“HOW TO PREPARE FOR HIPAA AND MEANINGFUL USE AUDITS”
Presented by: Stevie M. Davidson, CPHIT, President & CEO

CONVENTUS RESOURCES
• Conventus Hotline - 24/7/365
• Webinars and Podcasts
• FREE CME online
• Onsite Services
• C.A.R.E. Certification Program
• Office Risk Assessments
• EHR Risk Consultations
• E-Technologies and Strategic Partnerships
• Publications
• Website, Facebook, Twitter: www.conventusnj.com

STEVIE M. DAVIDSON, CPHIT
Stevie M. Davidson, CPHIT, President & CEO, Health Informatics Consulting, LLC. HIC was founded on the core values of healthcare professional advocacy, integrity, trust & education. Its mission is to improve the clinical quality & business performance of healthcare practices & organizations through specialized consulting services. Stevie is a seasoned leader in healthcare, quality improvement & information technology. She has held an executive position leading multiple organizations in software development, implementation & deployment, training, & customer relationship management. She has written corporate standards & performed internal audits to support quality process compliance & project management. Stevie is a Governor-appointed member of the NJ State HIT Commission & Co-Chair of its Privacy & Security Policy Sub-Committee. She is also a member of the Ambulatory Meaningful Use Center of Excellence Work Group Committee of HIMSS National.
DISCLAIMER
• Information about incentives and measures is subject to change by the ONC at any given time
• This presentation is for the purpose of:
  - Stage 1/2 Meaningful Use only
  - Medicare incentive for Eligible Professionals (EPs) only
  - HIPAA-HITECH Omnibus Rule as of 1/25/13
  - Best practice suggestions and NOT LEGAL ADVICE

MU AUDIT BACKGROUND INFO
• Up to 10% of all providers who attest for MU will be audited
• Audits can occur up to 6 years into the future
• Audits can be performed pre-payment or post-payment
• Random audits are being performed, but some audits will “target suspicious or anomalous data.”
• Figliozzi & Company has been contracted by CMS to perform MU audits
• Medicaid is a separate audit program determined by each State

THREE PRACTICES IN NJ AUDITED
• HIC retained by three (3) separate physician practices
  - Retained by legal counsel
  - One (1) pre-payment
  - Two (2) post-payment
• Common denominator?
  - Core Measure 15 – Security Risk Analysis
  - Numerator and denominator inaccuracies
  - EHR version not certified during time of attestation
• Outcome? Success on all three (3), however not without critical lessons learned and cost!

SAMPLE AUDIT LETTER
To review the complete sample, visit www.conventusnj.com/wp-content/uploads/2013/10/SampleAuditLetter.pdf

WHAT IS ENTAILED?
• Provider will receive a letter from CMS/Figliozzi & Company requesting MU information
• Provider will have a timeframe of two (2) weeks to gather the requested information and submit it for review
  - Submission can be done via a provided secure web portal or via mail
• After submitting the requested information, additional information may be required
• Figliozzi & Company will make the final determination on whether the provider has sufficient documentation to prove a valid attestation

HOW TO PREPARE
• PRINT AND SAVE ALL DOCUMENTATION WHEN ATTESTING
• Have proof of your certified EHR for the reporting period you attested to
  - Vendor contracts with the version number of your system in writing, screenshots of the system showing the version number, and/or a letter from the vendor
• Report by provider with all numerators and denominators
  - Must show the provider’s name and certified version of EHR
• Documentation of evidence to support attestation for all other measures

HOT SPOTS
• Drug-Drug/Drug-Allergy Interaction Checks
  - One or more screenshots from the EHR, dated during the reporting period, showing this functionality
• Report to support Ambulatory Clinical Quality Measures
  - Report from the EHR to validate all clinical quality measure data entered during attestation
• Protect Electronic Health Information – Core Measure 15
  - Report that documents the assessment performed and the analysis results.
  - Report should be dated prior to the end of the reporting period

HOT SPOTS
• Electronic Exchange of Clinical Information
  - Dated screenshots from the EHR system that document a test exchange of clinical information
  - An email or screenshot from another system to show a successful or unsuccessful test
  - A letter or email from the receiving provider confirming the test with specific information (date of exchange, names of providers, and outcome of the test)
  - Cannot be another EHR within the same network or Tax ID as yours
• Drug Formulary Checks
  - Screenshots from the EHR, dated during the reporting period, showing this functionality

