Meaningful Use Reporting – Aegify
https://www.aegify.com
Comprehensive Security, Risk and Compliance Assurance Solution
Wed, 03 Aug 2016 00:23:42 +0000

Are MU Audits Causing Nightmares for CIOs?
https://www.aegify.com/are-mu-audits-causing-nightmares-for-cios/
Tue, 10 Jun 2014 11:07:10 +0000

Besides serious time and resource commitment, every “Meaningful Use” audit results in a lot of stress. Healthcare enterprises heave a sigh of relief after passing an EHR Incentive Program audit, assuming they don’t have to bother anymore as they have proved their meaningful use merit to the Centers for Medicare & Medicaid Services (CMS). But that is clearly not the case. Ralph Johnson, chief information officer of rural Franklin Community Health Network, in Farmington, Maine, has attracted the attention of CMS for the second consecutive attestation period.

Considering that these audits are random, he figured he was done with his turn last year. However, this is the second time in a row that he has received a notification, indicating that it is not totally uncommon for healthcare enterprises to face a second meaningful use audit. Jeff Smith, director of federal affairs at CHIME, said the CIO trade organization doesn’t have data on the frequency of audits, but pointed out that there were 94 facilities that received audit requests in a 2013 survey. Smith also mentioned that other hospitals have been audited twice by the CMS auditors, once by Medicaid (state-based) and once more by HHS OIG.

Does CMS have any audit specifics?

Of those providers attesting for meaningful use, at least 5 percent are likely to undergo a CMS audit, with half of those being subjected to a pre-payment audit. Additionally, detailed documentation is an absolute necessity as CMS wants to ensure that providers are using certified EHR technology, take a closer look at MU reports for core and menu attestation data, and check copies of security assessments.

While CMS won’t actually discuss specific audits, a spokesperson did provide some information related to the incentive program. According to CMS, the attestations submitted during and after January 2013 by Medicare providers may have to endure pre-payment audits. These pre-payment audits will include random audits, as well as audits that target anomalous data. CMS also stated that those providers selected for pre-payment audits will need to provide supporting documentation to validate the submitted attestation data before payment is released. CMS will continue to conduct post-payment audits during the course of the EHR Incentive Programs. All providers selected for post-payment audits need to submit supporting documentation to validate their submitted attestation data.

Handling MU Audits Twice

Johnson feels that the random MU audits are not really random, and that they bring a tremendous amount of make-work and sleepless nights. On the other hand, having already gained some first-hand experience the first time around, he finds that preparations for a second audit can be completed quickly. He adds that the other advantage of being audited a second time is that the hospital’s auditors are happy, as they don’t have to worry about putting a reserve in case there is an audit. Believing that he had the right formula to satisfy them, Johnson also stated that the auditors were not actually evaluating his responses but rather looking to check if an issue was identified and addressed.

Stay Prepared

With the likelihood of audits increasing, it is best to always stay prepared. After submitting for attestation, the auditors can knock on your door at any time. Whether prior to or after receiving the incentive payment, an audit can occur anytime up to six years. It is thus best to be prepared and ensure that your documentation and your enterprise are in order. What will also prove beneficial is the adoption of a unified and comprehensive solution such as Aegify Security Posture Management or Aegify SecureGRC that can help organizations remain continually secure and compliant. The meaningful use assessment in Aegify SecureGRC will help sail through these audits very smoothly. Aegify SecureGRC has a built-in repository for policies, best practices and citation guidance, with quick access to documentation and evidence from a central repository for pre/post audits, making the whole process simple and efficient.

Is Meaningful Use Requirement Triggering Panic? You’re Not Alone
https://www.aegify.com/is-meaningful-use-requirement-triggering-panic-youre-not-alone/
Fri, 23 May 2014 15:48:31 +0000

Although only a small percent of healthcare entities actually go through a "Meaningful Use" audit, it is the anxiety that a single misstep could set off an audit or a penalty that is a major concern for a number of healthcare CIOs. Healthcare entities are in a quandary, trying to determine if their EHR will be safe in instances where they have made slight changes to "what’s written" to be followed, as customization of enterprise software to suit a vendor’s certified product makes it very hard to discern whether a healthcare enterprise has stepped out of bounds in meeting meaningful use requirements.

