Tag Archives: CMS

It’s Official…CMS Audits of Meaningful Users Commence

From Ober Kaler’s Health Law Alert Newsletter, 2012: Issue 12 – Focus on HIPAA/Privacy, we learn from James B. Wieland and Joshua J. Freemire that it is “unofficially official”: audits of meaningful users have begun.

Is Mandatory 14/15 the chink in a meaningful user’s armor? After all, the other core measures are explicit and require daily measurement. Most meaningful users have cracked the code on such measurement and reporting. But what is the measurement to demonstrate that your organization is “protecting electronic health information” with the same vigilance and accountability as you perform against the other core measures?

Did you perform or review a risk analysis consistent with the ONC’s published guidance?  A real risk analysis?

Do you have a documented plan to remediate any deficiencies or unacceptable risks? 

How do you document your performance against that plan?  It is probably unrealistic, impractical or of little value to measure daily, but can we agree that a monthly “status” is reasonable?  If so, is your organization performing to that level?

Do not let the simplicity of the “check box” for Mandatory 14/15 on the attestation profile fool you into a false sense of security (no pun intended) about your organization’s performance.  In fact, in its simplicity it may represent the greatest risk to your organization in the event of an audit.

The cost/benefit analysis here is really a no-brainer when you consider the penalty for a fraudulent attestation could be as much as 3x the stimulus your organization has received.  If there is any doubt in your organization’s mind that you have met the requirement of Mandatory 14/15, now is the time to take action.

Wieland and Freemire write:

A number of health care providers that attested to Meaningful Use for Stage 1 have received a letter from Figliozzi and Company, acting as CMS’s auditor for the EHR Incentive Program (the “Program” or “Meaningful Use Program”), requesting certain records related to the attestation. CMS has not, as of this writing, made any announcement of this audit initiative or of the engagement of Figliozzi and Company. While it is always good policy to confirm the identity and authority of any entity claiming a right to review or audit records, these letters are legitimate. Citing its statutory authority under the American Recovery and Reinvestment Act (ARRA), and without any fanfare, CMS has begun to audit the attestation materials.

The letters from Figliozzi and Company, as the Department of Health and Human Services (HHS) Secretary’s designee, request four categories of information:

  • Audited entities are asked to produce a copy of their certification from the HHS Office of the National Coordinator for Health Information Technology for the technology they used to meet Program requirements. Presumably, this documentation will be used to demonstrate that the entity “possesses” a certified Electronic Health Record technology system as required under Program rules.
  • Audited entities are asked to provide documentation to support the method (observation services or all emergency department visits) they chose to report emergency department admissions. This distinction plays a large role in several of the Program requirements as it determines which patients were included in the denominators of certain meaningful use core and menu items.
  • Audited entities are asked to supply supporting documentation with regard to their completion of the attestation module responses as to core set objectives and measures. While the audit letter’s request is not specific, it would appear that this request is intended to solicit information beyond that already provided to CMS as part of the attestation process. A hospital might consider, for instance, producing reports substantiating the encounters that gave rise to the calculation relied upon to successfully attest. Such reports should be deidentified.
  • Audited entities are asked to supply supporting documentation with regard to their completion of the attestation module responses as to “menu set,” or voluntary, objectives and measures. Again, the information request appears to solicit a level of information beyond that provided in the attestation documents themselves.

Based on questions from recipients, an amended version of the audit letter has been sent out, adding “(i.e., a report from your EHR system that ties to your attestation)” to the latter two categories of requested documentation. This clarifies that the audit letters seek additional detailed information but are not, at this time, requesting identifiable or detailed patient records.

The audit letters do not provide audited entities much time to respond – a short, two-week response time is specified. Unfortunately, it is also unclear how audit candidates are selected, so hospitals and professionals will not be able to “plan ahead” for an audit they can be certain is coming.

