4. HITECH/EHR Overview
• HC IT Project Drivers: Incentives
  ARRA HITECH: "EHR … by 2014"
  Nationwide HIT infrastructure
  Meaningful Use HIPAA security requirements
  Changing EHR MU Stage 2 & 3 requirements
  Upcoming ACO requirements
• HC IT Project Drivers: Sanctions
  PHI breach notification
  HIPAA enforcement
5. HIPAA and PHI Data Breaches
• Ponemon Institute: Data breaches cost hospitals nearly $6 billion/year [1]
• Medical-related data breaches listed in Privacy Rights Clearinghouse [2]
  116 breaches listed in 2007-2008
  229 breaches listed in 2009-2010
• 86% of large-hospital employees surveyed believe the number of data breaches discovered will increase under HITECH [3]
• The Department of Justice secured "$2.5 billion in health care fraud recoveries—the largest in history," for the fiscal year ending 9-30-2010 [4]
[1] Source: Benchmark Study on Patient Privacy and Data Security, November 9, 2010, Ponemon Institute LLC.
[2] Source: http://www.privacyrights.org/
[3] Source: 2009 HIMSS Analytics Report: "Taking a Pulse on HITECH, Are Hospitals and Business Associates Ready?" November 17, 2009.
[4] Source: Department of Justice, November 22, 2010, http://www.justice.gov/opa/pr/2010/November/10-civ-1335.html
6. Enforcement Updates
HIPAA Sanctions
• Periodic HHS CE & BA HIPAA Compliance Audits
• Violations range from $100 to $1.5 million (willful neglect)
• Extends criminal penalties to individual or employee of CE
• State attorneys general can file civil suit on behalf of residents
7. Enforcement Updates
OCR Commitment to HIPAA Enforcement
Program Increases
• Regional Office Privacy Advisors (+$2.283 million)
• Enforcement of the HIPAA Security Rule (+$1 million)
• Investigation of the HITECH Breach Reports (+$1.335 million)
• Compliance Review Program (+$1 million)
8. Enforcement Updates
HIPAA Enforcement Activities
• Cignet Health, 2011: $4.3 million – Denying access to medical records & refusing to cooperate with OCR investigation
  http://www.hhs.gov/news/press/2011pres/02/20110222a.html
• Massachusetts General Hospital Settles HIPAA Violations, 2011: $1 million – Documents left on subway by employee
  http://www.hhs.gov/news/press/2011pres/02/20110224b.html
• Health Net, 2011: $55,000 + mandatory data-security audit for 2 years – Lost portable drive & misrepresentation of risk
  http://www.healthdatamanagement.com/news/breach_hipaa_privacy_security_hitech_lawsuit-39645-1.html
• Rite Aid, 2010: $1 million – Poor disposal practices
  http://www.hhs.gov/news/press/2010pres/07/20100727a.html
10. HITECH/EHR Services & Solutions
Outsourced Project Management
• Assist management with development of project plan to manage all phases of EHR implementation project
• Assist management with overseeing project milestones
• Periodic project status & project risk reports
EHR System Selection
• Assist management with identifying & evaluating an EHR-compliant system
• Demonstration scorecards: basis for purchase decisions
• Total cost of ownership: three-year estimates that include software, equipment & implementation fees
EHR Readiness Assessment
• IT & infrastructure inventory
• EHR current capabilities assessment
• IT Governance & process maturity measurements
• Security compliance assessment
11. HITECH/EHR Services & Solutions
ARRA Reimbursement Analysis
• Develop reimbursement projections
• Develop multi-year cash flow analysis mapping EHR project timeline with federal funding timeline projections
EHR Meaningful Use Attestation Assistance
• Review meaningful use objectives management has decided to report against
• Develop audit procedures to determine if selected objectives are being met
• Provide findings & recommendations based on executed audit procedures
HIPAA Data Security & Privacy Assessment
• Data-flow analysis
• Risk & control identification
• IT Governance & process maturity measurements
• Control design & effectiveness testing
13. Health Information Technology Risks
• Developing clinical system & sub-system inventory
• Understanding flow of data in a healthcare system
• Identifying risks & controls