LAN Systems
July/August 2009
Medical Team
Greetings!  
 
When you give your driver's license or credit card to someone, do you wonder if it's really safe? Carelessness with your personal information can be as much of a threat to your identity as the scoundrel trolling for victims.  Experts tell us to analyze security threats, vulnerabilities and consequences. But even if we are vigilant about protecting our confidential data, there is no guarantee that third parties will provide the same level of security.
 
Starting August 1, healthcare institutions and medical practices must comply with the Red Flag Rules. These requirements are intended to detect, prevent, and mitigate instances of identity theft, including medical identity theft. The term "creditor" is broadly applied in the requirement and includes practices that may not consider themselves creditors. The FTC How-To Guide for Business includes guidance.
 
See our guest article by expert Michael Hill on Identity Theft and Employer Liability.
 
In this issue, we continue with our discussion of Top IT Trends of 2009 with a HITECH Stimulus Update.  If you have an idea, article or topic, please send it to MedIT@lansystems.com.
 
HITECH Stimulus Update

On June 16, 2009, the Health IT Policy Committee work group released its initial recommendations for defining "meaningful use" of electronic health records to qualify for federal incentive programs. National Coordinator for Health IT David Blumenthal stated that the June 16th discussions on meaningful use are the "beginning of a conversation that is going to last for some time" (Merrill, Healthcare IT News, 6/16). The Committee revised the "meaningful use" objectives in early July. Although the work group's recommendations do not include a formal definition of meaningful use, they offer 28 objectives for EHRs by 2011. With an overall goal to "electronically capture in coded format and to report health information and to use that information to track key clinical conditions," the existing plan includes ten Care Goals:
  • Provide access to comprehensive patient health data for patient's health care team;
  • Use evidence-based order sets and CPOE;
  • Apply clinical decision support at the point of care;
  • Generate lists of patients who need care and use them to reach out to patients (e.g., reminders, care instructions, etc);
  • Report to patient registries for quality improvement, public reporting, etc.;
  • Provide patients and families with access to data, knowledge, and tools to make informed decisions and to manage their health;
  • Exchange meaningful clinical information among professional health care team;
  • Communicate with public health agencies;
  • Ensure privacy and security protections for confidential information through operating policies, procedures, and technologies and compliance with applicable law;
  • Provide transparency of data sharing to patient.

Following the release of the initial recommendations, some critics question the sheer mass of 22 objectives to be met within such a short period of time. The revised objectives now number 28. Many practices would prefer to wait for EHR implementation until they have the final version of the government-approved "meaningful use" objectives. Even if the Health IT Policy Committee meets its timeline of completing the final version of "meaningful use" objectives by the end of the 2009 year, that leaves only one year for EHR vendors and physicians to ensure they have the certified tool implemented by 2011.
 
Additionally, one of the main criteria for "meaningful use" is "exchange of critical information." However, as yet, no standard exists for this exchange. Again, vendors must develop and test the software to comply with the criteria, while preparing to meet the additional objectives for 2013 and 2015. Another critical issue is measurement: how is the HHS/ONC going to measure accomplishment of these objectives? Obviously, there is still a great deal of detail and planning required before practices can be assured that they are implementing the tools to successfully qualify for the Stimulus funds.
 
The 28 objectives are provided in a published matrix, along with the first draft of recommended objectives through 2015.  The 2011 objectives are as follows: 
  • Use CPOE for all orders
  • Implement drug-drug, drug-allergy, drug-formulary checks
  • Maintain an up-to-date problem list of current and active diagnoses based on ICD-9 or SNOMED
  • Generate and transmit permissible prescriptions electronically (eRX)
  • Maintain active medication list
  • Maintain active medication allergy list
  • Record demographics:
    o   Preferred language
    o   Insurance type
    o   Gender
    o   Race
    o   Ethnicity
  • Record advance directives
  • Record vital signs:
    o   Height
    o   Weight
    o   Blood pressure
    o   Calculate and display BMI
  • Record smoking status
  • Incorporate lab-test results into EHR as structured data
  • Generate lists of patients by specific conditions to use for quality improvement, reduction of disparities, and outreach
  • Report ambulatory quality measures to CMS
  • Send reminders to patients per patient preference for preventive/follow up care
  • Implement one clinical decision rule relevant to specialty or high clinical priority
  • Document a progress note for each encounter
  • Check insurance eligibility electronically from public and private payers, where possible
  • Submit claims electronically to public and private payers
  • Provide patients with an electronic copy of their health information (including lab results, problem list, medication lists, allergies) upon request
  • Provide patients with timely electronic access to their health information (including lab results, problem list, medication lists, allergies)
  • Provide access to patient-specific education resources
  • Provide clinical summaries for patients for each encounter
  • Capability to exchange key clinical information (e.g. problem list, medication list, allergies, test results), among providers of care and patient authorized entities electronically
  • Perform medication reconciliation at relevant encounters and each transition of care
  • Capability to submit electronic data to immunization registries and actual submission where required and accepted
  • Capability to provide electronic syndromic surveillance data to public health agencies and actual transmission according to applicable law and practice
  • Compliance with HIPAA Privacy and Security Rules
  • Compliance with fair data sharing practices set forth in the Nationwide Privacy and Security Framework
Identity Theft and Employer Liability
By Michael Hill
 
What do you think of when someone says "Identity Theft"?
 
