86 Cards in this Set

  • Front
  • Back
Meaningful use
-using certified EHR technology for: Improve quality, safety, efficiency, and reduce health disparities
-Engage patients and families in their health care
-Improve care coordination
-Improve population and public health
-All the while maintaining privacy and security
The American Recovery and Reinvestment Act of 2009 (ARRA)
Act specifies 3 main components of Meaningful Use
3 main components of Meaningful Use part 1
-The use of a certified EHR in a meaningful manner, such as e-prescribing.
-The use of certified EHR technology for electronic exchange of health information to improve quality of health care.
3 main components of Meaningful Use part 2
-The use of certified EHR technology to submit clinical quality and other measures.
meaningful use
providers need to show they're using certified EHR technology in ways that can be measured significantly in quality and in quantity
CMS EHR Meaningful Use Criteria Summary
staged in three steps over the course of the next five years.
Stage 1
Stage 2
Stage 3
CMS EHR Meaningful Use Criteria Summary part 1
Stage 1 (2011 and 2012) sets the baseline for electronic data capture and information sharing.
-Stage 2 expected to be implemented in 2013
Stage 3
(expected to be implemented in 2015) will continue to expand on this baseline and be developed through future rule making
Meaningful Use
Stage 1
(2011-2012) Data Capture and Sharing
Meaningful Use
Stage 2
(2014) Advance Clinical Processes
Meaningful Use
Stage 3
(2016) Improved Outcomes (EBM focus on best practices)
Meeting Meaningful Use Requirements
To qualify for incentive payments, meaningful use requirements must be met in the following ways:
Medicare EHR Incentive Program
Medicaid EHR Incentive Program
Meeting Meaningful Use Requirements
Medicare EHR Incentive Program
Eligible professionals, eligible hospitals, and critical access hospitals (CAHs) must successfully demonstrate meaningful use of certified electronic health record technology every year they participate in the program. (65 and older and disabled)
Meeting Meaningful Use Requirements
Medicaid EHR Incentive Program
EPs and eligible hospitals qualify for incentive payments if they adopt, implement, upgrade or demonstrate meaningful use in their 1st year of participation. They must successfully demonstrate MU for subsequent participation years.
MEANINGFUL USE part 1
-Adopted: Acquired and installed certified EHR technology. (show evidence of installation.)
-Implemented: Began using certified EHR technology. (provide staff training or data entry of patient demographic information into EHR.)
MEANINGFUL USE part 2
-Upgraded: Expanded existing technology to meet certification requirements. (For example, upgrade to certified EHR technology or add new functionality to meet the definition of certified EHR technology.)
Requirements for Stage 1 of Meaningful Use part 1
Meaningful use includes both a CORE SET and a MENU SET OF OBJECTIVES that are specific to EP or eligible hospitals and CAHs.
Requirements for Stage 1 of Meaningful Use part 2
For EPs, there are a total of 25 MU objectives. To qualify for an incentive payment, 20 of these 25 objectives must be met.
-There are 15 required core objectives.
Requirements for Stage 1 of Meaningful Use part 3
-The remaining 5 objectives may be chosen from the list of 10 menu set objectives.
-EPs must report on 6 total Clinical Quality Measures (3 required core measures; 3 out of 38 from additional set)
Requirements for Stage 1 of Meaningful Use part 4
-For ELIGIBLE HOSPITALS AND CAHS, there are a total of 24 meaningful use objectives. To qualify for an incentive payment, 19 of these 24 objectives must be met.
-There are 14 required core objectives.
Requirements for Stage 1 of Meaningful Use part 5
-The remaining 5 objectives may be chosen from the list of 10 menu set objectives.
-Eligible hospitals and CAHs must report on all 15 of their Clinical Quality Measures.
MEANINGFUL USE
Clinical Quality Measures [CQM] part 1
-CQMs can be measures of processes, experiences and/or outcomes of patient care, observations or treatment that relate to one or more quality aims for health care such as effective, safe, efficient, patient-centered, equitable, and timely care.
MEANINGFUL USE
Clinical Quality Measures [CQM] part 2
-CQMs help CMS ensure that quality health care is delivered to Medicare beneficiaries and Medicaid recipients.
-CQMs provide a standardized means of measuring and comparing delivery of care.
