Presentation is loading. Please wait.

Presentation is loading. Please wait.

HIT Audit Workshop Jeffrey W. Short 1.

Published byJimena Lilly Modified over 9 years ago

Similar presentations

Presentation on theme: "HIT Audit Workshop Jeffrey W. Short 1."— Presentation transcript:

1 HIT Audit Workshop Jeffrey W. Short jshort@hallrender.com 1

2 Audits and Investigations to be Discussed Meaningful Use Audits HIPAA Audits Data Breach Investigations Software Vendor Audits FTC Investigations 2

3 Meaningful Use Audits 3

4 Medicare & Medicaid Meaningful Use Incentive Payment Program provide financial incentives to qualifying practitioners and hospitals to use “Certified Electronic Health Record Technology”. Eligible providers must satisfy measures and objectives in Stages (1-3) to receive an incentive payment. Eligible Providers who attest for an incentive payment may be audited. Pre-Payment/Post-Payment Audits Audits will be conducted by: Designated State Contractor (Medicaid) Figliozzi and Company (Medicare & Dual-Eligible)

5 Meaningful Use Audits What do Auditors Look For: An audit may include a review of any of the documentation needed to support the information that was entered in the attestation. Red Flags: Incomplete EHR Mismatched Denominator & Numerator Misaligned reporting periods Failure to conduct a HIPAA Risk Analysis

6 Meaningful Use Audits Risks for an Audit Failure: Repayment of Meaningful Use Incentive Payment. Payment Adjustment for Medicare Meaningful Use Eligible Providers: Eligible Professionals: 1%-5% reduction in Medicare physician fees schedule. Eligible Hospitals: reduction in the percentage increase to the IPPS payment rate. Critical Access Hospital: reduction in reimbursement to cost report. Possible Legal Risks: False Claims Act HIPAA investigation & Penalty

7 Meaningful Use Audits Audit Preparation Build a Meaningful Use Compliance Team Audit preparation begins before the applicable reporting period. Eligible providers should retain documentation to support: 1.Attestation data for all objectives and clinical quality measures; and 2.payment calculations, such as cost report data, that follows applicable documentation retention processes. Eligible provider should be able to provide documentation to support each measure to which he or she attested, including any exclusions claimed.

8 Meaningful Use Audits Meaningful Use Objectives Audit ValidationSuggested Documentation Clinical Decision Support Rule Functionality is available, enabled, and active in the system for the duration of the EHR reporting period. One or more screenshots from the certified EHR system that are dated during the EHR reporting period selected for attestation. Generate Lists of Patients by Specific Conditions One report listing patients of the provider with a specific condition. Report with a specific condition that is from the certified EHR system and is dated during the EHR reporting period selected for attestation. Patient‐identifiable information may be masked/blurred before submission.

9 Meaningful Use Audits Meaningful Use Objectives Audit ValidationSuggested Documentation Electronic Exchange of Clinical Information One test of certified EHR technology’s capacity to electronically exchange key clinical information to another provider of care with a distinct certified EHR or other system capable of receiving the information was performed during the EHR reporting period. Dated screenshots from the EHR system that document a test exchange of key clinical information (successful or unsuccessful) with another provider of care during the reporting period. A dated record of successful or unsuccessful electronic transmission (e.g., email, screenshot from another system, etc.). A letter or email from the receiving provider confirming a successful exchange, including specific information such as the date of the exchange, name of providers, and whether the test was successful.

10 HIPAA Audits 10

11 Audit Requirement The HITECH Act requires HHS to conduct periodic audits to ensure HIPAA compliance by covered entities and business associates. The Office for Civil Rights (OCR) piloted a program in 2012 where it performed 115 audits of covered entities. OCR plans to start the audit program back up in 2015, utilizing a combination of desk and field audits. The 2015 version of the audit program will involve both covered entities and business associates. OCR will identify covered entity audit subjects through a survey that will be sent out in late 2014, and will identify business associate audit subjects based on lists provided by covered entities.

12 Audit Program Objectives The purposes of the Audit Program include: – assessing the current level of HIPAA compliance at covered entities and business associates – Examining mechanisms of HIPAA compliance – Identifying best practices to share with other covered entities and business associates – Identifying risks, weaknesses, and vulnerabilities for appropriate corrective action OCR may initiate an enforcement action if an audit reveals serious compliance issues.

13 Audit Risks/Concerns Could expose HIPAA compliance issues to OCR that otherwise wouldn’t be known to OCR Could expose patterns or trends of non-compliance Cooperation with audits will require substantial time and resources. Inability to respond to audit requests in a timely manner could demonstrate organization’s lack of preparedness to effectively coordinate and communicate HIPAA matters.

