“HOW TO PREPARE FOR HIPAA AND MEANINGFUL USE AUDITS” Presented by:

“HOW TO PREPARE FOR HIPAA
AND
MEANINGFUL USE AUDITS”
Presented by:
Stevie M. Davidson, CPHIT
President & CEO
PROPRIETARY AND CONFIDENTIAL
CONVENTUS RESOURCES
•
•
•
•
•
•
•
•
Conventus Hotline - 24/7/365
Webinars and Podcasts
FREE CME online
Onsite Services
 C.A.R.E. Certification Program
 Office Risk Assessments
EHR Risk Consultations
E-Technologies and Strategic Partnerships
Publications
Website, Facebook, Twitter
 www.conventusnj.com
STEVIE M. DAVIDSON, CPHIT
Stevie M. Davidson, CPHIT
President & CEO
Health Informatics Consulting, LLC.
HIC was founded on the core values of healthcare professional
advocacy, integrity, trust & education. Its mission is to improve
the clinical quality & business performance of healthcare
practices & organizations through specialized consulting
services.
Stevie is a seasoned leader in healthcare, quality improvement
& information technology. She has held an executive position
leading multiple organizations in software development,
implementation & deployment, training, & customer
relationship management. She has written corporate standards
& performed internal audits to support quality process
compliance & project management. Stevie is a Governor
appointed member of the NJ State HIT Commission & Co-Chair
of its Privacy & Security Policy Sub-Committee. She is also a
member of the Ambulatory Meaningful Use Center of
Excellence Work Group Committee of HIMSS National.
DISCLAIMER
DISCLAIMER:
•
Information about incentives and measures are subject to change by the
ONC at any given time
•
This presentation is for the purpose of:
 Stage 1/2 Meaningful Use only
 Medicare incentive for Eligible Professionals (EPs) only
 HIPAA-HITECH Omnibus Rule as of 1/25/13
 Best practice suggestions and NOT LEGAL ADVICE
MU AUDIT BACKGROUND INFO
• Up to 10% of all providers who attest for MU will be audited
• Audits can occur up to 6 years into the future
• Audits can be performed pre-payment or post-payment
• Random audits are being performed but some audits will “target
suspicious or anomalous data.”
• Figliozzi & Company have been contracted by CMS to perform MU
audits
• Medicaid is a separate audit program determined by each State
THREE PRACTICES IN NJ AUDITED
• HIC retained by three (3) separate physician practices
• Retained by legal counsel
• One (1) pre-payment
• Two (2) post payment
• Common denominator?
• Core Measure 15 – Security Risk Analysis
• Numerator and denominator inaccuracies
• EHR version not certified during time of attestation
• Outcome? Success on all three (3), however, not without critical
lessons learned and cost!
SAMPLE AUDIT LETTER
To review complete sample, visit
www.conventusnj.com/wp-content/uploads/2013/10/SampleAuditLetter.pdf
WHAT IS ENTAILED?
• Provider will receive a letter from CMS/Figliozzi & Company
requesting MU information
• Provider will have a timeframe of two (2) weeks to gather
requested information and submit it for review
 Submission can be done via a provided secure web portal or via mail
• After submitting requested information, additional information
may be required
• Figliozzi & Company will make the final determination on whether
provider has sufficient documentation to prove valid attestation
HOW TO PREPARE
• PRINT AND SAVE ALL DOCUMENTATION WHEN ATTESTING
• Have proof of your certified EHR for the reporting period you attested to
 Vendor contracts with the version number of your system in writing, screen
shots of system with version number, and/or letter from vendor
• Report by provider with all numerators and denominators
 Must show the provider’s name and certified version of EHR
• Documentation of evidence to support attestation for all other measures
HOT SPOTS
• Drug-Drug/Drug-Allergy Interaction Checks
 One or more screen shots from the EHR that are dated during the reporting
period showing this functionality
• Report to support Ambulatory Clinical Quality Measures
 Report from the EHR to validate all clinical quality measure data entered during
attestation
• Protect Electronic Health Information – Core Measure 15
 Report that documents the assessment performed and the analysis results.
Report should be dated prior to the end of the reporting period
HOT SPOTS
• Electronic Exchange of Clinical Information
 Dated screenshots from the EHR system that document a test exchange of
clinical information
 An email or screenshot from another system to show a successful or unsuccessful
test
 A letter or email from the receiving provider confirming the test with specific
information (date of exchange, name of providers, and outcome of the test)
 Cannot be another EHR within the same network as yours or Tax ID
• Drug Formulary Checks
 Screenshots from the EHR that are dated during the reporting period showing
this functionality
HOT SPOTS
• Generate Lists of Patients by Specific Conditions
 Report from EHR that is dated during the reporting period. Patient-identifiable
information may be masked/blurred before submission.
• Immunization Registry Submission
 Dated screenshots from the EHR system that document a test submission to
NJIIS
 An email or screenshot from another system to show a successful or
unsuccessful test
 A letter or email from NJIIS confirming the test with specific information (date
of exchange, name of provider, and outcome of the test)
HOT SPOTS
• Exclusions
 Report from the EHR that shows a zero denominator for the measure or other
documents to support the exclusion
• All screenshots should be dated during the reporting period and show
proof of certified EHR and attested provider
• Keep all information for at least six (6) years!
OTHER VALUABLE INFORMATION
• Reports can be both electronic and on paper
• There are numerous pre-payment edit checks build into the EHR Incentive
Program systems to detect inaccurate eligibility, reporting, and payment
• Audit are typically preformed remotely from contractors location,
however, can be on-site if needed
• Once the evaluation is performed, provider will receive an Audit
Determination Letter of whether they met the conditions set by CMS or if
their incentive will be recouped
• RETAIN AN ATTORNEY to ensure that all information is privileged and
confidential, especially if using any third-party assistance
THE HIPAA OMNIBUS RULE
THE OMNIBUS RULE – BRIEF SUMMARY
• Released 1/17/13 and published on 1/25/13. Covered Entities,
Business Associates and sub-BAs must be compliant by 9/23/13,
subject to certain transition provisions
• The Final Rule addressed broad amendments to the HIPAA P&S
Rules, as well as implementation of the new HITECH Breach
Notification requirements and enforcement provisions
• Covered Entities (CEs) and Business Associates (BAs) need to
prepare for a world where audits are the norm, enforcement is
inevitable and fines for non-compliance are costly
THE NEW HIPAA – HITECH & OMNIBUS*
•
Enforcement

