ADDING VALUE BY AUDITING HEALTH INFORMATION IMPLEMENTATIONS ALEX ROBISON DAVID ZAVALA

Transcription

1 1 ADDING VALUE BY AUDITING HEALTH INFORMATION EXCHANGE IMPLEMENTATIONS ALEX ROBISON DAVID ZAVALA PROTIVITI AHIA 31 st Annual Conference August 26-29, 2012 Philadelphia PA

2 Speakers Alex Robison Alex is a Managing Director and serves as Protiviti s Western Region Healthcare Practice Leader and is part of the firm s National Healthcare Industry Revenue Assurance and Compliance practice. He has more than 15 years professional experience in providing operational, financial, information technology and regulatory consulting and internal audit services to the healthcare id industry. Pi Prior to entering consulting, li Alex worked for a large multi-regional i l healthcare h system responsible for integrating Managed Care HMO protocols with Federally regulated Medicare guidelines for Health Care delivery. David Zavala David is a Senior Manager in Protiviti s Dallas office. He has 11 years of experience in technology; specializing in design, implementation, and management of healthcare information systems. David has spent the last 6 years working with healthcare organizations undergoing large-scale Health Information Exchange initiatives. Prior to this, David was responsible for overseeing EHR implementations for large multi-hospital systems as well as smaller communitybased ambulatory practices. 2

3 The culture of an industry That it will ever come into general use, notwithstanding its value, is extremely doubtful because its beneficial application requires much time and gives a good bit of trouble, both to the patient and to the practitioner because its hue and character are foreign and opposed to all our habits and associations. i The London Times, in 1834, commenting on... 3

4 The culture of an industry the stethoscope. 4

5 The culture of an industry 5

6 6 Background

7 The ARRA and HITECH The Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted as part of the American Recovery and Reinvestment Act of 2009 (ARRA). The HITECH Act includes more than $19 billion to help develop a robust IT infrastructure and data exchange capabilities for healthcare, as well as to assist providers and other entities in adopting and using Health Information Technology (Health IT), including the implementation and Meaningful Use of Electronic Health Records (EHR). 7

8 Demonstrating Meaningful Use Under the HITECH Act and the Medicare and Medicaid EHR Incentive Program, federal incentive payments will be available to doctors and hospitals when they adopt EHRs and demonstrate use in ways that can improve the quality, safety, and effectiveness of care. This is commonly referred to as demonstrating Meaningful Use. The three primary components of Meaningful Use are: 1. The use of a certified EHR in a meaningful manner, such as e-prescribing. 2. The use of certified EHR technology for electronic exchange of health information to improve quality of health care. 3. The use of certified EHR technology to submit clinical quality and other measures to CMS. 8

9 Meaningful Use The Road Ahead The criteria for Meaningful Use will be staged over the course of the next several years. Stage 1 (2011 and 2012) sets the baseline for electronic data capture and information sharing using EHRs. Stage 2 (delayed until 2014) will focus on data sharing, patient engagement, and Health Information Exchange. Stage 3 (expected to begin in 2015) and will continue to expand on previous baselines to improve clinical outcomes, presumably with enhanced quality reporting measures. 9

10 What is Health Information Exchange? The ONC defines Health Information Exchange as The electronic exchange of healthcare information across organizations within a region, community or hospital system, according to nationally recognized standards. HIEs provide the capability to electronically move clinical information among disparate health information systems in an effort to facilitate efficient and effective access to a complete patient record. 10

11 Critical Challenges of Health Information Exchange Developing a sustainable business model Addressing government policy and mandates Defining the value-add to the users of HIE Addressing privacy and confidentiality issues (e.g., HIPAA, patient consent) Addressing technical aspects including architecture, applications and connectivity Data Integrity Addressing organization and governance issues Development of the NwHIN 11

12 Providing Value through Health Information Exchange Effective health information exchange brings clinical and administrative benefits: Providers will be able to improve quality of care, increase efficiency of clinical and administrative processes, and reduce costs by improving reimbursement management. Payers will realize significant cost savings by improving administrative efficiency and reducing readmissions, testing and acute care episodes while also helping to create stickiness with providers. Public Health Organizations will be empowered to improve long-term health outcomes. 12

