Security Consulting Case Study
Metro Health Relies on AT&T for Meaningful Use Risk Assessment
“It’s entirely possible to think you are in compliance, while someone else feels you are not. That’s why we decided to have outside specialists review our policies.”
– Art King, Privacy and Security Officer, CISSP, Metro Health
Metro Health Facts
Properly document application requirement for the Medicare/Medicaid Electronic Health Record (EHR) Incentive Program
Meaningful Use Security Risk Analysis through AT&T Consulting
Confirm processes provide security; help meet requirements for obtaining program funds to expand existing EHR capabilities
Integrated Healthcare System
208-bed hospital and integrated community locations; more than 2,300 employees
About Metro Health
Metro Health, based in the suburbs of Grand Rapids, Michigan, is a regional healthcare system with a 208-bed general acute care osteopathic teaching hospital and more than 14 off-site locations, serving more than 250,000 patients in Kent and surrounding counties. It offers a broad range of services, including hospital inpatient and outpatient services, emergency, surgery, cancer, intensive care, rehabilitation, and a wellness and community education program. Physician, therapy and diagnostic services are provided in its 12 neighborhood outpatient centers. As a teaching hospital, Metro offers 10 residency programs and two fellowship programs for physicians.
Metro Health began implementing Electronic Health Records (EHR) in 2005, eventually expanding their use throughout the organization. In the Medicare/Medicaid Electronic Health Record Incentive Program, Metro Health saw an opportunity to use the available funds to assist in expanding the infrastructure and scope of its EHR platform and capabilities. To apply for the funds Metro Health needed to complete a formal Attestation of Meaningful Use, detailing the nature of the hospital’s EHR operations. A key requirement of the Attestation was a Security Risk Analysis of Metro Health’s EHR against HIPAA privacy and security regulations.
While Metro Health could technically have performed a security risk analysis on its own, the IT organization elected to get an outside viewpoint from HIPAA specialists to assure more objectivity. Through its AT&T account team, Metro Health contracted with AT&T Consulting for an analysis of its EHR security, specifically geared to the requirements of the Meaningful Use Attestation. In addition to providing the necessary security review, the AT&T team gave Metro Health specific recommendations for upgrading certain security practices in light of HIPAA regulations.
Taking Healthcare to a Better Place
For more than 250,000 patients in the Grand Rapids, Michigan area, Metro Health represents a uniquely fresh and high-quality healthcare experience and a healthy environment for the community.
With its strong osteopathic tradition, Metro Health prides itself on emphasizing the well-being of the whole person, right alongside advanced medical techniques and technologies. The physical surroundings of the hospital – called the Metro Health Village – are also uniquely attractive.
The 170-acre development is designed to create an atmosphere of nature-inspired calm and includes not only the hospital, but a public park, medical offices, a hotel, medical retail and more. A portion of the roof of the main hospital building – itself a LEED-certified building – is actually a 48,500 square-foot garden which gives more than half of patient rooms an interesting view while improving air quality, minimizing storm water runoff and cooling down surrounding air. What’s more, all rooms are private and equipped with flat-screen televisions complete with Internet access and other conveniences that would rival those in a fine hotel.
But there is also hard-working technology behind the scenes at Metro Health. “We were among the first hospitals in the area to vigorously adopt electronic health records,” said Art King, Metro Health Privacy and Security Officer. “We saw the value in moving away from paper-based records several years ago and first implemented EHR as a pilot program in our outpatient facilities. We knew that electronic was the way to go.”
Growing the EHR Platform
As the advantages of EHR became apparent – both in streamlining operations and in improving patient care – Metro Health deployed electronic capabilities throughout its main hospital shortly after moving to the new Metro Health Village in 2007. The experience gained in the neighborhood centers had given Metro Health a head start in configuring the technology to meet its unique requirements throughout the entire organization.
“We’ve always emphasized IT in the organization,” said King. “We recognized that automation would make the hospital work more efficiently, which is especially important with the pressures of rising costs and lower reimbursements.”
