05 Aug Please read ‘Case 16: The admitting system crashes’ on page 506-507?of the textbook and discuss either question 1 or question 2?at the end of the case.

Chapter Ten

Performance Standards and Measures

Health Care Information Systems: A Practical Approach for Health Care Management

Karen A. WagerIFrances Wickham LeeIJohn P. Glaser

Health Care Information Systems: A Practical Approach for Health Care Management, 4th editionK. WagerIF. LeeIJ. Glaser

• To explain the significant role of health information in national private andpublic quality improvement initiatives
• To compare and contrast licensure, certification, and accreditation processes
• To discuss the role of the Joint Commission and the National Committee forQuality Assurance in ensuring the quality of care in the US
• To understand performance measurement development in the US
• To identify the roles of specific public and private organizations in thedevelopment and endorsement of national performance measures
• To understand the origins and uses of major health care comparative data sets

Health Care Information Systems: A Practical Approach for Health Care Management, 4th editionK. WagerIF. LeeIJ. Glaser

Learning Objectives

Health Care Information Systems: A Practical Approach for Health Care Management, 4th editionK. WagerIF. LeeIJ. Glaser

• Licensure, certification, and accreditation
• The Joint Commission
• National Committee for Quality Assurance (NCQA)
• Data sources for quality measures
• Comparative health care data sets
• Quality improvement

• –Federal initiatives
• –CMS initiatives

Outline

Health Care Information Systems: A Practical Approach for Health Care Management, 4th editionK. WagerIF. LeeIJ. Glaser

• Licensure

• –The process that gives a facility legal approval to operate
• –State governments oversee the licensure of health care facilities

• Certification

• –Gives a health care organization the authority to participate in the federalMedicare and Medicaid programs
• –CMS developed minimum standards, conditions of participation (CoPs)

• Accreditation

• –Voluntary, external review process
• –Financial and legal incentives for accredited organizations

Definitions

Health Care Information Systems: A Practical Approach for Health Care Management, 4th editionK. WagerIF. LeeIJ. Glaser

• An independent, not-for-profit organization
• Best-known health care accrediting agency in the US
• Site-surveys every 3 years(2 years for laboratories)
• Standards manuals are publishedannually
• Categories of accreditation

1. Preliminary accreditation
2. Accreditation
3. Accreditation with follow-up survey

The Joint Commission

1. Contingent accreditation
2. Preliminary denial of accreditation
3. Denial of accreditation

Health Care Information Systems: A Practical Approach for Health Care Management, 4th editionK. WagerIF. LeeIJ. Glaser

• Record of Care (RC), Treatment, and Services Standards

• –Content needed for a complete health record, regardless of its format

• Information Management (IM) Standards

• –Apply to bothnoncomputerizedsystems and systems with the latesttechnologies

StandardsThe Joint Commission

Health Care Information Systems: A Practical Approach for Health Care Management, 4th editionK. WagerIF. LeeIJ. Glaser

• National Committee for Quality Assurance (NCQA)
• Leading accrediting body for health plans

• –Quality management and improvement
• –Utilization management
• –Credentialing andrecredentialing
• –Member’s rights and responsibilities
• –Member connections
• –Medicaid benefits and services
• –Health effectiveness data and information set (HEDIS)

NCQA

Health Care Information Systems: A Practical Approach for Health Care Management, 4th editionK. WagerIF. LeeIJ. Glaser

• Crossing the Quality Chasm

• –Published in 2001 by Institute of Medicine (IOM)
• –Outlined 6 aims for establishing quality health care

• Safe
• Effective
• Patient-centered
• Timely
• Efficient
• Equitable

Quality of Care

Health Care Information Systems: A Practical Approach for Health Care Management, 4th editionK. WagerIF. LeeIJ. Glaser

• Administrative Data

• –Claims databases

• Disease registries

• –Data on patients with specific conditions

• Health records

• –Detailed patient information

• Qualitative data

• –Patient surveys or interviews

Quality CareData Sources for Measures

Health Care Information Systems: A Practical Approach for Health Care Management, 4th editionK. WagerIF. LeeIJ. Glaser

