Health Information Technology Audits: "Meaningful Use" and HIPAA. January 23, 2015. Eli Poliakoff, Gary Capps


HITECH-Related Audits
- Health Information Technology for Economic and Clinical Health Act ("HITECH") of 2009
- "Meaningful Use" Audits
  - Electronic Health Records Incentive Program
- HIPAA Compliance Audits

"Meaningful Use" Audits
- Meaningful Use of Electronic Health Records ("EHRs")
- EHR Incentive Program
  - $24 Billion Paid as of May 2014
  - Eligible Professionals/Eligible Hospitals
  - Medicare/Medicaid
  - Attestation Process
- Figliozzi & Company
- Provider Resources Inc.
- SC DHHS Division of Audits

Attestation
I certify that the foregoing information is true, accurate and complete. I understand that the Medicare EHR Incentive Program payment I requested will be paid from Federal funds, that by filing this attestation I am submitting a claim for Federal funds, and that the use of any false claims, statements or documents, or the concealment of a material fact used to obtain a Medicare EHR Incentive Program payment, may be prosecuted under applicable Federal or State criminal laws and may also be subject to civil penalties. It is mandatory that you tell us if you believe you have been overpaid under the Medicare EHR Incentive Program. The Patient Protection and Affordable Care Act, Section 6402, Section 1128J, provides penalties for withholding this information.


Audit Process
- 5% - 10% Subject to Audit
- Pre-Payment or Post-Payment
- Six Years Following Attestation
- Random vs. Targeted
- Common Areas of Focus
- Appeal Process
  - Provider Resources Inc.
- SC DHHS Division of Audits

Medicare Audit Program Results
As of September 2014:
- Eligible Professionals
  - About 10,000 Audits
  - 23% Failure Rate
  - Average Recoupment: $17,000
- Eligible Hospitals
  - About 650 Audits
  - 5% Failure Rate
  - Average Recoupment: $1.1 million

Tips/Suggestions
- Respond Quickly; Request Extension
- Maintain Updated Contact Information
- Retain Supporting Documentation
- Retain/Document Source Data
- Document Exclusions
- Vendor Contract Provisions
  - Certification
  - Disclosure
  - Technical Capabilities
- Security Risk Analysis
  - HIPAA Review Implications

HIPAA Audits
Section 13411 of the HITECH Act requires the U.S. Department of Health and Human Services (HHS) to provide for periodic audits to ensure covered entities and business associates are complying with the HIPAA Privacy and Security Rules and the Breach Notification standards.

Pilot Program
In 2011, HHS Office for Civil Rights (OCR) established a pilot audit program to assess the controls and processes covered entities have implemented to comply with them. OCR engaged KPMG to conduct the audits. The audit program analyzed processes, controls, and policies of selected covered entities pursuant to the HITECH Act audit mandate.
- 115 total audits
  - 47 health plans
  - 61 health care providers
  - 7 health care clearinghouses

Pilot Program
Pilot Audit Program results:
- 980 findings and observations of noncompliance
  - 293 privacy
  - 593 security
  - 94 breach notification
- 60% of findings and observations related to security rule deficiencies
- Two-thirds of the entities audited did not have a complete and accurate risk assessment.
- Smaller entities had the most difficulty and struggled with all three areas.
- Most common cause for noncompliance in findings and observations: Entity unaware of requirement

Audit Protocol
Through the pilot audit program, OCR established a comprehensive audit protocol that contains the requirements to be assessed through these performance audits.

Audit Protocol
The audit protocol covers Privacy Rule requirements for the following: notice of privacy practices for PHI; rights to request privacy protection for PHI; access of individuals to PHI; administrative requirements; uses and disclosures of PHI; amendment of PHI; and accounting of disclosures. The protocol also covers Security Rule requirements for administrative, physical, and technical safeguards and the requirements for the Breach Notification Rule.

Phase 2 Audits
In a February 24, 2014 notice in the Federal Register, OCR announced its plan to survey 1200 covered entities and business associates. OCR initially announced that Phase 2 audits would begin in the fall of 2014. However, OCR officials have recently stated that the agency is not yet ready to announce the dates of the Phase 2 HIPAA audits. According to these officials, the delay is due to issues with building an online portal that will facilitate submission of documents to the agency.

What to Expect
- Audits will be preceded by pre-audit surveys
- Business associates will now be included
- Both desk audits and on-site audits
- Focus on risk areas identified in pilot audits
- Risk assessments
- Requirements for access to PHI
- Notice of privacy practices
- Timing and content of breach notifications

Contacts
- Eli Poliakoff, eli.poliakoff@nelsonmullins.com, (843) 534-4122
- Gary Capps, gary.capps@nelsonmullins.com, (803) 255-9551