Initial Needs/Goals Assessment
Determine what the clinic's goals are for participating in the HIE. Is the clinic participating in an ACO or trying to achieve PCMH status?
Validate Requirements and Set Expectations
Participation in the HIE requires resources and time. Clinics should validate they have network capability and computers up to date with antivirus software. Clinics should expect 4-5 months for project completion.
Identify Champion, Super User and Point of Contact
Our experience has shown that clinics that readily adopt changes in workflows and new technology have a leader/champion in place. Typically a physician or office manager will lead the change in office culture. In addition, the clinic should identify a super user. A super user is the go-to person for questions about using the HIE Community Portal. Either the champion or the super user can serve as the point of contact, but we will need a resource engaged throughout the project.
Request EMR Vendor Resource be Assigned to Project
It is important to engage your EMR vendor early in the project. Contact your EMR vendor and let them know you are requesting to connect to your local HIE. Ask the EMR vendor to assign a point of contact for the project.
1. HIPAA/Privacy & Security Policies
Protecting patient health information and meeting your HIPAA privacy and security responsibilities regarding electronic health information exchange is a shared responsibility among all participants of the HIE. Your practice, not your EHR developer, is responsible for taking the steps needed to protect the confidentiality, integrity, and availability of health information in your EMR.
2. Clinic’s Risk Assessment
Conduct a security risk analysis (or reassessment if you already conducted an initial risk analysis) that compares your current security measures to what is legally and pragmatically required to safeguard patient health information. A risk assessment helps your organization ensure it is compliant with HIPAA’s administrative, physical, and technical safeguards.
3. HIPAA Training for Staff
To safeguard patient health information, your workforce must know how to implement your policies, procedures, and security audits. HIPAA requires you as a covered provider to train your workforce on policies and procedures. Also, your staff must receive formal training on breach notification.
2. Risk assessment Tool: this tool is not required by the HIPAA Security Rule, but is meant to assist providers and professionals as they perform a risk assessment.
How to use C-CDA to meet 2014 Edition EHR Certification Criteria
Civil and Criminal Penalties
Civil Monetary Penalties
| Violation category | Penalty |
|---|---|
| 1. Covered entity or individual did not know (and by exercising reasonable diligence would not have known) the act was a HIPAA violation. | $100-$50,000 for each violation, up to a maximum of $1.5 million for identical provisions during a calendar year. |
| 2. The HIPAA violation had a reasonable cause and was not due to willful neglect. | $1,000-$50,000 for each violation, up to a maximum of $1.5 million for identical provisions during a calendar year. |
| 3. The HIPAA violation was due to willful neglect but the violation was corrected within the required time period. | $10,000-$50,000 for each violation, up to a maximum of $1.5 million for identical provisions during a calendar year. |
| 4. The HIPAA violation was due to willful neglect and was not corrected. | $50,000 or more for each violation, up to a maximum of $1.5 million for identical provisions during a calendar year. |
Criminal Penalties
| Offense | Imprisonment |
|---|---|
| 1. Unknowingly or with reasonable cause | Up to one year |
| 2. Under false pretenses | Up to five years |
| 3. For personal gain or malicious reasons | Up to ten years |