How to Leverage HIPAA for Meaningful UseThe overlap between HIPAA and Meaningful Use requirements

copy 2015 SecurityMetrics

How to Leverage HIPAA for Meaningful Use | 2

Share this ebook

About this ebookWho should read this ebookbull OfficerspractitionersandmanagersinchargeofHIPAAcomplianceanddatasecurityinsmallmediumandlargecoveredentities

bull AnyoneinvolvedinMeaningfulUseIncentiveProgramattestation

What does this ebook includebull AbriefoverviewofHIPAAandMeaningful

Use bull OverlapofMeaningfulUseandHIPAArequirements

bull InstructionsonhowtoaccomplishdatasecurityrequirementsforHIPAAandMeaningful Use

Who is SecurityMetricsSecurityMetrics has helped over one million organizations comply with HIPAA PCI DSS and other mandates Our solutions com-bine innovative technology that stream-lines validation with the personal support you need to fully understand compliance requirements You focus on the business stuffmdashwersquove got compliance covered

Learn more about us atwwwsecuritymetricscomhipaa

How to Leverage HIPAA for Meaningful Use | 2

Share this ebook

About this ebookWho should read this ebookbull OfficerspractitionersandmanagersinchargeofHIPAAcomplianceanddatasecurityinsmallmediumandlargecoveredentities

bull AnyoneinvolvedinMeaningfulUseIncentiveProgramattestation

What does this ebook includebull AbriefoverviewofHIPAAandMeaningful

Use bull OverlapofMeaningfulUseandHIPAArequirements

bull InstructionsonhowtoaccomplishdatasecurityrequirementsforHIPAAandMeaningful Use

Who is SecurityMetricsSecurityMetrics has helped over one million organizations comply with HIPAA PCI DSS and other mandates Our solutions com-bine innovative technology that stream-lines validation with the personal support you need to fully understand compliance requirements You focus on the business stuffmdashwersquove got compliance covered

Learn more about us atwwwsecuritymetricscomhipaa

How to Leverage HIPAA for Meaningful Use | 3

Share this ebook

IntroductionNomatterthesizeofyourhealthcareorganizationyou have many requirements mandates lawspoliciesetctocomplywithandworryaboutThisisallontopofprovidinghealthcareservices topatientsthereasonyougotintohealthcareinthefirstplaceAsmostofyouknowcoveredentitiesthat handle protected health information (PHI)arerequiredtocomplywiththeHealthInsurancePortabilityandAccountabilityAct(HIPAA)Manyhealthcareprofessionalslikeyouandtheentitiesyou work for also participate in Medicare andMedicaid EHR Incentive Programs BothHIPAAand Meaningful Usersquos complex and time con-suming requirements fall under lsquotheother stuffrsquoonyourtodolist

How this ebook helpsThis ebook covers the overlap between HIPAAand Meaningful Use including two importantsecurity protocols to help protect patient dataThegoalofthisebookistohelpyousavetimemoney andother resourcesby leveraging yourHIPAAcompliancerequirements forMeaningfulUseattestation

How to Leverage HIPAA for Meaningful Use | 4

Share this ebook

What is Meaningful UseThe Centers for Medicare and Medicaid Ser-vices (CMS) created incentive programs com-monly knownasMeaningfulUse toencouragepracticesandhospitalstohandlealltheirrecordselectronically

Eligibleprofessionals(EP)eligiblehospitals(EH)andcriticalaccesshospitals(CAH)canqualifyforMeaningfulUseprogramsYouareonlyallowedtoparticipateinoneincentiveprogramsoifyouqualifyforboththeMedicareandMedicaidEHRIncentiveProgramsyoumustchoosewhichpro-gramtoparticipatein

MeaningfulUseprogramsaredividedintothreestages Each new stage increases requirementsand measures to further practice and hospital

implementationof theirCertifiedEHR Technol-ogy (CEHRT) The CEHRT is the actual systemusedtoelectronicallyhandlePHI

