HHS HITECH Compliance

Overview

Healthcare organizations across the US understand the importance of the Health Insurance Portability and Accountability Act (HIPAA). HIPAA, and related legislation, however, has been a ‘moving target’. HIPAA has had a very positive impact, including prescribing and enforcing the protection and security of patient health records. Despite this, HIPAA has created a ‘mountain of work’ for health care providers to deliver on the requirements and to protect themselves from financial sanctions in the event of an ePHI breach.


HIPAA wasn’t always a complex piece of legislation. When introduced and signed by President Clinton in 1996, it was only 337 words. By 2002, however, HIPAA legislation had grown to over 100,000 words and 500 pages, and healthcare providers were buried. Many healthcare organizations needed to employ multiple individuals, at each site, just to keep track of new and changing requirements.

Before we move to a discussion of HITECH, which is the technology-related legislation serving as an addendum to HIPAA, let’s review HIPAA Title II.

HIPAA and Information Technology/Cloud

Not surprisingly, a HIPAA compliant IT service provider will be most concerned with HIPAA Title II. Title II establishes and describes these five elements:

  • National Provider Identifier Standard – 10-digit NPI (national provider identifier) numbers must be assigned to all healthcare entities.
  • Transactions and Code Set Privacy Standard – this objectively approved protocol must be used in electronic data interchange (EDI).
  • HIPAA Privacy Rule – ensures that Patient Health Information (PHI) is protected. The Privacy Rule is actually short-hand for the “Standards for Privacy of Individually Identifiable Health Information.”
  • HIPAA Security Rule – this rule delineates expectations for the safeguarding of patient data. The Security Rule is short-hand for the “Security Standards for the Protection of Electronic Protected Health Information.”
  • HIPAA Enforcement Rule – this subsection of the law provides the parameters under which companies should be investigated for potential or alleged violations.

The HIPAA Security Rule will be reviewed below. (For a review of the Privacy Rule and the Enforcement Rule, and the penalties for violating HIPAA, see HHS HIPAA Compliance.)

The Security Rule includes three safeguard components:

  • Technical safeguards
  • Physical safeguards
  • Administrative safeguards


HIPAA Security Rule

The HIPAA Security Rule defines the requirements for the protection of electronic patient health information. The Security Rule refers to the “Security Standards for the Protection of Electronic Protected Health Information.” These are ‘safeguards’, and there are three of them:

  • Technical
  • Physical
  • Administrative


Technical safeguards:

  • Network encryption – All ePHI must be encrypted so as to meet NIST cryptographic standards any time it is transmitted over an external network. (Required)
  • Control access – Each user is assigned a centrally-controlled unique username and PIN code/password to access the systems. Procedures must also be in place to govern when to release or disclose ePHI during an emergency. (Required)
  • Authenticate ePHI – You must identify and authenticate ePHI and protect it from corruption, unauthorized changes, and accidental destruction. (Recommended)
  • Encrypt devices – All end-point devices that access the system should be able to encrypt and decrypt data. This is critical for mobile and laptop devices. (Recommended)
  • Control activity audits – Detailed logging is needed to track all ePHI access attempts and to monitor how ePHI data is manipulated. (Recommended)
  • Enable automatic logoff – Users must be automatically logged out after a set time-frame, usually between 30 seconds and 3 minutes, based on the application or system. (Recommended)
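As an added illustration that is not part of the original page, the Python sketch below shows how three of the technical safeguards listed above (a unique user identity per session, automatic logoff after an idle period, and a tamper-evident audit trail that records routine and emergency ePHI access) can be implemented together. The class names, the 180-second timeout, the patient identifiers and the audit key are constructed for the example.

```python
import hashlib
import hmac
import json
# Constructed values for this example; a real deployment keeps the key in a secret store.
AUDIT_KEY = b"example-audit-key-not-for-production"
AUTO_LOGOFF_SECONDS = 180   # inside the 30 s to 3 min range the safeguards cite
GENESIS = "0" * 64          # chain anchor for the first audit entry


def _mac(body):
    """Keyed hash over a canonical JSON form of an entry (everything but its own mac)."""
    return hmac.new(AUDIT_KEY, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()


class EphiAuditLog:
    """Append-only ePHI access trail; each entry is HMAC-chained to the previous one."""
    def __init__(self):
        self.entries, self._prev = [], GENESIS

    def record(self, ts, user_id, patient_id, action, emergency=False):
        entry = {"ts": ts, "user": user_id, "patient": patient_id,
                 "action": action, "emergency": emergency, "prev": self._prev}
        entry["mac"] = _mac(entry)          # computed before "mac" is added to the dict
        self._prev = entry["mac"]
        self.entries.append(entry)
        return entry

    def verify(self):
        """True only if no entry was altered, removed or reordered since it was written."""
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "mac"}
            if body["prev"] != prev or not hmac.compare_digest(_mac(body), e["mac"]):
                return False
            prev = e["mac"]
        return True


class EphiSession:
    """Per-user session: unique user id, idle auto-logoff, every read (incl. emergency) audited."""
    def __init__(self, user_id, log, now):
        self.user_id, self.log, self.last_activity, self.active = user_id, log, now, True

    def read_record(self, patient_id, now, emergency=False):
        """Return True if the read is allowed and logged; False (also logged) if the session expired."""
        if not self.active or now - self.last_activity > AUTO_LOGOFF_SECONDS:
            self.active = False
            self.log.record(now, self.user_id, patient_id, "denied_auto_logoff")
            return False
        self.last_activity = now
        self.log.record(now, self.user_id, patient_id, "read", emergency)
        return True
```

Timestamps are passed in explicitly so the idle-timeout and chain-verification behaviour can be checked deterministically; an emergency ("break-glass") read is allowed but flagged in the trail so it can be reviewed afterwards.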


Physical safeguards:

  • Control facility access – Carefully track the specific individuals who have physical access to data storage. This applies not just to health care workers or engineers, but also to repair people and even custodians. A plan of action to block unauthorized entry must be developed. (Required)
  • Manage workstations – A policy must be drafted that limits which computer workstations (and other devices) have access to health data, describes how a screen should be guarded from being viewed at a distance, and specifies appropriate workstation use. (Required)
  • Remove mobile device ePHI – Define a mobile device policy that deletes ePHI before a device is transferred to another user. (Required)
  • Track computer servers – Create an inventory of your server and device infrastructure, including current physical location. Before moving a server or device, its data should be copied. (Recommended)


Administrative safeguards:

  • Risk assessment – Identify, analyze and define risk elements and probabilistic outcomes. Complete a comprehensive risk assessment for all health data. Create and put into place action plans to resolve outcomes in line with the defined risk assessments. (Required)
  • Systematic ongoing risk management – Risk assessment is an ongoing process that must be reviewed at regular intervals, with recalibrated measures put in place to reduce the risks to an appropriate level. A sanctions policy must be introduced for employees who fail to comply with HIPAA regulations. (Required)
  • Train staff – Employees need to be trained on all ePHI access protocols and on how to recognize potential cybersecurity risks such as phishing, hacking, and deception. A record of these sessions must be kept. (Recommended)
  • Build contingencies – Implement ongoing business continuity, responding to potential disasters with a preparation process that keeps data safe. (Required)
  • Test contingencies – Test contingency plan(s) on a regular basis, in relation to all key software. A backup system and restoration policy should be adopted. (Recommended)
  • Block unauthorized access – Be certain that parties that haven’t been granted access, such as subcontractors or parent companies, cannot view ePHI. Sign business associate agreements with all partners. (Required)
  • Document all security incidents – Note that this step is separate from the Breach Notification Rule, which has to do with actual successful hacks. A security incident can be stopped internally before data is breached. Staff should recognize and report these occurrences. (Recommended)

Please note – these elements were all defined before the creation of HITECH.


HITECH As An Addendum to HIPAA

HITECH is the acronym for the Health Information Technology for Economic and Clinical Health Act of 2009. The legislation, signed into law by President Obama on February 17, 2009, was intended to accelerate the transition to electronic health records (EHR). It was actually included within the American Recovery and Reinvestment Act of 2009 (ARRA), which was geared toward stimulating the economy during the Great Recession.

The Office of the National Coordinator for Health Information Technology (ONC), part of the HHS Department since 2004, is responsible for the administration and creation of standards related to HITECH. Of course, HIPAA hosting providers deploying electronic health records (EHR) must satisfy the requirements defined by ONC, while simultaneously complying with the HIPAA Privacy and Security Rules. Effectively, HITECH is an addendum to HIPAA.


Electronic Health Record & Meaningful Use

The HITECH Act included the concept of electronic health records – meaningful use [EHR-MU], an effort led by the Centers for Medicare & Medicaid Services (CMS) and the Office of the National Coordinator for Health IT (ONC). HITECH proposed the meaningful use of interoperable electronic health records throughout the United States health care delivery system as a critical national goal.

Meaningful Use (MU) was defined by the following two components:

  • use of certified EHR technology in a meaningful manner (for example, electronic prescribing)
  • ensuring that certified EHR technology connects in a fashion that provides for the electronic exchange of health information to improve the quality of care.

By using certified EHR technology (CEHRT), the provider has agreed to submit to the Secretary of Health & Human Services (HHS) information on the quality of care and other measures. The concept of Meaningful Use (MU) rested on the five (5) key components of the health outcomes policy priorities, namely:

  1.  Improve quality, safety, and efficiency, and reduce health disparities
  2.  Engage patients and families in their health
  3.  Improve care coordination
  4.  Improve population and public health
  5.  Ensure adequate privacy and security protection for personal health information

Historically, the Meaningful Use directive has consisted of three stages:

  • Stage 1 laid the foundation by establishing requirements for the electronic capture of clinical data, including providing patients with electronic copies of health information.
  • Stage 2 expanded upon the Stage 1 criteria with a focus on advancing clinical processes and ensuring that the meaningful use of EHRs supported the aims and priorities of the National Quality Strategy. Stage 2 criteria encouraged the use of Certified Electronic Health Record Technology (CEHRT) for continuous quality improvement at the point of care and the exchange of information in the most structured format possible.
  • In October 2015, CMS released a final rule that established Stage 3 in 2017 and beyond, which focused on using CEHRT to improve health outcomes.

Quality Payment Program (QPP) Precursor – Sustainable Growth Rate (SGR)

Prior to the Quality Payment Program (QPP), payment increases for Medicare services were set by the Sustainable Growth Rate (SGR) law. This capped spending increases according to the growth in the Medicare population, plus a modest allowance for inflation. However, as clinicians increased their utilization of services, the reimbursement for each unit of service had to be adjusted downward to hold costs constant. As a result, the SGR would have resulted in large decreases in the Physician Fee Schedule, which was not sustainable. To avoid these decreases in reimbursement, Congress had to pass a new law every year authorizing the current fee schedule and a small increase for inflation.

The Quality Payment Program (QPP) Became Operational January 1, 2017.

In 2015, Congress passed the Medicare Access and CHIP Reauthorization Act of 2015 (MACRA). This law eliminated the SGR and replaced it with the Quality Payment Program. The new focus is to reward high-value, high-quality Medicare providers with payment increases, while at the same time reducing payments to those providers who aren’t meeting performance standards.

Of course, without the implementation of Certified Electronic Health Record Technology (CEHRT), the QPP would have been impossible, since the electronic health records that serve as the basis for QPP metrics would be missing.

Clinical providers now have two tracks to choose from, as defined in the Quality Payment Program based on their practice size, specialty, location, or patient population:

  • Merit-based Incentive Payment System (MIPS) or
  • Advanced Alternative Payment Models

MIPS goes into effect based on minimum threshold volumes (patients and dollars charged to CMS). The Advanced APM track of the Quality Payment Program offers a 5 percent incentive for achieving threshold levels of payments or patients.