14 How to Prepare for an Audit Ready your personnel – Subject matter experts Which individuals can speak to each aspect of HIPAA implementation? Who handles access requests? Who monitors system activity? Who is responsible for business associate contracts? Who handles privacy complaints? – All levels of workforce HIPAA Awareness and Practices

15 How to Prepare for an Audit Mock Audit – Conduct a HIPAA audit based on the OCR audit protocol. – Consider protecting under the attorney-client privilege Risk Analysis – If an entity has not assessed HIPAA compliance and conducted an IT security risk analysis in the last 12 months, it should do so now. – Failure to conduct and document a security risk analysis was a common finding in the pilot audits. Incident Response – Conduct a trial run of the organization’s Incident Response Plan and make any adjustments needed.

16 How to Prepare for an Audit Training – Employee training should be consistent and current. – Employee training should be documented. Business Associates – HITECH-compliant Business Associate Agreements should be in place with all vendors that access PHI while performing services on covered entity’s behalf. Timely Response – Ensure that the necessary people will receive OCR’s notice of intent to audit in a timely fashion. – Prepare for absences and vacations of key people.

17 Data Breach Audits 17

18 HIPAA Breach Notification Rule Covered Entities are required to give notice to individuals, HHS, and in some cases the media when there is a breach: – An acquisition, access, use, or disclosure not permitted by the HIPAA Privacy Rule of personal health information (“PHI”) – That is unsecured – No exception applies, and – It compromises security or privacy per risk assessment Business Associate must give notice of breach to Covered Entity Covered Entity or Business Associate must rebut presumption of breach and document the risk assessment

19 Data Involved in Breach Critical Data Demographic Information –Social Security Number –Drivers License Number –Birth Date –Protected Health Information Clinical Information –Diagnosis –Procedure Codes –Sensitive PHI Threat Actions Malware Hacking Social Misuse Physical Error Environmental

20 Next Steps Activate data breach response team and confirm leader Devise an investigation plan Determine applicable state and federal law requirements Submit notice of claim to insurance agency Engage outside resources as needed for forensics, legal call center, breach notification mailing and credit monitoring services Prepare breach notification letters to individuals Prepare press release and website posting Submit breach report to Office for Civil Rights and state agency Create or review call center scripts Train internal staff and external call center staff as needed

21 Tasks for Legal Counsel Determine the breach notifications laws that are applicable in the jurisdictions in which the client operates Review the entity’s breach notification policy in conjunction with these applicable laws and regulations, making changes as appropriate Be conscious of documents and communications that are subject to attorney-client privilege and those that are not Advise on application of breach notification rules to data breach incidents

22 Practice Tips Perform system risk assessment Implement company-wide security training Enable network security monitoring Review access and security log files Require physical access controls for facilities and computers Review hardware and software contracts for security obligations and liabilities Secure cyber liability insurance Conduct a mock breach investigation and response

23 Software Vendor Audits 23

24 Software Vendor Rights Frequently, Vendor license agreements contain provision granting the vendor the right to audit for license compliance Vendor’s that do not have specific contract rights to conduct an audit will contact with allegations of non-compliance and ask for an audit to avoid a legal claim of copyright infringement being filed – But how did they find out? 24

25 What you should do Carefully consider any contractual language granting audit rights to ensure appropriate scope, processes and remedies for non-compliance Educate your IT staff to involve legal whenever any software audit or license review is requested by a vendor 25

26 What to do during an audit Require a pre-conference that limits scope of audit to identified contracts and their audit provisions Discuss and mutually agree to audit tools and processes in advance, with assignments and deliverables Have all iterations of audit analytics mutually reviewed Reserve right to submit a statement of disagreement with license entitlement process or tabulations Draft and execute an NDA that outlines the audit scope 26

27 FTC Investigations 27

28 FTC Enforcement Action against LabMD  Background  LabMd is a clinical laboratory company that handles PHI and other sensitive personal information  The FTC filed complaint against LabMD in August of 2013 alleging that it failed to take appropriate measures to protect sensitive, personal information  LabMD claimed that the FTC did not have authority to address these types of data security issues  The FTC rejected LabMD’s arguments and is moving forward with its complaint

29  The Implications of the FTC’s Actions against LabMD In its denial of LabMD’s motion to dismiss, the FTC was clear that it has authority to address these types of issues to protect consumers from unwanted privacy intrusions, fraudulent misuse of their personal information, or identity theft. Despite the absence of regulations, the FTC will continue to institute enforcement actions against companies with inadequate data security protocols. Companies that store, transmit and use consumer information are expected to reasonable and appropriate data security safeguards to protect consumer information. FTC Enforcement Action against LabMD, cont.

