florida’s medicaid ehr incentive program · addressing the security (to include encryption) of...
TRANSCRIPT
Fall 2017
Kim Davis-Allen Outreach [email protected]
Pamela KingHIE Outreach [email protected]
Florida’s Medicaid EHR Incentive Program
1
Fall 2017 Provider Workshops
Fall 2017
Today’s Agenda• The Importance of Health IT
• Florida’s Health IT Initiatives
• EHR Incentive Program– Highlights– Program Changes– Modified Stage 2 Meaningful Use– Stage 3 Meaningful Use– Security and Privacy Issues– MAPIR Changes
• Quality Payment Program
• Question and Answers
2
What is Health IT?Connecting people, data and diverse systems . . .
Interlinking a system, information or workflow
Capability of two or more networks, systems, devices, applications or components
Externally exchange and readily use information securely and effectively
Health IT is Interoperability
Who is Involved?• Patients
• Health Care Providers
• Caregivers
• Insurance Companies
• Health Technology Vendors• EHR Systems
• Telehealth
• HIEs
Why Interoperability?• Informed Decision Making
• Customer Expectations• Patient Portals• Information following the patient – not the patient
following the information
• Quality Payment Programs• PCMH• MACRA• ACOs• Meaningful Use• Value Based Care
And for Florida . . .
TelehealthHB 7087 (2016) / 2016-240 L.O.F.
1. Telehealth Advisory Council: 15 members including the Secretary of AHCA (Chair) and the Surgeon General (member)
2. Survey for current capabilities, utilization and coverage levels:• AHCA to survey licensed health care facilities• DOH to survey licensed health care practitioners• OIR to survey health plans and HMOs
3. AHCA to submit a report of survey findings to the Governor, Senate President, and Speaker of the House by 12/31/2016
4. Final Advisory Council report of recommendations to increase the use and accessibility of telehealth services by 10/31/2017
31%
60%
60%54%
37%
20%22%
8% 7%Broader access to specialists
Better care coordination
Patient convenience
Better patient outcomes
Reduced hospitalreadmissionsWider population access
“What benefits has your facility attained as a result of implementing telehealth services? (Select all that apply)”
Benefits Reported by Facilities
Barriers to ImplementingComparison of Current and Former
0% 10% 20% 30% 40% 50% 60%
Lack of health insurance…
Inability to electronically exchange…
Unable to determine return on…
Inability to secure support from…
Lack of funding
Inability to develop partnerships with…
Inability to develop partnerships with…
Inability to get Medical Malpractice…
Lack of community/patient…
Restrictions related to health…
Inability to obtain practitioner…
Limitation related to on-line prescribing
Concerns related to privacy and security
Lack of facility executive support
Inability to connect at needed internet…
Formerly UsedTelehealth
12
Barriers for Practitioners
13
Barriers for Health Insurers
14
Example Telehealth Programs
• Florida Adventist partners with Advanced ICU Care, a provider of Tele-ICU services, to provide 24/7 care
• Two-way video access in each patient’s room enables face to face consultations between the bedside and practitioners for evaluations or when called on by a caregiver
Example Telehealth Programs
16
• A Mayo Clinic medical specialist located at a distance from the patient connects via technology with local care teams to assess, diagnose and treat patients
• Enhancing the telemedicine services it offers to the more than 45 hospitals across nine states served by Mayo Clinic’s emergency telemedicine services
Example Telehealth Programs
• Memorial Healthcare System unveiled a direct-to-consumer tool in 9/2016
• Provides consumers the ability to connect 24/7 with a Memorial doctor and get diagnosed online for non-emergency cases quicker than if the patient was sitting in the emergency room seeking that same level of care
• In some cases, the $49 fee to connect with MemorialDocNow may be even more affordable than a co-pay for ER or Urgent Care visits
17
Example Telehealth Programs
18
• The University of Miami Pediatric Mobile Clinic provides medical care to uninsured children in need - was awarded a $105,000 grant from the Florida Association of Free and Charitable Clinics (FAFCC) via the Florida Department of Health in 2015
• The Pediatric Mobile Clinic offers well visits, sports physicals, immunizations, management of chronic conditions, urgent care, mental health and social work
• Services were expanded to include store and forward consults - allowing onsite physicians to upload patient information, including images, documents and videos, to a secure web portal where an offsite specialist can later download the information and make diagnoses or treatment recommendations
Telehealth Advisory Council Recommendations
• Definition• Health Insurance
• Coverage• Reimbursement
• Licensure• Interstate Licensure• Standards of Care
• Patient Safety• Patient-Practitioner
Relationship• Consent• Prescribing
• Technology
19
• Legislation• Senate Bill 280
• Policy Changes• Medicaid Fee for Service Rules• Network Adequacy• Regulatory Board Rules
• Education• Medical & Allied Health
Schools• Health Care Practitioners• Health Care Facilities
20
Telehealth Resources
Current and pending laws, Federal and all states
Regional telehealth education and technical assistance services
21
Patient Look-Up (PLUS)Powered by
• Built on the nationwide eHealth Exchange platform• Allows providers to query for patient clinical records• Federated network with no centralized data repository• Common data standards, legal agreement, and governance• Covers 100M patients nationwide
• Assists in meeting the health information exchange requirements of Meaningful Use, which includes• Electronically exchanging summary of care records• Incorporating electronic summary of care records into an EHR• Performing clinical reconciliation using received summary of care
records
• For more information, visit• https://www.florida-hie.net/plu/• http://sequoiaproject.org/ehealth-exchange/about/
Direct Messaging Service Powered by
• Affordable, secure, HIPAA-compliant exchange• Push model of exchange• Uses industry-developed Direct standards• Strict identity verification standards for users• Supports transport of documents of any format
• DirectTrust accreditation means that users can exchange with a trusted nationwide network of over 1.3 million users.