Most people think of credit reports, credit cards and bank accounts. We see television commercials pushing "free credit reports" to solve the problem. Banks and credit card companies are bragging about their theft deterrence systems and zero liability programs. There's even one company that will "guarantee" your identity will not be stolen!

Unfortunately, it's just not that simple. The fact is there is no realistic way to stop identity theft in the world we live in today. Here's why:

FIRST, our personal information is already irretrievably "out there", in the hands of hundreds (maybe thousands) of businesses, schools, healthcare providers and government agencies. We are all literally at the mercy of those organizations to keep our information safe.

SECOND, while financial Identity Theft can be devastating, it's only a small part of the story. Almost 75% of all Identity Theft is in other areas: your driver's license, your Social Security number, your medical information (the fastest growing area of ID theft), and Criminal ID theft (crimes committed in your name). And many of the trends in today's society (like immigration, the weak economy, the credit crisis, and the health insurance crisis) are throwing gasoline on the Identity Theft fire.

IDENTITY THEFT AT WORK

But Identity Theft is not only an issue affecting individuals. As awareness grows, companies across the country in virtually all industries are facing new laws and liability risks. With over 51% of data breaches occurring in the workplace, the FTC perceives the behavior of companies in protecting the personal information entrusted to them as the predominant cause of identity theft risk, and the only area where they can force improvement.

 

Identity Theft is not just about someone else. It is about a company, their employees' and their customers' DATA. It is about a problem that has gone ballistic. And the government has said, since they can't stop it, employers must now become responsible for the data they handle. It is the fastest growing white collar crime in America and is now more profitable than illegal drug trafficking. Every week, we now see extensive publicity surrounding substantial security breaches, in all kinds of industries, from small and large companies.

 

Just this year, the law of identity theft changed dramatically, and we can expect more laws to continue and expand. One such law went into effect on Jan. 1, 2008 with mandatory compliance by August 1, 2009. This law, the FACTA Red Flag Rule, is a provision of the Fair and Accurate Credit Transactions Act of 2003. The Red Flag Rule is designed to strike at identity theft in its earliest stages and requires virtually every company to develop and deploy an Identity Theft Prevention Program that detects, prevents and mitigates Identity Theft. Plus, the law directs that businesses be sure that the companies they do business with also have a plan in place. That's why everyone will soon be hearing about the rules.

 

In order to have a credible legal defense, business owners must educate themselves and their employees on the applicable data breach & identity theft laws and take proactive steps to change the behavior of their company and their employees regarding the handling of sensitive information. 

 

YOUR AFFIRMATIVE DEFENSE 

1. Appoint (or re-appoint), in writing, an Information Security Officer

2. Develop a written plan and policy to protect all non-public information for employees and customers including identity theft red flags

3. Hold mandatory training meetings for all employees

4. Oversee service provider arrangements: before outsourcing any of your business functions (payroll, web hosting, data processing, insurance, cleaning company, CPA, attorney, BAs, etc.), investigate the company's data security practices. Your liability follows your data.

5. Mitigation plan for employees and/or customers

  

Michael Hill is a Certified Identity Theft Risk Management Specialist, Privacy Professional and professional speaker who specializes in assisting businesses with compliance obligations in these areas. You may contact him at (404) 216-3751 or by email at mhill@databreachexperts.com; WWW.IDTHEFT101.NET; Twitter: @idtexpert

Spyware removal & registry protection
 
We like Advanced SystemCare for spyware removal and registry protection.  Download the free version or you can purchase Pro from their website.
 
If you have a chronic infection that requires help or just have questions, contact the LAN Systems Helpdesk at 770 662-0312.  Just call - we'll be there!
 
  eNewsletter for the HealthCare Community 

Technology
Solutions and Services for the business side of medicine

EHR and Practice Management
Consulting
Setting solution goals
Functionality requirements
System selection
Implementation planning
Ongoing technology review
 
Virtual Chief Technology Officer (vCTO)
Virtual Chief Technology Officer expertise to align practice and IT strategy
Set IT goals
Manage IT costs
Plan for growth
 
Architecture Review
Assess system needs
Define objectives 
Recommend upgrades
 
System Installation
Hardware implementation
Software implementation
LAN / WAN Design & Integration
Turn key installation and testing
 
Support Services
Packages with on-site, remote and HelpDesk support 
24 x 7 maintenance
Security
Virus protection 
Printer repair
 
Internet Solutions
High-Speed Practice Internet Access
Practice Email
Web design & hosting
Wi-Fi HotSpots
 
Emergency Services
Server, network, hardware
Business critical software


