HIPAA Risk Analysis Tip – EHR Pre- and Post-Payment Audits

This entry is part 37 of 39 in the series HIPAA Security Risk Analysis Tips

Some Eligible Providers, Eligible Hospitals and Critical Access Hospitals who have purchased and implemented an electronic health record (EHR) system and attested to meaningful use of that EHR may be subjected to an audit before they see an incentive payment. That’s the word from CMS’ Office of E-Health Standards and Services. Here’s today’s big TIP – Learn the Audit Validation Process and Required Documentation for HIPAA Risk Analysis.  

harnessing risk starts with a bona fide risk analysis

HIPAA Risk Analysis Tip – EHR Pre- and Post-Payment Audits

The Centers for Medicare & Medicaid Services (CMS) has begun auditing providers attesting to Meaningful Use of their electronic health record systems before making incentive payments.

CMS has targeted 5 to 10 percent of those who attested to Meaningful Use in January 2013, according to Elizabeth Holland, director of the Health IT Initiative Group’s Office of E-Health Standards and Services. Eligible professionals selected for audit were chosen both “randomly” and “based on protocols that identify suspicious or anomalous attestation data,” according to the AAFP News Now article.

Providers who receive an EHR incentive payment for either the Medicare or Medicaid EHR Incentive Program potentially may be subject to an audit. Eligible professionals (EPs), eligible hospitals, and critical access hospitals (CAHs) should retain ALL relevant supporting documentation (in either paper or electronic format) used in the completion of the Attestation Module responses.

CMS provides guidance in EHR Incentive Programs Supporting Documentation For Audits, updated in February 2013.  This guidance covers the requirements related to a HIPAA Risk Analysis on page 4:

Meaningful Use Objective Audit Validation Suggested Documentation
Protect Electronic Health Information Security risk analysis of the certified EHR technology was performed prior to the end of the reporting period Report that documents the procedures performed during the analysis and the results. Report should be dated prior to the end of the reporting period and should include evidence to support that it was generated for that provider’s system (e.g., identified by National Provider Identifier (NPI), CMS Certification Number (CCN), provider name, practice name, etc.)

Documentation to support attestation data for meaningful use objectives and clinical quality measures should be retained for six years post-attestation. Documentation to support payment calculations (such as cost report data) should continue to follow the current documentation retention processes.

An additional 5 to 10 percent of physicians and others will be subject to post-payment audits, according to Holland. The audits are being conducted by Garden City, NY-based CPA firm Figliozzi and Company.

Watch Our Recorded, On Demand Webinar

Download HIPAA Risk Analysis Buyer’s Guide Checklist

We are often asked, “How do I go about selecting a reputable firm to complete a bona fide HIPAA Security Risk Analysis?”  This HIPAA Risk Analysis Buyer’s Guide Checklist is an easy-to-use tool to assist you in comparing alternative solutions and making your selection.

Other Help Getting Started With Your Bona Fide HIPAA Risk Analysis

Over the years, we’ve helped 100s of organizations complete their HIPAA Risk Analysis. Please benefit from our HIPAA Risk Analysis expertise by:

  1. Accessing our HIPAA Risk Analysis Resources area
  2. Downloading our HIPAA Risk Analysis Buyer’s Guide Checklist
  3. Attending our upcoming live webinar “How to Conduct a Bona Fide HIPAA Risk Analysis”
  4. Viewing a Guided Tour of the Clearwater HIPAA Risk Analysis™
  5. Calling us if you need immediate assistance at 800-704-3394
  6. Requesting a quotation for HIPAA Risk Analysis software or assistance

Wanna be even more hip on HIPAA? Learn more…

The complete HIPAA Privacy, Security and Breach regulations are here.

If you’d like to keep up to date on Risk Analysis or HIPAA-HITECH in general, please also consider (all optional!):

Series Navigation<< HIPAA Risk Analysis Tip – How To Conduct a Bona Fide HIPAA Risk AnalysisHIPAA Risk Analysis Tip – Eligible Provider EHR Pre-Payment Audit Document Request >>
Share

No comments yet.

Leave a Reply