• Florida HIE DMS address book includes over 50,000 addresses in Florida, Georgia, and Alabama.
Event Notification Service (ENS)powered by
• Offers timely notice of patient hospital encounters to health care providers and health plans.• Patient-authorized exchange• Improves care coordination and transitions of care• Reduces hospital admissions and readmissions• Supports value-based payment reform models like ACOs
• Participation• 213 hospitals covering over 94% of all acute care hospital beds
in Florida• 8 health plans receiving alerts on over 2.7 million Florida
residents• 24 ACOs receiving alerts on over 300k Florida residents• Over 2.2 million hospital encounter alerts delivered since 2015
Total ENS Alerts Delivered
Fall 2017
EHR Incentive Program
27
Fall 2017
EHR Adoption Stats
According to a 2015 National Electronic Health Records Survey (NEHRS), 87% of physicians reported using an EHR
system and 78% reported using a Certified EHR system.
The states with the highest adoption rates are Wyoming (79%), South Dakota (77%), Utah (75%), Iowa (75%), and North Dakota (74%).
Physician specialties with the highest adoption rates are internal medicine / pediatrics (76%), nephrology (75%), family practice (75%) and urology (74%).
Since 2008, office-based physician adoption of an EHR has nearly
doubled, from 42% to 87%.
Source: https://www.practicefusion.com/blog/ehr-adoption-rates/
33
Fall 2017
National Milestones
• As of August 2017, there have been 533,517 payments
• 202,786 unique EPs paid to date
• Almost $6 billion incentive dollars paid to EPs through Medicaid
EHR Incentive Program
Source: https://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Downloads/August2017_SummaryReport.pdf
28
Fall 2017
Florida Milestones
• Status as of October 27, 2017
• Payment information as of October 20, 2017– Total Eligible Professionals (EP) Paid: 14,959
– Unique Eps Paid: 8,805
*PY = Program Year
Application Status PY16*
Submitted and Pending 735
Incomplete 575
Approved/Paid 1,210
29
Fall 2017
Applications by Program Year
0
500
1000
1500
2000
2500
3000
3500
4000
4500
2011 2012 2013 2014 2015 2016
Program Year
Yr 6
Yr 5
Yr 4
Yr 3
Yr 2
Yr 1
30
Fall 2017
Program Changes – Effective 10/1/2017
Program Year 2017
• Eligible Professionals (EPs) will be allowed to use a 90-day reporting period for Clinical Quality Measures (CQMs), regardless of the submission method.
• EPs will report any 6 CQMs relevant to their scope of practice.
– No longer required to report 9
CQMs across 3 domains.
• Number of available CQMs reduced from 64 to 53.
Program Year 2018
• EPs will be allowed to use a 90-day EHR reporting period.
• EPs have flexibility to use 2014-certified edition or 2015-certified edition or combination of 2014 edition and 2015 edition.
– EPs will have the option to attest
to Modified Stage 2 or 3 objectives
as long as the EHR technology
supports the objectives and
measures to which they attest.
32
Fall 2017
Overview of Modified Stage 2 Requirements
33
A single set of objectives and
measures
Must be using 2014 or 2015
CEHRT technology
Protect Electronic Health
Information
Clinical Decision Support
Computerized Provider Order Entry (CPOE)
E-Prescribing
Health Information
Exchange
Patient Specific Education
Medication Reconciliation
Patient Electronic Access
Secure Electronic Messaging
Public Health Reporting
https://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Downloads/TableofContents_EP_Medicaid_ModifiedStage2.pdf
Fall 2017
Protect Patient Health Information
• Measure: Conduct or review a security risk analysis (SRA) in accordance with the requirements 45 CFR 164.308(a)(1), including addressing the security (to include encryption) of electronic protected health information (ePHI) created or maintained in CEHRT in accordance with requirements under 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the EP’s risk management process
• Exclusion: None
34
Fall 2017
Protect Patient Health Information –Additional Information
• Timing– For PY17, the SRA must occur
within PY17
– Analysis must cover the full EHR reporting period
– An EP cannot use the same SRA for more than one PY
• EPs are now required to upload their SRA or review with their application
– Several audits resulted in a finding because the EP/practice had not completed an SRA or completed an inadequate one
– Acceptance of the uploaded document does not guarantee it will be acceptable in an audit
– Documentation must include an asset inventory and the final report
35
Fall 2017
What is an Asset Inventory?