Meaningful Use Basics

Meaningful UseAlphabet SoupCMS = Centers for Medicare and Medicaid Services

EHR = Electronic Health Records

CEHRT = Certified EHR Technology

CQMs = Clinical Quality Measures

EP = Eligible Professional

EH = Eligible Hospitals

CAH = Critical Access Hospitals

NQS Domains = National Quality Strategy Domains

How to Leverage HIPAA for Meaningful Use | 5

Share this ebook

Incentive AmountsThe incentive payments are what makes goingthroughthepainofCEHRTimplementationandMeaningful Use attestation worth it We donrsquotliketocallthesekickbacksbutthatrsquoskindofwhatthey are Essentially the government gives youmoneytobecomeCEHRTusersandMeaningfulUseparticipantsMaximumpayoutforEPsintheMedicareIncentiveProgramifyoustartedin2011is$43720Seetables1and2formoredetailedinformation

IncentivepaymentsforEHsandCAHsaremorecomplicatedthanforEPsMedicareandMedicaidpaymentshaveamaximumpayoutof$6370400forEHsandCAHsSeeEHR Incentive Program for Medicare Hospitals Calculating Payments and Medicaid Hospital Incentive Payments Calculations for a detailed breakdown of theformulas

Medicaid PaymentsYear1 $21250Year2-6 $8500

Maxpayout $63750

Medicare Payments2011 $437202012 $434802013 $382202014 $23520

Basedontheyearyoustartprogram

Payments for Eligible ProfessionalsTable 1

Table 2

HowtoLeverageHIPAAforMeaningfulUse|6

Stages and MeasuresEachattestationstagehasanumberofmeasuresthat EPs EHs and CAHs must complete andattest to each year Thesemeasures arebrokenintothreecategoriescoremeasuresmenumea-sures and clinical qualitymeasures Coremea-sures are all required Healthcare organizationsmust choose a certainnumberofmenuobjec-tives to complete For example in Stage 1 EPsmustmeet5menumeasuresfromatotallistof9

In addition to core andmenumeasures thereare clinical quality measures (CQMs)CQMsaretools thathelpmeasureand track thequalityofhealth care services provided by EPs EHs andCAHsStartingin2014theCQMschosenmustcoveratleast3ofthe6National Quality Strategy (NQS)domainsNQSdomainsrepresenttheDe-partmentofHealthandHumanServicesrsquo (HHS)prioritiesforhealthcarequalityimprovementToreceive an incentive payment providers are re-quiredtosubmitCQMdatafromtheirCEHRT

Measures for EP EH and CAHStage 1 Stage 2 Stage 1 Stage 2

Coremeasures 13 17 12 16

Menu measures 5of9 3of6 5 of 10 3of6

Clinicalqualitymeasures 9of64 9of64 All 15 16of29

Table 3

1st year

Stage of Meaningful Use2011 2012 2013 2014 2015 2016 2017 2018 2019 2020 2021

2011 1 1 1 2 2 3 3 TBD TBD TBD TBD

2012 1 1 2 2 3 3 TBD TBD TBD TBD

2013 1 1 2 2 3 3 TBD TBD TBD

2014 1 1 2 2 3 3 TBD TBD

2015 1 1 2 2 3 3 TBD

2016 1 1 2 2 3 3

2017 1 1 2 2 3

Which stage are you inSee which stage you are in based on your program participation start year

HowtoLeverageHIPAAforMeaningfulUse|7

Share this ebook

Data Security MeasuresStage 1 Data Security MeasureWithin themeasures thatorganizationsmustat-testtothereareafewmeasuresthatspecificallycover data security Because we are discussinghowMeaningfulUserelatestoHIPAAspecifical-lytheSecurityRuleitrsquosimportantyouunderstandthesemeasures