HOT SPOTS
• Generate Lists of Patients by Specific Conditions
  - Report from the EHR dated during the reporting period. Patient-identifiable information may be masked/blurred before submission.
• Immunization Registry Submission
  - Dated screenshots from the EHR system that document a test submission to NJIIS
  - An email or screenshot from another system to show a successful or unsuccessful test
  - A letter or email from NJIIS confirming the test with specific information (date of exchange, name of provider, and outcome of the test)

HOT SPOTS
• Exclusions
  - Report from the EHR that shows a zero denominator for the measure, or other documents to support the exclusion
• All screenshots should be dated during the reporting period and show proof of certified EHR and attested provider
• Keep all information for at least six (6) years!
OTHER VALUABLE INFORMATION
• Reports can be both electronic and on paper
• There are numerous pre-payment edit checks built into the EHR Incentive Program systems to detect inaccurate eligibility, reporting, and payment
• Audits are typically performed remotely from the contractor’s location; however, they can be on-site if needed
• Once the evaluation is performed, the provider will receive an Audit Determination Letter stating whether they met the conditions set by CMS or whether their incentive will be recouped
• RETAIN AN ATTORNEY to ensure that all information is privileged and confidential, especially if using any third-party assistance

THE HIPAA OMNIBUS RULE

THE OMNIBUS RULE – BRIEF SUMMARY
• Released 1/17/13 and published on 1/25/13. Covered Entities, Business Associates and sub-BAs must be compliant by 9/23/13, subject to certain transition provisions
• The Final Rule addressed broad amendments to the HIPAA P&S Rules, as well as implementation of the new HITECH Breach Notification requirements and enforcement provisions
• Covered Entities (CEs) and Business Associates (BAs) need to prepare for a world where audits are the norm, enforcement is inevitable and fines for non-compliance are costly

THE NEW HIPAA – HITECH & OMNIBUS*
• Enforcement
  - Expanded enforcement authority (i.e., AGs)
  - Expanded enforcement penalty obligation (i.e., mandatory CMPs)
  - Broadened scope of enforcement applicability (i.e., BAs & subs)
  - * Increased penalties – up to $1.5 m per violation per year
  - Use of collected CMPs – reinvestment back into the program for audits & more...
Copyright © 2013 Oscislawski LLC. The content in this slide is developed by the Attorneys at Oscislawski LLC with full credit.
THE NEW HIPAA – HITECH & OMNIBUS*
• Amended HIPAA Privacy Rule
• Amended HIPAA Security Rule
• Security Breach Notification Rule (No more “Risk of Harm” test)*
• STILL WAITING for Final Rule on:
  - Accounting of Disclosures
  - Distribution of CMPs to individuals “harmed” by unauthorized disclosures of their PHI

HIPAA COMPLIANCE: START RIGHT NOW!
• Revisit and reinstitute your HIPAA compliance program
• Understand in depth how ARRA/HITECH changed HIPAA
• Get “Coordinated” and build your compliance team
• Perform a FULL Privacy, Security & Breach Notification Rule Assessment – Core Measure 15 will not protect you!!!
• Have updated policies and procedures – new HIPAA manual
• Figure out your vulnerabilities, assess your threats, and remediate
• Train providers, staff, and business associates on your policies and procedures
• Institute internal controls and accountability (sanction plan)

DOCUMENT EVERYTHING
• In writing on paper, electronic, or both.
• Update or create policies and procedures that reflect changes in your organization:
  - Policies and procedures
  - Awareness/mandate to report incidents to the compliance officer
  - Retain for six (6) years from the date of creation or the date when it was last in effect, whichever is later
• Training: one area where you should expect 100% compliance
  - Keep training materials to show compliance effort
  - Staff training logs – sign-off and mock audits

HIPAA AUDIT AND BREACH

WHAT TO EXPECT
• A complaint must allege an activity that, if proven true, would violate the Privacy Rule or Security Rule
• Complaints must be filed within 180 days of when the person submitting the complaint knew or should have known about the alleged violation of the Privacy Rule or Security Rule

STEPS OF A HIPAA AUDIT
• OCR will contact you in reference to the complaint and ask basic questions about the complaint and your organization
• Contact HHS and verify the contact information of the individual from OCR
• OCR will send a letter to you outlining the nature of the complaint
• CALL YOUR ATTORNEY FOR GUIDANCE and BE COOPERATIVE!

