
Page 1: Preparing Your Organization for a MU Audit › sites › himsschapter › files › Chapter... · 2016-04-13 · David Holtzman, JD, CIPP Vice-President for Compliance CynergisTek,

David Holtzman, JD, CIPP

Vice-President for Compliance

CynergisTek, Inc.

Preparing Your Organization for a MU Audit

Page 2

About Our Presenter

•  Vice President of Compliance Services, CynergisTek, Inc.

•  Subject matter expert in health information privacy policy and compliance issues involving the HIPAA Privacy, Security and Breach Notification Rules

•  Over 10 years of experience in developing, implementing and evaluating health information privacy and security compliance programs

•  Former senior advisor for health information technology and the HIPAA Security Rule, Office for Civil Rights

David Holtzman CynergisTek, Inc.

Page 3

Agenda

• What is the Meaningful Use Audit Program?

• What to Expect in a Meaningful Use Audit

• Meaningful Use Information Security Measures & Objectives

• Preparing for a Meaningful Use Audit

Page 4

WHAT IS THE MEANINGFUL USE AUDIT PROGRAM?

Page 5

CMS Meaningful Use Audits

• Any provider attesting to receive EHR incentive payments for either the Medicare or Medicaid program may be subject to audits.

• Medicaid audits are performed by each state.

• Medicare audits are performed by a contractor, Figliozzi & Company.

Page 6

MU Audits (Figliozzi & Co)

• Audit Approach:

–  An appropriate letter and documentation request is sent to the individual who attested for the organization (the letter is specific to whether it is an Eligible Provider or Eligible Hospital engagement).

–  The organization is given 10 business days to provide the requested documentation electronically.

–  The auditor reviews the documentation and determines whether additional information is needed (this is the primary review step).

–  Additional requests for information are sent via email as necessary.

–  If the documentation is deemed insufficient to support the attestation, or other data anomalies exist, an on-site visit is scheduled.

Page 7

WHAT TO EXPECT IN A MEANINGFUL USE AUDIT

Page 8

Documentation for Primary Review

• The source documentation utilized during the attestation process

• Copy of the CHPL certification from the HHS Office of the National Coordinator for Health Information Technology for the EHR application

• Documentation to support the methodology chosen for achieving measures (i.e. observation services or all emergency department visits)

• The numerators and denominators for each measure

Page 9

Documentation for Primary Review

• The time period the reports cover

• Risk analysis and remediation plans for deficiencies

• Summary level reports for measures

• Screenshots or other evidence to support measures that require a “YES” answer

• Evidence to support that source information was generated for that eligible professional or eligible hospital

Page 10

Onsite Audit Visit

• Detailed reviews of any of the measures via:

–  Walk-throughs of structured data and functionality in EHRs

–  Walk-throughs of test patients and scenarios

–  Review of medical records and patient records; detailed data to support summary reports

–  Census reports

–  Billing information

–  Validation of settings or additional detailed information to support reporting as deemed necessary

•  Security screen settings

•  Screen shots of test exchanges of clinical information

•  Audit logs (date for when a feature was enabled, etc.)

Page 11

MEANINGFUL USE INFORMATION SECURITY MEASURES & OBJECTIVES

Page 12

MU Core Measure – Protect Electronic Health Information

Objective: Protect electronic health information created or maintained by the CEHRT through the implementation of appropriate technical capabilities. 42 C.F.R. § 495.6(f)(14)(i) and (l)(15)(i)

Page 13

Protect e-PHI

• Measures Stage 1:

–  Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1); and

–  Implement security updates as necessary and correct identified security deficiencies as part of its risk management

–  At least once prior to the end of the EHR reporting period, and attest to that conduct or review. The testing could occur prior to the beginning of the EHR reporting period.

–  A security update is required if any security deficiencies were identified during the risk analysis.

Page 14

Protect e-PHI

• Measures Stage 2:

–  Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1);

–  Includes addressing the encryption/security of data stored in CEHRT in accordance with requirements under 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3); and

–  Implement security updates as necessary and correct identified security deficiencies as part of the provider's risk management process.

Page 15

Protect e-PHI

• Stage 2 Security Measures

•  The testing could occur prior to the beginning of the first EHR reporting period. However, a new review should occur for each subsequent reporting period.

•  Not required to report to CMS or the states on specific data encryption methods used.

•  EHs and CAHs affected by 42 CFR Part 2 should consult with the Substance Abuse and Mental Health Services Administration (SAMHSA) or state authorities.

•  In order to meet this objective and measure, an EH or CAH must use the capabilities and standards of CEHRT.

Page 16

Security Risk Analysis

Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate. 45 C.F.R. § 164.308(a)(1)(ii)(A)

Page 17

What’s Covered?

My security risk analysis only needs to look at my EHR. False. Review all electronic devices that store, capture, or modify e-PHI. Include your EHR hardware and software and devices that can access your EHR data (e.g., tablet computer, practice manager’s Smart-Phone).

http://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Downloads/SecurityRiskAssessment_FactSheet_Updated20131122.pdf

Page 18

Correction of Identified Deficiencies

Interpretation 1: Deficiencies must be corrected during the EHR reporting period

“The EHR incentive program requires correcting any deficiencies (identified during the risk analysis) during the reporting period, as part of its risk management process.”

Source: CMS Eligible Hospital and Critical Access Hospital Meaningful Use Core Measure (Measure 13 of 13) Stage 1 (last updated: April 2013), http://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/downloads/14_Protect_Electronic_Health_Information.pdf

Page 19

Correction of Identified Security Deficiencies

Interpretation 2: No specific time limit

“Timing of security updates and deficiency corrections is driven by the provider’s risk management process.”

Source: CMS FAQ #7705, https://questions.cms.gov/faq.php?id=5005&faqId=7705

Page 20

MU Stage 2 – Core Measure Protect Electronic Health Information

• Privacy and Security Certification and Standards Criteria:

–  In order to meet this objective and measure, an eligible hospital or CAH must use the capabilities and standards of CEHRT at 45 CFR 170.314(d)(4), (d)(2), (d)(3), (d)(7), (d)(1), (d)(5), (d)(6), (d)(8), and (d)(9):

Page 21

Certification & Standards Criteria

–  Amendments

–  Auditable events and tamper-resistance

–  Audit report(s)

–  End-user device encryption

–  Authentication, access control, and authorization

–  Automatic log-off

–  Emergency access

–  Integrity

–  Optional: Accounting of Disclosures

Source: Stage 2 Meaningful Use Specification Sheet for Eligible Hospitals and CAHs, http://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/downloads/Stage2_HospitalCore_7_ProtectElectronicHealthInfo.pdf

Page 22

Will You Be Audited?

Page 23

Pre-Payment Audits of EPs

• 3820 completed audits

• 21.5% failed pre-payment audit

– 7% of failures because the provider did not use CEHRT

– 93% of failures did not meet MU objectives and measures

(CMS Data as of September 15, 2014)

Page 24

Post-Payment Audits of EPs

• 4601 completed audits

• 24% failed to meet MU standards

– 99% of the failures did not meet MU objectives and measures

–  Average proposed returned incentive amount $16,863 per provider

(CMS Data as of September 15, 2014)

Page 25

Post-Payment Audits of EHs

• 613 completed post-payment audits

• 4.7% failed post-payment audits

– Average proposed returned incentive payment $1.13 million per hospital

– $33 million total proposed EH returned incentive payments

(CMS Data as of September 15, 2014)

Page 26

Overpayments

• CMS evidently doesn’t penalize providers for typos and other trivial errors in their documentation

•  If a core element is missed, CMS asks that all of the money be returned.

• CMS gives the EP/EH 30 days to repay once an overpayment of HITECH funds is determined

• Right to appeal

•  Interest continues to accumulate and the 31- and 61-day repayment penalties accrue.

• Penalties are not waived if the provider wins the appeal.

Page 27

False Claims Act Exposure - ACA

• Affordable Care Act of 2010 (ACA):

–  If a person has “received an overpayment,” the person shall “report and return the overpayment to the Secretary, the State, an intermediary, a carrier, or a contractor as appropriate and provide notice of the reason for the overpayment”

–  Overpayments must be reported and returned within 60 days after the date on which the overpayment was identified

–  Any overpayment retained by a person after the deadline for reporting and returning the overpayment is an “obligation” under the False Claims Act

Page 28

CMS Guidance: Correcting Mistakes?

How can I change my attestation information after I have attested and/or received an incentive payment under the Medicare Electronic Health Record (EHR) Incentive Program?

•  “If you discover that the information you entered during your Medicare attestation was not complete and accurate for some reason, please contact our EHR Information Center Help Desk and ask about the process for amending your attestation data. You can contact the EHR Information Center at 1-888-734-6433 (primary number) or 1-888-734-6563 (TTY number), 7:30 a.m. - 6:30 p.m. (Central Time) Monday through Friday, except federal holidays.” (CMS.gov)

•  Providers that have questions about changing their completed Medicaid attestation should contact the local State Medicaid Agency for assistance.

Page 29

Prepare Yourself for Audit

• Maintain documents to support attestation

• Ensure correct populations are included in Unique Patient Lists

• Ensure measures that require a “Yes” answer remain active throughout attestation periods. Be able to prove the functionality was enabled.

• Verify Metrics

– Recalculate

– Ensure correct structured data

• Practice for a CMS audit through a “mock audit”
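Two of the checklist items above, recalculating a measure's numerator and denominator from structured data over a unique-patient list, and proving that a “Yes” measure's functionality stayed enabled for the whole reporting period from the audit log, can be rehearsed as a mock-audit script. This is an added example, not code from the slides or from CynergisTek; the record layout, the feature name and the (date, feature, state) audit-log format are assumptions, and the sample data is constructed.

```python
from datetime import date

def recalc_fraction(records, qualifies):
    """Recompute a percentage measure from structured EHR records. Records are
    de-duplicated by patient id so the denominator is a unique-patient count;
    a patient is in the numerator when qualifies() is True."""
    unique = {r["id"]: r for r in records}
    numerator = sum(1 for r in unique.values() if qualifies(r))
    return numerator, len(unique)

def verify_measure(name, attested, records, qualifies):
    """Compare the recalculated (numerator, denominator) with the attested pair."""
    recalculated = recalc_fraction(records, qualifies)
    return {"measure": name, "recalculated": recalculated,
            "attested": attested, "matches": recalculated == attested}

def feature_enabled_throughout(events, feature, start, end):
    """Replay (date, feature, state) audit-log events and confirm the feature
    was already enabled when the reporting period began and was never
    switched off before it ended."""
    state = "unknown"
    for when, feat, new_state in sorted(events):
        if feat != feature:
            continue
        if when <= start:
            state = new_state        # last recorded state before the period
        elif when <= end and new_state != "enabled":
            return False             # toggled off mid-period: evidence gap
    return state == "enabled"

# Constructed sample data, not taken from the slides.
PERIOD = (date(2014, 1, 1), date(2014, 3, 31))
PATIENTS = [
    {"id": "P1", "demographics_structured": True},
    {"id": "P2", "demographics_structured": True},
    {"id": "P2", "demographics_structured": True},   # duplicate encounter
    {"id": "P3", "demographics_structured": False},
    {"id": "P4", "demographics_structured": True},
]
AUDIT_LOG = [
    (date(2013, 12, 15), "clinical_decision_support", "enabled"),
    (date(2014, 2, 10), "clinical_decision_support", "disabled"),
    (date(2014, 2, 11), "clinical_decision_support", "enabled"),
]

if __name__ == "__main__":
    print(verify_measure("Record demographics", (3, 4), PATIENTS,
                         lambda r: r["demographics_structured"]))
    print(feature_enabled_throughout(AUDIT_LOG, "clinical_decision_support", *PERIOD))
```

The one-day gap in the constructed audit log is exactly the kind of finding an auditor would raise against a “Yes” attestation, so the check fails for that feature even though it is enabled at both ends of the period.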

Page 30

Security Risk Assessment Tools

• HHS Risk Assessment Tool for Small Providers

– http://www.healthit.gov/providers-professionals/security-risk-assessment

• NIST HIPAA Security Risk Assessment Tool

– http://www.scap.nist.gov/HIPAA

Page 31

Questions?

David Holtzman

[email protected] 512.405.8550 x7020