MEANINGFUL USE DESK AUDIT
October 2015
Protect Electronic Health Information
HIPAA Risk Management
1680 E. Joyce Blvd, Fayetteville, AR
(800)
Copyright 2015 by HRM Services, Inc. All rights reserved.
PROTECT ELECTRONIC HEALTH INFORMATION

FOREWORD

Don't wait until you've received an audit notice: prepare your audit documentation before you complete your attestation. Not only is it easier to make sure that you have everything documented, you will also be prepared if you get selected for a pre-payment audit. The pre-payment audits require you to pass the desk audit before you receive your incentive payment [1].

This audit guide is intended to help you identify what information should be documented and how it should be documented for Meaningful Use attestation for the Protect Electronic Health Information Objective.

Remember: one in 20 providers will likely be subject to a meaningful use desk audit [2], and 1 in 4 of those audited fail the audit. The most common reason for failing an audit is insufficient documentation for HIPAA: the Protect Electronic Health Information Objective. We hope that the information presented will help you avoid a delay in, or forfeiture of, your incentive payment.

This guide is provided as-is, with no warranty or implied liability, and does not imply a guarantee of meaningful use incentive or a successful meaningful use audit. While our team has included helpful tips for the documentation process based on hands-on experience assisting clients with preparing desk audit documentation, nothing in this guide is intended as legal advice.

If you have any questions about the information presented, please feel free to contact us. We can be reached at (800)

Sincerely,
The HIPAA Risk Management Team

[1] Guidance/Legislation/EHRIncentivePrograms/Downloads/EHR_Audit_Overview_FactSheet.pdf
[2] Robert Anthony, Deputy Director of the Health IT Initiatives Group at CMS' Office of e-health Standards and Services
MEANINGFUL USE DESK AUDIT OVERVIEW

Process and Notification

Beginning in 2013, the Centers for Medicare and Medicaid Services (CMS) began pre-payment audits that included random audits, as well as audits that target suspicious or anomalous data. [3] States were also instructed to implement a similar audit process for incentive payments made under the Medicaid meaningful use program.

If you are selected for an audit for the Medicare incentive program, you will receive an initial request letter from the auditor. The request letter will be sent electronically from a CMS address and will include the audit contractor's contact information. To see an example of an audit notification letter, go to the CMS website: Guidance/Legislation/EHRIncentivePrograms/Downloads/SampleAuditLetter.pdf

For Medicaid incentive program audits, contact your State Medicaid Agency to find out how you will be notified and who will be conducting the audit.

Before sending any protected and sensitive information, verify that the audit notice is authentic and confirm the contact information for the audit documentation and response.

Instructions and Deadlines

The audit notice will include detailed instructions on what needs to be provided, documentation format, delivery of response, and response deadline. Make sure you do not miss the deadline specified in the notification.

If sending your documentation by mail, be sure to use a method that will provide you with confirmation and documentation of receipt. It is also a good idea to notify the auditor when you are sending your reply and to confirm receipt once the documentation has been delivered.

Always follow the auditor's instructions, and verify your response is complete and delivered on time.

[3] Guidance/Legislation/EHRIncentivePrograms/Downloads/EHR_SupportingDocumentation_Audits.pdf
Appeal Process

If you receive a desk audit decision that you believe is in error, you can appeal the decision. Medicare eligible professionals (EPs) should file appeals with CMS, while Medicaid eligible professionals should contact their State Medicaid Agency for information about filing an appeal. [4]

To file an appeal with CMS, you must fill out the appeal request form and provide additional documentation related to the justification for the appeal.

Remember, CMS will not review appeal documentation for providers who failed to respond to the auditor's request for documentation, so make sure you have your audit documentation ready when you attest.
STEP ONE: CREATING AN AUDIT BINDER AND FILE

Creating a single location for all of your meaningful use documentation will make it easier to respond to a desk audit and allow you to verify that you have the necessary documentation for each objective. You don't have to keep it in a binder, but for the purposes of this guide, the single location for your audit documentation will be referred to as your audit binder.

