HIPAA HITECH Privacy & Security Rules for E-prescribing
Disclaimer
The materials available on this document and web site are for informational purposes only and not for the purpose of providing legal and or clinical advice.
You should contact your attorney and information security officer to obtain proper advice with respect to any particular issue or problem. Use of and access to this document, or any of the e-mail links, materials, etc., contained within it, does not create an attorney-client, consulting, legal-advice or medical-advice relationship between the authors and the user or browser. Only guidance obtained directly from U.S. Government agencies should be used for decision making.
HIPAA – HITECH e-Prescribing & Risk Analysis
The Center for Improving Medication Management, www.thecimm.org
Delaware E-Prescribing Process Flow (diagram), 42nd ISM Annual Conference, September 1, 2009
Diagram nodes: Physician; Software vendors; Pharmacy Network; Surescripts SIG; Master Beneficiary and Formulary Database; Surescripts PRN; Medicaid; Other Pharmacy Benefit Manager; Other Payers; Mail Order Pharmacy; Retail Pharmacy; Payer Network; Institutional Pharmacy
Editor's notes
Two-factor credentials include two of the following:
– Something you know—password, PIN.
– Something you have—hard token separate from the computer being accessed.
– Something you are—any biometric that meets the DEA’s requirements (e.g., must operate at a false match rate of 0.001 or lower).
• Prescribers must retain sole possession of hard tokens (if used) and must not share passwords, other knowledge factors, or biometric information with anyone. Failure by prescribers to secure these items may be the basis for revocation or suspension of their DEA registration.
SSAE 16 Audit Process – Statement on Standards for Attestation Engagements (SSAE) No. 16
An SSAE 16 (SOC 1) engagement can only be performed by a CPA or CPA firm. SSAE 16 effectively replaces Statement on Auditing Standards No. 70 (SAS 70) for service auditor reporting periods ending on or after June 15, 2011. Two (2) types of SSAE 16 reports are issued: a Type 1 and a Type 2. Additionally, SSAE 16 requires that the service organization provide a description of its "system" along with a written assertion by management.
For a brief overview of the SSAE 16 (SOC 1) audit process, see below:
- On-site consultation to support management in pinpointing the control objectives and control procedures.
- Guidance to management regarding the adequacy of their control objectives and controls.
- On-site testing at various points in time during the testing period to ascertain the effectiveness of the controls placed into operation and, for Type 2 reports, the operating effectiveness of the controls. Testing typically includes inquiry, inspection, and observation.
- Preparation of the draft report to be evaluated by the service organization for accuracy and completeness.
- Distribution of a findings memo to management noting any control deficiencies uncovered during the review.
- Delivery of the SSAE 16 report in hardcopy and electronic PDF format.
Some issues to be aware of: the audit should be limited to the area(s) of the business that the service offering under review touches while it is being performed. Controls being tested that have no correlation to the service under review should be excluded. Superfluous controls lead to a more complex and costlier audit and a higher chance of a failure on the report.