Many healthcare entities share a similar trepidation. Colin Banas, MD, the chief medical information officer at the Virginia Commonwealth University (VCU) Medical Center, firmly believes that this process is driven by "fear of audit, fear of penalty, and fear of vendor abandonment should a client choose to forge a different path." His worries stem from the fact that VCU occasionally tailors a vendor’s certified product in order to make it more usable, and this could fail meaningful use requirements. Given that VCU already follows the intent of the measure, Banas further states that it could be next to impossible to estimate the resources used by VCU to readjust clinical workflows and codes to adhere to the letter of the law.

The New York-Presbyterian Hospital shares a similar anxiety. According to Virginia Lorenzi, a health IT veteran with nearly 25 years of experience and associate manager of information services, the hospital has spent plenty of time and energy trying to ascertain if its EHR would be safe when there were modifications to what was actually written into the certified product. A bad meaningful use audit drives many of her decisions, worries Lorenzi, and if an area is gray and unclear, she, like all others, would prefer to land on the safe side.

What do the certifying bodies say?

The truth is that many certifiers believe that the gray areas are indeed convoluted. To add to this, the Office of the National Coordinator for Health Information Technology (ONC) has not unified the way various certification bodies interpret measures. Considering that some believe that there is a lack of guidance from the ONC, Kyle Meadors, director of EHR testing with the Drummond Group, also an authorized testing and certification body of the ONC, suggests that information-sharing among the certification bodies is likely to bring some clarity. Given that the certifiers are not privy to each other’s interpretations, Meadors deems it necessary for ONC to start engaging the certification bodies periodically to understand the challenges and start seeing different interpretations from other vendors. Amit Trivedi, program manager of healthcare at ICSA Labs, a certification body, thinks it may be best for ONC to conduct pilot certification tests involving all the bodies, observe testing, understand the expected results, learn how test tools operate, and provide feedback.

As always, ONC on its part is listening to feedback, and will accordingly make necessary changes when appropriate. Certification workgroup member Charlene Underwood, senior director of government and industry affairs at Siemens Medical, doesn’t think it is possible to certify the actual intent of what they are trying to accomplish, as the same gets lost in the standards. However, Jacob Reider, MD, deputy national coordinator, who is in charge of certification, stated that ONC is gearing up a new initiative that will soon address the challenges and irregularities in certification and auditing.

A clean gap analysis of a company’s security posture and compliance levels against regulatory controls, using cloud-based solutions such as Aegify Security Posture Management or Aegify SecureGRC, can help organizations meet the Meaningful Use requirements more effectively. Thorough gap analysis and comprehensive remediation recommendations help ensure that health records remain safe, while also ensuring that there is significant benefit from ‘Meaningful Use’ of EHR. The adoption of such a unified and comprehensive solution can take away all fears and anxieties from the process of Meaningful Use.

False Attestation to Meaningful Use by Texas Hospital
https://www.aegify.com/false-attestation-to-meaningful-use-by-texas-hospital/
Tue, 18 Feb 2014 05:28:14 +0000

While the meaningful use incentive program is intended to encourage healthcare providers to adopt electronic health record systems and to ensure secure data sharing practices, it looks like some providers may have found loopholes for obtaining incentives without actually fulfilling requirements. Shelby Regional Medical Centre in Texas has come under the scanner for making false claims and obtaining nearly $1 million in federal electronic health record (EHR) incentives. The former CFO of the entity has been charged with fraud for making false statements to the Centers for Medicare & Medicaid Services over meeting the requirements of meaningful use of EHR.

As per the indictment, which was made in November last year, Joe White, the former CFO of Shelby Regional, had falsely attested to CMS that the entity met meaningful use requirements for the fiscal year 2012, thereby receiving payments of $785,655. However, according to officials, the entity had only used paper records throughout the fiscal year and only made minimal use of EHR. In order to make it appear that the hospital was using MU-certified technology, White had directed its software vendor and hospital staff to manually input data from paper records into EHR software, months after patients were discharged or at the end of the fiscal year.

