Meaningful Use Audit Red Flags: Pay Careful Attention To The Security Risk Analysis - Or Else
Jim Tate. Founder: EMR Advocate, Inc.; Managing Partner: HITECH Answers; Author of The Incentive Roadmap The Meaningful Use of Certified EHR Technology; Certified Technology direct involvement in over 250 EHR certification projects; Subject Matter Expert to RECs and Law Firms on MU & Audits; Specialist in Meaningful Use Audits/Appeals & Mock Audits
Audit Basics CMS, and its contractors, will perform audits on Medicare and dually-eligible Medicare/Medicaid providers. States, and their contractors, will perform audits on Medicaid providers. CMS and states will also manage appeals processes.
Who Gets the Audit? As of April 2014 over 4,700 unique EHs/CAHs have received CMS EHR incentives. Medicare only: 270 ($561,000,000+); Medicaid only: 156 ($335,000,000+); Dually eligible: 4,301 ($13,607,000,000+). CMS states the aim is to audit 5%+.
What Generates the Audit? Random; Risk profile - suspicious data; Successive audits based on history; Reach back; Whistleblowers
The Audit Process: Emailed letter of audit engagement; Request for documentation; Response and request; Final Determination
Audit The Letter Email from Figliozzi & Company from a CMS email address to the email address provided during registration for the EHR Incentive Program. - or - Email from CMS EHR Meaningful Use Audit Team
Audit The Letter This letter is to inform you that you have been selected by CMS for an audit of your meaningful use of certified EHR technology for the attestation period. Attached to this letter is an information request list. Be aware that this list may not be all-inclusive and that we may request additional information necessary to complete the audit. - or - Limited audit: proof of Certified EHR
Documentation Request As proof of use of a Certified Electronic Health Record Technology system, provide a copy of your licensing agreement with the vendor or invoices. Please ensure that the licensing agreements or invoices identify the vendor, product name and product version number of the Certified Electronic Health Record Technology system utilized during your attestation period. If the version number is not present on the invoice/contract, please supply a letter from your vendor attesting to the version number used during your attestation period.
Documentation Request Provide the documentation to support the method (Observation Services or All ED Visits) chosen to report Emergency Department (ED) admissions designating how patients admitted to the ED were included in the denominators of certain meaningful use core and menu measures (i.e. an explanation of how the ED admissions were calculated and a summary of ED admissions).
Documentation Request For Core Measures #1, 3, 4, 5, 6, 7, 8, 11, & 12, provide the supporting documentation (in either paper or electronic format) used in the completion of the Attestation Module responses (i.e. a report from your EHR system that ties to your attestation). Please note: If you are providing a summary report from your EHR system as support for your numerators/denominators, please ensure that we can identify that the report has actually been generated by your EHR (i.e. your EHR logo is displayed on the report, or step by step screenshots which demonstrate how the report is generated by your EHR are provided.)
Documentation Request Protect Electronic Health Information: Provide proof that a security risk analysis of the Certified EHR Technology was performed prior to the end of the reporting period (i.e. report which documents the procedures performed during the analysis and the results of the analysis). If deficiencies are identified in this analysis, please supply the implementation plan; this plan should include the completion dates.
Documentation Request If attested to Menu Set Measures #2, 3, 5, 6, or 7, provide the supporting documentation (in either paper or electronic format) used in the completion of the Attestation Module responses (i.e. a report from your EHR system that ties to your attestation). Please note: If you are providing a summary report from your EHR system as support for your numerators/denominators, please ensure that we can identify that the report has actually been generated by your EHR (i.e. your EHR logo is displayed on the report, or step by step screenshots which demonstrate how the report is generated by your EHR are provided.) If attested to Y/N Menu Set Measures #4, 8, 9, or 10, please supply supporting documentation.
Security Risk Analysis for MU Objective: Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities. Measure: Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process. Exclusion: No exclusion.
Security Risk Analysis for MU Conducting a security risk analysis is required when certified EHR technology is adopted in the first reporting year. In subsequent reporting years, or when changes to the practice or electronic systems occur, a review must be conducted. Any security updates and deficiencies that are identified in the review should be included in the provider's risk management process and implemented or corrected as indicated by that process. CMS
Security Risk Analysis for MU There is no single method or best practice that guarantees compliance, but most risk analysis and risk management processes have steps in common. Here are some considerations as you conduct your risk analysis: Review the existing security infrastructure in your hospital against legal requirements and industry best practices; Identify potential threats to patient privacy and security and assess the impact on the confidentiality, integrity and availability of e-PHI; Prioritize risks based on the severity of their impact. CMS
Security Risk Analysis for MU Question: Do the auditors use a checklist when the SRA is reviewed? The key for us is the security risk assessment encompasses the EHR system and that it is a review either performed by the EH or a consultant. Given the vast spectrum of security risk assessments we have seen, it would be hard to put together a checklist to be used. We review each one on an individual basis and at times have meetings with the staff and point out why the particular assessment meets the criteria or why it does not. Of course, there are a great deal of assessments that fall into that gray zone of, is this really an assessment or is it just policies or checklists?
Final Determination Good We performed a desk review on your facility's meaningful use attestation for the Program Year 2011 and Payment Year 1. Based on our desk review of the supporting documentation furnished by the facility, we have determined that Hospital XYZ has met the meaningful use criteria.
Final Determination Bad We performed a desk review on your facility's meaningful use attestation for the Program Year 2011 and Payment Year 1. Based on our desk review of the supporting documentation furnished by the facility, we have determined that Hospital XYZ has not met the meaningful use criteria, for the following reasons: Failed Eligible Hospital Meaningful Use Core Measure X. Since your facility did not meet the meaningful use criteria, the incentive payment will be recouped. You will receive a demand for your total Medicare EHR incentive payment shortly from the EHR HITECH Incentive Payment Center.
The Demand Letter The purpose of this letter is to inform you that a Meaningful Use Audit determined a HITECH incentive overpayment in the amount of $X,XXX,XXX... to be repaid to our office in full. Full refund within 30 days... interest begins on 31st day... referred to Department of Treasury on 61st day.
Appeals CMS handles the appeal process for EPs, EHRs, and CAHs in the Medicare and dually eligible hospitals. States are responsible for appeals related to the Medicaid EHR Incentives.
Appeals: Filed electronically; More flexibility than at the audit level; Less communication than during audit; Timeline of appeal process; Only failed MU measures addressed
Best Practices for Audits & Appeals: Have response plan in place; Full documentation available; Watch the deadlines; Look to vendor for support; Mock audit
Mock Audits Best Practices The mock audit should never be conducted by the same individuals that were involved in the incentive attestation. The team performing the mock audit must be extremely knowledgeable in all aspects of the foundational elements of the CMS EHR Incentive programs. The mock audit should follow as closely as possible the documentation requests and process utilized by the CMS Medicare audit contractors, Figliozzi & Company.
Jim Tate President, EMR Advocate, Inc. 828.691.3239 jimtate@emradvocate.com