STEPS OF A HIPAA AUDIT
• Be prepared to send any policies to OCR that pertain to the complaint at hand
• Be prepared to answer questions about workforce training and proof
• Minimum – do not send more than you need to
• They will ask if you performed any mitigation
  - You will need to provide evidence of what was done

STEPS OF A HIPAA BREACH
• The compliance officer must, with the appropriate individuals in their organization, prepare to prove “low probability” using the Four Factor Assessment. Risk of Harm has been eliminated due to Omnibus
• Prepare to notify your patients by letter with information on “who, what, where, when, and why”. You must figure out what patient records were affected. Must be done within 60 days. Don’t wait till the last minute!
• Know your state laws and notify your BAs appropriately
• Offer to pay for credit monitoring (reputational step)
• Have all of your patients’ updated information and assess the best way of contacting them. Post the letter on your website or put it through a newswire if necessary

STEPS OF A HIPAA BREACH
• Letter should contain information on the date of the breach, when it was discovered, what was stolen, and what PHI it contained
• Anyone who has received a letter has the right to release it to the media, so be wise and have guidance on what it says
• Ensure you have a crisis management team established. This includes your attorney, insurance agent, and any consultants
• There are companies that specifically manage these types of situations on your behalf

NO ONE IS DOING IT FOR YOU
• Don’t be misled into thinking that your EHR or IT vendor is handling compliance for you. “They told me they were HIPAA compliant!”
• You must perform a full risk assessment of all three rules (privacy, security and breach notification) against the OCR published protocol
• You must have updated policies and procedures (know your state laws)
• Workforce training and an internal compliance plan must be put in place and overseen by the compliance officer
• You must have a penetration test, business contingency plan, and disaster recovery plan in place (164.308)

SECURITY BREACH NOTIFICATION

IT IS MANDATORY FOR A BREACH
• The HITECH Rule requires that a CE or BA conduct a Risk Assessment in order to determine whether a “low probability” exists that the PHI has been compromised. At a minimum, the following 4 factors are required as part of the Risk Assessment:
• This applies to CEs, BAs, and a BA’s subcontractors

“LOW PROBABILITY” FOUR FACTOR ASSESSMENT

Factor 1 – Nature & Extent of PHI
Consider the type of PHI involved, i.e., whether the PHI is of a more “sensitive” nature. If credit card numbers, SS#s, or other info that increases the risk of identity theft or financial fraud are involved, this cuts against finding a “low probability” that PHI was compromised. With clinical info, consider the nature of the services, as well as the amount of info & details involved.

Factor 2 – Unauthorized Person
Consider who the unauthorized recipient is or might be. If the recipient is someone at another CE or BA, then there is a lower probability that the PHI has been compromised, since such entities are obligated to protect the privacy and security of PHI in a similar manner as the CE or BA from which the breached PHI originated. Compare this to PHI impermissibly disclosed to the individual’s employer, who could compare the info against dates of absence from work.

Factor 3 – Acquired or Viewed
Consider whether the PHI was actually acquired or viewed or, rather, only the opportunity existed, i.e., if a CE mails information to the wrong individual, who opens the envelope and calls the CE to say that he/she received the information in error. HHS points out that in such a case the unauthorized recipient viewed and acquired the info because he/she opened and read it, and so this cuts against a finding that there is a low probability that the PHI was compromised. To contrast, if a laptop computer is stolen and later recovered, and a forensic analysis shows that the otherwise unencrypted PHI on the laptop was never accessed, viewed, acquired, transferred, or otherwise compromised, the CE or BA could determine that the information was not actually acquired.

Factor 4 – Mitigation
A CE or BA must attempt to mitigate the risks to PHI following any impermissible use or disclosure, such as by obtaining the recipient’s satisfactory assurances that the PHI will not be further used or disclosed (through a confidentiality agreement or similar means) or will be destroyed. When determining the probability that the PHI has been compromised, the CE or BA should consider the extent of the steps needed to mitigate, and how effective the mitigation was.

ENFORCEMENT
“The HIPAA Auditors are here and they are asking for copies of all our HIPAA Policies and most recent Security Risk Analysis!”
“I thought nobody ever enforces HIPAA??!!”