Expanded enforcement authority (i.e., AGs)

Expanded enforcement penalty obligation (i.e., mandatory CMPs)

Broadened scope of enforcement applicability (i.e., BAs & subs) *

Increased penalties – up to $1.5 m per violation per year

Use of collected CMPs – reinvestment back into program for audits & more...
Copyright © 2013 Oscislawski LLC
The content in this slide is developed by the Attorneys at Oscislawski LLC with full credit.
THE NEW HIPAA – HITECH & OMNIBUS*
• Amended HIPAA Privacy Rule
• Amended HIPAA Security Rule
• Security Breach Notification Rule (No more “Risk of Harm” test)*
• STILL WAITING for Final Rule on:

Accounting of Disclosures

Distribution of CMPs to individuals “harmed” by unauthorized
disclosures of their PHI
Copyright © 2013 Oscislawski LLC
The content in this slide is developed by the Attorneys at Oscislawski LLC with full credit.
HIPAA COMPLIANCE
START RIGHT NOW!
• Revisit and reinstitute your HIPAA compliance program
• Understand “deep” how ARRA/HITECH changed HIPAA
• Get “Coordinated” and build your compliance team
• Perform a FULL Privacy, Security & Breach Notification Rule
Assessment – Core Measure 15 Will not protect you!!!
• Have updated policies and procedures – new HIPAA manual
• Figure out your vulnerabilities & assess your threats and remediate
• Train providers, staff, and business associates on your policies and
procedures
• Institute internal controls and accountability (sanction plan)
DOCUMENT EVERYTHING
• In writing on paper, electronic, or both. Update or create policies
and procedures that reflect changes in your organization:

Policies and procedures

Awareness/mandate to report incidents to compliance officer

Retain for six (6) years from date of its creation or date when it
was last in effect, whichever is later
• Training:

One area that you should expect 100% compliance

Keep training materials to show compliance effort

Staff training logs – sign off and mock audits
HIPAA AUDIT AND BREACH
WHAT TO EXPECT
• A complaint must allege an activity that, if proven
true, would violate the Privacy Rule or Security
Rule
• Complaints must be filed within 180 days of when
the person submitting the complaint knew or
should have known about the alleged violation of
the Privacy Rule or Security Rule
STEPS OF A HIPAA AUDIT
• OCR will contact you in reference to the complaint and ask basic
questions about the complaint and your organization
• Contact HHS and verify the contact information of the individual
from OCR
• OCR will send a letter to you outlining the nature of the complaint
• CALL YOUR ATTORNEY FOR GUIDANCE and BE COOPERATIVE!
STEPS OF A HIPAA AUDIT
• Be prepared to send any policies to OCR that pertain to the
complaint at hand
• Be prepared to answer questions about workforce training
and proof
• Minimum – do not send more than you need to
• They will ask if you performed any mitigation
• You will need to provide evidence of what was done
STEPS OF A HIPAA BREACH
• The compliance officer must, with the appropriate individuals in their
organization, prepare to prove “low probability” using the Four Factor
Assessment. Risk of Harm has been eliminated due to Omnibus
• Prepare to notify your patients by letter with information of “who, what,
where, when, and why”. You must figure out what patient records were
affected. Must be done within 60 days. Don’t wait till the last minute!
• Know your state laws and notify your BAs appropriately
• Offer to pay for credit-monitoring (reputational step)
• Have all of your patients updated information and assess the best way of
contacting them. Post the letter on your website or put through a
newswire if necessary
STEPS OF A HIPAA BREACH
• Letter should contain information on the date of the breach, when it
was discovered, what was stolen, and what PHI it contained
• Anyone that has received a letter has the right to release it to the
Media, so be wise and have guidance on what it says
• Ensure you have a crisis management team established. This includes
your attorney, insurance agent, and any consultants
• There are companies out there that specifically manage these types of
situations on your behalf
NO ONE IS DOING IT FOR YOU
• Don’t be mislead that your EHR or IT vendor is handling compliance
for you. “They told me they were HIPAA compliant!”
• You must preform a full risk assessment of all three rules (privacy,
security and breach notification against OCR published protocol)
• You must have updated policies and procedures (know your state
laws)
• Workforce training and an internal compliance plan must be put in
place and overseen by the compliance officer
• You must have a penetration test, business contingency plan, and
disaster recovery plan in place (164.308)
SECURITY BREACH NOTIFICATION
IT IS MANDATORY FOR A BREACH
• The HITECH Rule requires that a CE or BA conduct a Risk
Assessment in order to determine whether a “low
probability” exists that the PHI has been compromised.
At a minimum, the following 4 factors are required as part
of the Risk Assessment:
• This applies to CE, BA, and a BA’s subcontractors
“LOW PROBABILITY” FOUR FACTOR ASSESSMENT
4 Factors
Assessment
Nature & Extent
of PHI
Consider the type of PHI involved i.e., if PHI is more “sensitive” nature. IF credit card
numbers, SS#s, or other info that increases the risk of identity theft or financial fraud are
involved, this cuts against finding “low probability” that PHI was compromised. With clinical
info, consider nature of the services, as well as the amount of info & details involved.
Unauthorized
Person
Consider who the unauthorized recipient is or might be. If the recipient person is someone
at another CE or BA, then lower probability that the PHI has been compromised since such
entities are obligated to protect the privacy and security of PHI in a similar manner as the
CE or BA from where the breached PHI originated. Compare to if PHI was impermissibly
disclosed to their employer who could compare info against dates of absence from work.
Acquired or
Viewed
Consider if the PHI was actually acquired or viewed or, rather, only the opportunity existed i.e., if
CE mails information to the wrong individual who opens the envelope and calls the CE to say that
he/she received the information in error. HHS points out that in such a case, the unauthorized
recipient viewed and acquired the info because he/she opened and read the information and so
this cuts against a finding that there is low probability that the PHI was compromised. To contrast, if
a laptop computer is stolen and later recovered and a forensic analysis shows that the otherwise
unencrypted PHI on the laptop was never accessed, viewed, acquired, transferred, or otherwise
compromised, could determine that the information was not actually acquired.
Mitigation
A CE or BA must attempt to mitigate the risks to PHI following any impermissible use or disclosure, such as by
obtaining the recipient’s satisfactory assurances that the PHI will not be further used or disclosed (through a
confidentiality agreement or similar means) or will be destroyed. When determining the probability that the
PHI has been compromised, CE or BA should consider the extent of what steps needed to be taken to
mitigate, and how effective the mitigation was.
Copyright © 2013 Oscislawski LLC
The content in this slide is developed by the Attorneys at Oscislawski LLC with full credit.
ENFORCEMENT
The HIPAA Auditors are here and they are asking for
copies of all our HIPAA Policies and most recent Security
Risk Analysis!
I thought nobody
ever enforces
HIPAA??!!
PREVENTION
• The only way to be ready for a HIPAA Audit is to ensure you have all
of the elements in place to cooperate with the Office for Civil
Rights (OCR) effectively
• In 2013, OCR reported 85,239 complaints by patients against
medical practices. 16 of which resulted in fines of more than $1
million, and more than 20,000 resulted in corrective action
• How you manage a complaint or breach will determine your
practice’s survival – and its reputation moving forward
TRIGGERS, ENFORCERS: CONSEQUENCES
•
Triggers for Enforcement
 HIPAA Complaints
 Reported Breach
 HIPAA Audit
•
Enforcers of HIPAA




