OPERATIONAL

GENERAL QUESTIONS

What are the changes to PIP IM/IT Incentive?
 In November 2006, the three existing IM/IT tiers will be replaced with two new tiers with
  new IM/IT system requirements.

Tier 1    The practice maintains electronic patient records, which include clinical data on
           allergies/sensitivities for the majority of active patients; and
          The practice implements appropriate information security measures (e.g. virus
           protection, firewall, backup and recovery, access control and practice
           procedures/processes to support/maintain appropriate information security). The
           practice also uses appropriate security (e.g. encryption systems) when patient
           information and/or clinical data are transferred electronically.

Tier 2    The practice qualifies for Tier 1; and
          The practice uses electronic patient records to record and store clinical
           information on the majority of active patients, including current and past major
           diagnoses and current medications.


When do the new PIP IM/IT requirements commence?
Practices will need to meet the new requirements on 31 October 2006 in order to be eligible
for a PIP IM/IT payment in November 2006. The first payments will be made to eligible
practices with the PIP November 2006 quarterly payment.

Why have the requirements for the PIP IM/IT Incentive changed?
The changes are part of a wider range of reforms to simplify and improve the Practice
Incentives Program and Enhanced Primary Care (EPC) Medicare items as recommended by
the Red Tape Taskforce and the General Practice Representative Group in late 2003.

The reforms have been developed in close consultations with general practice organisations.
These changes are also consistent with the Australian Government’s e-Health agenda.

How does the IM/IT Incentive promote improvements in safety and quality?
The PIP IM/IT Incentive is part of the broader e-Health agenda that works towards a secure
national flow of key electronic health information accessible to clinicians at the point of care,
to improve clinical outcomes.

The e-Health agenda aims to promote improvements in safety and quality, leading to
improved health outcomes. When fully implemented, it will assist hospitals, pharmacies,
pathologists and other health care providers to exchange and share information electronically.
In an emergency situation, lives could be saved as access to patient health information would
be more readily available. Errors in clinical decisions and medication management would be
reduced as health providers can keep in touch electronically, no matter where they are
located.

Privacy and security issues apply to both paper-based and electronic records. As general
practices adopt electronic health records, it is essential to ensure that these systems provide
the same level of security and confidentiality as paper-based systems. In order to have secure
electronic health records, practices need to have appropriate information security measures in
place.


In summary, the principal benefits will be:
     More timely access to important health information;
     Better informed decisions and strengthened patient relations; and
     Time saved as you will no longer have to spend as much time chasing medical records
      created elsewhere.

Why should practices use electronic health records?
Health care in Australia is moving towards increased computerisation and connectivity.
Recording information electronically can facilitate data transfer, shared access to health
records by health care providers, access to and storage of information, and back-up of records
to prevent damage and loss. Accurate and complete medical documentation is essential for
supporting good clinical care and ensuring good communication between health providers,
allowing them to respond quickly to patient needs to benefit both consumers and providers.

Are electronic health records safe?
Privacy and security issues apply to both paper-based and electronic records. As general
practices adopt electronic health records, it is essential to ensure the same level of security
and confidentiality as paper-based records. Each system poses different challenges to privacy
and information security.

In order to have secure electronic health records, practices need to have appropriate
information security measures in place.

What is an active patient?
An active patient has an active health record. The RACGP Standards for General Practices,
3rd Edition defines an ‘active health record’ as a record of a patient who has attended the
practice three or more times in the past two years.

How much is a ‘majority’ of active patients?
A majority is more than 50% of active patients.

How often do allergies need to be updated?
The frequency of reviewing and updating the record on allergies is a clinical decision for the
treating doctor.

What sort of past diagnoses are considered to be major?
Which past major diagnoses to record is a clinical decision for the treating doctor.

What are ‘current medications’?
Whether medications are current is a clinical decision for the treating doctor.

Where do I store data offsite?
Back-up disks, tapes, etc. need to be stored in a secure offsite environment.