You should also keep a digital copy of your audit documentation, which may include:

- Scanned or electronic copy of the audit binder documents
- Emails, including header information, from public health agencies for transmission objectives
- Backup of EHR data

Remember, if any of your audit documentation includes patient names, medical record numbers or other identifiable protected health information, you must comply with your HIPAA policies and procedures to protect that data from unauthorized access or disclosure, including encryption.

Documentation Requirements

All documentation should include the following:

- The date the report/file was created
- Practice/clinic name and provider name (if applicable) or Hospital name
- Start and end date of the report data
- Source of the data (such as system/application or external organization)

Multiple Systems

Some eligible professionals may practice at multiple locations or clinics, which may require reporting from multiple systems. Verify that you have documentation for all applicable systems and sources.
STEP TWO: REVIEWING THE OBJECTIVE

"Conduct or review a security risk analysis in accordance with the requirements under 45 CFR (a)(1), including addressing the encryption/security of data stored in CEHRT [Certified Electronic Health Record Technology] in accordance with requirements under 45 CFR (a)(2)(iv) and 45 CFR (d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the provider's risk management process"
- Meaningful Use Core Measure Stage 2: Protect Electronic Health Information

Do You Need a New Risk Analysis for this Reporting Period?

Unless you have an ongoing Risk Management Plan that includes assessment and monitoring of HIPAA security policies throughout the year, you may need to perform a Risk Analysis for the current reporting period. Also, you may need to perform a Risk Analysis if:

- You have not performed a Risk Analysis since upgrading to the certified electronic health record system for Stage 2
- You have not documented your analysis of all data at rest (encryption) as part of your Risk Analysis
- You do not have a Compliance Analysis that documents your compliance with each of the standards and implementation specifications in the HIPAA Security Rule as part of your Risk Analysis
- You do not have a Threat Analysis that documents the Likelihood, Impact, and Risk from natural, human, and environmental threats such as lost/stolen device, malware (computer virus), etc., as part of your Risk Analysis

Common Misconception: Risk Analysis for Meaningful Use Only Needs to Cover your CEHRT data

FALSE. The objective states that your risk analysis must include data created by your CEHRT, not that the risk analysis is limited to this data. "In accordance with the requirements" means that you must perform a full HIPAA Risk Analysis.

Is the Risk Assessment from my EHR Vendor Enough?

NO. A Risk Assessment is only part of what is required for a HIPAA Risk Analysis. In addition to a comprehensive assessment and review of your information systems and the security measures currently in place, your HIPAA Risk Analysis must also include a Compliance Analysis and Threat Analysis.

COMPLIANCE ANALYSIS

In order to meet the requirements of the objective for correcting deficiencies, your Risk Analysis must include each standard and implementation specification in the HIPAA Security Rule and your compliance status for each.
THREAT ANALYSIS

The guidance published by the Department of Health and Human Services for performing a risk analysis, Guidance on Risk Analysis Requirements under the HIPAA Security Rule, includes the following:

Vulnerability: Vulnerability is defined in NIST SP as "[a] flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system's security policy."

Threat: An adapted definition of threat, from NIST SP, is "[t]he potential for a person or thing to exercise (accidentally trigger or intentionally exploit) a specific vulnerability."

There are several types of threats that may occur within an information system or operating environment. Threats may be grouped into general categories such as natural, human, and environmental. Examples of common threats in each of these general categories include:

- Natural threats may include floods, earthquakes, tornadoes, and landslides.
- Human threats are enabled or caused by humans and may include intentional (e.g., network and computer based attacks, malicious software upload, and unauthorized access to EPHI) or unintentional (e.g., inadvertent data entry or deletion and inaccurate data entry) actions.
- Environmental threats may include power failures, pollution, chemicals, and liquid leakage.