To power its EHR operations, Metro Health chose the EPIC platform. “The platform allows us to move beyond mere record-keeping and documentation,” said King. “For example, we have already launched Computerized Physician Order Entry (CPOE), which helps ‘close the circle’ with medical records. Instead of hand-writing patient orders, physicians can use our electronic CPOE, which speeds up the process and makes the orders easily accessible to the appropriate staff.
“Our physicians – even our long-standing veterans – are happy with the new process because it gives them more time to spend with patients,” added King. “We also offer patients an on-line portal, which lets them handle appointment scheduling and other communications with the healthcare team.”
Metro Health’s EHR system has proven so popular that the hospital offers the platform for use by individual physicians’ offices, under an application service provider model.
Seeking the Incentives
The Medicare and Medicaid EHR Incentive Programs have been put in place to provide incentive payments to eligible professionals, eligible hospitals and critical access hospitals (CAHs) as they adopt, implement, upgrade or demonstrate meaningful use of certified EHR technology. When it was announced – just as Metro Health was implementing EHR in the main hospital – Metro Health realized that the organization would very likely qualify. “We were quite well along in our implementation of EHR,” said King, “a lot further along than most hospitals in our area. And we were at about 70 to 80 percent use for CPOE which is far beyond the thirty percent required for the program.”
Metro Health saw that the incentive could provide millions of dollars for funding important upgrades to its EHR infrastructure. This included investing in servers, hardware and software as well as ongoing maintenance and support of the technology.
To pursue the incentives, Metro Health needed to file an Attestation of Meaningful Use to document that the hospital was indeed utilizing EHR in the required ways. “As Privacy and Security Officer, one of the required check-marks on the Attestation was demonstrating that we met provision 164-308(a)(1) of the HIPAA regulations,” said King. Metro Health essentially needed to attest that a security risk analysis had been performed and that any deficiencies had been addressed.
One difficulty in complying with HIPAA is making sure that the regulations are interpreted properly when designing safeguards and processes. “It’s entirely possible to think you are in compliance, while someone else feels you are not. That’s why we decided to have outside specialists review our policies. We wanted to make sure we had all the bases covered for our attestation.”
At that point, the Metro Health AT&T account team suggested calling in AT&T Consulting to handle the Meaningful Use security risk analysis. “I had had experience with them on other projects, so I was confident in their skills and expertise,” said King. “They have Security services designed expressly for Meaningful Use reviews and analyses and knew precisely what was required.”
A Smooth and Thorough Review
After a few initial conferences with the Consulting team, King scheduled the formal analysis. The team sent an auditing specialist out to Metro Health to gather the necessary information, interview selected staff and perform on-site evaluations of the physical security for Metro Health’s EHR.
“They looked at our data center security, our network security, physical security and terminal security. They even walked through the hospital and pointed out where certain computer screens might be visible to people walking by. It was a very thorough inspection.” Within weeks, AT&T Consulting submitted a report to King and his team that neatly summarized Metro Health’s compliance with the relevant HIPAA regulations.
“What impressed me about the report was how well it was organized,” said King. “It made it clear exactly how well we stacked up against the requirements in 150 or so areas, and provided an actionable checklist of things we needed to address. The AT&T evaluation organized the chaos and brought order to the hundreds of issues involved. It also gave me the detailed documentation I needed to explain to management what budget is required for going forward.”
Best of all, noted King, was being assured that Metro Health’s processes were right in line with what was required. “They did uncover some areas that we needed to address, relatively minor things we hadn’t recognized before. But it was good to learn we had set up our security properly.”
Once 90 days of data collection is completed, King is confident of passing the first stage of the Meaningful Use Attestation. “We’re delighted with the insights and help we received from AT&T Consulting. It’s invaluable and very reassuring to have your operations evaluated by an organization with the expertise and resources of AT&T.”
What is King’s advice for other hospital teams looking to apply for the Medicare/Medicaid EHR Incentive Program? “Start yesterday and get expert assistance with the HIPAA issues. As good as you think you are, you are most likely missing something.”