We plan to contract an IT company to look after our computers. Will this breach privacy
issues?
Privacy issues should be covered in your agreement with the contractor.




Will there be changes to other PIP Incentives?
A number of changes to PIP and the EPC Medicare items have already been implemented
including removing the need to submit evidence of public liability insurance and medical
indemnity cover to join the PIP, and making the After Hours Tier 2 available to smaller
practices.

The Department of Health and Ageing is consulting with the medical profession on further
improvements to the PIP.

What are the payments for the new PIP IM/IT Incentive?
For Tier 1: $4 per SWPE per annum
For Tier 2: $3 per SWPE per annum

Practices that qualify for Tier 2 have already met the requirements for Tier 1. Therefore the
total payment received by practices will be: $4 + $3 = $7 per SWPE per annum

What do practices have to do to meet the IT security component of the IM/IT Incentive?
 A Security Self Assessment (SSA) tool has been developed for this purpose. The SSA is
  based on the materials developed by the General Practice Computing Group (GPCG).
 To meet the PIP IM/IT security requirements, practices must meet all the requirements in
  the SSA that apply to their practice IT category.
 Practices may wish to use an IM/IT specialist to assist with the SSA.

So I don’t need Internet anymore to qualify for PIP IM/IT Incentive?
Most practices already have an Internet connection. After August 2006, PIP Incentive
payments will not be available for this and other existing requirements, e.g. providing
data to the Commonwealth or using electronic prescribing software to generate the majority
of scripts. Payments will now be made to encourage practices to meet the
new requirements, i.e. for using electronic health records and ensuring that these records are
appropriately protected.




IT QUESTIONS

Where can I get IT help from?
IT advice and support may be sought from your practice manager, current IT support, your
Internet Service Provider, or through your local Division of General Practice. Refer to
supporting education and guidance material developed by IT security and communications
specialists. Examples include the GPCG Computer Security Self-Assessment Guideline and the
GPCG Computer Security Firewall Guideline, available at www.gpcg.org.au/topics/security.
These documents and other available material developed both nationally and internationally
can assist in addressing areas of technology security which require further clarification.

Practices can receive support for IT security through the Broadband for Health Program. The
Broadband for Health approved providers have made targeted telephone assistance available
in remote areas. Please call 1800 818 111 or visit www.health.gov.au/ehealth/broadband

What is a firewall?
A firewall is used to provide added security by acting as a gateway or barrier between a
private network and an outside or unsecured network (such as the Internet). A firewall can be
used to filter the flow of data through the gateway according to specific rules. Firewalls will
help prevent patient information from appearing on the Internet.

How does a practice know it has a firewall?
Advice and support may be sought from your practice manager, current IT support, your
Internet Service Provider, or through your local Division of General Practice.

How do I find out the specifications of my firewall?
Check with your current IT support, your Internet Service Provider or your local Division of
General Practice.

What is encryption?
Encryption is a mechanism for protecting the confidentiality of data by encoding it so that
only the appropriate parties can interpret it. To support encryption you need a ‘key’ and a
computer program to encrypt and decrypt your messages.

What encryption keys do I need to get?
PIP does not specify the type of encryption practices should use. Public Key Infrastructure
(PKI) is available free to general practices through the Health eSignature Authority (HeSA)
to ensure the security of communications across the health sector. This technology ensures
data can be identified, and that data will be secure and private. PKI enables the transfer of
sensitive medical information across the Internet, without compromising the individual’s
right to privacy.

If your practice uses Medicare Online claiming, you already have the ability to send
encrypted clinical information. Check with your current IT support, your Internet Service
Provider, or your local Division of General Practice to determine which encryption system
will suit your practice.




Do I still need a firewall or encryption when I don’t have an Internet connection?
To obtain the PIP IM/IT Incentive, you are not required to have a firewall or encrypt clinical
data unless your personal computer or your local area network is connected to the Internet.

Why do I need virus protection when I don’t have an Internet connection?
Viruses can cause minor annoyances or catastrophic system crashes. Viruses are generally
‘caught’ while communicating electronically with the outside world via email or the Internet.
However, they can also be transmitted via floppy disks, CD-ROMs and other portable media.

