NY Medicaid EHR Incentive Program,
A CMS Promoting Interoperability Program
Security Risk Analysis (SRA)
Q4 2018
Webinar Agenda
- Meaningful Use Objective 1: Protect Patient Health Information
- SRA Toolkit
- Safety Areas to Consider
- Common Considerations and Creating an Action Plan
- Resources
- Q&A Session
The Security Risk Assessment Tool is not intended to be an exhaustive or definitive source on safeguarding health information from privacy and security risks. For more information about the HIPAA Privacy and Security Rules, please visit the HHS Office for Civil Rights Health Information Privacy website.
Meaningful Use Objective 1: Protect Patient Health Information
NY Medicaid EHR Incentive Program, a CMS Promoting Interoperability Program
Through the NY Medicaid EHR Incentive Program, Eligible Hospitals and Eligible Professionals in New York who adopt, implement, or upgrade to certified EHR technology, and subsequently become meaningful users of the EHR technology, can qualify for financial incentives.
CMS Promoting Interoperability policy priorities
- Improving quality, safety, efficiency, and reducing health disparities
- Ensuring adequate privacy and security protection for personal health information
- Improving population and public health
- Engaging patients and families in their health
- Improving care coordination
How does this benefit you?
What is a Security Risk Analysis?
Eligible Professionals (EPs) participating in the NY Medicaid EHR Incentive Program must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the electronic protected health information held by that EP.
What is a Vulnerability?
"It is a flaw or weakness. It can be in system security procedures, design, implementation, or internal controls that could be accidentally triggered or intentionally exploited and result in a security breach or a violation of the system’s security policy."
What is a Threat?
"A threat is the potential for a person or thing to accidentally trigger or intentionally exploit a specific vulnerability."
What is a Risk?
"The U.S. Department of Health & Human Services describes risk as a combination of factors or events:
- What is the likelihood that a given threat will trigger or exploit a vulnerability?
- What is the resulting impact on the provider or organization?"
The SRA MUST be completed:
- Within the EHR reporting period calendar year, and
- Prior to the Attestation Date
Security Areas to Consider
Security Areas
- Administrative
- Technical
- Physical
Additional Considerations
- Policies & Procedures = written documentation
- Organizational Requirements = agreements with business associates and vendors
Common Considerations and Creating an Action Plan
Common Considerations
- Define the scope
- Identify potential threats and vulnerabilities
- Assess the effectiveness of implemented security
- Determine the likelihood of particular threats
- Determine and assign risk levels
- Prioritize remediation or mitigation
- Document your risk analysis
- Review and update your risk analysis
Create an Action Plan
Program Integrity
Providers must retain all attestation supporting documentation for no less than six years after each payment year.
Examples:
- Any reports that support the conclusion that you have met the objectives or exclusions.
- A record to support the numerator and denominator values for the attested measures.
Additional documentation may be requested, as needed, during the review process. For post payment audit guidance, contact hitech@omig.ny.gov.
Resources
Office of the National Coordinator (ONC) website
https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment
Certified EHR Technology (CEHRT) Requirements
- Modified Stage 2
  - 2014 Edition CEHRT
  - 2015 Edition CEHRT
  - Combination of 2014 and 2015 CEHRT
- Stage 3
  - Immunization Reporting:
    - 2015 Edition CEHRT
  - All Other Measures:
    - 2015 Edition CEHRT
    - Combination of 2014 and 2015 CEHRT
Effective 2019, all providers must use 2015 Edition CEHRT.
Visit https://chpl.healthit.gov/ to obtain CEHRT ID
Before you submit your Attestation!
Please make sure this information is up to date:
- NY EHR Incentive Program SRA Page and Tip Sheet www.health.ny.gov/ehr
- CMS www.cms.gov
- OCR www.hhs.gov/ocr
- ONC www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment
- ONC NIST (National Institute of Standards and Technology) http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityruleguidance.html
Regional Extension Centers
- New York City: NYC Regional Electronic Adoption Center for Health (NYC REACH)
  - Website: www.nycreach.org
  - Email: pcip@health.nyc.gov
  - Phone: 347–396–4888
- Outside of New York City: New York eHealth Collaborative (NYeC)
  - Website: www.nyehealth.org
  - Email: hapsinfo@nyehealth.org
  - Phone: 646–619–6400
NY Medicaid EHR Incentive Program Support Teams
Phone: 1–877–646–5410
Option 1: ePACES, ETIN, MEIPASS Technical Issues, Enrollment
Email: meipasshelp@csra.com
Option 2: Calculations, Eligibility, Attestation Support and Review, Attestation Status Updates, General Program Questions
Email: hit@health.ny.gov
Option 3: Public Health Reporting Objective Guidance, MURPH Registration Support, Registry Reporting Status
Email: MUPublicHealthHelp@health.ny.gov
Website: http://health.ny.gov/ehr
Survey: https://www.surveymonkey.com/r/ny_ehr
Program Satisfaction Survey