MEANINGFUL USE DESK AUDIT
- Solomon Haynes
- 9 years ago
October 2015
Protect Electronic Health Information

HIPAA Risk Management
1680 E. Joyce Blvd
Fayetteville, AR
(800)
Copyright 2015 by HRM Services, Inc. All rights reserved.

FOREWORD

Don't wait until you've received an audit notice: prepare your audit documentation before you complete your attestation. Not only is it easier to make sure that you have everything documented, you will be prepared if you get selected for a pre-payment audit. The pre-payment audits require you to pass the desk audit before you receive your incentive payment [1].

This audit guide is intended to help you identify what information should be documented and how it should be documented for Meaningful Use attestation for the Protect Electronic Health Information Objective.

Remember: one in 20 providers will likely be subject to a meaningful use desk audit [2] and 1 in 4 of those audited fail the audit. The most common reason for failing an audit is insufficient documentation for HIPAA: the Protect Electronic Health Information Objective. We hope that the information presented will help you avoid a delay in, or forfeiture of, your incentive payment.

This guide is provided as-is, with no warranty or implied liability, and does not imply a guarantee of meaningful use incentive or a successful meaningful use audit. While our team has included helpful tips for the documentation process based on hands-on experience assisting clients with preparing desk audit documentation, nothing in this guide is intended as legal advice.

If you have any questions about the information presented, please feel free to contact us. We can be reached at (800)

Sincerely,
The HIPAA Risk Management Team

[1] Guidance/Legislation/EHRIncentivePrograms/Downloads/EHR_Audit_Overview_FactSheet.pdf
[2] Robert Anthony, Deputy Director of the Health IT Initiatives Group at CMS' Office of e-health Standards and Services

MEANINGFUL USE DESK AUDIT OVERVIEW

Process and Notification

Beginning in 2013, the Centers for Medicare and Medicaid Services (CMS) began pre-payment audits that included random audits, as well as audits that target suspicious or anomalous data. [3] States were also instructed to implement a similar audit process for incentive payments made under the Medicaid meaningful use program.

If you are selected for an audit for the Medicare incentive program, you will receive an initial request letter from the auditor. The request letter will be sent electronically from a CMS address and will include the audit contractor's contact information. To see an example of an audit notification letter, go to the CMS website: Guidance/Legislation/EHRIncentivePrograms/Downloads/SampleAuditLetter.pdf

For Medicaid incentive program audits, contact your State Medicaid Agency to find out how you will be notified and who will be conducting the audit.

Before sending any protected and sensitive information, verify that the audit notice is authentic and confirm the contact information for the audit documentation and response.

Instructions and Deadlines

The audit notice will include detailed instructions on what needs to be provided, documentation format, delivery of response, and response deadline. Make sure you do not miss the deadline specified in the notification.

If sending your documentation by mail, be sure to use a method that will provide you with confirmation and documentation of receipt. It is also a good idea to notify the auditor when you are sending your reply and to confirm receipt once the documentation has been delivered.

Always follow the auditor's instructions, and verify your response is complete and delivered on time.

[3] Guidance/Legislation/EHRIncentivePrograms/Downloads/EHR_SupportingDocumentation_Audits.pdf

Appeal Process

If you receive a desk audit decision that you believe is in error, you can appeal the decision. Medicare eligible professionals (EPs) should file appeals with CMS, while Medicaid eligible professionals should contact their State Medicaid Agency for information about filing an appeal. [4]

To file an appeal with CMS, you must fill out the appeal request form and provide additional documentation related to the justification for the appeal.

Remember, CMS will not review appeal documentation for providers who failed to respond to the auditor's request for documentation, so make sure you have your audit documentation ready when you attest.

STEP ONE: CREATING AN AUDIT BINDER AND FILE

Creating a single location for all of your meaningful use documentation will make it easier to respond to a desk audit and allow you to verify that you have the necessary documentation for each objective. You don't have to keep it in a binder, but for the purposes of this guide, the single location for your audit documentation will be referred to as your audit binder.

You should also keep a digital copy of your audit documentation, which may include:
- Scanned or electronic copy of the audit binder documents
- Emails, including header information, from public health agencies for transmission objectives
- Backup of EHR data

Remember, if any of your audit documentation includes patient names, medical record numbers or other identifiable protected health information, you must comply with your HIPAA policies and procedures to protect that data from unauthorized access or disclosure, including encryption.