• HEDIS

• –Set of health care performance measures
• –90% of health plans in the US collect and report HEDIS data

• Clinicalquality measures (CQMs)

• –Identified and updated by CMS each year
• –Developed by private organizations, health care societies,collaboratives,alliances, and government agencies
• –Required for accreditation by the Joint Commission

Quality CareMeasurement Development

Health Care Information Systems: A Practical Approach for Health Care Management, 4th editionK. WagerIF. LeeIJ. Glaser

• Comparative health data sets

• –Benchmarking: comparing one or more performance measures against astandard

• Patient satisfaction data sets

• –Survey data
• –Agency for Healthcare Research and Quality (AHRQ)

• Consumer Assessment of Healthcare Providers and Systems (CAHPS) program

• Practice patterns data set

• –Dartmouth Atlas: interactive, online tool funded by the Dartmouth Institutefor Health Policy and Clinical Practice

Data Sets

Health Care Information Systems: A Practical Approach for Health Care Management, 4th editionK. WagerIF. LeeIJ. Glaser

• Clinical data sets

• –Quality Check: established by the Joint Commission
• –Hospital Compare: sponsored by CMS

• Comparative data for health plans

• –NCQA health care report cards
• –Accessible athttp://reportcard.ncqa.org

Data Sets

Health Care Information Systems: A Practical Approach for Health Care Management, 4th editionK. WagerIF. LeeIJ. Glaser

• Patient Safety Act

• –Patient safety organizations (PSOs): responsible for the collection andanalysis of health information that is referred to in the Final Rule as patientsafety work product (PSWP)
• –PSWP: contains identifiable patient information covered by specificprivilege and confidentiality protections

• Incidents
• Near misses (or close calls)
• Unsafe conditions

• –Common formats: established by AHRQ to help providers uniformly reportpatient safety events

Quality ImprovementFederal Initiatives

Health Care Information Systems: A Practical Approach for Health Care Management, 4th editionK. WagerIF. LeeIJ. Glaser

• National Quality Strategy (NQS)

• –Established by the Affordable CareAct
• –3 broad aims

• Better care
• Healthy people/healthycommunities
• Affordable care

• –“Levers” to ensure alignment withthe NQS

• Measurement and feedback
• Public reporting
• Learning and technical assistance
• Certification, accreditation, regulation
• Consumer incentives & benefit designs
• Payment
• Health information technology
• Innovation and diffusion
• Workforce development

Quality ImprovementFederal Initiatives

Health Care Information Systems: A Practical Approach for Health Care Management, 4th editionK. WagerIF. LeeIJ. Glaser

• Original value-based programs were an attempt to link performance onendorsed quality measures to reimbursement

• –Hospital value-based purchasing (HVBP)
• –Hospital readmissions reduction (HRR)
• –Hospital-acquired conditions (HAC)
• –Value modifier (VM) (or Physician value-based modifier [PVBM])

• The Medicare Access and CHIP Reauthorization Act (MACRA)

• –Enacted in 2015
• –Streamlines quality programs under the Merit-based Incentive PaymentSystem (MIPS)

Quality ImprovementCMS Programs

Health Care Information Systems: A Practical Approach for Health Care Management, 4th editionK. WagerIF. LeeIJ. Glaser

• Licensure, certification, andaccreditation
• The Joint Commission
• National Committee for QualityAssurance (NCQA)
• Datasources for qualitymeasures

• –Administrative data
• –Disease registries
• –Health records
• –Qualitative data

• Measurement development

• –HEDIS
• –CQMs

• Comparativehealth care datasets

• –Benchmarking
• –Patient satisfaction
• –Practice patterns
• –Clinical data
• –Comparative data for health plans

Summary

Health Care Information Systems: A Practical Approach for Health Care Management, 4th editionK. WagerIF. LeeIJ. Glaser

