: Healthcare Network Accreditation Program for Electronic Health Networks, Medical Billers, Payers, or Third-Party Administrators

• MSOAP: Management Service Organization Accreditation Program

• OSAP: Outsourced Services Accreditation Program for Call Centers, Data Centers, Disaster Recovery facilities, Health Information Exchanges, Media Storage facilities, Network Administrator services, Printing, Product development, or Scanning

EHNAC – Programs (cont)

• Documentation is required in 8 sections. Each section should contain details on what is requested in that section of the Self-Assessment package

• Don’t go overboard in providing detail that may be only remotely informative or related to the topic or specific item within the topic.

• Don’t included other information just to cover all the bases.

EHNAC – MSOAP Overview

• 1: Introduction to Environment

– Covers topics on data center and sites

– Details to include: data center diagrams, data flow diagrams, sites details and how they are connected to data center, also information on each site’s function

EHNAC – MSOAP Overview (cont)

• 2: Qualifying Events

– Covers topics on EHR software

– Details to include: details the EHR software in use, as well as connection to an HIE, IT personnel and their work location.

EHNAC – MSOAP Overview (cont)

• 3: Privacy and Confidentiality

– Details to include: policies regarding privacy, security, handling of PHI, breaches, password management, encryption/decryption, malicious software, software patch management, software auditing, shredding

– Also helpful to include sample upgrade project plans, maintenance plans

EHNAC – MSOAP Overview (cont)

• 4: Technical Performance

– Details to include: proof of Helpdesk software in use, also policies on service levels, problem escalation, system availability, redundancy, helpdesk availability, downtime procedures and user contact methods, system monitoring methods, backups, system expansion policies, proof of backup/restore testing, prevention of PHI breach, data loss, firewalls, connectivity, VPN, bandwidth details, risk assessments, intrusion prevention and monitoring

EHNAC – MSOAP Overview (cont)

• 5: Business Practices

– Covers topics on organization’s interaction with other businesses and employees

– Details to include: trading partner agreements, proof of service level attainment, performance improvement details, employee handbook, mission statement and related documentation, participation agreements, disclosure statements, list of organization’s services

EHNAC – MSOAP Overview (cont)

• 6: Resources

– Covers topics on hardware, software, and personnel resources

– Details to include: hardware and software inventory, site details, SLAs, data storage reports, summary of key personnel with brief bios, employee training and continuing education, hiring process, security systems, data center alarms and monitoring systems, fire extinguishers, cleanliness of data center

EHNAC – MSOAP Overview (cont)

• 7: Security

– Details to include: compliance with fed/state security rules, PHI risk assessment, policies for security enforcement, auditing of access, reporting security issues, access requests, withdrawal of access, security awareness training, passwords, responding to emergencies, disaster recovery plans and periodic testing, data cleansing, breach prevention/notification, emergency access, session termination, confidentiality.

EHNAC – MSOAP Overview (cont)

• 8: Operations

– Details to include: adoption plan for new providers and practices in the organization, plans for maximizing EHR functionality, hardware assessments, helpdesk policies and availability to users, details on how users/practices can customize systems, training documentation, workflow review methods, training of users on regulations/incentive programs/HIPAA compliance, annual provider satisfaction survey

EHNAC – MSOAP Overview (cont)

Q&A

jeff.pruitt@quirkhealthcare.com