What are virus definitions and how often do you update them?
New viruses are created and circulated every day. Your virus software needs to be updated
daily, if possible, to protect your computer from infection. Automatic updating of virus
definitions can be enabled in your software settings. This will allow your computer to detect
and destroy new viruses that were created after you installed your anti-viral software.

Which anti-viral software is recommended?
PIP does not recommend any particular brand of software. Ask your current IT support, your
ISP, or check with your local Division of General Practice for advice.

How do I back up?
Ask your technical support person about back-up software and hardware. You will want the
back-up process to be as automated as possible. There are various types of back-up media
which include DVDs, CD-ROMs, magnetic tape, zip drives, memory cards and portable hard
disks.

How often do I need to back up data?
Data can be lost through human error, software crashes and hardware problems. It is critical
to make regular back-ups of all your data in case any of these occur. It is recommended that
back-ups be done on an as-needed basis – preferably daily, weekly and monthly. Back-ups
should be stored securely offsite.

How often do I need to test the backup procedure?
Back-ups of data should be done daily and the back-up procedure tested (by performing a
restoration of data) at regular intervals determined by the practice. The back-up procedure
could be included in the disaster recovery plan.

Why do I need a disaster recovery plan?
Disasters can be due to a number of causes including human error, hardware failure, software
failure, and interruptions to the power supply. A written disaster recovery plan covers the
critical functions of the practice so it can continue without major interruptions to the patients
and staff, thus ensuring that no patient is at risk and that the ongoing viability of the practice
is maintained. Information on how to develop a disaster recovery plan can be found at
Appendix C of the General Practice Computing Group (GPCG) Security Self-Assessment
Guide (www.gpcg.org.au).

How do I develop a disaster recovery plan?
A disaster recovery plan is a written plan which explains what should be done when the
computer system goes down. A disaster recovery proforma can be found at Appendix C in
the GPCG Computer Security Self-Assessment Guide (www.gpcg.org.au).



Why do I need access control?
It is important to ensure that the privacy of patient data complies with the National Privacy Principles.
One of the key features of data security is that only certain people should see some types of
information such as sensitive financial or clinical information. Practices should work out a
policy on who can have access to specific data and systems. Practice staff can then choose
passwords to provide them with the appropriate level of access. Passwords can be
implemented for the operating system, application software, files within software and email.

What are appropriate practice procedures/processes to support/maintain information
security?
Practices must meet all the requirements in the SSA that apply to their practice IT category.
These include:
    Practice computer security coordinator
    Practice IT security policies and procedures
    Access control
    Disaster recovery plan
    Consulting room and ‘front desk’ security
    Back-up procedure
    Virus protection
    Firewalls*
    Network maintenance
    Secure electronic communication*
*This IT item is only required for Internet connected Personal Computers or Local Area
Networks.

How do I know my practice IT category?
The level of connectivity of practice computer systems varies greatly. For the purposes of
the PIP IM/IT Incentive, two practice IT categories have been defined.

      Standalone Personal Computers or Local Area Networks. One or more computers
       which may be linked to each other but do not link to the Internet.
      Internet connected Personal Computers or Local Area Networks. One or more
       computers that connect to the Internet.




TRAINING/ROLE DESCRIPTION QUESTIONS

What is the role of the Practice IT Security Coordinator?
A role description for IT security coordinator can be found at Appendix A of the General
Practice Computing Group (GPCG) Security Self-Assessment Guide (www.gpcg.org.au) and
can be adapted to meet practice requirements (and could be incorporated into an existing job
description). The person’s role will vary in every practice, depending on the IT skills of
available staff, the availability of technical support and the interest of other staff members.
The nominated IT security coordinator is responsible for ensuring that policies are current
and is not necessarily required to undertake the tasks personally.