13 13 Implementation Practices

14 Application Implementation Practices 14

15 Understanding Implementation Risk Risk is defined as the possibility of a loss or a diminished level of success. Risk Management is the process of defining, identifying, addressing, and eliminating risk items before the items become threats or require major rework. It can be seen as an advanced preparation p for possible adverse future events, rather than responding as the event happens. This advanced planning provides the project team the opportunity to select an alternative action plan which will still enable project objectives to be achieved successfully. The Goal is to identify project risks and develop strategies that either significantly reduce the risks, provide guidelines in an effort to avoid the risks, or at a minimum minimize the impact of risk results. The Critical Success Factor in this process is to successfully complete the project in a way in which the risks associated with the project are managed

16 Common Barriers to Successful HIE Implementations Inadequate executive oversight Insufficient software selection practices Vendor implementation methodologies are only as good as you help make them. Deficiencies with vendor support Lack of involvement/acceptance by physicians and employees Lack of appropriate go-forward decision milestones Staffing and the perception of asking too much from already-taxed employees Employee turnover Disconnects frequently exist in communication between leadership and departmental personnel 16

17 Common Barriers to Successful HIE Implementations An effective mechanism or process is not in place to consistently capture, evaluate, and respond to questions and concerns of personnel Insufficient training and/or advance scheduling along with sufficiency of backfill/agency personnel Insufficient attention is paid to security configuration requirements and appropriate stakeholders are not consistently included Loose interpretation of regulatory requirements Operational workflow designs do not have sufficient detail or appropriately address future-state needs Formal workflow approval checkpoints for appropriate operational representatives are not incorporated Inability to align workflow with the application 17

18 Common Barriers to Successful HIE Implementations Insufficient planning for all processes directly or indirectly affected Post go-live practice deviates from intended design and manual paper processes persist Project plans and issue tracking tools are not effectively utilized to facilitate overall project management/oversight into the validation process Lack of sufficient project manager competence and/or sufficient PMO oversight Insufficient testing performed and insufficient guidance (e.g., test script development) provided to ensure consistency Insufficient change management practices The configuration of application controls is not sufficiently considered (undervalued and underutilized) 18

19 19 HIPAA

20 Hot Topic - Meaningful Use Risk Analysis The Protect Electronic Health Information Core Objective for eligible hospitals and eligible professionals includes the following: Protect Electronic Health Information Objective Measure Exclusion Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities. Conduct or review a security risk analysis in accordance with the requirements under 45 CFR (a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process. No exclusion. 20

21 Meaningful Use Risk Analysis (cont d) Big picture - certified EHR data is not the only important data, all ephi should be addressed so don t fall into this trap All ephi Required by HIPAA ephi contained in EHR Must attest for Meaningful Use Include in your risk analysis/mgmt 21

22 HIPAA Security now has teeth!

23 HIPAA Security The Health Information Technology for Economic and Clinical Health (HITECH) Act strengthens civil and criminal enforcement of the HIPAA rules. Security Breach Notifications for Covered Entities For breaches affecting >500 individuals within one state, the organization must notify the following without unreasonable delay and no later than 60 days after discovering the breach Local media outlets HHS Secretary The affected individuals Annually required to report all breaches affecting < 500 individuals to the HHS Secretary Accountability HHS is now required to report to Congress on compliance activity and to conduct periodic audits Penalties increased for violations, up to $50,000 for each violation with a maximum fine of $1,500,000 per year + the cost of resolution agreements 23

24 Enforcement is here OCR is committed to compliance and enforcement Reviewing every submitted complaint HIPAA Privacy and Security Compliance review for every entity that has a breach that affects >500 individuals Hired KPMG to conduct audits of up to 150 covered entities in 2012 (pilot process to be expanded) First 20 Covered Entities Selected: 10 Healthcare Providers 8 Health Plans 2 Healthcare Clearinghouses Through investigations, voluntary dispute resolution, enforcement, technical assistance, policy development and information services, OCR will protect the civil rights of all individuals who are subject to discrimination in health and human services programs and protect the health information privacy rights of consumers. ~ OCR Vision Statement 24

25 HIPAA Security Key focus areas Third-party risk management (e.g., Business Associate Agreements) Encryption is becoming more pervasive but you still need to know your ephi inventory State legislation targeted to Healthcare IT innovation and compliance may have advance HIPAA compliance The stimulus package has significantly expanded the scope of existing HIPAA privacy and security rules 25

