The 411 on HITECH and HIPAA IT Compliance

By Judi Grassi

2020 Alliance sponsor feature article courtesy of Carolinas IT: A Logically Company

Most group practices and clinics have adopted the Electronic Health Record (EHR). If you’re one of these organizations, you know how imperative it is to keep your Electronic Protected Health Information (EPHI) safe. Both HIPAA and the HITECH Act lay out very specific requirements about data protection, and regardless of your size, you are required to keep your Protected Health Information (PHI) secure. This is especially imperative if your organization electronically transmits health information for financial or administrative reasons, such as claims processing, benefit eligibility, referral authorization requests, and other transactions defined under the HIPAA Transactions Rule.

Three Areas of HIPAA IT Compliance

HIPAA IT compliance is the responsibility of every administrative and clinical staff member in your organization. To make compliance requirements easier to digest, HHS established three areas of HIPAA IT compliance.

    1. Administrative — These measures ensure the integrity of patient data and accessibility only to authorized parties. They require health care organizations (HCOs) to:
      • Implement a security management process that identifies potential risks to EPHI and appropriate security measures to reduce risks and vulnerabilities.
      • Designate a security official who is responsible for ensuring HIPAA and HITECH compliance.
      • Identify who has authorized access to EPHI.
      • Provide appropriate security training to employees and follow through with appropriate sanctions against any employee who violates security policies.
      • Perform a periodic assessment to assess the effectiveness of your security policies.
    2. Physical — These measures ensure the security of facilities and devices that contain EPHI. They require HCOs to:
      • Limit physical access to their facilities to authorized personnel only and protect against physical intrusion.
      • Ensure secure access to workstations and electronic media. This includes procedures for the transfer, removal, disposal, and re-use of electronic media to ensure appropriate protection of EPHI.
    3. Technical — These measures ensure that your IT systems and networks are secure from data breaches and unauthorized access. They require HCOs to:
      • Protect their IT systems against digital intrusion and ensure that EPHI is transmitted over a secure network.
      • Only allow authorized individuals to access EPHI and ensure IT systems provide an audit trail to track EPHI access.
      • Ensure EPHI is not improperly or erroneously altered or destroyed.

HITECH Compliance

The HITECH Act of 2009 shored up these privacy and security provisions:

  • HCOs, business associates, and service providers are all responsible for the security of EPHI.
  • HCOs must promptly notify affected individuals whose PHI was compromised.
  • HCOs must report any security breach that affects more than 500 individuals to the HHS Secretary.
  • HCO business associates must notify the HCO of any breach at or by the business associate.
  • Breaches affecting fewer than 500 individuals must be reported to the HHS Secretary on an annual basis.

How to Comply with HIPAA and HITECH Technical Measures
Whether you are a hospital, clinic, medical practice, HCO business associate, or HCO service provider, you will need to address the following in order to comply with HIPAA and HITECH technical measures.

  • Develop policies and procedures for data backup and recovery.
  • Back up your data on a regular, frequent basis and ensure you can retrieve exact copies of EPHI and restore any lost data. Follow the 3-2-1 backup rule: 3 copies of your data across 2 media with 1 copy stored offsite.
  • Establish acceptable but aggressive Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) and develop a disaster recovery plan that meets these objectives.
  • Periodically test your disaster recovery plan to be sure it works before a real disaster happens.
  • Perform an annual risk assessment to determine whether your systems and data are a security risk and how vulnerable you are to attack.
  • Develop a data breach response plan to identify who is responsible for what when a breach occurs, how to communicate with individuals whose PHI was compromised, how to handle the media, and how to minimize further data loss and remediate the breach.
  • Encrypt EPHI data in transit and at rest.
  • Ensure HCO business associates and service providers meet HIPAA and HITECH security requirements.

Noncompliance Fines
If you are found in noncompliance with HIPAA and HITECH regulations, it can cost you. Fines are based on the violation category or level of perceived negligence and can range from $100 to $50,000 per violation, with a maximum penalty of $1.5 million per year for each violation (see Figure 1).

Figure 1

If you are breached and fined, your organization is listed on the HHS Office for Civil Rights (OCR) Breach Portal and “Wall of Shame” if the breach involves 500 or more individuals. If your organization has a breach of this magnitude, the name of your HCO will be permanently listed.

Final Thoughts

HCOs have two choices when it comes to HIPAA IT compliance requirements: DIY (Do It Yourself) or hire an IT Managed Service Provider (MSP). Whether you are a large or small HCO, you may find that you have limited IT resources and/or skills in-house to ensure your EPHI is private and secure. Therefore, many HCOs look to HIPAA-compliant MSPs to back up their systems, ensure the privacy of EPHI, and provide the best protection from security breaches.