• Qualityimprovement

• –Federalinitiatives

• Patient Safety Act
• Patient safety workproduct (PSWP)
• National Quality Strategy (NQS)

• –CMSinitiatives

• Value-based programs
• MACRA

• –MIPS

Summary

,

Chapter Nine

Privacy and Security

Health Care Information Systems: A Practical Approach for Health Care Management

Karen A. WagerIFrances Wickham LeeIJohn P. Glaser

Health Care Information Systems: A Practical Approach for Health Care Management, 4th editionK. WagerIF. LeeIJ. Glaser

• Distinguish among privacy, confidentiality, and security as they relate to healthinformation
• Identify the purpose of the Privacy Act of 1974 and 42 C.F.R. Part 2,Confidentiality of Substance Abuse Patient Records
• Describe and discuss the impact of the HIPAA Privacy, Security, and BreachNotification rules
• Identify threats to health care information and information systems caused byhumans (intentional and unintentional), natural causes, and the environment
• Understand the purpose and key components of the health care organizationsecurity program and the need to mitigate security risks
• Discuss the increased need for and identify resources to improve cybersecurityin health care organizations

Health Care Information Systems: A Practical Approach for Health Care Management, 4th editionK. WagerIF. LeeIJ. Glaser

Learning Objectives

Health Care Information Systems: A Practical Approach for Health Care Management, 4th editionK. WagerIF. LeeIJ. Glaser

Outline

• Privacy, confidentiality, and security
• Legal protection
• HIPAA

• –Privacy Rule
• –Security Rule
• –Breach Notification Rule

• Threats
• Cybersecurity
• NIST

Health Care Information Systems: A Practical Approach for Health Care Management, 4th editionK. WagerIF. LeeIJ. Glaser

Health Care Information Systems: A Practical Approach for Health Care Management, 4th editionK. WagerIF. LeeIJ. Glaser

• Privacy

• –An individual’s right to be left alone and to limit access to his or her healthcare information

• Confidentiality

• –Addresses the expectation that information shared with a health careprovider during the course of treatment will be used only for its intendedpurpose and not disclosed otherwise

• Security

• –The systems in place to protect health information and the systems withinwhich it resides

Definitions

Health Care Information Systems: A Practical Approach for Health Care Management, 4th editionK. WagerIF. LeeIJ. Glaser

• Federal HIPAA Privacy, Security, and Breach Notification rules
• State privacy laws
• Federal Trade Commission (FTC) Act consumer protection
• The Privacy Act of 1974

• –Protected patient confidentiality only infederally operatedhealth carefacilities

• Confidentiality and Substance Abuse Patient Records

• –Set stringent release of information standards, designed to protect theconfidentiality of patients seeking alcohol or drug treatment

Legal Protection

Health Care Information Systems: A Practical Approach for Health Care Management, 4th editionK. WagerIF. LeeIJ. Glaser

• 1996: Signed into law
• First comprehensive federal regulation to offer specific protection toprivate health information
• 2003: HIPAA Privacy Rule
• 2005: HIPAA Security Rule
• Defines covered entities (CE) to which these rules apply

HIPAA

Health Care Information Systems: A Practical Approach for Health Care Management, 4th editionK. WagerIF. LeeIJ. Glaser

• Defines PHI

• –Relates to a person’s physical ormental health, the provision ofhealth care, or the payment forhealth care
• –Identifies the person who is thesubject of the information
• –Is created or received by a coveredentity
• –Is transmitted or maintained in anyform (paper, electronic, or oral)

• 5major components

• –Boundaries
• –Security
• –Consumer control
• –Accountability
• –Public responsibility

Health Care Information Systems: A Practical Approach for Health Care Management, 4th editionK. WagerIF. LeeIJ. Glaser

HIPAA

Privacy Rule

Health Care Information Systems: A Practical Approach for Health Care Management, 4th editionK. WagerIF. LeeIJ. Glaser