MEANINGFUL USE
CQM Reporting Requirements part 1
EPs must complete 3 of the following:
-Hypertension – Blood Pressure Measurement
-Preventive Care and Screening Measure Pair
-Tobacco Use Assessment
-Tobacco Cessation Intervention
MEANINGFUL USE
CQM Reporting Requirements part 2
-Adult Weight Screening and Follow up
-Weight Assessment and Counseling for Children and Adolescents
-Preventive Care and Screening
-Influenza Immunization for Patients > aged 50
MEANINGFUL USE
CQM Reporting Requirements part 3
-Childhood Immunization Status
-EPs must also complete 3 of the 38 listed in the additional set
MEANINGFUL USE
-Reporting of CQM
2011 – Eligible Professionals seeking to demonstrate meaningful use are required to submit aggregate CQM numerator, denominator, and exclusion data to CMS or the States by Attestation
MEANINGFUL USE
-Reporting of CQM
2012 – Eligible Professionals seeking to demonstrate meaningful use are required to electronically submit aggregate CQM numerator, denominator, and exclusion data to CMS or the States
Eligible Professionals Must Complete ALL 15 Core Objectives
1.Computerized Provider Order Entry (CPOE)
2.E-Prescribing (eRx)
3.Report
4.Implement one clinical decision support rule
Eligible Professionals Must Complete ALL 15 Core Objectives
5.Provide patients with an electronic copy of their health information, upon request
6.Provide clinical summaries for patients for each office visit
7.Drug-drug and drug-allergy interaction checks
Eligible Professionals Must Complete ALL 15 Core Objectives
8.Record demographics
9.Maintain an up-to-date problem list of current and active diagnoses
10.Maintain active medication list
11.Maintain active medication allergy list
Eligible Professionals Must Complete ALL 15 Core Objectives
12.Record and chart changes in vital signs
13.Record smoking status for patients 13 years or older
14.Capability to exchange key clinical information among providers of care
15.Protect electronic health information
Eligible Professionals Must Complete 5 Out of 10 Set Objectives
1.Drug formulary checks
2.Incorporate clinical lab test results as structured data
3.Generate lists of patients by specific conditions
4.Send reminders to patients per patient preference for preventive/follow up care
Eligible Professionals Must Complete 5 Out of 10 Set Objectives
5.Provide patients with timely electronic access to their health information
6.Use certified EHR technology to identify patient-specific education resources and provide to patient, if appropriate
Eligible Professionals Must Complete 5 Out of 10 Set Objectives
7.Medication reconciliation
8.Summary of care record for each transition of care/referrals
9.Capability to submit electronic data to immunization registries/systems*
Eligible Professionals Must Complete 5 Out of 10 Set Objectives
10. Capability to provide electronic syndromic surveillance data to public health agencies*
HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT (HIPAA)
Passed in 1996 – laid much of the groundwork for the privacy and security measures adopted within HIT today
HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT (HIPAA)
-Directions on how patient data was used and made available when patients switched physicians or insurers
Included two (2) major rules covering privacy and security
HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT (HIPAA)
-COVERED ENTITIES:
Health Plans – Health insurers, HMOs, Company health plans, Government programs such as Medicare & Medicaid
HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT (HIPAA)
-COVERED ENTITIES:
Health Care Providers – Most doctors, Clinics, Hospitals, Psychologists, Chiropractors, Nursing homes, Pharmacies, Dentists
HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT (HIPAA)
-COVERED ENTITIES:
-Health Plans – Health insurers, HMOs, Company health plans, Government programs such as Medicare & Medicaid
-Health Care Clearinghouses
ORGANIZATIONS USING PHI BUT NOT A COVERED ENTITY
-Life insurers, Employers, Workers compensation carriers, Schools and school districts, State Agencies like Child Protective Service Agencies, Law enforcement agencies, Municipal offices
HIPAA
-Patient data and personal information MUST be protected according to the SECURITY RULE
-Applies to ALL personal health information (PHI)
Personal health information (PHI)
-Hard copy records
-Electronic personal health information (ePHI) stored on computing systems
-Verbal discussion between medical professionals
CONSUMER RIGHTS: part 1
-Ask to see and get a copy of their health records
-Have corrections added to their health information
-Receive a notice that discusses how health information may be used and shared
CONSUMER RIGHTS: part 2
-Provide permission on whether health information can be used or shared for certain purposes, such as for marketing
•Get reports on when and why health information was shared for certain purposes
CONSUMER RIGHTS: part 3
-File a complaint with a provider, health insurer and/or the U.S. Government if patient rights are being denied or health information is not being protected
Privacy Rule permits de-identifying data by removing the following 18 identifiers
part 1
All geographic subdivisions smaller than a state, including street address, city, county, precinct, ZIP Code, and their equivalent geographical codes
Privacy Rule permits de-identifying data by removing the following 18 identifiers
part 2