Figure 1: Categories of Violations and Respective Penalty Amounts Available. Source: https://www.federalregister.gov/documents/2013/01/25/2013-01073/modifications-to-the-hipaa-privacy-security-enforcement-and-breach-notification-rules-under-the#h-95

The Cloud and Your Practice

2019 Alliance sponsor article provided courtesy of TriMed Technologies

Is your practice ready to move to the cloud? That can be a tough question to answer. Most respond with, “What exactly is the cloud?” It’s a phrase you hear frequently, but what does it actually mean? We will dive into defining what the cloud means for your practice, then identify the positives and negatives of cloud storage to see if it’s the right fit for you. As you will see, the cloud offers many benefits that simply are not available when you host your own software.

Pretend, for a second, that you take all of the servers in your practice and place them in a secure storage facility. Things work exactly like they did before, but all of your hardware and data are simply hosted somewhere else. Many people believe that this is “the cloud.” In reality, what’s described above – the “your stuff, somewhere else” approach – is simply colocation. Colocation is your data securely stored in server racks with others’ data. This is not a bad option as it allows you to offload physical security and storage, but “the cloud” is so much more than colocation.

The best cloud solutions offer all of the benefits of colocation, but also take full advantage of cloud architecture. With multiple redundant databases for every client, your data is safe in the cloud. The same set of data in your primary zone is simultaneously written to redundant facilities spread across the country. In the event of a catastrophic failure, where one data center is lost, your data would be secure in another location.

A good cloud solution is not dependent on any one server. When load is spread across an array of servers in the cloud, any individual server can experience performance issues (or even crash completely) without affecting users. The affected users will automatically be routed to healthy servers in the array at the first sign of trouble. If you host a server at your practice, this type of setup is not possible. If any one of your primary on-premise servers crashes, your system can go down for hours or even days. In a good cloud environment, the user is completely unaware of the crash.

The cost structure of managing your data completely changes in the cloud. For starters, there is no upfront cost to buy a new server. Practices sink thousands of dollars into on-premise servers that depreciate quickly over time. It is also costly to maintain the operating system on those in-house servers. Then, when you take into account electrical costs, software for protecting your data, and paying an IT company to manage your server, the cost escalates quickly. In the cloud, you pay a monthly fee based on the size of your data. As you grow, your storage space in the cloud grows. Need more storage for your data? The servers automatically scale to fit your needs. You never have to worry about buying a new server, operating system updates, or running out of space.

So what’s the catch? There has to be a negative in moving to the cloud, right? That answer is really practice specific. If you have an extremely weak internet connection, the cloud might not be for you. Luckily, it is rare for a practice to not have access to a reliable internet connection in 2020. Many practices even double up on internet service providers, ensuring that they will have backup access in the unlikely event that their primary internet service goes down. Another drawback could be hardware you already own going unused. If you have recently purchased or upgraded hardware that would be unnecessary in the cloud, this sunk cost could be a tough pill to swallow.

From the software vendor point of view, the cloud provides endless possibilities to improve how you provide healthcare to your patients. Software updates can be turned around in a fraction of the time when compared to updates on on-premise servers, and they can be applied with no downtime. Bug fixes are similarly painless, which resolves client frustration in a fraction of the time it would take with on-premise servers. New features can also be flagged as optional for the end user, eliminating the days of practices being forced into software updates that they do not want. The cloud is the future of computing, and the future is bright.

Have questions about how TriMed’s EHR cloud solution could directly benefit your practice? Reach out to us using sales@trimedtech.com or by calling 866-874-6339 x802 and we will be happy to assist!

Primary Care Risk Scoring and Stratification – A Guide for Getting Started

By Joy Key, Director of Provider Services, Emtiro Health

2019 Alliance sponsor feature article courtesy of Emtiro Health

One of the goals set forth by Medicaid Managed Care in North Carolina is to build upon previous successes by “innovating and evolving to improve the health of North Carolinians.” [1] Stated another way, North Carolina aims to address Population Health at a macro level through innovation at the provider level: using robust data and pioneering service delivery to improve care for Medicaid beneficiaries. More specifically, Tier 3 Advanced Medical Home practices will be responsible for risk scoring and risk stratifying all of their Medicaid patients to achieve these goals and to match patient needs to the optimal level of care management at the right time. Resources can be best allocated using a clear and consistent method of patient stratification.

