Pabrai on HIPAA/HITECH Compliance: February, 2011 archives

Feb 24 2011   11:35AM GMT

Permanent EHR Certification Program, Now Final



Posted by: pabrai
EHR, HITECH, HIPAA, Meaningful use

The Office of the National Coordinator for Health IT (ONC) has finalized the permanent EHR certification program for the Meaningful Use (MU) incentive program. It was published on January 7 in the Federal Register and takes effect January 1, 2012. The temporary certification program published on June 24, 2010 remains in effect until it sunsets on December 31, 2011, or at a later date if the processes necessary for the permanent certification program to operate are not yet complete.

The ONC has deliberately separated the powers of approving organizations to test health IT products from those of approving organizations to certify them. The National Institute of Standards and Technology (NIST) will accredit organizations to test products: through its National Voluntary Laboratory Accreditation Program (NVLAP), NIST will develop a laboratory accreditation program for organizations seeking accreditation to test Health Information Technology (HIT) for purposes of the permanent certification program.

The ONC will designate one organization to approve other organizations to certify health IT products. The accrediting organization will be referred to as the ONC-Approved Accreditor. Eligible professionals and eligible hospitals participating in the MU/EHR incentive program must use HIT that has been certified by organizations approved by the ONC.

Organizations must first be accredited in order to test and/or certify HIT. Certification bodies authorized by the National Coordinator, the ONC-Authorized Certification Bodies (ONC-ACBs), are required to conduct post-certification surveillance. ONC-ACBs are also permitted to perform “gap certification.” More information is available at healthit.hhs.gov.

Have you addressed the Meaningful Use core objective mandate for risk analysis? Ask ecfirst for a complimentary proposal to address the risk analysis requirement and about the STePS Meaningful Use program.

Contact Audra at Audra.Curtis@ecfirst.com to schedule a private Webcast focused on Meaningful Steps to Meaningful Use.

Feb 24 2011   11:34AM GMT

Red Flags Rule Update - FTC’s FACTA Regulation



Posted by: pabrai
Red Flags Rule, HIPAA, HITECH

President Obama signed the Red Flag Program Clarification Act of 2010 into law on December 18, 2010. The law is effective as of January 1, 2011 and enforced by the Federal Trade Commission (FTC).
The Fair and Accurate Credit Transactions Act of 2003 (FACTA) regulation requires organizations to identify, detect and mitigate instances of identity theft. The FTC originally proposed the Red Flags Rule in 2008. The Rule was designed to address the threat of identity thieves trying to misappropriate consumer accounts to purchase goods and services for themselves using someone else’s name. FACTA applies to financial institutions and creditors. “Creditors” were defined as any entity that regularly allows a person to buy property or services and to defer making payment on the purchase.
The Red Flag Clarification Act of 2010 addressed the issue related to the healthcare industry by limiting a “creditor” to an entity that:
• Obtains or uses credit reports in connection with a credit transaction
• Furnishes information to consumer reporting agencies in connection with a credit transaction or
• Advances funds to a person based on an obligation of the person to repay the funds or make the funds repayable from specific property pledged for that purpose

It specifically excludes entities that “advance funds” to consumers for expenses incidental to a service being provided, for example healthcare providers that deliver care and then bill for it in arrears.
Healthcare providers now covered by the Red Flags Rule seem to be those that either use consumer reports in order to establish patient credit or furnish information to credit reporting agencies.
The Act does state that the FTC can extend the Red Flags Rule to a business based on the determination that the business offers or maintains accounts that are subject to a reasonably foreseeable risk of identity theft.
Providers that are unlikely to see the Red Flags Rule extended to them by the FTC include those with a more personal relationship with their patients; this would include small medical practices, home health agencies, and long-term care facilities.
It is ecfirst's position that healthcare providers already impacted by HIPAA, HITECH and other privacy and security regulations would be well served to address the requirements of the FACTA regulation. Organizations should establish a credible Identity Theft Prevention Program within the context of a more comprehensive framework of privacy and security policies, controls and capabilities.
Have you developed an Identity Theft Prevention Program? ecfirst can help. Ask about the ecfirst On-Demand Consulting Program to jumpstart and address your requirements for compliance with FACTA, HIPAA, HITECH, and State mandates.

Contact Audra at Audra.Curtis@ecfirst.com to schedule a private Webcast focused on Policies & Procedures to comply with HIPAA, HITECH, FACTA & More.


Feb 8 2011   2:48PM GMT

Learning from the Hack @ Nasdaq Computers



Posted by: pabrai
hacking, HIPAA, HITECH, Risk Analysis

Computer systems that run the Nasdaq Stock Market have been repeatedly penetrated over the past year, The Wall Street Journal reported on February 5, 2011. The possible motives include unlawful financial gain, theft of trade secrets, and a national security threat to damage the exchange. The Nasdaq exchange is regarded by the government as critical, similar to power companies and air traffic control operations, all considered part of the basic U.S. infrastructure.

In the recent past, hackers planted potentially disruptive software programs in the U.S. electrical grid. In the case of the Nasdaq hack, it seems that the intent was to “snoop” and learn about the system; it does not appear that any information had been tampered with. The U.S. Secret Service and the FBI are investigating the matter.

Businesses and organizations are under constant attack, with estimates of an attack every 1.5 seconds on the business information infrastructure, about 60,000 attacks every day. In recent years U.S. authorities have experienced cyberattacks linked to computers in Russia, China and Eastern Europe.

With breaches on the rise with attacks from the outside and inside, it is critical to conduct a comprehensive and thorough assessment of the threats and vulnerabilities to the confidentiality, integrity and availability of all critical assets and sensitive information managed by the organization. When is the last time your organization conducted a risk analysis activity?

A checklist of steps to review when addressing breaches and incidents includes:

  1. Develop policy on Discovery, Reporting & Notification of Information Breaches
  2. Review, update and integrate security controls and reporting capabilities for incident management
  3. Create a specific procedure for information breach management
  4. Develop specific procedure for information breach notification
  5. Conduct training for all members of the workforce on your policies and regulatory mandates for security

It is not a question of if your organization will experience a breach. It will. It is a question of how quickly you can discover the incident and what specific steps must be taken to address the assets and information that may have been compromised. In many industries, including healthcare, there are severe fines and penalties related to breach notification.

Have you recently reviewed and updated your organization’s policies, procedures and controls for managing breaches and incidents?

Review ecfirst breach and policy templates at the Resource Center at www.ecfirst.com. Contact Audra at  Audra.Curtis at ecfirst.com to schedule a private Webcast focused on breach and incident management.