All elements of dates (except year) directly related to an individual, including DOB, admission date, discharge date, death; and all ages over 89 and all
Privacy Rule permits de-identifying data by removing the following 18 identifiers
part 3
elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
Privacy Rule permits de-identifying data by removing the following 18 identifiers
part 4
-Telephone numbers
-Facsimile numbers
-Electronic mail addresses
-Social security numbers
-Medical Record number
Privacy Rule permits de-identifying data by removing the following 18 identifiers
part 5
-Health plan beneficiary numbers
-Account numbers
-Certificate/license numbers
-Vehicle identifiers and serial numbers, including license plate numbers
Privacy Rule permits de-identifying data by removing the following 18 identifiers
part 6
-Device identifiers and serial numbers
-Web universal resource locators
-Biometric identifiers, including fingerprints and voiceprints
Privacy Rule permits de-identifying data by removing the following 18 identifiers
part 7
-Full-face photographic images and any comparable images
-Any other unique identifying number, characteristic, or code, unless otherwise permitted by the Privacy Rule for re-identification
Covered Entity Permitted Uses and Disclosure According to the Privacy Rule part 1
•To the individual
•For treatment, payment or health care operations
•Uses and disclosures with opportunity to agree or object
•Facility directories; For notification and other purposes
Covered Entity Permitted Uses and Disclosure According to the Privacy Rule part 2
•Incidental use and disclosure
•Public interest and benefit activities
•Required by law; Public health activities; Victims of abuse, neglect or domestic violence; Health oversight activities; Judicial and administrative proceedings; Law enforcement purposes;
Covered Entity Permitted Uses and Disclosure According to the Privacy Rule part 3
Decedents; Cadaveric organ, eye, or tissue donation; Research; Serious threat to health or safety; Essential government function; Worker’s compensation
•Limited data set
ADMINISTRATIVE REQUIREMENTS: part 1
Administrative requirements were established by the Privacy Rule to ensure that all covered entities, regardless of size or organization, met a minimum standard for protecting patient privacy and permitting patients to exercise their rights.
ADMINISTRATIVE REQUIREMENTS: part 2
•Develop and implement written privacy policies and procedures
•Designate a privacy official
•Workforce training and management
•Mitigation strategy for privacy breaches
ADMINISTRATIVE REQUIREMENTS: part 3
•Data safeguards - administrative, technical, and physical
•Designate a complaint official and procedure to file complaints
ADMINISTRATIVE REQUIREMENTS: part 4
•Establish retaliation and waiver policies and restrictions
•Documentation and record retention - six years
•Fully-insured group health plan exception
ADMINISTRATIVE REQUIREMENTS: part 5
Focuses on policy and procedures
HIPAA SECURITY FOR COVERED ENTITIES
ADMINISTRATIVE SAFEGUARDS
PHYSICAL SAFEGUARDS
TECHNICAL SAFEGUARDS
HIPAA SECURITY FOR COVERED ENTITIES
ADMINISTRATIVE SAFEGUARDS
-Security management processes to reduce risks and vulnerabilities
-Security personnel responsible for developing and implementing security policies
HIPAA SECURITY FOR COVERED ENTITIES
ADMINISTRATIVE SAFEGUARDS
-Information access management - minimum access necessary to perform duty
-Workforce training and management
-Evaluation of security policies and procedures
HIPAA SECURITY FOR COVERED ENTITIES
PHYSICAL SAFEGUARDS
-Facility access and control limiting physical access to facilities
-Workstation and device security policies and procedures covering transfer, removal, disposal, and re-use of electronic media
HIPAA SECURITY FOR COVERED ENTITIES
-Access controls that restrict access to authorized personnel
-Audit controls for hardware, software, and transactions
-Integrity controls to ensure data is not altered or destroyed
-Transmission security to protect against unauthorized access to data transmitted on networks and via email
10 BIGGEST HIPAA SECURITY BREACHES IN THE U.S.
Since the 2009 Breach Notification Rule included in the HITECH Act, 489 HIPAA-covered entities have reported breaches involving 500 individuals or more….
10.EISENHOWER MEDICAL CENTER
Individuals Affected: 514,330 When: March 11, 2011
EISENHOWER MEDICAL CENTER, Rancho Mirage, Calif.: an unencrypted computer was stolen, containing patient names, ages, DOB, partial Social Security numbers and the hospital’s medical record number. The theft was not discovered until March 14, 2011.
9.UTAH DEPARTMENT OF HEALTH
Individuals Affected: 780,000 When: March 10, 2012
Unlike the other top breaches, Utah Department of Health confirmed that a server containing personal health information had been actively hacked into. Officials reported that thieves had begun removing information from the server.
9.UTAH DEPARTMENT OF HEALTH
Individuals Affected: 780,000 When: March 10, 2012
Addresses, dates of birth, SSN, diagnosis codes, NPI numbers, billing codes and taxpayer identification numbers were all included on the server. The Utah Department of Technology Services shut down the server when the breach was discovered on April 2,
9.UTAH DEPARTMENT OF HEALTH
Individuals Affected: 780,000 When: March 10, 2012
2012. The breach had occurred more than one month earlier. One year of free credit monitoring and identity theft insurance was extended to those affected.
