2/17/2011 http://www.redspin.com
So yes, I was at RSA….
Agenda
- EHR Meaningful Use Incentive Program Progress to Date
- Navigating “Meaningful Use” Amidst a Changing Political Landscape
- Assessing Your Internal Security Program for Compliance and Long Term Success
- What's New on the Security Front
- The Challenges of Creating a Secure, Private Cloud Environment
- Case Study: Beth Israel Deaconess Medical Ctr
Where Did It All Start?
“Meaningful Use” – A Quick Review
Eligible Entities
Criteria and Standards
– Is the practice or hospital making adequate use of EHRs?
– Has a risk analysis been conducted?
– Is there a platform for staged implementation?
Show Me the Money
Meaningful Incentive Program
Medicare EHR:
- Participation as early as FY 2011
- EPs may receive up to $44,000 over 5 years, plus incentive if in HPSA
- Must begin by 2012 to get maximum
- Incentives for hospitals may begin in 2011 w/a $2 million base payment
- Medicare EPs, hospitals and CAHs who do not show meaningful use will have Medicare payments decrease beginning 2015

Medicaid EHR:
- Voluntarily offered by individual states
- May begin as early as FY 2011
- EPs may receive up to $63,750 over 6 years
- Incentives for hospitals may begin in 2011
- No payment adjustment for providers who do not show meaningful use
Meaningful Use Incentive Program
Progress to Date
Jan 3, 2011   Meaningful Use registration opens
Jan 5, 2011   2-physician medical group in Austin, TX received $42,500 under the Medicaid incentive program for EHR
Feb 11, 2011  >18,000 providers registered under meaningful use incentive program
              >40,000 providers have registered at 62 regional extension centers for assistance in meeting requirements
May 1, 2011   First payments will go out to qualified Medicare providers
Navigating Meaningful Use Amidst
a Changing Political Landscape
• House vote 245-189 to repeal the Patient Protection and Affordable Care Act (PPACA)
• Spending Reduction Act HR 408 would imply rescinding funding for EHR incentives
• Blumenthal’s resignation
• PPACA ruled unconstitutional in a Virginia court and then again in U.S. district court in Florida
Keep Calm and Carry On
Assessing Your Internal Security Program
for Compliance and Long Term Success
Meaningful Use Stage 1
Core Objective
Protect Electronic Health Information
Security Rule Standards
Evaluation Standard
“Perform a periodic technical and non-technical evaluation, based initially upon the standards and implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which an entity’s security policies and procedures meet the requirements of this subpart.” [§164.308(a)(8)]
Related Standards
Business Associates
HIPAA/HITECH Compliance
What are the objectives of a
HIPAA Risk Analysis and
Security Assessments?
PHI/PII Risk Indication
Components of Risk
Wireless Pen
Web App
External Pen
Internal Pen
Social Engineering
Business Associate Compliance
Liability:
- BAs are contractually liable to CEs for breach of BA agreement
- BAs are civilly and criminally liable to Federal government for violations
Notification:
- BA notify CE of any breach
- CE has obligation to notify patients and HHS
- If 500+ persons, notify media serving their area
Recommendations:
- Identify BAs with highest risk
- Communicate expectations to BAs
- Automate contract and BA agreement files
- Develop auditing and monitoring process
- Educate executives and key players on BAs
Business Associates (BAs) surrounding the Covered Entity (CE):
- IT vendors
- coding vendors
- outsourced call center
- subcontractors
- insurance companies
- pharmacies
- hospitals
- physicians
- e-prescribing ecosystem
- CPOE
- radiology labs
- HIEs
- RHIOs
- ACOs
- lawyers
- CPAs
- housekeeping services
- etc. !!!
HIPAA Audit Scope Attributions
What’s New on the Security Front
Healthcare IT
Challenges of creating a secure cloud environment
What is Cloud Computing?
Most Common Cloud Computing
Deployment Models
Public – Available to the general public and owned by an organization selling cloud services.
Private – Operated solely for a single organization. It may be managed by the organization or a third party, and may exist on-premises or off-premises.
Community – Shared by several organizations and supports a specific community that has shared concerns. It may be managed by the organizations or a third party and may exist on-premises or off-premises.
Hybrid – A composition of two or more clouds.
A Hybrid Model – Most Common
Security and Compliance Challenge
Solution: PHI in Cloud Context
Beth Israel Deaconess
Medical Center
CASE STUDY
Profile
• Teaching hospital of Harvard Medical School
• >750,000 patient visits annually (Boston area)
• 631 licensed beds, including 429 medical / surgical beds, 77 critical care beds and 60 OB/GYN beds
• Approximately 5,000 births a year
• A full range of ER services including a Level 1 Trauma Center and roof-top heliport
• Medical provider to Boston Red Sox
Source: http://www.bidmc.org/AboutBIDMC/StatsandFacts.aspx
The Middle of the Story - Today
• Beth Israel Deaconess Medical Center (BIDMC) is first hospital nationally to meet new federal electronic health record requirements with its own software (January 26, 2011)
Source: http://www.bidmc.org/News/AroundBIDMC/2011/January/Meaningfuluse.aspx
The Beginning of the Story
• 2+ years ago
• Part of an eClinicalWorks LLC electronic health record (EHR) deployment to roughly 200 affiliated ambulatory physicians. Will be 350 by year end.
• BIDMC virtualized servers on VMware
• One at a time, one virtual server -- including the EHR software integrated with a practice management app and billing system -- was deployed to each practice.
Source: http://searchhealthit.techtarget.com/tip/How-virtualization-implementation-catalyzes-private-cloud-growth (Jan 10, 2011)
The Result
Source: http://searchhealthit.techtarget.com/tip/How-virtualization-implementation-catalyzes-private-cloud-growth
Jan 10, 2011
In Their Own Words
- Bill Gillis
BIDMC eHealth Technical Director
Source: http://searchhealthit.techtarget.com/tip/How-virtualization-implementation-catalyzes-private-cloud-growth
Jan 10, 2011
The Future at BIDMC
• First step - Let physicians within its private cloud exchange data.
• Extend Hospital network's HIE project to other area hospitals and later to the whole country.
• Deploy virtual desktops in a hardware-agnostic way so physicians could manage apps from their laptops, tablets and smart phones.
• Interoperability combining data from various proprietary systems into a patient-accessible EHR.
Source: http://searchhealthit.techtarget.com/tip/How-virtualization-implementation-catalyzes-private-cloud-growth (Jan 10, 2011)
http://www.redspin.com/resources/healthcare/index.php
Appendix
New Enforcement Efforts and Priorities
Penalties – Per Calendar Year
Person did not know (and by exercising reasonable due diligence) would not have known:
$100 - $50K/violation, not to exceed $25K - $1.5MM
Due to willful neglect and violation was corrected:
$10K - $50K/violation, not to exceed $250K - $1.5MM