For each of these threats, you must determine the:

- Likelihood of the threat occurrence
- Impact of the threat occurrence
- Level of Risk

If you don't have a Threat Analysis that includes the Likelihood, Impact, and Risk Level of specific threats, such as lost/stolen device or malware (computer virus), you do not have a complete Risk Analysis.
ADDRESSING ENCRYPTION/DATA STORED IN CEHRT FOR STAGE 2

Within your Risk Analysis and Threat Analysis, you must identify where all data that is created, maintained, or transmitted by your CEHRT is stored throughout your organization. This may include computers, mobile devices, removable media, other information systems and applications (if integrated with other systems), and backup files.

Your CEHRT should provide you with a document concerning the encryption of the data created by your CEHRT, but you also need to assess your use of the system and data within your organization.

Addressing Deficiencies

If you are not in compliance with any required standards or implementation specifications or you plan to mitigate any high levels of risk, you must have a corrective action plan in place before the end of your reporting period. Your Corrective Action Plan, which may be part of your implementation plan, should include the following:

- Specific security measure (or task to implement measure)
- Person/department assigned to perform
- Date security measure (or task to implement measure) was assigned
- Person who implemented or verified security measure (if completed)
- Date/time security measure was implemented/completed (if completed)

Risk Management

All covered entities are required to have an ongoing risk management process, usually called a Risk Management Plan. The Risk Management Plan will include periodic tasks that are performed to ensure your policies and procedures are being followed, such as verifying that all computers have the latest operating system security update installed.

HRM's Online HIPAA Security Manager

Is your process incomplete? Do you have the documentation you need for Meaningful Use? We can help! Contact us today to find out how our Online HIPAA Security Manager (OHSM) can provide a comprehensive HIPAA Security Compliance Program for as low as $199 a month. You can cancel at any time, and we offer a 30-day money back guarantee. All of the documentation described in the Protect Electronic Health Information/HIPAA Security objective section can be generated in a few clicks.

YOU CAN'T COMPLETE YOUR HIPAA PROGRAM FOR MEANINGFUL USE IN A FEW DAYS. YOU MUST GET STARTED TODAY IN ORDER TO COMPLETE THE OBJECTIVE BEFORE THE DECEMBER 31, 2015 DEADLINE.
STEP THREE: GATHERING DOCUMENTATION

Always follow the instructions from the audit request for providing documentation for your meaningful use objectives.

Risk Analysis

You may not want to submit your entire Risk Analysis Report, unless specifically requested to do so. Your Risk Analysis may include confidential information about your information systems, security, and practice.

If your Risk Analysis was performed by a 3rd party, request a Risk Analysis executive summary report that includes the following:

- Covered entity for which the Risk Analysis was performed
- Date Risk Analysis was performed
- Organization and/or person performing the Risk Analysis, including specific credentials or experience to perform a Risk Analysis
- Methodology used to perform the Risk Analysis, such as NIST SP Guide for Implementing HIPAA
- Summary of how you are addressing encryption/data stored in CEHRT
- Compliance status (meets/does not meet) of all standards and implementation specifications or a Compliance Summary
- Likelihood, impact and risk of threats analyzed or a Threat Summary

If you performed your Risk Analysis, create the Risk Analysis executive summary including all of the information noted above as well as the specific toolkit or other resource used to perform the Risk Analysis.

In many cases, auditors will request the details mentioned above instead of the entirety of your Risk Analysis documentation.

Addressing Deficiencies

You may not want to submit your entire Corrective Action Plan, unless specifically requested to do so, as it may include confidential information about your information systems, security, and practice. For your audit documentation, create a Corrective Action Plan Summary that includes:

- Name of the HIPAA Security Officer
- Date plan was approved by the HIPAA Security Officer
- Security Measure Summary (what security measures are to be implemented)
- Estimated date the corrective action will be completed

In many cases, auditors will request the details mentioned above instead of the entirety of your Corrective Action Plan documentation.
Risk Management

You may not wish to submit your entire Risk Management Plan, unless specifically requested to do so. For your audit documentation, create a Risk Management Plan Summary that includes:

- Name of the HIPAA Security Officer
- Date plan was approved by the HIPAA Security Officer
- List of policies verified by the Risk Management Plan
ONLINE HIPAA SECURITY MANAGER

GET IN AND STAY IN COMPLIANCE. HIPAA SECURITY COMPLIANCE MADE SIMPLE

- Risk Analysis: COMPREHENSIVE RISK ANALYSIS
- Policies & Procedures: CUSTOMIZED TO YOUR PRACTICE, NOT TEMPLATES
- Ongoing Management: MONITORING AND AUDITING HIPAA COMPLIANCE
- Documentation: HIPAA ACTIVITIES DOCUMENTED WITH A FEW CLICKS (MEANINGFUL USE)
- Training: ONLINE HIPAA SECURITY TRAINING FOR STAFF
- Experts: HIPAA SECURITY EXPERTS READY TO HELP

Without expert help and tools to manage your HIPAA security compliance, how many staff hours would it take to document your compliance and respond to a HIPAA incident? With the right tool, you can get in and stay in compliance. With our Online HIPAA Security Manager, practice owners can see if they are in compliance at any time. Don't wait until it is too late to get your staff the tool they need to protect your practice.
More informationHIPAA Security. 4 Security Standards: Technical Safeguards. Security Topics
HIPAA Security S E R I E S Security Topics 1. Security 101 for Covered Entities 2. Security Standards - Administrative Safeguards 3. Security Standards - Physical Safeguards 4. Security Standards - Technical
More information12/19/2014. HIPAA More Important Than You Realize. Administrative Simplification Privacy Rule Security Rule
HIPAA More Important Than You Realize J. Ira Bedenbaugh Consulting Shareholder February 20, 2015 This material was used by Elliott Davis Decosimo during an oral presentation; it is not a complete record
More informationEvaluation Report. Office of Inspector General
Evaluation Report OIG-08-035 INFORMATION TECHNOLOGY: Network Security at the Office of the Comptroller of the Currency Needs Improvement June 03, 2008 Office of Inspector General Department of the Treasury
More information2016 OCR AUDIT E-BOOK
!! 2016 OCR AUDIT E-BOOK About BlueOrange Compliance: We specialize in healthcare information privacy and security solutions. We understand that each organization is busy running its business and that
More informationEmpowering Nurses & Building Trust Through Health IT
Empowering Nurses & Building Trust Through Health IT Helen Caton-Peters, MSN, RN Health Information Privacy & Security Specialist Office of the National Coordinator for Health Information Technology 2
More informationNationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011
Nationwide Review of CMS s HIPAA Oversight Brian C. Johnson, CPA, CISA Wednesday, January 19, 2011 1 WHAT I DO Manage Region IV IT Audit and Advance Audit Technique Staff (AATS) IT Audit consists of 8
More informationHIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics
HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 5. 2. Security Standards - Organizational, Security Policies Standards & Procedures, - Administrative and Documentation Safeguards
More informationHIPAA COMPLIANCE PLAN FOR 2013
HIPAA COMPLIANCE PLAN FOR 2013 Welcome! Presentor is Rebecca Morehead, Practice Manager Strategist www.practicemanagersolutions.com Meaningful Use? As a way to encourage hospitals and providers to adopt
More informationWhen HHS Calls, Will Your Plan Be HIPAA Compliant?
When HHS Calls, Will Your Plan Be HIPAA Compliant? Petula Workman, J.D., CEBS Division Vice President Compliance Counsel Gallagher Benefit Services, Inc., Sugar Land, Texas The opinions expressed in this
More informationOverview of the HIPAA Security Rule
Office of the Secretary Office for Civil Rights () Overview of the HIPAA Security Rule Office for Civil Rights Region IX Alicia Cornish, EOS Sheila Fischer, Supervisory EOS Topics Upon completion of this
More informationHIPAA Security Rule Changes and Impacts
