© 2013 Baird Holm LLP
Health IT and Meaningful Use Update
Nebraska Healthcare Quality Forum June 4, 2014
Barbara E. Person and Michael W. Chase Baird Holm LLP
#1258792
HIPAA - Breaking News!
• Office for Civil Rights (OCR) will begin second round of HIPAA audits
• Assess compliance with the Privacy, Security and Breach Notification Rules
• Initial survey of 800 CEs; 400 BAs
• OCR will select organizations for audit based on survey
HIPAA - Breaking News!
• Previous HIPAA audit program (2012)
– Use/Disclosure violations
– Minimum Necessary violations
– Inadequate access controls
– Security Rule violations
– 2/3 did not have complete or accurate risk assessment
HIPAA - Breaking News!
• Prepare for a HIPAA audit
– Security risk assessment
– Updated policies and procedures after Omnibus Rule (e.g., Breach Notification)
– Ongoing privacy risk assessment
– Encryption
HIPAA - Breaking News!
• Adult & Pediatric Dermatology, P.C. (Mass.) (December 2013)
– Unencrypted thumb drive stolen (2,200+ patients)
– OCR investigation: no thorough risk assessment
– No breach notification policies
– $150,000 settlement + Corrective Action Plan
HIPAA - Breaking News!
• Skagit County, Washington Public Health Dept. (March 2014)
– ePHI (1,583 money receipts) moved to publicly accessible server
– Lacking policies and procedures
– Breach notification to OCR; not to individuals
– $215,000 settlement + Corrective Action Plan
HIPAA - Breaking News!
• Concentra Health Services (April 2014)
– Unencrypted laptop stolen from facility
– OCR investigated following breach report
– Previous risk analysis identified lack of encryption as a critical risk
– Steps taken to begin encryption; not complete
– $1,725,220 settlement + Corrective Action Plan
HIPAA - Breaking News!
• QCA Health Plan, Inc. (April 2014)
– Unencrypted laptop stolen from car
– OCR investigation: failure to comply with multiple requirements of Privacy/Security Rule
– $250,000 settlement
– Submit updated risk analysis and risk management plan to OCR
Meaningful Use – Breaking News!
• USA v. White (U.S. District Court, E.D. Texas)
– Former CFO of Texas hospital indicted by Federal Grand Jury for falsely attesting to MU
– In charge of MU implementation at several facilities – total of $16.79M in incentive payments
– Shelby Regional Medical Center (Center, TX) received approx. $700,000
USA v. White - Charges
• Directed EHR vendor and hospital staff to manually input data from paper records months after patient encounters
– Some records input after EHR reporting period
• Federal Charges: making false statements, ID theft
• Not charged under Federal False Claims Act
USA v. White - Charges
Providing False Statement to CMS
“I certify that the foregoing information is true, accurate, and complete. I understand that the Medicare EHR Incentive
Program payment I requested will be paid from Federal funds, that by filing this attestation I am submitting a claim for
Federal funds, and that the use of any false claims, statements, or documents, or the concealment of a material
fact used to obtain a Medicare EHR Incentive Program payment, may be prosecuted under applicable Federal or
State criminal laws and may also be subject to civil penalties.”
USA v. White - Charges
Aggravated Identity Theft
• Created User ID of another employee (P.B.)
• Without P.B.’s knowledge
• P.B. had previously refused to participate in attestation
• Submitted attestation under P.B.’s name and SSN
Meaningful Use Audits
• September 2012: Sebelius/Holder letter warning of abuse of EHR technology
• As of January 2014: $20.93B in incentive payments
– $20.93B Medicare
– $94M Medicaid (Iowa)
• Stages 1 and 2; various EHR reporting periods
• 2014 OIG Work Plan addresses Medicare and Medicaid incentive payments
Meaningful Use Audits
• CMS: “small” percentage of providers will be selected for audits
• Figliozzi and Company (CPAs) selected as auditor
• Eligible Hospitals, CAHs, and Eligible Professionals
Meaningful Use Audits
• Pre and post-payment audits
• Random and targeted audits
• “Complete audits”
• “Mini” audits (e.g., ONC certification)
• Don’t forget Medicaid audits!
Meaningful Use Audits
• Failed audit will result in Medicare payment being recouped
• Failed Medicare MU audit will also result in Medicaid incentives being reclaimed by the State
• Civil and criminal penalties for fraudulently attesting
– False Claims Act
– Imprisonment
– Exclusion
Meaningful Use Audits - Process
• Letter from Figliozzi/CMS (via e-mail)
• Gather requested documents (1 month to respond)
• Follow instructions for submission (electronic vs. paper)
• Hurry up and wait! (For a follow-up request)
• Audit Determination Letter (success or recoupment)
Meaningful Use Audits - Process
• Communicate with Compliance Officer, Privacy Officer and Legal Counsel
• Document request
– Vendor invoices and/or license agreements
– Documentation to support attestation to selected core/menu measures
  • Reports generated
  • Screenshots
Meaningful Use Audits – Prepare
• Review underlying regulations and guidance for each Stage (and each objective/measure)
• Know the EHR systems – Inpatient vs. Ambulatory; dates when upgraded
• Maintain all vendor license agreements and invoices
• Educate/train on audit process and preparation
Meaningful Use Audits - Prepare
• Conduct (or review) a security risk assessment
– HIPAA Security Rule requirements
– Conduct/review during EHR Reporting Period
– Applies to eligible hospitals, CAHs, and eligible professionals
Meaningful Use Audits - Prepare
• Security risk assessment
– Inpatient vs. Ambulatory EHRs
– Consider redacting information outside the scope of a security risk assessment
– 2014 OIG Work Plan: review Security Rule compliance for CEs receiving MU payment and BAs (e.g., cloud service; downstream providers)
Meaningful Use Audits - Prepare
• Document attestation process start to finish
– Each entity and/or provider
– Process to calculate numerators and denominators (and/or generate report) for each objective
– Payment calculations (e.g., cost report data)
– Save all electronic and paper documentation
• Retain documentation for at least 6 years
Consider an Internal/Mock Audit
• Assemble a team (including MU experts, but not those involved in actual attestation)
• Review supporting documentation
– Adequacy of documentation
– Policies and procedures for attestation and document retention
– Review screenshots/process
– Review changes/updates to EHR systems
• Communicate lessons learned
Consider an Internal/Mock Audit
• Health Management Associates (Nov. 2013)
– 11 of 71 hospitals failed to meet MU
– Not using “certified” EHR technology
– Withdrew 11 hospitals from MU program
– HMA notified CMS of error (not discovered on CMS audit)
– Repaid $31M to Medicare; also repaid Medicaid
– Restated corporate earnings for 2010-2012 period
• Lesson learned: ensure compliance with all MU requirements before attestation
Questions?
Barbara E. Person, (402) 636-8224
Michael W. Chase, (402) 636-8326