•
OCR (Office of Civil Rights)
DOJ (Department of Justice)
HIPAA Auditor (KPMG)
State AGs (Attorneys General)
Consequences
 Civil Monetary Penalties
 Criminal Prosecution (intentional misuse)
 Reputation and Public perception
Copyright © 2013 Oscislawski LLC
The content in this slide is developed by the Attorneys at Oscislawski LLC with full credit.
THE OMNIBUS RULE – ENFORCEMENT
Violation Category
Each Violation
All Violations of an
Identical Provision in
a Calendar Year
(A) Did Not Know/But by
exercising reasonable diligence
would have
$ 100 - $50,000
$1,500,000
(B) Reasonable Cause/not willful
neglect of the person/entity
$ 1,000 - $50,000
$1,500,000
(C) Willful Neglect – Corrected
within 30 days
$10,000 - $50,000
$1,500,000
(D) Willful Neglect – Uncorrected
within 30 days
$50,000
$1,500,000
OCR clarified that the $1.5 million cap is per a type of violation and there could therefore be multiple violations
that could result in a much higher amount
LESSONS LEARNED
• Advocate Health System – Projected - $100 million in fines
•
One medical office – break in (2) desktops stolen with patient
records
• Pheonix Cardiac Surgery, P.C. - $100,000 Settlement and CAP
• Mass. Eye and Ear Associates - $1.5 million, CAP for 3 years





Public Calendar used disclosing PHI
Lack of internal policies and procedures
No documentation of workforce training
No compliance officer or assessment performed/documented
No business associate agreements in place
• Hospice of North Idaho - $50,000 Fine for less than 500 patients
•
•
Lost laptop not encrypted
Lack of internal policies and procedures
Copyright © 2013 Oscislawski LLC
The content in this slide is developed by the Attorneys at Oscislawski LLC with full credit.
WALL OF SHAME
• Resolution Agreement (RA) – Terms and conditions of settlement
• Fines must be paid upfront and in full
• Corrective Action Plan (CAP) – Operating Agreement with total
oversight of your business by OCR and HHS – 2 to 3 years
 Additional costs:
 Attorneys
 Accountants
 Patient notification
 Consultants
 Patient loss/trust
 Local media
 Identify theft protections
 And more…
DO NOT LET THIS BE YOU!
EFFECTIVENESS
•
Ensure you document what you do
•
Ensure you do what you document you do
•
Ensure you validate you do what you document you do
•
Fix it if you don’t
HELPFUL RESOURCES
Topic
Resource
Description
MU Audit
MU Audit Tipsheet
A PDF document that explains the expectations
and requirements of a MU audit
MU Audit
Sample Audit Letter
A PDF document that is an example of a MU
Audit letter a provider might receive
Certified EHR
Technology
CPHL Certified EHR List
A webpage with a comprehensive listing of
certified EHRs with certification IDs
HHS.gov
Privacy & Security
Official website of Health and Human Services
with information on compliance
HIPAA HelpBook –
YouTube video
HIC's HIPAA Manual
HIC and AAO’s NJ State specific manual for
practices. Everything you need is right here
HIC Website
HIC Website
HIC’s website that talks about us, our services
and how we can help you
HIC LinkedIn
HIC's LinkedIn Page
Join us for posting and reading about topics
from HIC and our over 800 members
Blog by Helen
Oscislawski, Esq.
Law Blog on HIPAA
HIC’s attorney Helen Oscislawski, Esq. provides
information and guidance with today’s HIPAA
CONTACT INFORMATION
Susan Lieberman, MBA
Vice President, Risk Management
Conventus Inter-Insurance Exchange
[email protected]
www.conventusnj.com
877-444-0484, x466
Stevie M. Davidson, CPHIT
President & CEO
Health Informatics Consulting
[email protected] | www.myhic.net
Phone: 609-925-9008 | Fax: 609-925-9008