36
• Any asset that processes, transmits, or stores ePHI should be included in the asset inventory
• This includes computers, servers, routers, iPads, cell phones, possibly faxes and copiers, and any other asset that is used to receive, save, or transmit ePHI
• The purpose of the SRA is to help ensure the safety of ePHI. If you don’t know where it may be located, you may not be able to help ensure it’s safety
Fall 2017
Clinical Decision Support
37
Measure 1
• Implement five clinical decision support interventions related to four or more clinical quality measures at a relevant point in patient care for the entire EHR reporting period. Absent four clinical quality measures related to an EP’s scope of practice or patient population, the clinical decision support interventions must be related to high priority health conditions
• Exclusion: None
Measure 2
• The EP has enabled and implemented the functionality for drug-drug and drug allergy interaction checks for the entire EHR reporting period
• Exclusion: Any EP who writes fewer than 100 medication orders during the EHR reporting period
Fall 2017
Computerized Provider Order Entry (CPOE)
38
Measure 1
Medication Orders
• Measure: More than 60 percent of medication orders created by the EP during the EHR reporting period are recorded using CPOE
• Exclusion: Any EP who writes fewer than 100 medication orders during the EHR reporting period
Measure 2
Laboratory Orders
• Measure: More than 30 percent of laboratory orders created by the EP during the EHR reporting period are recorded using CPOE
• Exclusion: Any EP who writes fewer than 100 laboratory orders during the EHR reporting period
Measure 3
Radiology Orders
• Measure: More than 30 percent of radiology orders created by the EP during the EHR reporting period are recorded using CPOE
• Exclusion: Any EP who writes fewer than 100 radiology orders during the EHR reporting period
Fall 2017
Electronic Prescribing (e-Rx)
• Measure: More than 50 percent of permissible prescriptions written by the EP are queried for a drug formulary and transmitted electronically using CEHRT
• Exclusions: – EP who writes fewer than 100 permissible prescriptions during the EHR
reporting period; or
– EP who does not have a pharmacy within his or her organization and there are no pharmacies that accept electronic prescriptions within 10 miles of the EP's practice location at the start of his or her EHR reporting period
39
Fall 2017
Health Information Exchange (HIE)
• Measure: The EP that transitions or refers their patient to another setting of care or provider of care must (1) use CEHRT to create a summary of care record; and (2) electronically transmit such summary to a receiving provider for more than 10 percent of transitions of care and referrals
• Exclusion: Any EP who transfers a patient to another setting or refers a patient to another provider less than 100 times during the EHR reporting period
40
Fall 2017
HIE – Additional Information
• In cases where providers share access to CEHRT, transition may still count if referring provider creates the summary of care document in CEHRT and sends the summary of care document electronically
• No longer required that the Summary of Care document be transmitted using Direct Protocol
• The exchange must comply with the privacy and security protocols under ePHI under Health Insurance Portability and Accountability Act (HIPAA)
• The referring provider must have reasonable certainty of receipt by the receiving provider to count the action toward the measure
41
Fall 2017
HIE – Additional Information cont.
• The Florida Health Information Exchange’s Direct Messaging Service meets the security requirements
– Providers can use the Florida HIE’s Direct Messaging Service to meet the measure
– From their Direct Messaging Service account, a provider can send the summary of care to any email address
– When the receiving email address is not a Direct email, the message is a secure message with instructions on creating a log in to receive the summary of care document
• The EHR may not calculate the sending of the summary of care into the numerator if it was not sent from the EHR
– EPs will have to provide documentation to support the numerator if different from their EHR report
42
Fall 2017
Health Information Exchange – Resources
• CMS FAQ #12817 – use of a third party
• CMS FAQ #9690 – sharing of CEHRT
• CMS Tip Sheet at https://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Downloads/HIE_FactSheet.pdf
43
Fall 2017
Patient Specific Education
• Measure: Patient specific education resources identified by CEHRT are provided to patients for more than 10 percent of all unique patients with office visits seen by the EP during the EHR reporting period
• Exclusion: Any EP who has no office visits during the EHR reporting period
44
Fall 2017
Medication Reconciliation
• Measure: The EP performs medication reconciliation for more than 50 percent of transitions of care in which the patient is transitioned into the care of the EP
• Exclusion: Any EP who was not the recipient of any transitions of care during the EHR reporting period
45
Fall 2017
Patient Electronic Access
Measure 1
• Measure: More than 50 percent of all unique patients seen by the EP during the EHR reporting period are provided timely access to view online, download, and transmit to a third party their health information subject to the EP's discretion to withhold certain information
• Exclusion: An EP who neither orders nor creates any of the information listed for inclusion as part of the measures except for “Patient Name” and “Provider’s name and office contact information”
Measure 2
• Measure: For an EHR reporting period in 2017, more than 5 percent of unique patients seen by the EP during the EHR reporting period (or patient-authorized representative) views, downloads or transmits to a third party his or her health information during the EHR reporting period
