
Meaningful Use Audits, HIPAA Privacy and Security and Safeguards

May 26th, 2015

Meaningful Use requires compliance with both HIPAA Privacy and Security and the HITECH Act safeguards.

The HIPAA Security Rule § 164.316(b)(1) requires HIPAA covered entities to:

“Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form; and (ii) if an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment.”

HIPAA covered entities must conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), implement security updates as necessary, and correct identified security deficiencies as part of their risk management process.

The HITECH Act, which was enacted as part of ARRA, promotes the adoption and meaningful use of health information technology. Subtitle D of the HITECH Act addresses the privacy and security concerns associated with the electronic transmission of health information. While the HITECH Act mirrors HIPAA, it elaborates with specific requirements including:

For example, §170.302(o) Access control requires that HIPAA covered entities assign a unique name and/or number for identifying and tracking user identity and establish controls that permit only authorized users to access electronic health information.

If your firm is audited with respect to a Meaningful Use Attestation, you will need to provide, among other documents:

  • Documentation including budgets for HIPAA privacy and security risk analysis
  • Meaningful Use reports from CEHRT (certified E.H.R. technology) and screenshots
  • Documentation from the certified E.H.R. vendor
  • Clinical quality measure information

If your firm has proof of exclusion from any measure, that must be provided as well, though there are no exclusions for HIPAA security or HITECH Act safeguards.

Policies and procedures must:

“Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in § 164.306(b)(2)(i), (ii), (iii), and (iv) [the Security Standards: General Rules, Flexibility of Approach]. This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirements of this subpart. A covered entity may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart.”

Eligible hospitals and CAHs must attest YES to having conducted or reviewed a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implemented security updates as necessary and corrected identified security deficiencies prior to or during the EHR reporting period to meet this measure.

Eligible hospitals and CAHs must conduct or review a security risk analysis of certified EHR technology and implement updates as necessary at least once prior to the end of the EHR.  If there are any changes in your E.H.R. or security infrastructure, ensure that you document updated risk assessments.


Medicare Audit Improvement Act of 2015 Proposes Revised RAC Audits Just in time for ICD-10

May 19th, 2015

Both sides of the aisle in Washington, DC believe that the current approach to auditing health care providers needs to be changed. Recently, Representatives Sam Graves (R-MO) and Adam Schiff (D-CA) introduced HR 2156, the Medicare Audit Improvement Act of 2015. This legislation proposes changing the Recovery Audit Contractor (RAC) program from a bounty hunter approach to a flat fee. Auditors would also be held accountable for poor performance. The hope is that this will make RAC audits more reasonable instead of overly invasive and overzealous. The RAC audit practice combined with Meaningful Use audits has been a doubly serious audit process for many providers.

The bill would accomplish these changes, if passed:

  • Require RACs to make inpatient claims decisions using exactly the same information the physician had when treating the patient, not information that becomes available after the patient leaves the hospital;
  • Hold RACs more accountable by setting payments to RACs at lower rates if there is poor RAC performance due to high rates of incorrect denials;
  • Eliminate the current RAC contingency fee structure. Instead, the bill would direct the Centers for Medicare & Medicaid Services (CMS) to pay RACs flat fees to reduce the financial incentive for overzealous auditing practices;
  • Set an improved and more transparent method to calculate RACs' total appeal overturn rates;
  • Fix CMS's unfair rebilling rules by allowing hospitals to rebill claims when appropriate.

This bill is timely. The shift to ICD-10 will create more opportunities for audits in documenting the patient condition and entering diagnosis and procedure codes, and may cause some shifts in reimbursement. Under the bill, RAC auditors would therefore be incentivized to do what is reasonable rather than opportunistic.

© 2015 - No World Borders. All Rights Reserved. Email: info@noworldborders.com