Documentation Requirements

All documentation should include the following:
- The date the report/file was created
- Practice/clinic name and provider name (if applicable) or Hospital name
- Start and end date of the report data
- Source of the data (such as system/application or external organization)

Multiple Systems

Some eligible professionals may practice at multiple locations or clinics, which may require reporting from multiple systems. Verify that you have documentation for all applicable systems and sources.

STEP TWO: REVIEWING THE OBJECTIVE

"Conduct or review a security risk analysis in accordance with the requirements under 45 CFR (a)(1), including addressing the encryption/security of data stored in CEHRT [Certified Electronic Health Record Technology] in accordance with requirements under 45 CFR (a)(2)(iv) and 45 CFR (d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the provider's risk management process"
- Meaningful Use Core Measure Stage 2: Protect Electronic Health Information

Do You Need a New Risk Analysis for this Reporting Period?

Unless you have an ongoing Risk Management Plan that includes assessment and monitoring of HIPAA security policies throughout the year, you may need to perform a Risk Analysis for the current reporting period. Also, you may need to perform a Risk Analysis if:
- You have not performed a Risk Analysis since upgrading to the certified electronic health record system for Stage 2
- You have not documented your analysis of all data at rest (encryption) as part of your Risk Analysis
- You do not have a Compliance Analysis that documents your compliance with each of the standards and implementation specifications in the HIPAA Security Rule as part of your Risk Analysis
- You do not have a Threat Analysis that documents the Likelihood, Impact, and Risk from natural, human, and environmental threats such as lost/stolen device, malware (computer virus), etc., as part of your Risk Analysis

Common Misconception: Risk Analysis for Meaningful Use Only Needs to Cover your CEHRT data

FALSE. The objective states that your risk analysis must include data created by your CEHRT, not that the risk analysis is limited to this data. "In accordance with the requirements" means that you must perform a full HIPAA Risk Analysis.

Is the Risk Assessment from my EHR Vendor Enough?

NO. A Risk Assessment is only part of what is required for a HIPAA Risk Analysis. In addition to a comprehensive assessment and review of your information systems and the security measures currently in place, your HIPAA Risk Analysis must also include a Compliance Analysis and Threat Analysis.

COMPLIANCE ANALYSIS

In order to meet the requirements of the objective for correcting deficiencies, your Risk Analysis must include each standard and implementation specification in the HIPAA Security Rule and your compliance status for each.

THREAT ANALYSIS

The guidance published by the Department of Health and Human Services for performing a risk analysis, "Guidance on Risk Analysis Requirements under the HIPAA Security Rule," includes the following definitions:

Vulnerability: Vulnerability is defined in NIST SP as "[a] flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system's security policy."

Threat: An adapted definition of threat, from NIST SP , is "[t]he potential for a person or thing to exercise (accidentally trigger or intentionally exploit) a specific vulnerability."

There are several types of threats that may occur within an information system or operating environment. Threats may be grouped into general categories such as natural, human, and environmental. Examples of common threats in each of these general categories include:
- Natural threats may include floods, earthquakes, tornadoes, and landslides.
- Human threats are enabled or caused by humans and may include intentional (e.g., network and computer based attacks, malicious software upload, and unauthorized access to EPHI) or unintentional (e.g., inadvertent data entry or deletion and inaccurate data entry) actions.
- Environmental threats may include power failures, pollution, chemicals, and liquid leakage.

For each of these threats, you must determine the:
- Likelihood of the threat occurrence
- Impact of the threat occurrence
- Level of Risk

If you don't have a Threat Analysis that includes the Likelihood, Impact, and Risk Level of specific threats, such as lost/stolen device or malware (computer virus), you do not have a complete Risk Analysis.

ADDRESSING ENCRYPTION/DATA STORED IN CEHRT FOR STAGE 2

Within your Risk Analysis and Threat Analysis, you must identify where all data that is created, maintained, or transmitted by your CEHRT is stored throughout your organization. This may include computers, mobile devices, removable media, other information systems and applications (if integrated with other systems), and backup files.

Your CEHRT should provide you with a document concerning the encryption of the data created by your CEHRT, but you also need to assess your use of the system and data within your organization.

