Health Informa.on Technology Audits: "Meaningful Use" and HIPAA. January 23, 2015 Eli Poliakoff Gary Capps

Transcription

1 Health Informa.on Technology Audits: "Meaningful Use" and HIPAA January 23, 2015 Eli Poliakoff Gary Capps 1

2 HITECH - Related Audits Health Informa.on Technology for Economic and Clinical Health Act ("HITECH") of 2009 "Meaningful Use" Audits Ø Electronic Health Records Incen.ve Program HIPAA Compliance Audits 2

3 "Meaningful Use" Audits Meaningful Use of Electronic Health Records ("EHRs") EHR Incen.ve Program Ø $24 Billion Paid as of May 2014 Ø Eligible Professionals/Eligible Hospitals Ø Medicare/Medicaid Ø AQesta.on Process Figliozzi & Company Provider Resources Inc. SC DHHS Division of Audits

4 AQesta.on I certify that the foregoing information is true, accurate and complete. I understand that the Medicare EHR Incentive Program payment I requested will be paid from Federal funds, that by filing this attestation I am submitting a claim for Federal funds, and that the use of any false claims, statements or documents, or the concealment of a material fact used to obtain a Medicare EHR Incentive Program payment, may be prosecuted under applicable Federal or State criminal laws and may also be subject to civil penalties. It is mandatory that you tell us if you believe you have been overpaid under the Medicare EHR Incentive Program. The Patient Protection and Affordable Care Act, Section 6402, Section 1128J, provides penalties for withholding this information. 4

5 5

6 Audit Process 5% - 10% Subject to Audit Pre- Payment or Post- Payment Six Years Following AQesta.on Random vs. Targeted Common Areas of Focus Appeal Process Ø Provider Resources Inc. SC DHHS Division of Audits

7 Medicare Audit Program Results As of September 2014: Eligible Professionals Ø About 10,000 Audits Ø 23% Failure Rate Ø Average Recoupment: $17,000 Eligible Hospitals Ø About 650 Audits Ø 5% Failure Rate Ø Average Recoupment: $1.1 million 7

8 Tips/Sugges.ons Respond Quickly; Request Extension Maintain Updated Contact Informa.on Retain Suppor.ng Documenta.on Retain/Document Source Data Document Exclusions Vendor Contract Provisions Ø Cer.fica.on Ø Disclosure Ø Technical Capabili.es Security Risk Analysis Ø HIPAA Review Implica.ons 8

9 HIPAA Audits Sec.on of the HITECH Act requires the U.S. Department of Health and Human Services (HHS) to provide for periodic audits to ensure covered en..es and business associates are complying with the HIPAA Privacy and Security Rules and the Breach No.fica.on standards. 9

10 Pilot Program In 2011, HHS Office for Civil Rights (OCR) established a pilot audit program to assess the controls and processes covered en..es have implemented to comply with them. OCR engaged KPMG to conduct the audits. The audit program analyzed processes, controls, and policies of selected covered en..es pursuant to the HITECH Act audit mandate. 115 total audits 47 health plans 61 health care providers 7 health care clearinghouses 10

11 Pilot Program Pilot Audit Program results findings and observa.ons of noncompliance 293 privacy 593 security 94 breach no.fica.on 60% of findings and observa.ons related to security rule deficiencies two- thirds of the en..es audited did not have a complete and accurate risk assessment. Smaller en..es had the most difficulty and struggled with all three areas. Most common cause for noncompliance in findings and observa.ons: En#ty unaware of requirement 11

12 Audit Protocol Through the pilot audit program, OCR established a comprehensive audit protocol that contains the requirements to be assessed through these performance audits. 12

13 Audit Protocol The audit protocol covers Privacy Rule requirements for the following: no.ce of privacy prac.ces for PHI; rights to request privacy protec.on for PHI; access of individuals to PHI; administra.ve requirements; uses and disclosures of PHI; amendment of PHI; and accoun.ng of disclosures. The protocol also covers Security Rule requirements for administra.ve, physical, and technical safeguards and the requirements for the Breach No.fica.on Rule. 13

14 Phase 2 Audits In a February 24, 2014 no.ce in the Federal Register, OCR announced its plan to survey 1200 covered en..es and business associates. OCR ini.ally announced that Phase 2 audits would begin in the fall of However, OCR officials have recently stated that the agency is not yet ready to announce the dates of the Phase 2 HIPAA audits. According to these officials, the delay is due to issues with building an online portal that will facilitate submission of documents to the agency. 14

15 What to Expect Audits will be preceded by pre- audit surveys Business associates will now be included Both desk audits and on- site audits Focus on risk areas iden.fied in pilot audits Risk assessments Requirements for access to PHI No.ce of privacy prac.ces Timing and content of breach no.fica.ons 15

16 Contacts Eli Poliakoff (843) Gary Capps (803)