modern healthcare information technology
DESCRIPTION
A Health Care Information Technology overview: talking points on services & solutions around HITECH/EHR, and the risks associated with them.
TRANSCRIPT
Opportunity Knocks: Modern Healthcare Information Technology
Agenda
• HITECH/EHR Overview
• HITECH/EHR Services & Solutions
• Health Information Technology Risks
• ANSI PHI Project
HITECH/EHR Overview
• HIPAA & PHI Data Breaches
• Enforcement Updates
HITECH/EHR Overview
• HC IT Project Drivers: Incentives
ARRA HITECH – "EHR … by 2014"
Nationwide HIT infrastructure
Meaningful Use HIPAA security requirements
Changing EHR MU Stage 2 & 3 requirements
Upcoming ACO requirements
• HC IT Project Drivers: Sanctions
PHI breach notification
HIPAA enforcement
HIPAA and PHI Data Breaches
• Ponemon Institute: Data breaches cost hospitals nearly $6 billion/year [1]
• Medical-related data breaches listed in Privacy Rights Clearinghouse [2]
116 breaches listed in 2007-2008
229 breaches listed in 2009-2010
• 86% of large-hospital employees surveyed believe the number of data breaches discovered will increase under HITECH [3]
• The Department of Justice secured "$2.5 billion in health care fraud recoveries—the largest in history," for the fiscal year ending 9-30-2010 [4]
[1] Source: Benchmark Study on Patient Privacy and Data Security, November 9, 2010, Ponemon Institute LLC.
[2] Source: http://www.privacyrights.org/
[3] Source: 2009 HIMSS Analytics Report: "Taking a Pulse on HITECH, Are Hospitals and Business Associates Ready?" November 17, 2009.
[4] Source: Department of Justice, November 22, 2010, http://www.justice.gov/opa/pr/2010/November/10-civ-1335.html
Enforcement Updates
HIPAA Sanctions
• Periodic HHS CE & BA HIPAA Compliance Audits
• Violations range from $100 to $1.5 million (willful neglect)
• Extends criminal penalties to individual or employee of CE
• State attorneys general can file civil suit on behalf of residents
Enforcement Updates
OCR Commitment to HIPAA Enforcement
Program Increases
• Regional Office Privacy Advisors (+$2.283 million)
• Enforcement of the HIPAA Security Rule (+$1 million)
• Investigation of the HITECH Breach Reports (+$1.335 million)
• Compliance Review Program (+$1 million)
Enforcement Updates
HIPAA Enforcement Activities
• Cignet Health, 2011: $4.3 million – Denying access to medical records & refusing to cooperate with OCR investigation
http://www.hhs.gov/news/press/2011pres/02/20110222a.html
• Massachusetts General Hospital Settles HIPAA Violations, 2011: $1 million – Documents left on subway by employee
http://www.hhs.gov/news/press/2011pres/02/20110224b.html
• Health Net, 2011: $55,000 + mandatory data-security audits for 2 years – Lost portable drive & misrepresentation of risk
http://www.healthdatamanagement.com/news/breach_hipaa_privacy_security_hitech_lawsuit-39645-1.html
• Rite Aid, 2010: $1 Million – Poor disposal practices http://www.hhs.gov/news/press/2010pres/07/20100727a.html
HITECH/EHR Services & Solutions
EHR Related Services BKD Provides
HITECH/EHR Services & Solutions
Outsourced Project Management
• Assist management with development of project plan to manage all phases of EHR implementation project
• Assist management with overseeing project milestones
• Periodic project status & project risk reports
EHR System Selection
• Assist management with identifying & evaluating an EHR-compliant system
• Demonstration scorecards—basis for purchase decisions
• Total cost of ownership—three-year estimates that include software, equipment & implementation fees
EHR Readiness Assessment
• IT & infrastructure inventory
• EHR current capabilities assessment
• IT Governance & process maturity measurements
• Security compliance assessment
HITECH/EHR Services & Solutions
ARRA Reimbursement Analysis
• Develop reimbursement projections
• Develop multi-year cash flow analysis mapping EHR project timeline with federal funding timeline projections
EHR Meaningful Use Attestation Assistance
• Review meaningful use objectives management has decided to report against
• Develop audit procedures to determine if selected objectives are being met
• Provide findings & recommendations based on executed audit procedures
HIPAA Data Security & Privacy Assessment
• Data-flow analysis
• Risk & control identification
• IT Governance & process maturity measurements
• Control design & effectiveness testing
Health Information Technology Risks
• Understanding HIT Data-flow
• Risk Associated with Clinical Systems
• Expanded Audit Procedures
Health Information Technology Risks
• Developing clinical system & sub-system inventory
• Understanding flow of data in a healthcare system
• Identifying risks & controls
Health Information Technology Risks
Expanded HIT Audit Procedures
• Data-flow analysis
• Computer Assisted Audit Techniques (CAAT)
• Evaluating security at clinical system level
• Evaluating intermediary data repositories & job scheduling/data integration systems
ANSI/Shared Assessments PHI Project
Report & tools valuing financial impact of unauthorized disclosure of protected health information (PHI)
ANSI/Shared Assessments PHI Project
http://www.ansi.org/standards_activities/standards_boards_panels/idsp/protected_health_information.aspx
Thank You
Matt Lathrom, CISM, CISA, MCP
Managing Consultant
BKD IT Risk Services
816.221.6300