You may also appreciate an article on FierceEMR today by Marla Durben Hirsch on this topic:  CMS starts Meaningful Use attestation audits – FierceEMR http://www.fierceemr.com/story/cms-meaningful-use-attestation-audits-providers/2012-07-23#ixzz21VMMAsFc

CynergisTek and Davis Wright Tremaine Announce HIPAA Audit Readiness and Response Solutions Portfolio

Leading Healthcare IT Security Company Partners with Top Law Firm; Launches Solutions and Legal Services for OCR Audit Compliance 

Austin, Texas, April 24, 2012 — CynergisTek™, an authority in security and privacy solutions and services for healthcare organizations, announced today that it has partnered with Davis Wright Tremaine LLP (DWT), a nationally-recognized law firm focusing on health information technology (HIT), to create the HIPAA Audit Readiness and Response Solution Portfolio. The joint offering provides a range of solutions and legal services designed to prepare healthcare organizations for the Office for Civil Rights’ (OCR) HIPAA Audit Program to ensure compliance in this new era of heightened enforcement. Investigation and response support services, for those that are selected for audit or subject to an OCR investigation, are also a key offering in the portfolio. The portfolio will expand to include CMS audit readiness and response solutions related to security measures associated with meaningful use.

“HIPAA compliance programs and practices vary greatly across the industry as does the audit readiness posture of covered entities.  We recognized the significant need for a solution series that provides organizations with the tools and services to both prepare for and respond to  the increasing rigor of audits that we are seeing from OCR and we expect from CMS,” said CynergisTek CEO, Mac McMillan.  “We developed the HIPAA Audit Readiness and Response Solution Portfolio based on lessons learned in our work supporting one of the first 20 organizations selected for the pilot phase of the OCR HIPAA Audit program. It represents our firsthand, in-depth knowledge of the audit process, and each major milestone in the process from the initial notification and documentation request, to the site survey process, and the reporting phase.  This experience and the contributions of DWT HIPAA team partner and former OCR official, Adam Greene, are the foundation upon which this entire portfolio was conceived and designed.”

CynergisTek and DWT designed the HIPAA Audit Readiness and Response Solution Portfolio to meet the unique needs of all healthcare organizations, regardless of resource level or compliance objectives. The services included in the portfolio range from a true-to-life, invasive mock audit, to a less disruptive review of organizational policies and procedures related to the HIPAA privacy and/or security rules. All solutions can also be performed under the direction of DWT, which provides the benefit of legal consultation and a claim of attorney-client privilege governing the engagement. The full solution portfolio includes:

  • CynergisTek-Davis Wright Tremaine HIPAA Audit Toolkit
  • Audit Readiness Training Program
  • Audit Response Readiness Exercise
  • Mock Privacy and Security Audit
  • Legal Privacy Policy Review
  • Security Policy Review
  • Privacy Policy and Operational Audit
  • Security Policy and Operational Audit
  • IT Security Risk Assessment
  • Privacy and Security Program Design and Remediation
  • Real-Time Audit and Investigation Assistance

“HIPAA enforcement is here,” said Adam Greene, Partner, DWT. “The healthcare industry has seen a flurry of highly consequential legal action around HIPAA compliance and data breaches over the last year, and I expect the trend to accelerate. By working with CynergisTek, we are able to offer a well-informed, well-rounded set of solutions that address healthcare privacy and security compliance from a legal, technical and operational standpoint. I believe the services we have developed will benefit any organization hoping to avoid the often monumental financial, reputational and legal ramifications that can result from an inadequate HIPAA compliance program.”

About CynergisTek

CynergisTek is an authority in healthcare information security and privacy management, regulatory compliance, IT audit and advisory services, business continuity management, security technology selection and implementation, and secure IT infrastructure architecture and design solutions. The firm offers practical, manageable and affordable consulting services for organizations of all sizes and complexity. Using an organized, planned and collaborative approach, CynergisTek applies multidisciplinary expertise to serve as partner and mentor, to enhance the consulting experience and, ultimately, clients’ compliance and business performance. CynergisTek participates in and contributes to HIMSS, AHIMA, HFMA, HCCA, AHIA and other industry bellwether organizations. For more information visit www.cynergistek.com, call 512.402.8550 or email info@cynergistek.com.

About Davis Wright Tremaine LLP

Davis Wright Tremaine LLP is dedicated to providing excellent legal services, and delivering them in a manner customized to each client’s particular needs and preferences. DWT’s health information technology (HIT) and HIPAA practice group has decades of experience helping clients develop practical privacy and security policies and procedures, plan and implement health information sharing networks and exchanges, and acquire and implement health information technology. For more information visit www.dwt.com or e-mail adamgreene@dwt.com.