• Exclusion 1: An EP who neither orders nor creates any of the information listed for inclusion as part of the measures except for “Patient Name” and “Provider’s name and office contract information”; or
• Exclusion 2: An EP who conducts 50 percent or more of his or her patient encounters in a county that does not have 50 percent or more of its housing units with 4Mbps broadband availability according to the latest information available from the FCC on the first day of the EHR reporting period
46
Fall 2017
Secure Messaging
• Measure: For an EHR reporting period in 2017, for more than 5% of unique patients seen by the EP during the EHR reporting period, a secure message was sent using the electronic messaging function of CEHRT to the patient (or the patient- authorized representative), or in response to a secure message sent by the patient (or the patient-authorized representative) during the EHR reporting period
• Exclusion: Any EP who has no office visits during the EHR reporting period, or any EP who conducts 50 percent or more of his or her patient encounters in a county that does not have 50 percent or more of its housing units with 4Mbps broadband availability according to the latest information available from the FCC on the first day of the EHR reporting period
47
Fall 2017
Public Health Reporting Measures
• The EP is in active engagement with a public health agency to submit immunization data
Measure Option 1 – Immunization Registry Reporting
• The EP is in active engagement with a public health agency to submit syndromic surveillance data
Measure Option 2 – Syndromic Surveillance Reporting
• The EP is in active engagement to submit data to a specialized registry
Measure Option 3 – Specialized Registry Reporting
48
Fall 2017
Active Engagement
49
Co
mp
lete
d R
egis
trat
ion
to
Su
bm
it D
ata
EP has registered to submit data. Registration was completed within 60 days after the start of the EHR Reporting period and the provider is awaiting an invitation to begin testing and validation.
Test
ing
and
Val
idat
ion
EP is in the process of testing and validation of the electronic submission of data. Providers must to respond to requests from the sponsor of the registry within 30 days; failure to respond twice within an EHR reporting period would result in the EP not meeting the measure.
Pro
du
ctio
n
EP has completed testing and validation of the electronic submission and is electronically submitting production data.
Fall 2017
Public Health Reporting
• In PY17, EPs must attest to at least two measures from the public health reporting measures.
• An exclusion for a measure does not count toward the total of two measures. Instead to meet this objective, an EP would need to meet two of the total number of measures available to them.
• EPs must register within 60 days after the start of their EHR reporting period unless they registered for a previous reporting period.
• Identification
– Determine if the jurisdiction (state, territory, etc.) endorses or sponsors a registry; and
– Determine if a National Specialty Society or other specialty society with which the provider is affiliated endorses or sponsors a registry
– If neither has a registry the provider can report, an exclusion can be claimed
50
Fall 2017
Florida’s Specialized Registries
• The Florida Cancer Registry can accept electronic reporting for providers who diagnose or treat cancer
• Florida’s Prescription Drug Monitoring Program has a specialized registry, E-FORCSE
– Providers who dispense controlled substances to patients ages 16 and older are required to electronically report
– Providers who prescribe controlled substances to patients ages 16 and older can register and search the database prior to prescribing a controlled substance
• CMS has approved the searching for a patient prior to prescribing as meeting the specialized registry measure
51
Fall 2017
Florida Registry Links
Cancer Registry
http://fcds.med.miami.edu/inc/welcome.shtml
E-FORCSE
http://www.floridahealth.gov/statistics-and-data/e-forcse
Florida SHOTS
https://www.flshots.com/
52
Fall 2017
Documentation Requirements
• Evidence of active engagement– Registration
– Testing and validation emails
– Production files
• Florida SHOTS– Receive monthly and yearly documentation
– Register to receive automatic notification
• E-FORCSE– System report demonstrating search history
• Specialized Registry documentation will vary
53
Fall 2017
CMS Centralized Repository
• Centralized source of information for public health, clinical data, or specialized* registry electronic reporting options.
– https://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/CentralizedRepository-.html
• It is not the authoritative source of all reporting options currently available.
• The absence of an entry on the CMS Centralized Repository is not sufficient documentation for claiming an exclusion and does not prevent a provider from attesting to reporting to a registry.
– Providers must still check with jurisdictional public health agencies or specialty societies to which they belong and document that information to satisfy Medicare or Medicaid reporting.
– For more information on steps providers have to take to determine if there is a specialized registry available for them, or if they could instead claim an exclusion, please review FAQ 13657 and FAQ 14117.
*For more information on what can count as a specialized registry, please review FAQ 13653.
54
Fall 2017
Clinical Quality Measures (CQMs)
55
EPs – report 6
No longer required to cross Quality Domains
No threshold that must be met
90 day reporting for PY17
Effective October 1, 2017
Fall 2017
Looking Ahead to Stage 356
Fall 2017
Overview of Stage 3
57
Timing
• Stage 3 is optional for Eligible Professionals (EPs) attesting in Program Year (PY)17.
• If EPs are not ready to attest to Stage 3 in PY18, they may attest to Modified Stage 2 .