Accurate risk scoring and risk stratification of patients are two foundational principles of successful population health strategies. At the individual level, accurate risk scoring is the first step in developing a person-centered care plan. At the population level, risk stratification allows providers to develop care models that address the needs of distinct patient subsets with similar complexity and care needs, improving health outcomes for both the individuals involved as well as the overall population.

As our health care system moves away from fee-for-service payment and toward value-based reimbursement, providers and payers will have to fully understand the risks of their patient population in order to optimize care delivery. A risk score is simply a metric that attempts to predict aspects of a patient’s care (e.g., cost, Emergency Department utilization, inpatient readmission) based upon his/her clinical history and compared to a larger, average population. Sounds simple enough. However, risk scoring and patient stratification are data-driven, iterative processes that should involve providers, data analysts, and care management professionals to be the most successful. Methodologies need near constant evaluation to improve accuracy and increase value to the overall Care Management process and Population Health strategies.

A simple search online will reveal a large number of risk scoring and risk stratification methodologies – some very complex and expensive. While appropriate in some systems or populations, bigger isn’t always necessarily better and one size doesn’t fit all. The first step in choosing or designing risk models is a thorough understanding of the population being served.

Understanding the population will help determine how many risk “levels” are appropriate and what factors to include. In the earliest days of risk scoring, health systems used age and gender as simple factors. As large amounts of clinical data became more accessible, chronic disease measures and utilization rates were added to the risk formulas.

Simple scoring could be “Level 1, Level 2, Level 3”; “Tier A, Tier B, Tier C”; etc. A simple methodology might include condition counts, prescriptions, ED utilization, social determinants of health screening, etc. Again, the key to developing an effective risk scoring and risk stratification system is first understanding the patient population.

The second step in designing appropriate models is access to accurate, reliable patient data. Providers and their staff must use high quality data sources to ensure data integrity. Also, understanding subtle differences in types of data is essential – mortality versus morbidity, claims versus diagnostic data, etc. Risk scoring is only as good as the underlying data. A simple cautionary example is diagnostic data. Ample clinical and diagnostic data elements are likely already readily available from a practice’s own electronic health record (EHR), but any variation among providers in clinical documentation and HCC coding from standardized practices could skew results. Missing or inaccurate clinical data will cause the risk scoring and risk stratification to also be inaccurate and inconsistent.

Other considerations for effective Tier 3 Advanced Medical Home risk scoring and risk stratification include:

  1. Conduct a thorough and realistic assessment of internal resources and capabilities. Developing and implementing risk scoring and risk stratification methodologies will require significant staff time as well as significant expertise in analytics and statistics. If your practice plans to rely upon risk scoring modules within the EHR, Quality, IT, and Care Management staff members must still thoroughly understand the algorithms and understand how to modify them to address your practice’s unique patient population. Additionally, each iteration of the risk models will require staff retraining.
  2. Conduct an inventory of the reporting capabilities of your EHR. All of the data you need to risk score and risk stratify attributed patients may be available from payers or it may lie within the clinical documentation system. If staff cannot retrieve actionable data, the risk scoring and risk stratification models will become stagnant and ineffective. Custom reporting may be available, but it should be determined if that strategy is sustainable for the long run.
  3. A Tier 3 practice’s risk scoring and risk stratification methodology must be able to incorporate risk scores from each contracted Prepaid Health Plan. Combined with a practice’s own clinical perspective, the risk stratification system yields a broader view of patients’ needs and health status.
  4. Whatever risk scoring and risk stratification methodology is selected, it must be used consistently by the entire care team. Everyone must be on board with the process and understand how to use the information.
  5. Evaluate the published aims and objectives of North Carolina’s Medicaid Managed Care Quality Strategy in order to have a complete understanding of what is to be achieved and which enrollees fall into “priority populations.” [2]

Ultimately, risk scoring and stratification improve outcomes for both providers and patients, which is why they have become a requirement for Tier 3 Advanced Medical Homes. While risk scoring and stratification are complex undertakings, with thoughtful examination of available data, resource capabilities, and care delivery goals, your organization can succeed in developing a workable system that best suits your patients’ needs and your overall vision for improved population health.

[1] North Carolina’s Quality Strategy for Medicaid Managed Care, pg 5, March 20, 2018.
[2] The Department defines “priority populations” as: enrollees with Long Term Services and Supports (LTSS) needs; Adults and children with Special Health Care Needs; Individuals identified by the Prepaid Health Plan (PHP) as at Rising Risk; Individuals with high unmet resource needs; At-risk Children (0-5); High-Risk Pregnant Women; and other priority populations as determined by the PHP.