OntheMeaningfulUseworksheetsitlistsanob-jective foreachmeasureThedata security coreobjective (measure 13 for EPs and12 for EHs and CAHs) is ldquoprotectelectronichealth informa-tion createdormaintainedby the certifiedEHRtechnologythroughtheimplementationofappro-priatetechnicalcapabilitiesrdquoThemeasureforthisobjectiveisldquoconductorreviewasecurityriskanal-ysis in accordance with the requirements under45CFR(codeof federal regulations)164308(a)(1)andimplementsecurityupdatesasnecessary

andcorrectidentifiedsecuritydeficienciesaspartofitsriskmanagementprocessrdquoTheCFRrequire-mentreferencedinthemeasureistheHIPAAriskanalysisrequirementBasedonhowtheseMean-ingfulUsemeasuresarewrittenyoucanseethatMeaningfulUseandHIPAAarerelatedWersquolldis-cusshowtheyarerelatedinmoredetailinothersections

Stage 2 Data Security MeasureInStage2 thedatasecurityobjective isessen-tially the same as Stage 1 (measure 9 for EPs and7 for EHs and CAHs)butthemeasuresareexpandedNotonlyareEPsEHsandCAHsre-quiredtoconductorreviewasecurityriskanal-ysis they are to ldquoimplement security updatesasnecessaryandcorrect identifiedsecurityde-ficienciesaspartof theproviderrsquos riskmanage-mentprocessrdquoInHIPAAthisiscommonlyknownasariskmanagementplanWersquolldiscusstherisk

How to Leverage HIPAA for Meaningful Use | 8

managementplanmoreintheHIPAAsectionCMS also added another HIPAA requirementin themeasure forStage2which is ldquoaddressingtheencryptionsecurityofdata stored inCEHRT

in accordance with requirements under 45 CFR164312 (a)(2)(iv) and45CFR164312 (d)(3)rdquoEn-cryption protects sensitive data that is stored ortransmittedtomakeitunreadable

How encryption works1 Data is entered into the

computer2 Before the data is stored

transmitted it is transformed into unreadable code

3 Only with a special key does the data become readable once again

HowtoLeverageHIPAAforMeaningfulUse|9

Share this ebook

Does Meaningful Use Make Sense for YouAlthoughtheideaofanincentiveprogramislikelyappealingsomeprofessionalsarestartingtobailoutOnereasonistherearepenaltiesifEPsEHsandCAHscanrsquotmeetthemeasuresandCQMsThepenaltiesforMeaningfulUsereallyboildownto reducedMedicare orMedicaidpayments ofanywherebetween1-5Alotofthesmallerphy-sicianswetalk tobillaround$100000ayear toMedicaidandMedicareIftheylose1ofthosepayments thatrsquos$1000peryear If they loseupto5thatrsquos$5000peryearDoesitmakesenseforthemtospendthemoneyandtimeittakestocompletethoseMeaningfulUseattestations

This isabigquestionforsomeprovidersespe-ciallysmalleronesIncentive program participa-tion decreased 17 in 2011Participantsdecid-ed itwasnrsquotworth theeffort so theybailedoutin2012WerecommendyoutakealookatyourMedicaidandMedicarepaymentsanddowhatmakessenseforyourpractice

HowtoLeverageHIPAAforMeaningfulUse|9

Share this ebook

Does Meaningful Use Make Sense for YouAlthoughtheideaofanincentiveprogramislikelyappealingsomeprofessionalsarestartingtobailoutOnereasonistherearepenaltiesifEPsEHsandCAHscanrsquotmeetthemeasuresandCQMsThepenaltiesforMeaningfulUsereallyboildownto reducedMedicare orMedicaidpayments ofanywherebetween1-5Alotofthesmallerphy-sicianswetalk tobillaround$100000ayear toMedicaidandMedicareIftheylose1ofthosepayments thatrsquos$1000peryear If they loseupto5thatrsquos$5000peryearDoesitmakesenseforthemtospendthemoneyandtimeittakestocompletethoseMeaningfulUseattestations

This isabigquestionforsomeprovidersespe-ciallysmalleronesIncentive program participa-tion decreased 17 in 2011Participantsdecid-ed itwasnrsquotworth theeffort so theybailedoutin2012WerecommendyoutakealookatyourMedicaidandMedicarepaymentsanddowhatmakessenseforyourpractice