• Providers will have a 90 day EHR reporting period for PY 17 and PY 18.
Objectives
• For EPs, there are 8 objectives. All EPs are required to attest to a single set of objectives and measures.
System Requirements
• To meet Stage 3 requirements, all providers must use technology certified to the 2015 edition.
• A provider who has technology certified to a combination of the 2015 edition and 2014 edition may potentially attest to the Stage 3 requirements, if the mix of certified technologies would not prohibit them from meeting the Stage 3 measures.
• However, a provider who has technology certified to the 2014 edition only may not attest to Stage 3.
Fall 2017
Overview of Stage 3 Objectives
58
A single set of objectives and measures
Must be using 2015 CEHRT technology or a combination of 2014 and 2015
Protect Patient Health Information
E-Prescribing
Clinical Decision Support
Computerized Provider Order Entry (CPOE)
Patient Electronic Access
Coordination of Care
Health Information Exchange
Public Health Reporting
https://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Downloads/TableofContents_EP_Medicaid_Stage3.pdf
Fall 2017
Stage 3 Flexibility with Objectives
• Stage 3 includes flexibility within certain objectives to allow providers to choose the measures most relevant to their patient population or practice.
• The Stage 3 objectives with flexible measure options include:– Coordination of Care through Patient Engagement – EPs must attest to all
three measures and must meet the thresholds for at least two measures to meet the objective.
– Health Information Exchange – EPs must attest to all three measures and must meet the thresholds for at least two measures to meet the objective.
– Public Health Reporting – EPs must report on two measures.
59
Fall 2017
Stage 3 - Protect Patient Health Information
• Measure: Conduct or review a security risk analysis (SRA) in accordance with the requirements 45 CFR 164.308(a)(1), including addressing the security (to include encryption) of electronic protected health information (ePHI) created or maintained in CEHRT in accordance with requirements under 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the EP’s risk management process
• Exclusion: None
60
Fall 2017
Stage 3 - Electronic Prescribing (e-Rx)
• Measure: More than 60 percent of permissible prescriptions written by the EP are queried for a drug formulary and transmitted electronically using CEHRT
• Exclusions: – EP who writes fewer than 100 permissible prescriptions during the EHR
reporting period; or
– EP who does not have a pharmacy within his or her organization and there are no pharmacies that accept electronic prescriptions within 10 miles of the EP's practice location at the start of his or her EHR reporting period
61
Fall 2017
Stage 3 - Clinical Decision Support
62
Measure 1
• Implement five clinical decision support interventions related to four or more clinical quality measures at a relevant point in patient care for the entire EHR reporting period. Absent four clinical quality measures related to an EP’s scope of practice or patient population, the clinical decision support interventions must be related to high priority health conditions
• Exclusion: None
Measure 2
• The EP has enabled and implemented the functionality for drug-drug and drug allergy interaction checks for the entire EHR reporting period
• Exclusion: Any EP who writes fewer than 100 medication orders during the EHR reporting period
EPs must satisfy both the following measures in order to meet the objective:
Fall 2017
Stage 3 - Computerized Provider Order Entry (CPOE)
63
Measure 1
Medication Orders
• Measure: More than 60 percent of medication orders created by the EP during the EHR reporting period are recorded using CPOE
• Exclusion: Any EP who writes fewer than 100 medication orders during the EHR reporting period
Measure 2
Laboratory Orders
• Measure: More than 60 percent of laboratory orders created by the EP during the EHR reporting period are recorded using CPOE
• Exclusion: Any EP who writes fewer than 100 laboratory orders during the EHR reporting period
Measure 3
Radiology Orders
• Measure: More than 60 percent of radiology orders created by the EP during the EHR reporting period are recorded using CPOE
• Exclusion: Any EP who writes fewer than 100 radiology orders during the EHR reporting period
An EP, through a combination of meeting the thresholds and exclusions (or both), must satisfy all three measures for this objective.
Fall 2017
Stage 3- Patient Electronic Access
Measure 1
• Measure: More than 80 percent of all unique patients seen by the EP during the EHR reporting period are provided timely access to view online, download, and transmit his or her health information; and the provider ensures the patient’s health information is available for the patient to access using any application of their choice that is configured to meet the technical specifications of the Application Programming Interface (API) in the provider’s CEHRT
• Exclusion 1: An EP may exclude from the measure if they have no office visits during the EHR reporting period; or
• Exclusion 2: Any EP who conducts 50 percent or more of his or her patient encounters in a county that does not have 50 percent or more of its housing units with 4Mbps broadband availability according to the latest information available from the FCC on the first day of the EHR reporting period
Measure 2
• Measure: The EP must use clinically relevant information from CEHRT to identify patient-specific educational resources and provide electronic access to those materials to more than 35 percent of unique patients seen by the EP during the EHR reporting period
• Exclusion 1: An EP may exclude from the measure if they have no office visits during the EHR reporting period; or
• Exclusion 2: Any EP who conducts 50 percent or more of his or her patient encounters in a county that does not have 50 percent or more of its housing units with 4Mbps broadband availability according to the latest information available from the FCC on the first day of the EHR reporting period
64
EPs must satisfy both measures in order to meet this objective:
Fall 2017
Stage 3 - Coordination of Care
65
Measure 1
•Measure: For an EHR reporting period in 2017 and 2018, more than 5 percent of all unique patients (or their authorized representatives) seen by the EP actively engage with the electronic health record made accessible by the provider and either –
•View, download or transmit to a third party their health information; or
•Access their health information through the use of an API that can be used by applications chosen by the patient and configured to the API in the provider’s CEHRT; or
•A combination of (1) and (2)
•Exclusion 1: An EP may exclude from the measure if they have no office visits during the EHR reporting period; or
•Exclusion 2: Any EP that conducts 50 percent of more of its housing units with 4Mbps broadband availability according to the latest information available from the FCC on the first day of the EHR reporting period may exclude the measure.