PREVENTION
• The only way to be ready for a HIPAA Audit is to ensure you have all of the elements in place to cooperate with the Office for Civil Rights (OCR) effectively
• In 2013, OCR reported 85,239 complaints by patients against medical practices, 16 of which resulted in fines of more than $1 million, and more than 20,000 resulted in corrective action
• How you manage a complaint or breach will determine your practice’s survival – and its reputation moving forward

TRIGGERS, ENFORCERS, CONSEQUENCES
• Triggers for Enforcement
  - HIPAA Complaints
  - Reported Breach
  - HIPAA Audit
• Enforcers of HIPAA
  - OCR (Office for Civil Rights)
  - DOJ (Department of Justice)
  - HIPAA Auditor (KPMG)
  - State AGs (Attorneys General)
• Consequences
  - Civil Monetary Penalties
  - Criminal Prosecution (intentional misuse)
  - Reputation and public perception
THE OMNIBUS RULE – ENFORCEMENT

Violation Category                                                      | Each Violation     | All Violations of an Identical Provision in a Calendar Year
(A) Did Not Know / but by exercising reasonable diligence would have    | $100 - $50,000     | $1,500,000
(B) Reasonable Cause / not willful neglect of the person/entity         | $1,000 - $50,000   | $1,500,000
(C) Willful Neglect – Corrected within 30 days                          | $10,000 - $50,000  | $1,500,000
(D) Willful Neglect – Uncorrected within 30 days                        | $50,000            | $1,500,000

OCR clarified that the $1.5 million cap is per type of violation, and there could therefore be multiple violations that could result in a much higher amount.

LESSONS LEARNED
• Advocate Health System – Projected $100 million in fines
  - One medical office – break-in, (2) desktops stolen with patient records
• Phoenix Cardiac Surgery, P.C. – $100,000 Settlement and CAP
• Mass. Eye and Ear Associates – $1.5 million, CAP for 3 years
  - Public calendar used disclosing PHI
  - Lack of internal policies and procedures
  - No documentation of workforce training
  - No compliance officer or assessment performed/documented
  - No business associate agreements in place
• Hospice of North Idaho – $50,000 fine for fewer than 500 patients
  - Lost laptop not encrypted
  - Lack of internal policies and procedures

WALL OF SHAME
• Resolution Agreement (RA) – Terms and conditions of settlement
• Fines must be paid upfront and in full
• Corrective Action Plan (CAP) – Operating agreement with total oversight of your business by OCR and HHS – 2 to 3 years
• Additional costs:
  - Attorneys
  - Accountants
  - Patient notification
  - Consultants
  - Patient loss/trust
  - Local media
  - Identity theft protections
  - And more…
DO NOT LET THIS BE YOU!
EFFECTIVENESS
• Ensure you document what you do
• Ensure you do what you document you do
• Ensure you validate that you do what you document you do
• Fix it if you don’t

HELPFUL RESOURCES

Topic                             | Resource                 | Description
MU Audit                          | MU Audit Tipsheet        | A PDF document that explains the expectations and requirements of a MU audit
MU Audit                          | Sample Audit Letter      | A PDF document that is an example of a MU Audit letter a provider might receive
Certified EHR Technology          | CPHL Certified EHR List  | A webpage with a comprehensive listing of certified EHRs with certification IDs
HHS.gov                           | Privacy & Security       | Official website of Health and Human Services with information on compliance
HIPAA HelpBook – YouTube video    | HIC’s HIPAA Manual       | HIC and AAO’s NJ State-specific manual for practices. Everything you need is right here
HIC Website                       | HIC Website              | HIC’s website that talks about us, our services and how we can help you
HIC LinkedIn                      | HIC’s LinkedIn Page      | Join us for posting and reading about topics from HIC and our over 800 members
Blog by Helen Oscislawski, Esq.   | Law Blog on HIPAA        | HIC’s attorney Helen Oscislawski, Esq. provides information and guidance on today’s HIPAA

CONTACT INFORMATION
Susan Lieberman, MBA
Vice President, Risk Management
Conventus Inter-Insurance Exchange
[email protected]
www.conventusnj.com
877-444-0484, x466

Stevie M. Davidson, CPHIT
President & CEO
Health Informatics Consulting
[email protected] | www.myhic.net
Phone: 609-925-9008 | Fax: 609-925-9008
© Copyright 2024