How to Leverage HIPAA for Meaningful Use | 10

Share this ebook

HIPAA ComponentsMostpeopleinthehealthcareindustryarefamiliarwith thepurposeofHIPAA compliancebut noteveryone realizes theHIPAA standard is actuallyacombinationofthreeseparaterulesthePrivacyRuleSecurityRuleandBreachNotificationRule

Privacy RuleThe Privacy Rule addresses appropriate PHI useand disclosure practices by healthcare organiza-tions and designates the right for individuals tounderstandandcontrolhowtheirmedicaldataisused

Security RuleThe Security Rule sets standards for protectingPHIthatisstoredortransmittedinelectronicformTheSecurityRule isdesigned tobeflexibleandscalabletoaccommodatehealthcareprovidersofallsizesandtechnologysophistication

Breach Notification RuleThe Breach Notification Rule details the actionsthatmusttakeplaceandthepartiesthatmustbenotifiedintheeventofaPHIbreach

HIPAA Basics

How to Leverage HIPAA for Meaningful Use | 11

HIPAA Surveyby NueMD

In October 2014 NueMD conducted a sur-vey of more than 1100 healthcare profes-sionals to gauge their knowledge of HIPAA and preparedness for an audit The results showed that only 35 said their business had conducted a mandatory HIPAA risk analysis

HIPAA Risk AnalysisTheriskanalysis is thekeystoneofSecurityRulecompliance and data security efforts The pur-poseoftheriskanalysisistohelpcoveredentitiesidentify and document potential security risksEvery security effort yourorganizationneeds tomakewillbedeterminedbyyourriskanalysissoitrsquoscritical toconductacompleteandthoroughanalysis

HIPAA Risk Management PlanTheriskmanagementplanistheendresultofarisk analysis Your riskmanagementplan shouldincludealltherisksfoundduringyourriskanalysisandhowyouwillevaluateprioritizeand imple-mentsecuritycontrolstoremediatetheserisks

How to Leverage HIPAA for Meaningful Use | 12

Share this ebook

Two Birds With One StoneWillyourMeaningfulUseattestationcount100forHIPAA complianceNoWillHIPAA compli-ancecount100forMeaningfulUseattestationNoThereisnocompleteoverlapbetweenMean-ingfulUseandHIPAA

Howeverthereisenoughoverlaptomakeasig-nificantimpactAriskanalysisisonemainrequire-ment that applies to bothMeaningfulUse andHIPAA

Common Risk Analysis Questions Both HIPAA andMeaningful Use require a riskanalysis All stages of Meaningful Use includesomeelementofariskanalysisanddatasecurity

WillyourMeaningfulUseriskanalysiscoveryourHIPAAriskanalysisUnfortunately toooftentheanswer is no Entities get hung up on thinkingthatMeaningfulUseisfocusedjustontheCEH-RTWillyourHIPAAriskanalysiscoveryourMean-ingfulUseriskanalysisNormallyyesaslongasyoursquovedoneacompleteand thoroughanalysisTheHIPAAriskanalysisencompassestheCEHRTaswellasallPHIincludingpaperrecordsemailscalendars other systems etc Because the riskanalysis includes the CEHRT it also counts forMeaningfulUsemeasures

Meaningful Use and HIPAA Overlap

How to Leverage HIPAA for Meaningful Use | 13

Share this ebook

Elements of a Risk AnalysisLetrsquosmakesureweareonthesamepagewhenwetalkaboutariskanalysisAriskanalysisfindssecurityissuesinyourPHIenvironmentthroughtheanalysisof3componentsvulnerabilitiesthreatsandrisks

Avulnerability isaflaworweaknessinasystemprocedure implementation or security controlthat could result in a security breach Vulnera-bilities canbe either technical or non-technicalTechnical vulnerabilities can be holes flaws orweaknesses in IT systemsNon-technical vulner-abilitiescanbeineffectiveornon-existentproce-durespoliciesstandardsandguidelines