8.SOUTH SHORE HOSPITAL
Individuals Affected: 800,000 When: Feb. 26, 2010 Settlement: $750,000 to the state of Massachusetts The 318-bed, Weymouth, Mass.-
hospital shipped 3 boxes containing 500 unencrypted back-up computer tapes with protected health information (PHI) to be erased by Archive Data Solutions. The boxes then went missing, and only one has since been recovered.
7.SUTTER MEDICAL FOUNDATION
Individuals Affected: 943,434 When: Oct. 15, 2011 Settlement: 11 total lawsuits could amount to between $944 million and $4.25 billion The Sutter Health Sacramento, Calif.-
based affiliate reported the theft of a company desktop computer containing clinical data and medical diagnoses information of patients. Moreover, the computer also contained limited demographic data of more than 3.3 million additional individuals.
6.BLUE CROSS BLUE SHIELD OF TENNESSEE
Individuals Affected: 1,023,209 When: Oct. 2, 2009 Settlement: $1.5 million to U.S. Department of Health and Human Services
Chattanooga, Tenn.-
health insurer reported stolen 57 unencrypted computer hard drives from one of the company’s leased facilities. The hard drives contained member demographic information in addition to
6.BLUE CROSS BLUE SHIELD OF TENNESSEE
Individuals Affected: 1,023,209 When: Oct. 2, 2009 Settlement: $1.5 million to U.S. Department of Health and Human Services
Chattanooga, Tenn.-
SSN, diagnosis codes and health plan identification numbers. BCBST paid over $6 million for additional data encryption, and spent nearly $17 million for protection, investigation and member notification.
6.BLUE CROSS BLUE SHIELD OF TENNESSEE
Individuals Affected: 1,023,209 When: Oct. 2, 2009 Settlement: $1.5 million to U.S. Department of Health and Human Services
Chattanooga, Tenn.-
The settlement paid to the HHS was the first enforcement action resulting from HITECH Breach Notification Rule.
5. THE NEMOURS FOUNDATION
Individuals Affected: 1,055,489 When: August 10, 2011
The foundation reported that three unencrypted backup tapes in a locked storage cabinet went missing from its Wilmington, Del. facility. The tapes contained patient names, addresses, dates of birth, Social Security numbers and personal health information.
5. THE NEMOURS FOUNDATION
Individuals Affected: 1,055,489 When: August 10, 2011
Employee, vendor and patient guarantor financial and demographic information were also included on the tape. The foundation offered individuals affected one year of free credit monitoring and credit protection.
4.AVMED, INC.
Individuals Affected: 1,220,000 When: December 10, 2009
The Miami, Fla.
based health insurer reported stolen 2 unencrypted laptops containing member names, DOB, addresses, SSN and PHI. Both laptops were reported missing from a locked conference room.
4.AVMED, INC.
Individuals Affected: 1,220,000 When: December 10, 2009
The Miami, Fla.
Despite the breach occurring in 12/2009, the company waited until 2/2010 to notify members affected. The number of patients affected by the breach was initially pegged at 208,000; however, that number shot up to 1.22 million by June 2010.
3.NY CITY HEALTH & HOSPITALS CORP’S NORTH BRONX HEALTHCARE NETWORK
Individuals Affected: 1,700,000 When: Dec. 23, 2010
based health network reported 2 back-up tapes for 2 computer systems stolen from a vendor truck parked on a Manhattan street. The tapes contained 20 years of PHI of both employees, vendors and patients.
3.NY CITY HEALTH & HOSPITALS CORP’S NORTH BRONX HEALTHCARE NETWORK
Individuals Affected: 1,700,000 When: Dec. 23, 2010
The Bronx Healthcare Network includes Jacobi Medical Center, North Central Bronx Hospital, the Health Center at Gun Hill and the Health Center at Tremont. One year of free credit monitoring was provided to individuals affected.
2.HEALTH NET, INC.; Individuals Affected: 1,900,000 When: January 21, 2011; reported Mar. 14, 2011
The Woodland Hills, Calif
The company offered two years of free identity and fraud protection and identity theft insurance.
HI Company lost nine server drives in 1/2011 and waited two months to report the breach. The servers contained the SSNs, names, addresses, and health information of Health Net employees, members and providers.
1.TRICARE MANAGEMENT ACTIVITY
Individuals Affected: 4,901,432 When: Sep. 14, 2011 Settlement: $4.9 billion sought in filed class-action lawsuit
biggest HIPAA data breaches, lost back-up tapes containing personally identifiable and PHI from military beneficiaries’ EHR. According to officials, back-up tapes may have contained patient addresses, phone numbers, SSN, clinical data
3 PILLARS OF INFORMATION SECURITY
Confidentiality
Integrity
Availability