
ADDING VALUE BY AUDITING HEALTH INFORMATION EXCHANGE IMPLEMENTATIONS
Alex Robison, David Zavala (Protiviti)
AHIA 31st Annual Conference, August 26-29, 2012, Philadelphia, PA. www.ahia.org

Speakers

Alex Robison: Alex is a Managing Director and serves as Protiviti's Western Region Healthcare Practice Leader and is part of the firm's National Healthcare Industry Revenue Assurance and Compliance practice. He has more than 15 years of professional experience in providing operational, financial, information technology and regulatory consulting and internal audit services to the healthcare industry. Prior to entering consulting, Alex worked for a large multi-regional healthcare system, responsible for integrating managed care HMO protocols with federally regulated Medicare guidelines for health care delivery.

David Zavala: David is a Senior Manager in Protiviti's Dallas office. He has 11 years of experience in technology, specializing in the design, implementation, and management of healthcare information systems. David has spent the last 6 years working with healthcare organizations undergoing large-scale Health Information Exchange initiatives. Prior to this, David was responsible for overseeing EHR implementations for large multi-hospital systems as well as smaller community-based ambulatory practices.

The culture of an industry

"That it will ever come into general use, notwithstanding its value, is extremely doubtful because its beneficial application requires much time and gives a good bit of trouble, both to the patient and to the practitioner because its hue and character are foreign and opposed to all our habits and associations." The London Times, in 1834, commenting on... the stethoscope.

Background

The ARRA and HITECH

The Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted as part of the American Recovery and Reinvestment Act of 2009 (ARRA). The HITECH Act includes more than $19 billion to help develop a robust IT infrastructure and data exchange capabilities for healthcare, as well as to assist providers and other entities in adopting and using Health Information Technology (Health IT), including the implementation and Meaningful Use of Electronic Health Records (EHR).

Demonstrating Meaningful Use

Under the HITECH Act and the Medicare and Medicaid EHR Incentive Program, federal incentive payments will be available to doctors and hospitals when they adopt EHRs and demonstrate use in ways that can improve the quality, safety, and effectiveness of care. This is commonly referred to as demonstrating Meaningful Use. The three primary components of Meaningful Use are:
1. The use of a certified EHR in a meaningful manner, such as e-prescribing.
2. The use of certified EHR technology for electronic exchange of health information to improve the quality of health care.
3. The use of certified EHR technology to submit clinical quality and other measures to CMS.

Meaningful Use: The Road Ahead

The criteria for Meaningful Use will be staged over the course of the next several years. Stage 1 (2011 and 2012) sets the baseline for electronic data capture and information sharing using EHRs. Stage 2 (delayed until 2014) will focus on data sharing, patient engagement, and Health Information Exchange. Stage 3 (expected to begin in 2015) will continue to expand on the previous baselines to improve clinical outcomes, presumably with enhanced quality reporting measures.

What is Health Information Exchange?

The ONC defines Health Information Exchange as "the electronic exchange of healthcare information across organizations within a region, community or hospital system, according to nationally recognized standards." HIEs provide the capability to electronically move clinical information among disparate health information systems in an effort to facilitate efficient and effective access to a complete patient record.

Critical Challenges of Health Information Exchange
- Developing a sustainable business model
- Addressing government policy and mandates
- Defining the value-add to the users of the HIE
- Addressing privacy and confidentiality issues (e.g., HIPAA, patient consent)
- Addressing technical aspects, including architecture, applications and connectivity
- Data integrity
- Addressing organization and governance issues
- Development of the Nationwide Health Information Network (NwHIN)

Providing Value through Health Information Exchange

Effective health information exchange brings clinical and administrative benefits:
- Providers will be able to improve quality of care, increase the efficiency of clinical and administrative processes, and reduce costs by improving reimbursement management.
- Payers will realize significant cost savings by improving administrative efficiency and reducing readmissions, testing and acute care episodes, while also helping to create "stickiness" with providers.
- Public health organizations will be empowered to improve long-term health outcomes.

Implementation Practices

Application Implementation Practices

Understanding Implementation Risk

Risk is defined as the possibility of a loss or a diminished level of success. Risk management is the process of defining, identifying, addressing, and eliminating risk items before they become threats or require major rework. It can be seen as advance preparation for possible adverse future events, rather than responding as the event happens. This advance planning gives the project team the opportunity to select an alternative action plan that will still enable the project objectives to be achieved successfully.

The goal is to identify project risks and develop strategies that significantly reduce the risks, provide guidelines for avoiding the risks, or at a minimum minimize the impact should they materialize. The critical success factor in this process is to complete the project in a way in which the risks associated with it are managed.

Common Barriers to Successful HIE Implementations
- Inadequate executive oversight
- Insufficient software selection practices
- Vendor implementation methodologies are only as good as you help make them
- Deficiencies with vendor support
- Lack of involvement/acceptance by physicians and employees
- Lack of appropriate go-forward decision milestones
- Staffing, and the perception of asking too much from already-taxed employees
- Employee turnover
- Disconnects frequently exist in communication between leadership and departmental personnel
- An effective mechanism or process is not in place to consistently capture, evaluate, and respond to questions and concerns of personnel
- Insufficient training and/or advance scheduling, along with sufficiency of backfill/agency personnel
- Insufficient attention is paid to security configuration requirements, and the appropriate stakeholders are not consistently included
- Loose interpretation of regulatory requirements
- Operational workflow designs do not have sufficient detail or do not appropriately address future-state needs
- Formal workflow approval checkpoints for the appropriate operational representatives are not incorporated
- Inability to align workflow with the application
- Insufficient planning for all processes directly or indirectly affected
- Post go-live practice deviates from the intended design and manual paper processes persist
- Project plans and issue tracking tools are not effectively utilized to facilitate overall project management/oversight of the validation process
- Lack of sufficient project manager competence and/or sufficient PMO oversight
- Insufficient testing performed and insufficient guidance (e.g., test script development) provided to ensure consistency
- Insufficient change management practices
- The configuration of application controls is not sufficiently considered (undervalued and underutilized)

HIPAA

Hot Topic: Meaningful Use Risk Analysis

The Protect Electronic Health Information core objective for eligible hospitals and eligible professionals includes the following:

Objective: Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.
Measure: Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.
Exclusion: No exclusion.

Meaningful Use Risk Analysis (cont'd)

Big picture: certified EHR data is not the only important data. The ePHI contained in the certified EHR is what you must attest to for Meaningful Use, but HIPAA requires the risk analysis to cover all ePHI, wherever it is held. Include all ePHI in your risk analysis and risk management, and don't fall into the trap of stopping at the EHR.

HIPAA Security now has teeth!

HIPAA Security

The Health Information Technology for Economic and Clinical Health (HITECH) Act strengthens civil and criminal enforcement of the HIPAA rules.

Security breach notifications for covered entities (45 CFR 164.400-414):
- Affected individuals must be notified of any breach of unsecured PHI without unreasonable delay and no later than 60 days after the breach is discovered, regardless of how many people are affected.
- For breaches affecting 500 or more individuals, the HHS Secretary must be notified at the same time; where more than 500 residents of a single state or jurisdiction are affected, prominent local media outlets must also be notified.
- Breaches affecting fewer than 500 individuals are logged and reported to the HHS Secretary annually.

Accountability: HHS is now required to report to Congress on compliance activity and to conduct periodic audits.

Penalties increased for violations: up to $50,000 for each violation, with a maximum of $1,500,000 per year for violations of an identical provision, plus the cost of resolution agreements.

Enforcement is here

OCR is committed to compliance and enforcement:
- Reviewing every submitted complaint
- HIPAA Privacy and Security compliance review for every entity that has a breach affecting more than 500 individuals
- Hired KPMG to conduct audits of up to 150 covered entities in 2012 (a pilot process to be expanded)
- First 20 covered entities selected: 10 healthcare providers, 8 health plans, 2 healthcare clearinghouses

"Through investigations, voluntary dispute resolution, enforcement, technical assistance, policy development and information services, OCR will protect the civil rights of all individuals who are subject to discrimination in health and human services programs and protect the health information privacy rights of consumers." ~ OCR Vision Statement

HIPAA Security: Key focus areas
- Third-party risk management (e.g., Business Associate Agreements)
- Encryption is becoming more pervasive, but you still need to know your ePHI inventory: you cannot encrypt, or prove you have encrypted, data you have not located
- State legislation targeted at healthcare IT innovation and compliance may impose requirements beyond HIPAA
- The stimulus package has significantly expanded the scope of the existing HIPAA privacy and security rules

HIPAA Security: How can Internal Audit help?
- Are sufficient programs in place to support compliance and promote consistency?
- Can your organization clearly identify what it is doing to comply?
- Have the assets that hold, store, process and transmit ePHI been accurately identified?
- Has unstructured data, such as that contained in Microsoft Access databases and Excel spreadsheets, been considered?
- Is action being taken to address the recent changes?
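The ePHI inventory questions above are where many audits stall: nobody knows which file shares, exports and departmental spreadsheets hold patient identifiers. The script below is an added example written for this page (it is not Protiviti's tooling or anything from the original deck) of a first-pass discovery sweep. It walks a directory tree, scores text-like files against PHI-shaped patterns (SSN, labelled date of birth, and an assumed 6-10 digit MRN format), masks every match so the report does not become a new copy of the data, and lists binary formats such as Access and Excel files as "opaque" so they are followed up by hand rather than silently skipped. All file contents are constructed sample data.

```python
"""Added example for this page: an ePHI discovery sweep over unstructured files.

Illustrative code written for the editor's example, not Protiviti's or any
vendor's tooling. Indicator patterns are heuristics: a hit is a lead for the
ePHI inventory, not proof of PHI. All sample file contents are constructed.
"""
import os
import re
import tempfile

TEXT_EXTENSIONS = {".txt", ".csv", ".log", ".json", ".md"}
OPAQUE_EXTENSIONS = {".mdb", ".accdb", ".xls", ".xlsx", ".pdf"}

PATTERNS = {
    # SSN with structurally invalid area/group/serial values excluded
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    # Labelled date of birth, e.g. "DOB: 04/12/1961"
    "dob": re.compile(r"\b(?:DOB|Date of Birth)\s*[:=]\s*\d{1,2}/\d{1,2}/\d{4}\b", re.I),
    # Labelled medical record number; the 6-10 digit format is an assumption
    "mrn": re.compile(r"\bMRN\s*[:#]?\s*\d{6,10}\b", re.I),
}


def mask(value: str, keep: int = 4) -> str:
    """Replace every alphanumeric character except the last `keep` with '*'."""
    head = "".join("*" if ch.isalnum() else ch for ch in value[:-keep])
    return head + value[-keep:]


def scan_text(text: str) -> dict:
    """Return {indicator_name: [masked matches]} for one document."""
    hits = {}
    for name, pattern in PATTERNS.items():
        found = [mask(m.group(0)) for m in pattern.finditer(text)]
        if found:
            hits[name] = found
    return hits


def scan_tree(root: str) -> dict:
    """Walk `root` and return {relative_path: finding}.

    A file is marked likely_ephi when two or more distinct indicator types
    co-occur (a lone SSN may be an employee record; SSN + MRN + DOB reads as a
    patient record). Opaque formats get likely_ephi=None: follow up by hand.
    """
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            ext = os.path.splitext(fn)[1].lower()
            if ext in OPAQUE_EXTENSIONS:
                findings[rel] = {"hits": {}, "opaque": True, "likely_ephi": None}
            elif ext in TEXT_EXTENSIONS:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_text(fh.read())
                findings[rel] = {"hits": hits, "opaque": False,
                                 "likely_ephi": len(hits) >= 2}
    return findings


# Constructed sample tree: a billing export, an IT log, an HR note and a
# legacy Access file that never made it onto the ePHI inventory.
SAMPLE_FILES = {
    "billing/export.csv": "patient,MRN,DOB,SSN\n"
                          "J. Doe,MRN 00123456,DOB: 04/12/1961,123-45-6789\n",
    "it/server.log": "2012-08-26 10:02:11 INFO backup completed in 412s\n",
    "hr/notes.txt": "Employee SSN on file: 456-78-9012\n",
    "legacy/shadow.accdb": b"\x00\x01not-really-a-database",
}


def build_sample_tree(root: str) -> None:
    """Materialize SAMPLE_FILES under `root`."""
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb" if isinstance(content, bytes) else "w") as fh:
            fh.write(content)


def demo() -> dict:
    """Build the sample tree in a temp directory, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, info in sorted(demo().items()):
        print(f"{rel:22} likely_ephi={info['likely_ephi']!s:5} hits={info['hits']}")
```

Point the scanner at a departmental share rather than the EHR itself: the EHR is already on the inventory, the spreadsheet someone exported from it last year usually is not. Treat the output as a worklist for the risk analysis, and keep the masked report under the same access controls as the data it describes.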

What should you do today?
- Define your breach response and notification processes.
- Evaluate the OCR audit process (the audits conducted by KPMG) and take action in a timely manner.
- Perform an evaluation: measure yourself against the regulations, take inventory of your policies and procedures, understand your processes, and determine whether there are any deficiencies. Do this at least annually, or whenever major changes occur in your environment.
- Implement a robust risk analysis and risk management program that proactively manages risk rather than reactively addressing issues after they have materialized.
- Educate. Communicate.

Business Continuity Management

"I cannot imagine any condition which could cause this ship to flounder. I cannot conceive of any vital disaster happening to this vessel." E.J. Smith, Captain of the Titanic

Business Continuity Management

How long must an interruption to day-to-day operations be before it significantly impacts your organization?

Continuity of care is typically outside the scope of BCM, given the stringent regulations and historical compliance efforts that already cover it; however, health information management now relies much more heavily on technology (e.g., electronic medical records, wireless technologies, PDAs) and the line is blurring. Regulations and standards also specifically address BCP/DRP (e.g., the HIPAA Security Rule contingency plan standard, Joint Commission (JCAHO) requirements).

Business Continuity Management: What is business continuity management?

The development of strategies, plans and actions which provide protection or alternative modes of operation for those activities or business processes which, if they were to be interrupted, might otherwise bring about a seriously damaging or potentially fatal loss to the enterprise.

Business Continuity Management: What is a Business Impact Analysis (BIA)?

A process designed to identify critical business functions and workflow, determine the qualitative and quantitative impacts of a disruption, and prioritize and establish recovery time objectives. The BIA results form the foundation for all subsequent recovery strategy and planning efforts, but this effort is commonly overlooked, undervalued, or insufficiently executed.

Business Continuity Management: What activities should we be doing in a BIA?
- Identify process requirements: personnel/skills, facilities, equipment, external relationships, applications and technology, as well as telecommunications
- Determine impacts (operational, financial, customer, legal and regulatory)
- Identify interdependencies and single points of failure
- Define Recovery Point Objectives (RPO), as well as capacity requirements
- Define Recovery Time Objectives (RTO)
- Evaluate the process capacity at the RTO
- Identify the current capability to recover and operate in a manual mode
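Two of the BIA activities above, identifying interdependencies and single points of failure and defining RTOs, are easy to do inconsistently: a process is given a 4-hour RTO while the storage it runs on takes 12 hours to restore. The script below is an added example written for this page (not Protiviti's method or the deck's own material) of the checks an auditor can run once the BIA has been captured as a dependency graph. Processes carry a required RTO; the resources they depend on carry the time it actually takes to restore them. It reports processes whose RTO cannot be met by the slowest chain beneath them, and resources that several critical processes share. Node names, restore times and RTOs are constructed sample data.

```python
"""Added example for this page: consistency checks over BIA results.

Illustrative code written for the editor's example, not Protiviti's method or
a product. The hospital slice in sample_graph() is constructed data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Node:
    name: str
    kind: str           # "process": hours = required RTO; "resource": hours = time to restore
    hours: float
    depends_on: tuple = ()


def build_graph(nodes):
    """Index nodes by name and reject references to undefined dependencies."""
    graph = {n.name: n for n in nodes}
    for n in nodes:
        missing = [d for d in n.depends_on if d not in graph]
        if missing:
            raise ValueError(f"{n.name} depends on undefined {missing}")
    return graph


def recovery_time(graph, name, stack=()):
    """Hours until `name` is usable: the longest restore chain beneath it.

    A resource contributes its own restore time; a process contributes nothing
    of its own and is only as fast as its slowest dependency. A cycle (A needs
    B needs A) is a BIA data error and is reported rather than looped over.
    """
    if name in stack:
        raise ValueError("dependency cycle: " + " -> ".join(stack + (name,)))
    node = graph[name]
    own = node.hours if node.kind == "resource" else 0.0
    deps = [recovery_time(graph, d, stack + (name,)) for d in node.depends_on]
    return max([own] + deps)


def rto_gaps(graph):
    """{process: hours by which achievable recovery exceeds the required RTO}."""
    gaps = {}
    for node in graph.values():
        if node.kind == "process":
            achievable = recovery_time(graph, node.name)
            if achievable > node.hours:
                gaps[node.name] = achievable - node.hours
    return gaps


def single_points_of_failure(graph, min_processes=2):
    """Resources reached by at least `min_processes` processes, directly or transitively."""
    def closure(name, seen):
        for dep in graph[name].depends_on:
            if dep not in seen:
                seen.add(dep)
                closure(dep, seen)
        return seen

    users = {}
    for node in graph.values():
        if node.kind == "process":
            for res in closure(node.name, set()):
                if graph[res].kind == "resource":
                    users.setdefault(res, set()).add(node.name)
    return {r: sorted(p) for r, p in users.items() if len(p) >= min_processes}


def sample_graph():
    """Constructed hospital slice: two clinical processes and billing on shared infrastructure."""
    return build_graph([
        Node("datacenter_power", "resource", 4.0),
        Node("network", "resource", 2.0, ("datacenter_power",)),
        Node("SAN", "resource", 12.0, ("datacenter_power",)),
        Node("EHR_db", "resource", 8.0, ("SAN",)),
        Node("HIE_interface_engine", "resource", 6.0, ("network", "EHR_db")),
        Node("billing_app", "resource", 24.0, ("SAN",)),
        Node("clinical_documentation", "process", 4.0, ("EHR_db", "network")),
        Node("HIE_results_exchange", "process", 24.0, ("HIE_interface_engine",)),
        Node("patient_billing", "process", 72.0, ("billing_app",)),
    ])


if __name__ == "__main__":
    g = sample_graph()
    print("RTO gaps (hours):", rto_gaps(g))
    print("Single points of failure:", single_points_of_failure(g))
```

In the sample, clinical documentation asks for a 4-hour RTO but sits on an EHR database whose SAN takes 12 hours to restore, an 8-hour gap that either the recovery strategy or the RTO has to absorb; the HIE results exchange is fine at 24 hours. The single-point-of-failure list (power, SAN, EHR database, network) is the input to the "evaluate capacity at the RTO" and "manual mode" activities: those are the resources whose manual workarounds need to be designed and exercised first.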

Business Continuity Management: In the past, the Internal Auditor...
- Checked to see if a plan was in place
- Reviewed the IT Disaster Recovery plan for timeliness, but only if they were truly IT auditors
- Asked if tests were performed, but didn't review the results
- Very rarely owned the process

Business Continuity Management: How can Internal Audit add value to BCM?
- Serve as the internal salesperson: make the case for business continuity
- Participate in the risk assessment and Business Impact Analysis, don't just audit the results
- Implement project management standards
- Assist in defining key business functions
- Help craft capability maturity levels and definitions
- Define controls and guide towards a process, not just a plan
- Audit the process before, during and after (ongoing)
- Assist with lessons learned
- Keep management informed of progress

Business Continuity Management: What should you look for during an audit?
- Are all plans up to date?
- Are all critical business functions and systems covered?
- Are the plans based on the risks and potential consequences of business interruptions?
- Are the plans fully documented?
- Have functional responsibilities been assigned?
- Is the organization capable of and prepared to implement the plans?
- Are the plans tested and revised based on the results?
- Are the plans stored properly and safely? Is the storage location known?
- Are the locations of alternate facilities (backup sites) known to employees?
- Do the plans call for coordination with local emergency services?

In closing
- Don't lose sight of the true intent of Health Information Exchange: improving patient care.
- Don't wait to dust off your HIPAA Security practices; when the auditors come knocking it may be too late.
- Remember that no two HIE implementations are exactly alike, and all contain risk. Focus on managing risk rather than reacting to problems.
- Communication is key!


Please feel free to contact us if you have additional questions. Thank you again for your time!

Alex Robison, Protiviti Managing Director. Direct: 602.273.8022. Email: alex.robison@protiviti.com
David Zavala, Protiviti Senior Manager. Direct: 469.374.2444. Email: david.zavala@protiviti.com

Save the Date: August 25-28, 2013, 32nd Annual Conference, Chicago, IL