Where can I get a role description for a practice IT security coordinator?
The generic practice computer security coordinator role description at Appendix A of the
General Practice Computing Group (GPCG) Security Self-Assessment Guide
(www.gpcg.org.au) could be adapted to meet practice requirements (and could be
incorporated into an existing job description).

Where can I find training for our IT security coordinator?
The GPCG has produced a set of comprehensive educational modules on how to make the
best use of computers in general practice (www.gpcg.org.au). The resources cover clinical
and administrative uses of computers, provide tips for enhancing computer security, and raise
some legal and ethical issues for consideration. However, security training may not be
required or necessary, e.g. practices may choose to retain an appropriately trained IT security
contractor.

How often does the coordinator role need to be reviewed?
The coordinator’s role should be reviewed at regular intervals determined by the practice.
More frequent reviews may be required when a coordinator is replaced or when there is a
significant change in the practice IT systems.

Why do staff need to be trained in IT security procedures?
Practice staff need to know about appropriate security processes, e.g. secure passwords,
responsibility for back-ups and how to protect computers against viruses. The extent of any
training requirements is a matter for the practice.




GLOSSARY OF TERMS

Access control
Access control is the use of passwords on the operating system, application software and
emails to provide practice staff with the appropriate level of access to clinical and financial
information.

Active patient
An active patient has an active health record. The RACGP Standards for General Practices,
3rd Edition defines an ‘active health record’ as a record of a patient who has attended the
practice three or more times in the past two years.

Anti-viral software
Helps protect your computer system from viruses.

Broadband
Broadband is a widely used method of accessing the Internet. Broadband provides a high-
speed connection to either the Internet or private networks.

Dial-up connection
A dial-up connection uses ordinary phone lines to connect to the Internet.

Disaster recovery plan
This is a written plan which explains what should be done when the computer system goes
down. It is sometimes called a business continuity plan. A disaster recovery proforma can be
found at Appendix C in the GPCG Computer Security Self-Assessment Guide
(www.gpcg.org.au).

Encryption System
Encryption is the process of converting plain text characters into cipher text (i.e. meaningless
data) as a means of protecting the contents of the data and guaranteeing its authenticity.

Firewall
A firewall is used to provide added security by acting as a gateway or barrier between a
private network and an outside network (such as the Internet). A firewall can be used to filter
the flow of data through the gateway according to specific rules.

GPCG
The General Practice Computing Group (GPCG) is the peak national body for GP informatics
in Australian General Practice.

Hardware
Hardware is a physical component of a computer, such as a monitor, hard drive, or Central
Processing Unit (CPU).

ISP
Internet Service Provider is a company that provides access to the Internet for companies or
individuals.




Server
A server is typically a computer in a network environment that provides services to users
connected to a network, such as printing and accessing files. A server can be used as a
central data repository for the users of the network.

Standalone computer
This is a computer that is not connected to a network or to other computers.

Virus
Viruses are programs that cause varying degrees of havoc with computer systems. They are
generally ‘caught’ while communicating electronically with the outside world via email or
the Internet. They can also be transmitted via floppy disks, CD-ROMs and other portable
media.

Virus protection
Virus protection, such as anti-viral software, helps protect your computer system from
viruses.


RESOURCES

PIP IM/IT Security Self Assessment and Guidelines: www.medicareaustralia.gov.au/pip
General Practice Computing Group: www.gpcg.org.au
Handbook for the Management of Health Information in Private Practice: www.racgp.org.au
Privacy Resource Handbooks: www.ama.com.au/web.nsf/doc/WEEN-5py2EG
RACGP Standards for General Practices 3rd Edition: http://www.racgp.org.au/standards
Australian Division of General Practice: www.adgp.com.au/
Medicare Australia: www.medicareaustralia.gov.au
HealthConnect: www.healthconnect.gov.au
Broadband for Health: www.health.gov.au/broadband




Any additional questions should be referred to Tuija Uotila
Director, Practice Incentives Section, phone (02) 6289 3645.

Any enquiries from the media should be referred to Kay McNiece of the
Department of Health and Ageing on (02) 6289 5027.





				