MU Security Objectives

Direct Messaging

Questions

Meaningful Use Webcast

October 3, 2013

MU Security Objective

Security’s Importance to Meaningful Use

The Security Objective

Satisfying the Objective

Security Mechanisms in the EHR Software

How Important is Security?

• Patient’s Privacy

• Trustworthiness

• Interoperability Goals

Core Objective

• EH / CAH -> 42 CFR §495.6(l)(15)

• EP -> 42 CFR §495.6(j)(16)

The Objective

• Protect electronic health information created or maintained by the CEHRT through implementation of appropriate technical capabilities.

Items to Note

• Not Percentage-based

• Satisfied through attestation

The Measure

• Conduct or review a security Risk Analysis in accordance with the requirements under 45 CFR 164.308(a)(1), including addressing the encryption / security of data stored in the Certified EHR Technology in accordance with requirements under 45 CFR 164.132(a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct any identified security deficiencies as part of the EH’s, CAH’s or EP’s Risk Management process.

What is being asked by CMS?

• All EHs, EPs, and CAHs must conduct an SRA (or review a previous SRA) per the HIPAA Security Administrative standard during the attestation period.

• Address the Security / Encryption of Data stored and in use in accordance with HIPAA Technical Standards.

• Implement security updates as necessary.

• Correct any identified security deficiencies as a part of the risk management process.

Questions Frequently Asked of CPSI

• When should the SRA be conducted?

• We already perform one yearly as a part of our hospital policy. Do we have to do another, or does that one count?

• Do all findings need to be mitigated by the end of the attestation period?

• How do you conduct a security risk analysis?

How to conduct a Security Risk Analysis

• National Institute of Standards and Technology (NIST)

• Assessing Risk – A Path to Action: www.trubridge.net/webinars

The Assessment Process

[Diagram labels: Risk Management; Risk Analysis; Data Gathering; Risk Identification; Control Assessment; Planning; Implementation; Monitoring]

Source: Assessing Risk: A Path to Action

Implementation Monitoring

System Screen

Rule Based Security

Data Encryption

Employee Log

Patient Log

Where can I find out more?

• CPSI Meaningful Use Security Roadmap

• http://www.healthit.gov/providers-professionals/ehr-privacy-security

• ONC’s Guide to Privacy and Security of Health Information

• Chapter 2 specifically addresses MU

Direct Messaging

What is Direct Messaging

Objectives that Incorporate the use of Direct Messaging

Direct Messaging

• Requires a HISP (Health Information Service Provider).

• Allows sharing of information in a secure way.

Direct Messaging

• Simple

• Secure

• Scalable

• Standards-Based

What is a HISP?

[Diagram of HISP (Health Information Service Provider). Message path: Sender to Sender’s HISP; Sender’s HISP to Receiver’s HISP; Receiver’s HISP to Receiver. Other labels: Push the Message; Locate the Servers; Routing Information; Directory; Get the Message]

Objectives Using Direct Messaging

• Transition/Summary of Care

• View Download Transmit

Transfer/Summary of Care

• Measure A: The eligible hospital that transitions or refers their patient to another setting of care or referral provides a summary of care record for more than 50% of transitions/referrals.

Transfer/Summary of Care

• Measure B: The eligible hospital that transitions or refers their patient to another setting of care or referral provides a summary of care record for more than 10% of such transitions and referrals electronically (via Direct).

Transfer/Summary of Care

• Measure C: The eligible hospital must satisfy one of the following criteria:

• Conducts a successful electronic exchange of measure B with a recipient who has EHR technology designed by a different vendor than the sender's, OR

• Conducts a successful electronic exchange of measure B with the CMS designated test EHR during the reporting period (EHR-Randomizer).

How can I Prepare?

• Contact facilities to obtain Direct Addresses.

• Determine how your facility will exchange information for Measure C:

• Exchange with a facility whose EHR was designed by a different EHR vendor.

• Exchange with the CMS designated EHR-Randomizer.

View, Download, Transmit

• Measure A: More than 50% of all unique patients discharged during the reporting period have their information available online within 36 hours of discharge.

View, Download, Transmit

• Measure B (Stage 2 Only): More than 5% of all patients (or authorized representatives) who are discharged view, download or transmit to a 3rd party their information during the reporting period.

Future Webcast

• Set-Up and Registration of Direct Messaging

• Onboarding and Onboarding Process for an organization.

• Use of Direct Messaging with Non-Certified EHRs
