HIT Audit Workshop
Jeffrey W. Short
Audits and Investigations to be Discussed
– Meaningful Use Audits
– HIPAA Audits
– Data Breach Investigations
– Software Vendor Audits
– FTC Investigations

Meaningful Use Audits

The Medicare & Medicaid Meaningful Use Incentive Payment Programs provide financial incentives to qualifying practitioners and hospitals that use “Certified Electronic Health Record Technology”. Eligible providers must satisfy the measures and objectives of Stages 1-3 to receive an incentive payment. Eligible providers who attest for an incentive payment may be audited.
– Pre-payment and post-payment audits
– Audits will be conducted by:
  – Designated State Contractor (Medicaid)
  – Figliozzi and Company (Medicare & dual-eligible)

Meaningful Use Audits
What do auditors look for?
An audit may include a review of any of the documentation needed to support the information that was entered in the attestation.
Red flags:
– Incomplete EHR
– Mismatched denominator and numerator
– Misaligned reporting periods
– Failure to conduct a HIPAA risk analysis

Meaningful Use Audits
Risks of an audit failure:
– Repayment of the Meaningful Use incentive payment.
– Payment adjustment for Medicare Meaningful Use eligible providers:
  – Eligible professionals: 1%-5% reduction in the Medicare physician fee schedule.
  – Eligible hospitals: reduction in the percentage increase to the IPPS payment rate.
  – Critical access hospitals: reduction in reimbursement on the cost report.
– Possible legal risks:
  – False Claims Act
  – HIPAA investigation and penalty

Meaningful Use Audits
Audit preparation
– Build a Meaningful Use compliance team.
– Audit preparation begins before the applicable reporting period.
– Eligible providers should retain documentation to support:
  1. Attestation data for all objectives and clinical quality measures; and
  2. Payment calculations, such as cost report data, following the applicable documentation retention processes.
– Eligible providers should be able to provide documentation supporting each measure to which they attested, including any exclusions claimed.

Meaningful Use Audits
Meaningful Use Objective: Clinical Decision Support Rule
– Audit validation: Functionality is available, enabled, and active in the system for the duration of the EHR reporting period.
– Suggested documentation: One or more screenshots from the certified EHR system that are dated during the EHR reporting period selected for attestation.

Meaningful Use Objective: Generate Lists of Patients by Specific Conditions
– Audit validation: One report listing patients of the provider with a specific condition.
– Suggested documentation: A report for a specific condition that is from the certified EHR system and is dated during the EHR reporting period selected for attestation. Patient-identifiable information may be masked/blurred before submission.

Meaningful Use Audits
Meaningful Use Objective: Electronic Exchange of Clinical Information
– Audit validation: One test of the certified EHR technology’s capacity to electronically exchange key clinical information with another provider of care that has a distinct certified EHR or other system capable of receiving the information was performed during the EHR reporting period.
– Suggested documentation:
  – Dated screenshots from the EHR system that document a test exchange of key clinical information (successful or unsuccessful) with another provider of care during the reporting period.
  – A dated record of the successful or unsuccessful electronic transmission (e.g., an email, a screenshot from the other system, etc.).
  – A letter or email from the receiving provider confirming a successful exchange, including specific information such as the date of the exchange, the names of the providers, and whether the test was successful.

HIPAA Audits

Audit Requirement
The HITECH Act requires HHS to conduct periodic audits to ensure HIPAA compliance by covered entities and business associates. The Office for Civil Rights (OCR) piloted a program in 2012 in which it performed 115 audits of covered entities. OCR plans to restart the audit program in 2015, using a combination of desk and field audits. The 2015 version of the audit program will involve both covered entities and business associates. OCR will identify covered entity audit subjects through a survey to be sent out in late 2014, and will identify business associate audit subjects from lists provided by covered entities.

Audit Program Objectives
The purposes of the Audit Program include:
– Assessing the current level of HIPAA compliance at covered entities and business associates
– Examining mechanisms of HIPAA compliance
– Identifying best practices to share with other covered entities and business associates
– Identifying risks, weaknesses, and vulnerabilities for appropriate corrective action
OCR may initiate an enforcement action if an audit reveals serious compliance issues.

Audit Risks/Concerns
– Could expose HIPAA compliance issues to OCR that otherwise wouldn’t be known to OCR
– Could expose patterns or trends of non-compliance
– Cooperation with audits will require substantial time and resources.
– Inability to respond to audit requests in a timely manner could demonstrate the organization’s lack of preparedness to effectively coordinate and communicate on HIPAA matters.

How to Prepare for an Audit
Ready your personnel
– Subject matter experts: which individuals can speak to each aspect of HIPAA implementation?
  – Who handles access requests?
  – Who monitors system activity?
  – Who is responsible for business associate contracts?
  – Who handles privacy complaints?
– All levels of the workforce: HIPAA awareness and practices

How to Prepare for an Audit
Mock audit
– Conduct a HIPAA audit based on the OCR audit protocol.
– Consider protecting the results under the attorney-client privilege.
Risk analysis
– If an entity has not assessed HIPAA compliance and conducted an IT security risk analysis in the last 12 months, it should do so now.
– Failure to conduct and document a security risk analysis was a common finding in the pilot audits.
Incident response
– Conduct a trial run of the organization’s Incident Response Plan and make any adjustments needed.