Athreatissomeforceorpersonthatmightinten-tionallyorunintentionallytriggeraspecificvulner-abilityOftentimesthreatsarethoughtofintermsof computer systems and attackers exploiting

thosesystemsButyoualsoneedtobeawareofthreatswithinyourowninternalsystemsTechni-cally yourstaff isa threatAworkforcemembercould unintentionally or intentionally do some-thingtotriggeroneofyourvulnerabilities

Risk Analysis Deep Dive

Vulnerability = a flaw or weakness in a system procedure or security control that could result in a security breach

Threat = some force or person that might intentionally or unintentionally trigger a specific vulnerability

How to Leverage HIPAA for Meaningful Use | 14

Share this ebook

Riskisthelikelihoodthatoneofthesethreatsacci-dentallyorintentionallytriggersthevulnerabilityRisksarereallywhatauditorslookatduringHIPAAaudits

Ariskanalysisidentifiesvulnerabilitiesthatexposeyourorganization topotential risk Thiswill helpyoudetermineandprioritize themost threaten-ingriskstotakecareoffirstandwhichrisksmaynotevenbeworthaddressing inyour riskman-agementplan

TheHHShasnrsquotgivenaspecificriskanalysispro-cesstousebutdidsuggestusingtheNIST 800-30 guide

Risk Analysis Process

Identify the scope of the analysis

Gather data

Identify and document potential vulnerabilities and threats

Assess current security objectives

Determine the likelihood of threat occurrence

Determine the potential impact of threat occurrence

Determine the level of risk

Identify security objectives and finalize documentation

How to Leverage HIPAA for Meaningful Use | 15

Share this ebook

Risk Management PlanBothMeaningfulUseandHIPAArequireyoutocorrectyoursecurityproblemsTheHHSrecog-nizesthatmanyorganizationsarenotcomplete-lysecureTheyunderstandmostofushaveriskswehavenrsquotfullyremediatedTheyjustwanttoseeforwardmovementwithHIPAAandpatientdatasecurity

Encrypt Encrypt EncryptMeaningfulUseStage2expandedpatientdatasecurity requirementseven furtherNotonlydoyouneedtoremediaterisksfoundduringtheriskanalysisbutyoualsoneedtoincludeencryptionandsecurityofdatastoredintheCEHRTWhilespeaking at the HIMSS Privacy and Security

Forum Linda Sanches from HHS spoke aboutencryptionashermostimportantadvicetoavoidabreach

EncryptionneedstogobeyondtheCEHRTandisrequiredforallstoreddataunderHIPAABasedontheHHSWallofShamedataasof2014near-ly55ofbreacheswerecausedbylossortheftNotallofthesebreachescouldhavebeenavoid-edbyenablingencryptionbutmanycouldhave

Remediating Risks Deep Dive

HowtoLeverageHIPAAforMeaningfulUse|16

Share this ebook

Wersquove learned that your HIPAA risk analysis willcover yourMeaningfulUse risk analysis require-mentWersquove also learned thatbothHIPAAandMeaningfulUse require you to secure your pa-tientdata

WearenotsurewhattheMeaningfulUseStage3coremeasureswillbebutitissafetosaytherewillbearequirementbasedonprotectingpatientdatathatwilloverlapwithHIPAAAlthoughMean-ingfulUseattestationcomesdowntocheckingayesornoboxthereisalotthatgoesintothatonecheckboxIt isimportanttogothroughacom-pleteandthoroughriskanalysisremediaterisksand implementencryption soyoucan truly sayyoursquoreprotectingpatientdata

Conclusion

HIPAA compliance can be a complicated and time-consuming project SecurityMetrics HIPAA services help you tackle compliance with simple steps at your own pace

Contact us for a free HIPAA compliance consultation

8019956550 I hipaasecuritymetricscom

SecurityMetrics gave me the support and

help to quickly review my HIPAA compliance

A great and easy experiencerdquo

ndash David HuntElevate Fitness and Rehab