Measure 2
•Measure: For an EHR reporting period in 2017 and 2018, more than 5 percent of all unique patients seen by the EP during the EHR reporting period, a secure message was sent using the electronic messaging function of CEHRT to the patient (or the patient authorized representative), or in response to a secure message sent by the patient or their authorized representative. In 2018 and subsequent years the resulting percentage must be more than 25 percent in order for an EP to meet this measure.
•Exclusion 1: An EP may exclude from the measure if they have no office visits during the EHR reporting period; or
•Exclusion 2: Any EP that conducts 50 percent of more of its housing units with 4Mbps broadband availability according to the latest information available from the FCC on the first day of the EHR reporting period may exclude the measure.
Measure 3
•Measure: Patient generated health data or data from a nonclinical setting is incorporated into the CEHRT for more than 5 percent of all unique patients seen by the EP during the EHR reporting period.
•Exclusion 1: An EP may exclude from the measure if they have no office visits during the EHR reporting period; or
•Exclusion 2: Any EP that conducts 50 percent of more of its housing units with 4Mbps broadband availability according to the latest information available from the FCC on the first day of the EHR reporting period may exclude the measure.
Providers must attest to all three measures and must meet the thresholds for at least two measures to meet the objective:
Fall 2017
Stage 3 - Health Information Exchange (HIE)EPs must attest to all three measures and must meet the threshold for at least two measures to meet the objective.
• Measure 1: For more than 50 percent of transitions of care and referrals, the EP that transitions or refers their patient to another setting of care or provider of care:
– Creates a summary of care record using CEHRT; and– Electronically exchanges the summary of care record
• Measure 2: For more than 40 percent of transitions or referrals received and patient encounters in which the provider has never before encountered the patient, the EP incorporates into the patient’s EHR an electronic summary of care document
• Exclusion: A provider may exclude from the measure if any of the following apply:
– Any EP who transfers a patient to another setting or refers a patient to another provider less than 100 times during the EHR reporting period is excluded from this measure; or
– Any EP that conducts 50 percent or more of his or her patient encounters in a county that does not have 50 percent or more of its housing units with 4Mbps broadband availability according to the latest information available from the FCC on the first day of the EHR reporting period may exclude the measures.
66
Fall 2017
Stage 3 - HIE – Continued
• Measure 3: For more than 80 percent of transitions or referrals received and patient encounters in which the provider has never before encountered the patient, the EP performs a clinical information reconciliation. The provider must implement clinical information reconciliation for the following three clinical information sets:
– Medication. Review of the patient’s medication, including the name, dosage, frequency, and route of each medication.
– Medication allergy. Review of the patient’s known medication allergies.
– Current problem list. Review of the patient’s current and active diagnoses.
• Exclusion: Any EP for whom the total of transitions or referrals received and patient encounters in which the provider has never before encountered the patient, is fewer than 100 during the EHR reporting period is excluded from this measure.
67
Fall 2017
Stage 3 - Public Health Reporting Measures
Measure Option 1 –Immunization Registry
Reporting
Measure Option 2 –Syndromic Surveillance
Reporting
Measure Option 3 –Specialized Registry
Reporting
Measure Option 4 –Public Health Registry
Reporting
Measure Option 5 –Clinical Data Registry
Reporting
68
• EPs must attest to at least 2 out of the 5 measures.
Fall 2017
Stage 3 - Immunization Registry Reporting• Measure 1: Immunization Registry Reporting: The EP is in active
engagement with a public health agency to submit immunization data and receive immunization forecasts and histories from the public health immunization registry/immunization information system (IIS).
• Exclusions for Measure 1: Any EP meeting one or more of the following criteria may be excluded from the immunization registry reporting measure if the EP:
– Does not administer any immunizations to any of the populations for which data is collected by its jurisdiction's immunization registry or immunization information system during the EHR reporting period;
– Operates in a jurisdiction for which no immunization registry or immunization information system is capable of accepting the specific standards required to meet the CEHRT definition at the start of the EHR reporting period; or
– Operates in a jurisdiction where no immunization registry or immunization information system has declared readiness to receive immunization data from the EP as of 6 months prior to the start of the EHR reporting period.
