Preparing for HIPAA and Meaningful Use Compliance Audits


Presented by: David Holtzman, VP of Compliance, CynergisTek
CynergisTek, Inc., 11410 Jollyville Road, Suite 2201, Austin TX 78759, 512.402.8550, info@cynergistek.com, cynergistek.com, @CynergisTek

Today's Presenter: David Holtzman, CynergisTek, Inc.
Vice President of Compliance Services, CynergisTek, Inc.
Subject matter expert in health information privacy policy and compliance issues involving the HIPAA Privacy, Security and Breach Notification Rules
Over 12 years of experience in developing, implementing and evaluating health information privacy and security compliance programs
Former senior advisor for health information technology and the HIPAA Security Rule, Office for Civil Rights

Agenda
What to Expect in the OCR Audit Program
CMS Meaningful Use Audits
OIG Meaningful Use Audits
HIPAA Security Risk Analysis
Tools and Resources
Questions

OCR HIPAA Audit Program

OCR HIPAA Audit Program
Permanent audit program slated to begin in 2015
Pre-audit survey to pre-screen 1200 entities
~200 Covered Entities to be selected for desk audits
An equal number or fewer BAs selected for desk audits
A greater number of on-site audits, but no specific number given yet
Implementing technology to facilitate the data collection phases of the audit process
Carried out by HHS personnel with contractor support

The Audit Steps
1. Pre-Audit Survey
2. Notification and data request to selected entities
3. Desk review and draft findings to entity
4. Entity provides management review
5. Final Report

Desk Audit Expectations
Data request will specify content and other electronic document submission requirements
Only documentation submitted on time is reviewed
All documentation must be current as of the date of the request
Auditors will not be able to contact the entity for clarifications or ask for additional information
Critical that documentation accurately reflects the program
Submission of extraneous information increases difficulty for the auditor in finding/assessing required items
Failure to submit responses leads to a compliance review

Scope of OCR Desk Audits
2015 Desk Audits of Covered Entities
  Security: Risk Analysis and risk management
  Breach: Content and timeliness of breach notifications
  Privacy: Notice of Privacy Practices and Access
2015 Desk Audits of Business Associates
  Security: Risk Analysis and risk management
  Breach: Breach reporting to covered entities
2015-16 On-site Comprehensive Audits
  Covered entities
  Business associates

Scope of OCR Onsite Audits
Security
  Device and media controls
  Transmission security
  Encryption of data at rest
  Facility access controls
Privacy
  Administrative and physical safeguards
  Workforce training on HIPAA policies & procedures
Other Areas
  High risk areas identified through: 2015 audits; breach reports submitted to OCR; consumer complaints

Meaningful Use Attestation Audits

Meaningful Use Program Basics
Medicare and Medicaid Electronic Health Record (EHR) Incentive Programs
Program established by the American Recovery and Reinvestment Act of 2009
Provides incentive payments to certain eligible professionals (EPs), eligible hospitals (EHs), and critical access hospitals that adopt, implement, upgrade or demonstrate meaningful use of certified EHR technology
Payments began in 2011 and continue through 2016 (Medicare) or 2021 (Medicaid)
Over $28 Billion paid out since 2011

CMS MU Audits
Any provider attesting to receive EHR incentive payments for either the Medicare or Medicaid program may be subject to audits.
Medicaid audits are performed by each state.
Medicare audits are performed by Figliozzi & Company.

MU Audit Process
Audit Approach:
The appropriate letter and documentation request is sent to the individual who attested for the organization (the letter is specific to whether it is an Eligible Provider or Eligible Hospital engagement).
The client has 10 business days to provide the requested documentation electronically.
The auditor reviews the documentation and determines if additional information is needed (this is the primary review step). Additional requests will be provided via email as necessary.
If the documentation is deemed insufficient to support the attestation, or other data anomalies exist, an on-site visit/exam is scheduled.

MU Desk Audit Documentation
The source documentation utilized during the attestation process
Copy of the certification from ONC-CHPL for the EHR application (http://oncchpl.force.com/ehrcert)
Documentation to support the methodology chosen for achieving measures (e.g. observation services or all emergency department visits)
The numerators and denominators for each measure

MU Desk Audit Documentation (cont'd)
The time period the reports cover
Risk analysis and remediation plans for deficiencies
Summary level reports for measures
Screenshots or other evidence to support any measures that require a YES answer
Evidence to support that the source information was generated for that eligible professional or eligible hospital

MU Onsite Audit Scope
Detailed reviews of any of the measures via:
  Walk-throughs of structured data and functionality in EHRs
  Walk-throughs of test patients and scenarios
  Review of medical records and patient records
Detailed data to support summary reports
  Census reports
  Billing information
Validation of settings or additional detailed information to support reporting as deemed necessary
  Security screen settings
  Screen shots of test exchanges of clinical information
  Audit logs (date for when a feature was enabled, etc.)

Appeals
A determination by CMS that a provider or hospital has been denied an EHR incentive payment, has been determined to be ineligible for the program, or has received an audit decision believed to be in error can be appealed.
http://www.cms.gov/regulations-and-Guidance/Legislation/EHRIncentivePrograms/Appeals.html
A provision of the ACA provides that there is no right of due process for review of CMS determinations.

ACA Ups Ante on Exposure
Affordable Care Act of 2010 (ACA):
If a person has received an overpayment, the person shall report and return the overpayment to the Secretary, the State, an intermediary, a carrier, or a contractor as appropriate and provide notice of the reason for the overpayment.
Overpayments must be reported and returned within 60 days after the date on which the overpayment was identified.
Any overpayment retained by a person after the deadline for reporting and returning the overpayment is an obligation under the False Claims Act.

Post-Payment Audits of EPs
4601 Completed Audits
24% Failed to Meet MU Standards
99% of the failures did not meet MU objectives and measures
Average proposed returned incentive amount: $16,863 per provider
(CMS Data as of September 15, 2014)

Pre-Payment Audits of EPs
3820 Completed Audits
21.5% Failed Pre-payment Audit
7% of failures because CEHRT was not used
93% of failures did not meet MU objectives and measures
(CMS Data as of September 15, 2014)

Post-Payment Audits of EHs
613 Completed Post-Payment Audits
4.7% Failed Post-Payment Audits
Average proposed returned incentive payment: $1.13 million per hospital
$33 million total proposed EH returned incentive payments
(CMS Data as of September 15, 2014)

OIG Meaningful Use Audits

OIG Focus on Meaningful Use
OIG FY 2015 Workplan - Security of certified electronic health record technology
Perform audits of various covered entities receiving EHR incentive payments from CMS and their business associates, such as EHR cloud service providers, to determine whether they adequately protect electronic health information created or maintained by certified EHR technology
Engagements in each OIG region through the Office of Audit Services

Case Study in OIG Audit Process
Document Preparation
  18 areas in which documentation is requested prior to the onsite engagement
  Covers the prior year attestation period and more recent information
Audit Team Onsite Visit (2 weeks)
  Exit interview with preliminary Notification of Findings
  Opportunity for remediation that can be reflected in the final report
  Interviews with staff involved in IT Security
Draft report (about 3 months after onsite visit)
  Covered entity comment/response to findings
  Final report is shared with CMS and OCR
  Rollup report summarizing all provider audits is posted to the OIG website

OIG Audit Process Areas of Focus
Organizational Risk Analysis
Access Controls
Audit of alerts and logs from EHR
Patch Management
Encryption
Security System Scans

OIG System Scanning Tools
OIG employs an appliance to perform database scanning for security safeguards
AppDetective is optimized to scan Oracle, Sybase, SQL Server and DB2; it is not effective on Caché
The scan checks for critical patches & updates and for effective access controls

Enforcement Outlook
Takeaways from the recent HCCA Regional Conference in Dallas:
OIG DC HQ Associate Counsel said OIG's approach to auditing attestations has moved to being a tool for incentive funds recovery
An Assistant US Attorney from Dallas said its office is working with the OIG to investigate/prosecute Medicare fraud for knowing/false MU attestations

HIPAA Security Risk Analysis

HIPAA Security Risk Assessment
Required element for the Security Rule and for Meaningful Use
An assessment of threats and vulnerabilities to information systems that handle e-PHI. This provides the starting point for determining what is appropriate and reasonable.
Organizations determine their own technology and administrative choices to mitigate their risks.
The risk analysis process should be ongoing and repeated as needed when the organization experiences changes in technology or operating environment.

Performing a Risk Analysis
Gather Information
  Prepare inventory lists of information assets: data, hardware and software.
  Determine potential threats to information assets.
  Identify organizational and information system vulnerabilities.
  Document existing security controls and processes.
  Develop plans for targeted security controls.
Analyze Information
  Evaluate and measure risks associated with information assets.
  Rank information assets based on asset criticality and business value.
  Develop and analyze multiple potential threat scenarios.
Develop Remedial Plans
  Prioritize potential threats based on importance and criticality.
  Develop remedial plans to combat potential threat scenarios.
  Repeat the risk analysis to evaluate the success of remediation and when there are changes in technology or operating environment.
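As an added worked example (not from the presentation or CynergisTek), the three phases above carried through in Python on a constructed inventory of e-PHI assets and threat scenarios; the 1-5 scoring scale and the rule that each relevant control in place lowers likelihood by one step are assumptions made for the example.

```python
"""Gather -> analyze -> remediate -> repeat, as a small risk register.
All assets, scenarios and the scoring rules below are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int        # 1-5: business/clinical value of the e-PHI it holds (assumed scale)
    controls: frozenset     # existing security controls documented in the gather phase


@dataclass(frozen=True)
class Scenario:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int         # 1-5 with none of the mitigating controls in place (assumed scale)
    mitigated_by: frozenset # controls that reduce the likelihood of this scenario


def gather():
    """Phase 1: inventory, threats, vulnerabilities and existing controls (constructed data)."""
    assets = [
        Asset("EHR database server", 5, frozenset({"access review"})),
        Asset("Clinician laptop", 4, frozenset()),
        Asset("Billing workstation", 3, frozenset({"patching", "antivirus"})),
    ]
    scenarios = [
        Scenario("EHR database server", "unpatched database exploited", "missing critical patches",
                 4, frozenset({"patching", "vulnerability scanning"})),
        Scenario("Clinician laptop", "laptop lost or stolen", "unencrypted disk",
                 4, frozenset({"full-disk encryption", "remote wipe"})),
        Scenario("EHR database server", "departed user keeps access", "no deprovisioning step",
                 3, frozenset({"access review", "automated deprovisioning"})),
        Scenario("Billing workstation", "malware via email attachment", "users open attachments",
                 4, frozenset({"antivirus", "patching", "phishing training"})),
    ]
    return assets, scenarios


def score(scenario, criticality, controls):
    """Risk = residual likelihood x asset criticality. Assumed rule: each relevant
    control already in place lowers likelihood by one step, never below 1."""
    applied = len(scenario.mitigated_by & controls)
    return max(1, scenario.likelihood - applied) * criticality


def rank(assets, scenarios):
    """Phase 2: evaluate every scenario and rank them, highest risk first."""
    by_name = {a.name: a for a in assets}
    scored = [(score(s, by_name[s.asset].criticality, by_name[s.asset].controls), s)
              for s in scenarios]
    return sorted(scored, key=lambda pair: -pair[0])


def plan_remediation(assets, scenarios, threshold):
    """Phase 3: add missing controls to the worst scenarios first until each scores
    below threshold. Returns (asset name, control) pairs; inputs are not modified."""
    controls = {a.name: set(a.controls) for a in assets}
    crit = {a.name: a.criticality for a in assets}
    plan = []
    for _, s in rank(assets, scenarios):
        missing = sorted(s.mitigated_by - controls[s.asset])
        while score(s, crit[s.asset], controls[s.asset]) >= threshold and missing:
            ctrl = missing.pop(0)
            controls[s.asset].add(ctrl)
            plan.append((s.asset, ctrl))
    return plan


def apply_plan(assets, plan):
    """Record the planned controls so the analysis can be repeated against them."""
    added = {}
    for name, ctrl in plan:
        added.setdefault(name, set()).add(ctrl)
    return [Asset(a.name, a.criticality, a.controls | frozenset(added.get(a.name, ())))
            for a in assets]
```

Running `rank` again on `apply_plan(...)` output is the "repeat" step on the slide: it shows the residual risk after remediation and surfaces the next scenario to work on.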

Resources & Tools

Resources & Tools
OCR HIPAA Privacy & Security: http://hhs.gov/ocr/privacy
HIPAA Security Rule Risk Assessment
  HHS Risk Assessment Tool for Small Providers: http://www.healthit.gov/providers-professionals/security-risk-assessment
  NIST HIPAA Security Risk Assessment Tool: http://www.scap.nist.gov/hipaa
ONC-Certified Electronic Health Technology Product List: http://oncchpl.force.com/ehrcert

Questions?
David Holtzman, david.holtzman@cynergistek.com, 512.405.8550 x7020