HIPAA Security Rule Changes and Impacts Susan A. Miller, JD Tony Brooks, CISA, CRISC HIPAA in a HITECH WORLD American Health Lawyers Association March 22, 2013 Baltimore, MD Agenda I. Introduction II.
More informationNIST National Institute of Standards and Technology
NIST National Institute of Standards and Technology Lets look at SP800-30 Risk Management Guide for Information Technology Systems (September 2012) What follows are the NIST SP800-30 slides, which are
More informationCyber Security An Exercise in Predicting the Future
Cyber Security An Exercise in Predicting the Future Paul Douglas, August 25, 2014 AUDIT & ACCOUNTING + CONSULTING + TAX SERVICES + TECHNOLOGY I www.pncpa.com I www.pntech.net What is Cyber Security? Measures
More informationHIPAA Security. 1 Security 101 for Covered Entities. Security Topics
HIPAA SERIES Topics 1. 101 for Covered Entities 2. Standards - Administrative Safeguards 3. Standards - Physical Safeguards 4. Standards - Technical Safeguards 5. Standards - Organizational, Policies &
More informationMedicaid EHR Incentive Program. Focus on Stage 2. Kim Davis-Allen, Outreach Coordinator Kim.davis@ahca.myflorida.com
Medicaid EHR Incentive Program Focus on Stage 2 Kim Davis-Allen, Outreach Coordinator Kim.davis@ahca.myflorida.com Understanding Participation Program Year Program Year January 1 st - December 31st. Year
More informationHIPAA and HITECH Compliance for Cloud Applications
What Is HIPAA? The healthcare industry is rapidly moving towards increasing use of electronic information systems - including public and private cloud services - to provide electronic protected health
More informationNJ-HITEC PARTICIPATION AGREEMENT FOR MEDICAID SPECIALISTS
NJ-HITEC PARTICIPATION AGREEMENT FOR MEDICAID SPECIALISTS The undersigned practice (the Practice ) and participating providers (each, a Provider, and collectively, Providers ) presently intend to become
More informationDeveloping HIPAA Security Compliance. Trish Lugtu CPHIMS, CHP, CHSS Health IT Consultant
Developing HIPAA Security Compliance Trish Lugtu CPHIMS, CHP, CHSS Health IT Consultant Learning Objectives Identify elements of a HIPAA Security compliance program Learn the HIPAA Security Rule basics
More informationensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster
Security Standards Symantec shall maintain administrative, technical, and physical safeguards for the Symantec Network designed to (i) protect the security and integrity of the Symantec Network, and (ii)
More informationMeaningful Use Preparedness 07/24/2015
Meaningful Use Preparedness HEALTHCARE FINANCIAL MANAGEMENT ASSOCIATION 07/24/2015 Agenda Incentive Payments Measures Tracking Physicians Tracking Payment Audits EHR Incentive Program Meaningful Use The
More informationB. For example, a health system could own a hospital, medical groups and DME supplier and designate them as an ACE.
Kimberly Short Kirk and Brad Rostolsky I. HIPAA Implications of Physician-Hospital Integration As physicians and hospitals become increasing integrated, regulatory compliance is a key consideration. The
More informationParticipation Agreement Medicaid Provider Program
Participation Agreement Medicaid Provider Program PLEASE FAX THE FOLLOWING PAGES #4, #7, #8, #14, #15 211 Warren Street Newark, NJ 07103 PHONE: 973-642-4777 FAX: 973-645-0457 E-mail: info@njhitec.org www.njhitec.org
More informationData Management & Protection: Common Definitions
Data Management & Protection: Common Definitions Document Version: 5.5 Effective Date: April 4, 2007 Original Issue Date: April 4, 2007 Most Recent Revision Date: November 29, 2011 Responsible: Alan Levy,
More informationUNIVERSITY OF MAINE SYSTEM STANDARDS FOR SAFEGUARDING INFORMATION ATTACHMENT C
UNIVERSITY OF MAINE SYSTEM STANDARDS FOR SAFEGUARDING INFORMATION ATTACHMENT C This Attachment addresses the Contractor s responsibility for safeguarding Compliant Data and Business Sensitive Information