26 HIPAA Security How can Internal Audit help? Are sufficient programs in place to support compliance and promote consistency? Can your organization clearly identify what it s doing to comply? Have the assets that hold, store, process and transmit ephi been accurately identified? Has unstructured data, such as that contained in Access databases and Excel spreadsheets, been considered? Is action being taken to address the recent changes? 26

27 What should you do today? Define your Breach Response and Notification processes Evaluate the KPMG audit process take action in a timely manner Perform an Evaluation Measure yourself against the regulations, take inventory of your Policies and Procedures, understand your processes, and determine if there are any deficiencies. Perform this minimally on an annual basis, or when major changes occur in your environment. Implement a robust Risk Analysis and Management Program that proactively manages risk versus reactively addresses issues after they ve materialized Educate. Communicate. 27

28 28 Business Continuity Management

29 I cannot imagine any condition which could cause this ship to flounder. I cannot conceive of any vital disaster happening to this vessel. E.J. Smith, Captain of the Titanic 29

30 Business Continuity Management How long must an interruption to day-to-day operations be before it significantly impacts your organization? Continuity of care is typically outside of the BCM scope based on stringent regulations and historical compliance efforts, however Health information management is now relying much more heavily on technology (e.g., electronic medical records, wireless technologies, PDA s) and the line is graying Impact of regulations/standards specifically addressing BCP/DRP (e.g., HIPAA, JCAHO, etc.) 30

31 Business Continuity Management What is business continuity management? the development of strategies, plans and actions which provide protection or alternative modes of operation for those activities or business processes which, if they were to be interrupted, might otherwise bring about a seriously damaging g or potentially fatal loss to the enterprise. 31

32 Business Continuity Management What is a Business Impact Analysis or BIA? A process designed to identify critical business functions and workflow, determine the qualitative and quantitative impacts of a disruption, and to prioritize and establish recovery time objectives The BIA results form the foundation for the all subsequent recovery strategy and planning efforts but this effort is commonly overlooked, undervalued, or insufficiently executed 32

33 Business Continuity Management What activities should we be doing in a BIA? Identify process requirements personnel/skills, facilities, equipment, external relationships, applications and technology, as well as telecommunications Determine impacts (operational, financial, i customer, legal l and regulatory) Identify Interdependencies and single points of failure Define Recovery Point Objectives (RPO), as well as capacity requirements Define Recovery Time Objectives (RTO) Evaluate the process capacity at the RTO Identify the current capability to recover and operate in a manual mode 33

34 Business Continuity Management In the past, the Internal Auditor Checked to see if a plan was in place Reviewed the IT Disaster Recovery plan for timeliness but only if they were truly IT Auditors Asked if tests were performed but didn t review the results Very rarely owned the process 34

35 Business Continuity Management How can Internal Audit add value to BCM? Serve as the internal sales person - make the case for Business Continuity Participate in the Risk Assessment and Business Impact Analysis, don t just audit the results Implement project management standards Assist in defining key business functions Help craft capability maturity levels and definitions Define controls and guide towards process, not just a plan Audit the process - before, during and after (ongoing) g) Assist with lessons learned Keep management informed of progress 35

36 Business Continuity Management What should you look for during an audit? Are all plans up to date? Are all critical business functions and systems covered? Are the plans based on the risks and potential consequences of business interruptions? Are the plans fully documented? Have functional responsibilities been assigned? Is the organization capable of and prepared to implement the plans? 36

37 Business Continuity Management What should you look for during an audit? (cont.) Are the plans tested and revised based on the results? Are the plans stored properly and safely? Is the storage location known? Are the locations of alternate facilities (backup sites) known to employees? Do the plans call for coordination with local emergency services? 37

38 In closing Don t lose sight of the true intent of Health Information Exchange improving patient care. Don t wait to dust off your HIPAA Security practices, when the auditors come knocking it may be too late. Remember that no HIE implementations are exactly alike, and all contain risk. Focus on managing risk versus reacting to problems. Communication is key! 38

39 A little like HIE Implementation 39

40 Please feel free to contact us if you have additional questions. Thank you again for your time! Alex Robison, Protiviti Managing Director Direct: David Zavala, Protiviti Senior Manager Direct:

41 Save the Date: August 25-28, nd Annual Conference Chicago, IL 41