How to Prepare for an Audit
Training
– Employee training should be consistent and current.
– Employee training should be documented.
Business associates
– HITECH-compliant Business Associate Agreements should be in place with all vendors that access PHI while performing services on the covered entity’s behalf.
Timely response
– Ensure that the necessary people will receive OCR’s notice of intent to audit in a timely fashion.
– Prepare for absences and vacations of key people.

Data Breach Audits

HIPAA Breach Notification Rule
Covered entities are required to give notice to individuals, HHS, and in some cases the media when there is a breach, that is:
– an acquisition, access, use, or disclosure of personal health information (“PHI”) that is not permitted by the HIPAA Privacy Rule,
– where the PHI is unsecured,
– no exception applies, and
– the security or privacy of the PHI is compromised per a risk assessment.
A business associate must give notice of a breach to the covered entity.
The covered entity or business associate must rebut the presumption of breach and document the risk assessment.

Data Involved in a Breach
Critical data
– Demographic information
  – Social Security number
  – Driver’s license number
  – Birth date
  – Protected health information
– Clinical information
  – Diagnosis
  – Procedure codes
  – Sensitive PHI
Threat actions
– Malware
– Hacking
– Social
– Misuse
– Physical
– Error
– Environmental

Next Steps
– Activate the data breach response team and confirm its leader
– Devise an investigation plan
– Determine the applicable state and federal law requirements
– Submit a notice of claim to the insurance agency
– Engage outside resources as needed for forensics, legal, call center, breach notification mailing and credit monitoring services
– Prepare breach notification letters to individuals
– Prepare a press release and website posting
– Submit the breach report to the Office for Civil Rights and the state agency
– Create or review call center scripts
– Train internal staff and external call center staff as needed

Tasks for Legal Counsel
– Determine the breach notification laws that are applicable in the jurisdictions in which the client operates
– Review the entity’s breach notification policy in conjunction with these applicable laws and regulations, making changes as appropriate
– Be conscious of which documents and communications are subject to the attorney-client privilege and which are not
– Advise on the application of breach notification rules to data breach incidents

Practice Tips
– Perform a system risk assessment
– Implement company-wide security training
– Enable network security monitoring
– Review access and security log files
– Require physical access controls for facilities and computers
– Review hardware and software contracts for security obligations and liabilities
– Secure cyber liability insurance
– Conduct a mock breach investigation and response

Software Vendor Audits

Software Vendor Rights
– Frequently, vendor license agreements contain a provision granting the vendor the right to audit for license compliance.
– Vendors that do not have specific contract rights to conduct an audit will contact the licensee with allegations of non-compliance and ask for an audit in order to avoid a legal claim of copyright infringement being filed.
  – But how did they find out?

What you should do
– Carefully consider any contractual language granting audit rights to ensure appropriate scope, processes and remedies for non-compliance
– Educate your IT staff to involve legal whenever any software audit or license review is requested by a vendor

What to do during an audit
– Require a pre-conference that limits the scope of the audit to identified contracts and their audit provisions
– Discuss and mutually agree on audit tools and processes in advance, with assignments and deliverables
– Have all iterations of the audit analytics mutually reviewed
– Reserve the right to submit a statement of disagreement with the license entitlement process or tabulations
– Draft and execute an NDA that outlines the audit scope

FTC Investigations

FTC Enforcement Action against LabMD
Background
– LabMD is a clinical laboratory company that handles PHI and other sensitive personal information
– The FTC filed a complaint against LabMD in August 2013 alleging that it failed to take appropriate measures to protect sensitive personal information
– LabMD claimed that the FTC did not have authority to address these types of data security issues
– The FTC rejected LabMD’s arguments and is moving forward with its complaint

FTC Enforcement Action against LabMD, cont.
The Implications of the FTC’s Actions against LabMD
– In its denial of LabMD’s motion to dismiss, the FTC was clear that it has authority to address these types of issues to protect consumers from unwanted privacy intrusions, fraudulent misuse of their personal information, or identity theft.
– Despite the absence of regulations, the FTC will continue to institute enforcement actions against companies with inadequate data security protocols.
– Companies that store, transmit and use consumer information are expected to have reasonable and appropriate data security safeguards to protect consumer information.

FTC Enforcement Action against LabMD, cont.
What can you do to avoid this?
– Review your data security practices for compliance not only with HIPAA, but with other applicable data security standards such as those of the FTC, the SEC, PCI, etc.
– Make certain your policies are consistent with your capabilities as an organization.
– Train your employees.
– Address any deficiencies promptly when they are brought to your attention.
– Document your data security practices and the remedial measures that you take.

Questions?