More informationEligible Professional s Checklist 2015 Modified Stage 2 Meaningful Use
This checklist provides a look into Ohio s Medicaid Provider Incentive Program (MPIP) system for eligible professionals and may be used as a guide to help eligible professionals gather information that
More informationEHR Incentive Programs Supporting Documentation For Audits Last Updated: February 2013
Overview EHR Incentive Programs Supporting Documentation For Audits Last Updated: February 2013 Providers who receive an EHR incentive payment for either the Medicare or Medicaid EHR Incentive Program
More informationHIPAA Secure Now! How MSPs Can Profit From Selling HIPAA security services
HIPAA Secure Now! How MSPs Can Profit From Selling HIPAA security services How MSPs can profit from selling HIPAA security services Managed Service Providers (MSP) can use the Health Insurance Portability
More informationMinnesota EHR Incentive Program
Minnesota EHR Incentive Program Meaningful Use in Minnesota: Changes in the Medicaid EHR Incentive Program Landscape June 2016 Today s Speaker Dean Ewald MN EHR incentive program (MEIP) Team Lead Government
More informationArt Gross President & CEO HIPAA Secure Now! How to Prepare for the 2015 HIPAA Audits and Avoid Data Breaches
Art Gross President & CEO HIPAA Secure Now! How to Prepare for the 2015 HIPAA Audits and Avoid Data Breaches Speakers Phillip Long CEO at Business Information Solutions Art Gross President & CEO of HIPAA
More informationDon t Panic! Surviving a Meaningful Use Audit October, 2014
Don t Panic! Surviving a Meaningful Use Audit October, 2014 Angie Falletti, RN, PMP Senior Consultant, Encore, A Quintiles Company DISCLAIMER: The views and opinions expressed in this presentation are
More informationIT Security Incident Management Policies and Practices
IT Security Incident Management Policies and Practices Information Technology Services Center (ITSC) of The Hong Kong University of Science and Technology Date: Feb 6, 2015 i Document Control Document
More informationHIPAA Information Security Overview
HIPAA Information Security Overview Security Overview HIPAA Security Regulations establish safeguards for protected health information (PHI) in electronic format. The security rules apply to PHI that is
More informationCYBERSECURITY TESTING & CERTIFICATION SERVICE TERMS
CYBERSECURITY TESTING & CERTIFICATION SERVICE TERMS These Cybersecurity Testing and Certification Service Terms ( Service Terms ) shall govern the provision of cybersecurity testing and certification services
More informationAn Independent Member of Baker Tilly International
Healthcare Security and Compliance July 23, 2015 Presenters Kelley Miller, CISA, CISM - Principal Kelley.Miller@mcmcpa.com Barbie Thomas, MBA, CHC Barbie.Thomas@mcmcpa.com 2 Agenda Introductions Cybersecurity
More informationHealthcare Management Service Organization Accreditation Program (MSOAP)
ELECTRONIC HEALTHCARE NETWORK ACCREDITATION COMMISSION (EHNAC) Healthcare Management Service Organization Accreditation Program (MSOAP) For The HEALTHCARE INDUSTRY Version 1.0 Released: January 2011 Lee
More informationLaptops, Tablets, Smartphones and HIPAA: An Action Plan to Protect your Practice
Laptops, Tablets, Smartphones and HIPAA: An Action Plan to Protect your Practice Agenda Learning objectives for this session Fundamentals of Mobile device use and correlation to HIPAA compliance HIPAA
More informationLessons Learned from Recent HIPAA and Big Data Breaches. Briar Andresen Katie Ilten Ann Ladd
Lessons Learned from Recent HIPAA and Big Data Breaches Briar Andresen Katie Ilten Ann Ladd Recent health care breaches Breach reports to OCR as of February 2015 1,144 breaches involving 500 or more individual
More information