Addressing Deficiencies

If you are not in compliance with any required standards or implementation specifications or you plan to mitigate any high levels of risk, you must have a corrective action plan in place before the end of your reporting period. Your Corrective Action Plan, which may be part of your implementation plan, should include the following:
- Specific security measure (or task to implement measure)
- Person/department assigned to perform
- Date security measure (or task to implement measure) was assigned
- Person who implemented or verified security measure (if completed)
- Date/time security measure was implemented/completed (if completed)

Risk Management

All covered entities are required to have an ongoing risk management process, usually called a Risk Management Plan. The Risk Management Plan will include periodic tasks that are performed to ensure your policies and procedures are being followed, such as verifying that all computers have the latest operating system security update installed.

HRM's Online HIPAA Security Manager

Is your process incomplete? Do you have the documentation you need for Meaningful Use? We can help! Contact us today to find out how our Online HIPAA Security Manager (OHSM) can provide a comprehensive HIPAA Security Compliance Program for as low as $199 a month. You can cancel at any time, and we offer a 30-day money back guarantee. All of the documentation described in the Protect Electronic Health Information/HIPAA Security objective section can be generated in a few clicks.

YOU CAN'T COMPLETE YOUR HIPAA PROGRAM FOR MEANINGFUL USE IN A FEW DAYS. YOU MUST GET STARTED TODAY IN ORDER TO COMPLETE THE OBJECTIVE BEFORE THE DECEMBER 31, 2015 DEADLINE.

STEP THREE: GATHERING DOCUMENTATION

Always follow the instructions from the audit request for providing documentation for your meaningful use objectives.

Risk Analysis

You may not want to submit your entire Risk Analysis Report, unless specifically requested to do so. Your Risk Analysis may include confidential information about your information systems, security, and practice.

If your Risk Analysis was performed by a 3rd party, request a Risk Analysis executive summary report that includes the following:
- Covered entity for which the Risk Analysis was performed
- Date Risk Analysis was performed
- Organization and/or person performing the Risk Analysis, including specific credentials or experience to perform a Risk Analysis
- Methodology used to perform the Risk Analysis, such as NIST SP Guide for Implementing HIPAA
- Summary of how you are addressing encryption/data stored in CEHRT
- Compliance status (meets/does not meet) of all standards and implementation specifications or a Compliance Summary
- Likelihood, impact and risk of threats analyzed or a Threat Summary

If you performed your Risk Analysis, create the Risk Analysis executive summary including all of the information noted above as well as the specific toolkit or other resource used to perform the Risk Analysis.

In many cases, auditors will request the details mentioned above instead of the entirety of your Risk Analysis documentation.

Addressing Deficiencies

You may not want to submit your entire Corrective Action Plan, unless specifically requested to do so, as it may include confidential information about your information systems, security, and practice.

For your audit documentation, create a Corrective Action Plan Summary that includes:
- Name of the HIPAA Security Officer
- Date plan was approved by the HIPAA Security Officer
- Security Measure Summary (what security measures are to be implemented)
- Estimated date the corrective action will be completed

In many cases, auditors will request the details mentioned above instead of the entirety of your Corrective Action Plan documentation.

Risk Management

You may not wish to submit your entire Risk Management Plan, unless specifically requested to do so. For your audit documentation, create a Risk Management Plan Summary that includes:
- Name of the HIPAA Security Officer
- Date plan was approved by the HIPAA Security Officer
- List of policies verified by the Risk Management Plan

ONLINE HIPAA SECURITY MANAGER

GET IN AND STAY IN COMPLIANCE. HIPAA SECURITY COMPLIANCE MADE SIMPLE

- Risk Analysis: COMPREHENSIVE RISK ANALYSIS
- Policies & Procedures: CUSTOMIZED TO YOUR PRACTICE, NOT TEMPLATES
- Ongoing Management: MONITORING AND AUDITING HIPAA COMPLIANCE
- Documentation: HIPAA ACTIVITIES DOCUMENTED WITH A FEW CLICKS (MEANINGFUL USE)
- Training: ONLINE HIPAA SECURITY TRAINING FOR STAFF
- Experts: HIPAA SECURITY EXPERTS READY TO HELP

Without expert help and tools to manage your HIPAA security compliance, how many staff hours would it take to document your compliance and respond to a HIPAA incident? With the right tool, you can get in and stay in compliance. With our Online HIPAA Security Manager, practice owners can see if they are in compliance at any time. Don't wait until it is too late to get your staff the tool they need to protect your practice.