Moreover, according to officials, White falsely attested to meaningful use, using the name and information of another person without that individual’s consent or authorization. A noteworthy fact is that the hospital was shut down in 2013 following the investigation of its MD Tariq Mahmood for healthcare fraud. Six hospitals operated by Mahmood in Texas received $16.8 million in meaningful use incentives during the fiscal years 2011 and 2012.

To date, CMS has paid eligible providers and hospitals more than $19.2 billion for attesting to meaningful use requirements. With more emphasis on the adoption of electronic health systems and with more and more federal dollars made available to providers to adopt these systems, the US Department of Health and Human Services Office of Inspector General is expecting to see more cases such as this one.

Joe White may face up to five years in federal prison if convicted for making false statements and up to two years for aggravated identity theft. Any type of healthcare fraud is bound to invite stringent legal action. But the truth is that this Texas hospital could have avoided this incident altogether if it had put in place a comprehensive security solution like Aegify Security Posture Management or Aegify SecureGRC, which could have helped achieve meaningful use status with ease, and also ensured that there is no breach of security protocol.

Revamp of HIPAA Disclosures Rule Endorsed
https://www.aegify.com/revamp-of-hipaa-disclosures-rule-endorsed/
Tue, 10 Dec 2013 10:14:59 +0000

Safeguarding patient health information has always remained one of the top priorities for healthcare. To further this interest, federal advisors have spelled out revisions to the HIPAA Accounting of Disclosures Rule. The Health IT Policy Committee has endorsed the recommendations put forth by its Privacy and Security Tiger Team in its meeting held on December 4th. The advisory committee has laid out guidelines for disclosing access to patients’ electronic health records (EHR), and the Department of Health and Human Services (HHS) has to make several revisions in its long-delayed plan to revamp the rule. The guidelines include:

Taking an Incremental Approach – This would mean conducting tests to prove that healthcare providers can comply with the updated requirements of the rule. This can help determine how transparency of data disclosures can be ensured without overburdening healthcare organizations. Approaching this in a structured fashion and pursuing an implementation method that would be feasible from the perspectives of policy and technology would prove helpful. The HIT Policy Committee urges HHS to take a focused approach that gives priority to quality over quantity, where the scope of disclosures and related details reported to patients contains information that is useful to them while not overwhelming them or putting undue burden on providers.

Focusing on Disclosure of Records to Those Outside the Entity – Providing patients with a report of disclosures made to parties outside of the healthcare entity should be the first step in taking an incremental approach. So HHS should follow a method wherein disclosure reports are triggered whenever an entity transfers control of information to an external party. While the current HIPAA Privacy Rule requires covered entities to make available, upon request, an account of information disclosures of individual Patient Health Information (PHI), on paper or in electronic form, the HITECH Act calls for revising the disclosure requirement to include those disclosures made for healthcare payment, treatment, or operations using an EHR.

Scaling Back Plans for Providing Detailed Access Reports – OCR’s notice in May 2011 for carrying out the HITECH Act requisite for revising the disclosure requirements also included a controversial provision necessitating that, upon a patient’s request, an ‘access report’ should list out everyone, including internal users, who has viewed their information. As per this requirement, patients have to be provided details of the date and time of access, the name of the person/entity accessing the information, and the action performed, such as creation, modification, or deletion. However, the HIT Policy Committee has now endorsed scaling back on these reports, instead allowing patients who suspect inappropriate access to their health information to request an investigation inside the entity that controls the information. These recommendations were crafted over several months based on public and industry feedback about the original rule revision that was proposed.

Conducting Technology Pilots – To enable covered entities to conduct investigations of inappropriate access, the HIT Policy committee recommends the addition of the two following implementation specifications to the existing audit control standard in the HIPAA rule: 1. Addressable audit controls must record PHI access activities to the granularity of the individual user and the individual whose PHI is accessed; and 2. Information recorded by the audit controls must be sufficient to support the information system activity review required by the HIPAA Security Rule and the investigation of potential inappropriate access to PHI.