30  What can you do to avoid this? Review your data security practices for compliance not only with HIPAA, but with other applicable data security standards such as the FTC, SEC, PCI, etc. Make certain your policies are consistent with your capabilities as an organization. Train your employees. Address any deficiencies promptly when brought to your attention Document your data security practices and remedial measures that you take FTC Enforcement Action against LabMD, cont.

31 Questions? 31

Download ppt "HIT Audit Workshop Jeffrey W. Short 1."

Similar presentations

HIPAA Privacy Practices. Notice A copy of the current DMH Notice must be posted at each service site where persons seeking DMH services will be able to.

HIPAA Privacy Practices. Notice A copy of the current DMH Notice must be posted at each service site where persons seeking DMH services will be able to.
HIPAA: An Overview of Transaction, Privacy and Security Regulations Training for Providers and Staff.

HIPAA: An Overview of Transaction, Privacy and Security Regulations Training for Providers and Staff.
HITECH ACT Privacy & Security Requirements Cathleen Casagrande Privacy Officer July 23, 2009.

HITECH ACT Privacy & Security Requirements Cathleen Casagrande Privacy Officer July 23, 2009.
HIPAA Basics Brian Fleetham Dickinson Wright PLLC.

HIPAA Basics Brian Fleetham Dickinson Wright PLLC.
HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.

HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.
HIPAA Privacy Rule Training

HIPAA Privacy Rule Training
Copyright Eastern PA EMS Council February 2003 Health Information Portability and Accountability Act It’s the law.

Copyright Eastern PA EMS Council February 2003 Health Information Portability and Accountability Act It’s the law.
HIPAA Privacy Training Your Name Here. © 2004 MHM Resources Inc.2 HIPAA Background Health Insurance Portability and Accountability Act of 1996.

HIPAA Privacy Training Your Name Here. © 2004 MHM Resources Inc.2 HIPAA Background Health Insurance Portability and Accountability Act of 1996.
National Health Information Privacy and Security Week Understanding the HIPAA Privacy and Security Rule.

National Health Information Privacy and Security Week Understanding the HIPAA Privacy and Security Rule.
Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group 209-754-9130

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group
What is HIPAA? This presentation was created by The University of Arizona Privacy Office, The Office for the Responsible Conduct of Research on March 5,

What is HIPAA? This presentation was created by The University of Arizona Privacy Office, The Office for the Responsible Conduct of Research on March 5,
CHAPTER © 2012 The McGraw-Hill Companies, Inc. All rights reserved. 2 HIPAA, HITECH, and Medical Records.

CHAPTER © 2012 The McGraw-Hill Companies, Inc. All rights reserved. 2 HIPAA, HITECH, and Medical Records.
CHAPTER © 2011 The McGraw-Hill Companies, Inc. All rights reserved. 2 The Use of Health Information Technology in Physician Practices.

CHAPTER © 2011 The McGraw-Hill Companies, Inc. All rights reserved. 2 The Use of Health Information Technology in Physician Practices.
Reviewing the World of HIPAA Stephanie Anderson, CPC October 2006.

Reviewing the World of HIPAA Stephanie Anderson, CPC October 2006.
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)
Topics Rule Changes Skagit County, WA HIPAA Magic Bullet HIPAA Culture of Compliance Foundation to HIPAA Privacy and Security Compliance Security Officer.

Topics Rule Changes Skagit County, WA HIPAA Magic Bullet HIPAA Culture of Compliance Foundation to HIPAA Privacy and Security Compliance Security Officer.
HIPAA Regulations What do you need to know?.

HIPAA Regulations What do you need to know?.
© 2011 The McGraw-Hill Companies, Inc. All rights reserved. 2.5 HIPAA Legislation and its Impact on Physician Practices 2-15 The Health Insurance Portability.

© 2011 The McGraw-Hill Companies, Inc. All rights reserved. 2.5 HIPAA Legislation and its Impact on Physician Practices 2-15 The Health Insurance Portability.
COMPLYING WITH HIPAA PRIVACY RULES Presented by: Larry Grudzien, Attorney at Law.

COMPLYING WITH HIPAA PRIVACY RULES Presented by: Larry Grudzien, Attorney at Law.
Are you ready for HIPPO??? Welcome to HIPAA

Are you ready for HIPPO??? Welcome to HIPAA

Similar presentations

Ads by Google