• Written authorization required forallnonroutineuses or disclosureof PHI

• –School
• –Relative

• PHI can be released withoutpatient authorization in someinstances

• –Presence of a communicabledisease
• –Suspected child or adult abuse
• –Legal duty to warn of a clear andimminent danger from a patient
• –Bona fide medical emergency
• –Valid court order

Health Care Information Systems: A Practical Approach for Health Care Management, 4th editionK. WagerIF. LeeIJ. Glaser

HIPAA

Patient Authorization

Health Care Information Systems: A Practical Approach for Health Care Management, 4th editionK. WagerIF. LeeIJ. Glaser

• Elementsof a valid release form

1. Patient identification (name, DOB)
2. Name of person/entity to whom theinformation is being released
3. Description of specific healthinformation authorized for disclosure
4. Statement of reason/purpose of thedisclosure
5. Date, event, or condition which theauthorization will expire, unlessrevoked earlier
6. Statement that authorization issubject to revocation by patient/legalrepresentative
7. Patient’s/legal representative’ssignature
8. Signature date (must be after date ofencounter that produced theinformation to be released)

Health Care Information Systems: A Practical Approach for Health Care Management, 4th editionK. WagerIF. LeeIJ. Glaser

HIPAA

Patient Authorization

Health Care Information Systems: A Practical Approach for Health Care Management, 4th editionK. WagerIF. LeeIJ. Glaser

• GovernsePHI

• Protected health information maintained or transmitted in electronic form
• May be stored in any type of electronicmedia

• HIPAA Security Administrative Safeguards

1. Security management functions
2. Assigned security responsibility
3. Workforce security
4. Information access management
5. Security awareness andtraining

Health Care Information Systems: A Practical Approach for Health Care Management, 4th editionK. WagerIF. LeeIJ. Glaser

HIPAA

Security Rule

1. Security incident reporting
2. Contingency plan
3. Evaluation
4. Business associate contracts andother arrangements

Health Care Information Systems: A Practical Approach for Health Care Management, 4th editionK. WagerIF. LeeIJ. Glaser

• HIPAA Security PhysicalSafeguards

1. Facility access controls
2. Workstation use
3. Workstation security
4. Device and media controls

• Policies, Procedures, andDocumentation
• HIPAA Security TechnicalSafeguards

1. Access control
2. Audit controls
3. Integrity
4. Person or entity authentication
5. Transmission security

Health Care Information Systems: A Practical Approach for Health Care Management, 4th editionK. WagerIF. LeeIJ. Glaser

HIPAA

Security Rule

Health Care Information Systems: A Practical Approach for Health Care Management, 4th editionK. WagerIF. LeeIJ. Glaser

• Requires CEs and their business associates to provide notificationfollowing a breach ofunsecuredprotected health information

• –Unsecured: PHI that has not been rendered unusable, unreadable, orindecipherable to unauthorized persons through the use of a technologyor methodology specified by the Secretary in guidance
• –Secured: encrypted using a valid encryption process, or the media onwhich the PHI is sorted have been destroyed

Health Care Information Systems: A Practical Approach for Health Care Management, 4th editionK. WagerIF. LeeIJ. Glaser

HIPAA

Breach Notification Rule

Health Care Information Systems: A Practical Approach for Health Care Management, 4th editionK. WagerIF. LeeIJ. Glaser

• Who is notified?

• –Individuals affected
• –Health and Human Services Secretary (via the Office for Civil Rights)
• –Major media outlets

Health Care Information Systems: A Practical Approach for Health Care Management, 4th editionK. WagerIF. LeeIJ. Glaser

HIPAA

Breach Notification Rule

Health Care Information Systems: A Practical Approach for Health Care Management, 4th editionK. WagerIF. LeeIJ. Glaser

• Office for Civil Rights

• –Responsible for enforcing the HIPAA Privacy and Security rules

• State attorneys general

• –Given authority by HITECH to bring civil actions on behalf of the residentsof their state for HIPAA violations