69
Fall 2017
Stage 3 - Syndromic Surveillance Reporting
• Measure 2 – Syndromic Surveillance Reporting: The EP is in active engagement with a public health agency to submit syndromicsurveillance data from an urgent care setting.
• Exclusions for Measure 2: Any EP meeting one or more of the following criteria may be excluded from the syndromic surveillance reporting measure if the EP:
– Is not in a category of providers from which ambulatory syndromic surveillance data is collected by their jurisdiction's syndromic surveillance system;
– Operates in a jurisdiction for which no public health agency is capable of receiving electronic syndromic surveillance data from EPs in the specific standards required to meet the CEHRT definition at the start of the EHR reporting period; or
– Operates in a jurisdiction where no public health agency has declared readiness to receive syndromic surveillance data from EPs as of 6 months prior to the start of the EHR reporting period.
70
Fall 2017
Stage 3 - Electronic Case Reporting
• Measure 3 – Electronic Case Reporting: The EP is in active engagement with a public health agency to submit case reporting of reportable conditions.
• Exclusions for Measure 3: Any EP meeting at least one of the following criteria may be excluded from the specialized registry reporting measure if the EP:
– Does not diagnose or treat any disease or condition associated with, or collect relevant data that is collected by, a specialized registry in their jurisdiction during the EHR reporting period;
– Operates in a jurisdiction for which no specialized registry is capable of accepting electronic registry transactions in the specific standards required to meet the CEHRT definition at the start of the EHR reporting period; or
– Operates in a jurisdiction where no specialized registry for which the EP is eligible has declared readiness to receive electronic case reporting data as of 6 months prior to the start of the EHR reporting period.
71
Fall 2017
Stage 3 - Public Health Registry Reporting
• Measure 4 – Public Health Registry Reporting: The EP is in active engagement with a public health agency to submit data to public health registries.
• Exclusions for Measure 4: Any EP meeting at least one of the following criteria may be excluded from the specialized registry reporting measure if the EP:
– Does not diagnose or treat any disease or condition associated with a public health registry in their jurisdiction during the EHR reporting period;
– Operates in a jurisdiction for which no public health agency is capable of accepting electronic registry transactions in the specific standards required to meet the CEHRT definition at the start of the EHR reporting period; or
– Operates in a jurisdiction where no public health registry for which the eligible hospital or CAH is eligible has declared readiness to receive electronic registry transactions as of 6 months prior to the start of the EHR reporting period.
72
Fall 2017
Stage 3 - Clinical Data Registry Reporting
• Measure 5 – Clinical Data Registry Reporting: The EP is in active engagement to submit data to a clinical data registry.
• Exclusions for Measure 5: Any EP meeting at least one of the following criteria may be excluded from the specialized registry reporting measure if the EP:
– Does not diagnose or treat any disease or condition associated with a clinical data registry in their jurisdiction during the EHR reporting period;
– Operates in a jurisdiction for which no clinical data registry is capable of accepting electronic registry transactions in the specific standards required to meet the CEHRT definition at the start of the EHR reporting period; or
– Operates in a jurisdiction where no clinical data registry for which the eligible hospital or CAH is eligible has declared readiness to receive electronic registry data as of 6 months prior to the start of the EHR reporting period.
73
Fall 2017 74
Security and Privacy Issues
Fall 2017 75
Security and Privacy Issues
Fall 2017
Five Data Breach Statistics Worth Knowing
1. Since the Target breach, there has been a major data breach discovered almost every month. Those breaches include Michaels Stores, Sally Beauty Supply, Neiman Marcus, AOL, eBay, P.F. Chang’s Chinese Bistro, Yahoo, and Equifax.
2. A recent Ponemon Institute survey estimates 47 percent of all American adults have been affected by data breaches in the last year, with an estimated 432 online accounts being affected.
3. According to a 2017 report from the Ponemon Institute, it costs an average of $380 per record to remediate a health care data breach.
4. The retail industry was the number one target, with nearly 22 percent of network intrusions occurring at retailers, according to the Verizon Data Breach Investigation Report.
5. Cybercrime has cost the global economy $575 billion and the U.S. economy $100 billion annually, making the U.S. the hardest hit of any country, according to a report from Intel Security and the Center for Strategic and International Studies.
76
Six months after the Target data breach, the
statistics are astonishing.
Source: https://www.paymetric.com/uncategorized/5-data-breach-statistics-worth-knowing/
Fall 2017
10 Largest Health Data Breaches - 2016
77
Source: https://www.healthcareinfosecurity.com/analysis-2016-health-data-breaches-whats-ahead-a-9615
Fall 2017
Data Security Incidents and Presumptive Breaches Occur Every Minute
• 90 percent of businesses acknowledge at least 1 data security event in the last year; frequency is greatly understated
• We live in a “Bring Your Own Device” (“BYOD”) world
• 112 smartphones are lost or stolen every minute – that’s 57 million data security incidents per year in the United States
• Add in lost or stolen lap tops, flash drives, etc.