As soon as the pilots are completed, OCR will resume work on a revised rule taking the recommendations and pilot findings into account. However, safeguarding PHI is not just about being transparent in disclosing details of access to patients. It has to begin with ensuring comprehensive security, improving risk assessment capabilities, and building an efficient system of information access management, for which Aegify Security Posture Management and Aegify SecureGRC can come in handy. These solutions can prove valuable in preventing breaches due to inappropriate access to PHI and other such HIPAA violations.

Surviving a ‘Meaningful Use’ Audit
https://www.aegify.com/surviving-a-meaningful-use-audit/
Thu, 17 Oct 2013 07:47:13 +0000

The preliminary results of the ‘Meaningful Use’ audits conducted by the Centers for Medicare & Medicaid Services have indicated that healthcare providers are having trouble substantiating their attestations, and are especially facing issues with documentation. Robert Anthony, deputy director of the Health IT Initiatives Group at CMS’ Office of e-Health Standards and Services, mentioned in an interview that Electronic Health Record (EHR) systems should provide audit logs to let users record when they began tracking a measure, in order to substantiate the time period. But the EHR systems in some entities failed to do this.

Moreover, while some entities use systems that generate reports based on a snapshot in time, others have ‘rolling systems’ that cause numbers in the EHR to change after the entity has attested. In these cases, a copy of the original report has to be kept to substantiate the numbers used for attestation. While this is one of the concerns, there are also many other issues to be considered and steps to be taken while preparing for the Meaningful Use audit.

How to Survive a Meaningful Use Audit

Although only a small percent of healthcare entities will go through the Meaningful Use attestation audit, all healthcare entities should bear in mind that even a single attestation misstep could result in loss of the entire incentive payment. This is a major concern for a number of healthcare CIOs, and is one of the main topics addressed by the attendees at the CHIME13 CIO forum in Scottsdale, Arizona recently. Elizabeth Johnson, Vice President of Applied Clinical Informatics at Tenet Healthcare Corporation, and Pam McNutt, Senior Vice President and CIO at the Methodist Health System in North Texas provide 5 steps to survive the Meaningful Use audit:

  1. Preserve the Data. Meaningful Use audits may go as far back as six years. So entities should have preserved data over all those years to support attestation claims. It is therefore important to protect data at all costs. Entities that have aggressive purge criteria to save disk space should be careful not to do away with all the data that may be needed to prove Meaningful Use. It may also be helpful to configure EHR systems ahead of time in such a way that patient records and audit logs contain everything the auditors may seek.
  2. Plan in Advance. Logs and system settings should help produce the required data when needed. Moreover, in order to make documentation easier, the vendor’s name and software version should be on the header of all the Meaningful Use reports. This can help prove that they have come from a certified system.
  3. Be Prepared for Surprises. Although it is crucial to prepare well in advance for the audits, it is also equally important to expect the unexpected. For both Tenet and Methodist, an unexpected area of focus was HIPAA security risk assessment. While many entities may be conducting vulnerability testing and annual HIPAA risk assessment, these may not suffice for the Meaningful Use audit. The audits may also focus on the EHR technology and the version that is being used. In addition to this, the audit, the report, and the reaction to the report should all be done within the attestation time period. Hence entities should proceed with caution and be prepared for surprises.
  4. Think Before Upgrading. Entities may have to prove to auditors that they have been on a certified release the entire time. But some entities get tripped up with this during the upgrade cycles, thinking that all that is needed is to be on the certified release before running all the reports. This is not the case, because they have to prove, with screenshots, the date on which the certified EHR technology went into production. And this date has to be on or before the date of the attestation period.
  5. Proceed Quickly. Once the Meaningful Use audit notice is received, entities have two weeks to respond and send documentation through an online portal. But it is important to be ready to file in less than two weeks because there is no guarantee that the notice will reach the right person. There have been cases where the notice had been completely overlooked. So entities should prepare all employees to recognize the audit notification, and understand the importance of taking quick action by alerting the right person.

While these steps can be extremely helpful in facing the Meaningful Use audits with confidence, what will also prove beneficial is the adoption of a unified and comprehensive solution such as Aegify Security Posture Management or Aegify SecureGRC, which can help organizations sail through these audits very smoothly. Aegify SecureGRC provides quick access to documentation and evidence from a central repository for pre/post audits. This significantly eases the audit process.