Health Care Information Systems: A Practical Approach for Health Care Management, 4th editionK. WagerIF. LeeIJ. Glaser

HIPAA

Enforcement

Health Care Information Systems: A Practical Approach for Health Care Management, 4th editionK. WagerIF. LeeIJ. Glaser

• Tiered scheduled (both civil and criminal penalties)
• Civil penalties involve fines

• –Cannot be levied if resolved within a specified period of time

• Criminal penalties involve jail time (anywhere from 1 to 10 years)

Health Care Information Systems: A Practical Approach for Health Care Management, 4th editionK. WagerIF. LeeIJ. Glaser

HIPAA

Violation Penalties

Health Care Information Systems: A Practical Approach for Health Care Management, 4th editionK. WagerIF. LeeIJ. Glaser

• Human tampering threats

• –Intentional or unintentional
• –Internal or external

• Natural and environmental threats
• Environmental factors and technology malfunctions

Threats

Health Care Information Systems: A Practical Approach for Health Care Management, 4th editionK. WagerIF. LeeIJ. Glaser

• General term for software that is written to “infect” and subsequentlyharm a host computer system
• Commons forms of malware

• –Viruses: infects the host system and spreads itself
• –Trojans: designed to look like a safe program; steals personal informationor takes over the resources of the host computer
• –Spyware: tracks Internet activities assisting the hacker in gatheringinformation without consent
• –Worms: replicates itself and destroys files on the host computer
• –Ransomeware: encrypts and locks folders; demands money to unlock

Malware

Health Care Information Systems: A Practical Approach for Health Care Management, 4th editionK. WagerIF. LeeIJ. Glaser

1. Lead your culture, select your team, learn
2. Document your process, findings, and actions
3. Review existing security ofePHI/Perform security risk analysis
4. Develop an action plan
5. Manage and mitigate risks
6. Attest for meaningful use security related objectives
7. Monitor, audit, and update security on an ongoing basis

Security Management Process

Health Care Information Systems: A Practical Approach for Health Care Management, 4th editionK. WagerIF. LeeIJ. Glaser

1. Protect mobile devices
2. Maintain good computer habits
3. Use a firewall
4. Install and maintain antivirus software
5. Plan for the unexpected (i.e., create backups)
6. Control access to PHI
7. Use strong passwords
8. Limit network access
9. Control physical access

Cybersecurity

Health Care Information Systems: A Practical Approach for Health Care Management, 4th editionK. WagerIF. LeeIJ. Glaser

• National Institute of Standards and Technology (NIST)
• Developed a cybersecurity framework to reduce cyber attack risks

• –Framework Core (identify, protect, detect, respond, recover)
• –Framework implementation tiers
• –Framework profile

NIST

Health Care Information Systems: A Practical Approach for Health Care Management, 4th editionK. WagerIF. LeeIJ. Glaser

Summary

• Privacy, confidentiality, security
• HIPAA Privacy Rule

• –Authorization

• HIPAA Security Rule

• –Administrative safeguards
• –Physical safeguards
• –Technical safeguards
• –Policies, procedures,documentation

• HIPAA Breach Notification Rule
• HIPAA Enforcement

• –Office of Civil Rights
• –State attorney general

• Violation penalties

• –Fines and jail time

• Threats

• –Human
• –Natural
• –Environmental

Health Care Information Systems: A Practical Approach for Health Care Management, 4th editionK. WagerIF. LeeIJ. Glaser

Health Care Information Systems: A Practical Approach for Health Care Management, 4th editionK. WagerIF. LeeIJ. Glaser

Summary

• Malware

• –Viruses
• –Trojans
• –Spyware
• –Worms
• –Ransomware

• Security management process
• Tips for cybersecurity
• NIST cybersecurity framework

• –Framework Core
• –Framework Implementation Tiers
• –Framework Profile

Health Care Information Systems: A Practical Approach for Health Care Management, 4th editionK. WagerIF. LeeIJ. Glaser