• Add in malicious insiders, criminal and government sponsored hackers (reconnaissance and disruption), and critical infrastructure attacks
• The issue is not if, but when and how often
Source: https://www.slideshare.net/bculver/loving-onedrive-for-business-as-a-productivity-tool
78
Fall 2017
The HIPAA Security Rule The Health Insurance Portability and Accountability Act (HIPAA) Security Rule establishes a national set of minimum security standards for protecting all ePHI that a Covered Entity (CE) and Business Associate (BA) create, receive, maintain, or transmit.
The Security Rule contains the administrative, physical, and technical safeguards that CEs and BAs must put in place to secure ePHI.
79
Source: https://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide-chapter-4.pdf
Fall 2017
HIPAA
• Has “implementing regulations” – 4 Rules:
80
Generally called the “HIPAA Rules”
Source: https://www.healthit.gov/providers-professionals/ehr-privacy-security/resources
Fall 2017
Components of The HIPAA Security Rule Administrative Safeguards
• Security Management Process
• Security Personnel
• Information Access Management
• Workforce Training and Management
• Evaluation
Physical Safeguards
• Facility Access and Control
• Workstation and Device Security
Technical Safeguards
• Access Control
• Audit Controls
• Integrity Controls
• Transmission Security
Organizational Requirements
• Covered Entity Responsibilities
• Business Associate Contracts
Policies and Procedures
• Adopt reasonable and appropriate policies and procedures
• Updates
81
Source: https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html
Fall 2017
The HIPAA Security Rule
82
Administrative Physical Technical
- Identify Individual Responsible for Security
- Risk Analysis- Risk Management- Sanctions Policy- Info. Systems Activity
Review- Workforce Clearance- Security Awareness and
Training- Data Backup Plan- Disaster Recovery Plan- Business Associate Agr.and more… 45 CFR 164.308(a)
- Facility Security Plan- Maintenance Records- Workstation Use- Workstation Security- Device/Media Disposal- Device/Media Reuse- Data Backup & Storageand more… 45 CFR 164.310
- Unique User Identification- Audit Controls- Emergency Access
Procedures- Auto Logoff- Encryption/Decryptionand more… 45 CFR 164.312
Source: https://www.gpo.gov/fdsys/pkg/CFR-2009-title45-vol1/pdf/CFR-2009-title45-vol1-sec164-308.pdfhttps://www.gpo.gov/fdsys/granule/CFR-2011-title45-vol1/CFR-2011-title45-vol1-sec164-310https://www.gpo.gov/fdsys/granule/CFR-2010-title45-vol1/CFR-2010-title45-vol1-sec164-312
Fall 2017
Use of Your Limited Resources
83
Source: Ponemon Institute, 2017 Cost of a
Data Breach Study (US only data)
1. Plan ahead –
pick a team and
develop an
incident response
checklist
2. Encrypt,
encrypt, encrypt
3. Train staff – low
cost option: share
OCR notices with
your team
4. Buy insurance
5. Data loss
prevention – may
have some tools in
existing
environment (e.g.,
Office 365)
Factors that
Increase the
Remediation Cost
Factors that
Decrease the
Remediation Cost
Source: https://public.dhe.ibm.com/common/ssi/ecm/se/en/sel03130wwen/SEL03130WWEN.PDF
Fall 2017
MAPIR Changes
84
Fall 2017
Activity Dashboard
85
Fall 2017
Enter the CEHRT Number
86
This will dictate your reporting options.
Fall 2017
Options Based on CEHRT Number
87
Fall 2017
Verification of CEHRT and Option
88
Fall 2017
Follow the Tabs for Completion
89
Fall 2017
Meaningful Use Attestation
90
Fall 2017
Clinical Quality Measures
91
Fall 2017
General Requirements
92
Fall 2017
Navigation Change
93
Fall 2017
ONC* “Information Blocking” Questions
94
ONC: Office of the National Coordinator
Fall 2017
ONC “Information Blocking” Questions
95
Fall 2017
ONC Information Blocking Questions
96
Fall 2017
The End Game
97
Fall 2017
Stage 3 Example
98
Fall 2017
Stage 3 Example continued
99
Fall 2017
When Submitting Your Application
100
• Remember to upload:– Documentation of 2014 or 2015 CEHRT
– Patient Volume Report
– Encounter Report for EHR Reporting Period
– Meaningful Use Report – including CQMs
– SRA including Asset Inventory and Final Report
– Additional Documentation Form if practicing at multiple locations utilizing different systems
– For Public Health Reporting
• Documentation of active engagement OR
• Documentation supporting exclusions
– Additional Documentation, as applicable:
• Physician Assistant-Led Attestation
• Medical Record for Advanced Registered Nurse Practitioners (if not billing Medicaid directly)
• Clearly Label Uploads
• Maintain Documentation
Fall 2017
Contacts and Resources
www.ahca.myflorida.com/medicaid/ehr
www.Florida-HIE.net
101
http://www.floridahealthfinder.gov/index.html
http://www.ahca.myflorida.com/SCHS/telehealth/