To improve the quality and efficiency of health care for all stakeholders in the Santa Cruz community. To deliver technology assistance, guidance and information on best practices to providers with the goal of creating a healthcare delivery system that offers a seamless, integrated experience for patients and providers. Provide services and tools to participating healthcare providers to become meaningful users of EHRs connected to the Santa Cruz Health Information Exchange. These are foundational for Accountable Care, Clinical Integration, Medical Home Model and surviving payment reform as independent physicians

Privacy refers to patients’ health information and their right to have that information kept confidential. Security refers to the storage, use and electronic exchange of patient health information in a secure environment. Protecting patients’ privacy and securing their health information is a core requirement for the Medicare and Medicaid Electronic Health Records (EHR) Incentive Program referred to as “Meaningful Use Program” (MU). All Providers must comply with HIPAA, not just those with EHR’s or seeking MU incentives

On January 17, 2013, the Department of Health and Human Services (HHS) issued a final rule modifying the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security and Enforcement rules, including changes required by the Health Information Technology for Economic and Clinical Health Act (HITECH Act). The rule contains sweeping changes to privacy regulatory requirements which are intended to improve protection and control of personal health information. 4 main topics changed in this final rule: Business associate obligations. – A BA is now defined as any person that Creates, Receives, Maintains or Transmits PHI. New template available March 2013 Enhanced protections for PHI – Limitations on use of disclosure for marketing & fundraising Expanded individual rights – Patients have the right to electronic copies f PHI, and the right to RESTRICT PHI to health plan where the patient has paid out of pocket. Enhanced penalties and enforcement – Penalties are capped at max of $1.5 per violation Modified breach notification protocol – Entities no longer have discretion in deciding whether an incident was a “breach”. You must report The Final Rule is effective on March 26, 2013, and compliance is required by September 23, 2013

Your practice is responsible for taking the steps needed to protect the confidentiality, integrity and availability of health information, to comply with HIPAA Policies that are already in place, and to comply with CMS Meaningful Use Requirements.

To facilitate the electronic exchange of patient information a secure and professionally maintained internet connection is a necessity, not an option. To gain patients’ trust, it is important to ensure that all security measures and policies are up-to- date and enforced.

 Surgeons of Lake County – Server taken over  Billing service recycles paper PHI – Doctors fined $140K  Hospice of North Idaho – Laptop stolen $50K fine  Common Themes ◦ “did not adequately implement sufficient protections to ensure security of electronic protected health information” ◦ “failed to manage business associate relationships”

 Build and manage infrastructure.  Departmentalize staff & set security levels.  Manage vendor relationships; have BAA’s when required (new laws effective 2013), audit annually.  Develop security awareness programs and training, repeating regularly. Keep documentation for audit purposes.  Each Practice MUST have a Privacy AND a Security Officer – and they must fulfill their responsibilities  Anticipate and Address Patient Privacy Concerns.

To fulfill requirements for Stage 1 Meaningful Use EP’s needed to attest they have met certain requirements regarding use of the EHR for patient care. The attestation for Core Measure 15 is a confirmation, on the part of the EP, that those requirements have been met. CMS is actively conducting audits on information systems (IS) to ensure those requirements have been successfully met and documented. You are required to conduct a security risk analysis, implement security updates and identify security deficiencies.

CalOHII provides several unique tools to help California patients, providers, and health information organizations understand secure exchange of health information. There is a very valuable FREE tool available to you to perform a self-security audit. The HIPAA Security Toolkit is designed to assist medium to small providers with understanding HIPAA security standards requirements and for them to ascertain their organization’s HIPAA security needs. Click on the link Create a user account Allow approximately. 1-2 hours to complete Review report. You will be able to go back into the system and update your answers as you identified gaps and develop processes, policies and procedures. Self-Assessment Security Audit Tool

Resources It is highly recommended that you conduct a security self-audit. CalOHII has a free tool available to guide you through the process and provide you with reports which allows you to save and update as you correct areas of compliance concerns. Other resources available:  Health Information Privacy, Security, and Your EHR: professionals/ehr-privacy-securityhttp:// professionals/ehr-privacy-security  Communicating with your patients about health information privacy:  Healthcare Info Security:

 Public Website with the entire series of webinars and documents in February  PMG “Blue Portal”  PMG Technology Support

What’s Next? CHEQ Interface Grant Announcement – Webinar Mon, Feb 4, 2013 Choosing an EHR – Webinar Fri, Feb 15, 2013 Direct Messaging – Webinar Tues, Feb 19, PMG Electronic Citizenship – Webinar, Thurs, Feb 28, 2013

Questions?

Thank you for attending ! Please complete the survey that you will be receiving shortly We welcome your feedback and comments! Contact: PMG IT Depart