Contact Us
Categories
- Department of Health and Human Services' Office of Civil Rights
- Medical Residents
- EMTALA
- FDA
- Reproductive Rights
- Roe v. Wade
- SCOTUS
- Medical Spas
- medical billing
- No Surprises Act
- Mandatory vaccination policies
- Workplace health
- Coronavirus Aid, Relief and Economic Security Act
- Code Enforcement
- Department of Labor ("DOL")
- Employment Law
- FFCRA
- CARES Act
- Nursing Home Reform Act
- Acute Care Beds
- Clinical Support
- Coronavirus
- COVID-19
- Emergency Medical Services
- Emergency Preparedness
- Families First Coronavirus Response Act
- Family and Medical Leave Act (“FMLA”)
- KBML
- medication assisted therapy
- SB 150
- Department of Health and Human Services
- Legislative Developments
- Corporate
- United States Department of Justice ("DOJ")
- Employee Contracts
- Non-Compete Agreement
- Opioid Epidemic
- Sexual Harassment
- Health Resource and Services Administration
- Litigation
- Medical Malpractice
- House Bill 333
- Senate Bill 79
- locum tenens
- Physician Prescribing Authority
- Senate Bill 4
- Chronic Pain Management
- HIPAA
- Prescription Drugs
- "Two Midnights Rule"
- 340B Program
- EHR Systems
- Hospice
- Kentucky minimum wage
- Minimum wage
- Skilled Nursing Facilities (“SNFs”)
- Uncategorized
- Drug Screening
- Electronic Health Records (“EHR")
- ICD-10
- KASPER
- Mental Health Care
- Primary Care Physicians ("PCPs")
- Urinalysis
- Accountable Care Organizations (“ACO”)
- Affordable Insurance Exchanges
- Anti-Kickback Statute
- Centers for Medicare & Medicaid Services (“CMS”)
- Certificate of Need ("CON")
- Compliance
- Data Breach
- Department of Health and Human Services (HHS)
- Electronic Protected Health Information (ePHI)
- False Claims Act
- Federally Qualified Health Centers (“FQHCs”)
- Fee for Service
- Fraud
- Health Care Fraud
- Health Information Technology for Economic and Clinical Health Act (HITECH Act)
- Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- HIPAA Risk Assessment
- HPSA
- Kentucky Board of Medical Licensure
- Kentucky’s Department for Medicaid Services
- Medicaid
- Medicare
- Office for Civil Rights ("OCR")
- Office of Inspector General of the United States Department of Health and Human Services (OIG)
- Part D
- Patient Protection and Affordable Care Act (“ACA”)
- Pharmacists
- Physician Assistants
- Qui Tam
- Rural Health Centers (“RHCs”)
- Stark Laws
- Telehealth
- Affordable Care Act
- Alternative Payment Models
- American Telemedicine Association (“ATA”)
- Charitable Hospitals
- Criminal Division of the Department of Justice (“DOJ”)
- Health Care Fraud Prevention and Enforcement Action Team (“HEAT”)
- Health Professional Shortage Area ("HPSA")
- Hospitals
- HRSA
- Kentucky Board of Nursing
- Limited Services Clinics
- Medical Staff By-Laws
- Medically Underserved Area ("MUA")
- Mid-Level Practitioners
- Qualified Health Care Centers (“FQHC”)
- Rural Health Clinic
- Telemedicine
- APRNs
- Hydrocodone
- Kentucky Pharmacists Association
- United States ex. Rel. Kane v. Continuum Health Partners
- Webinar
- Agreed Order
- All-Payer Claims Database ("APCD")
- Chain and Organization System (“PECOS”)
- Chiropractic services
- Clinical Laboratory Improvement Amendments of 1988 (“CLIA”)
- Douglas v. Independent Living Center of Southern California
- Drug Enforcement Agency ("DEA")
- Emergency Rooms
- Enrollment
- Hinchy v. Walgreen Co.
- Jimmo v. Sebelius
- Kentucky Senate Bill 7
- Maintenance Standard
- Medicare Part D
- Minors
- Ophthalmological services
- Overpayments
- Physician Compare website
- Re-validation
- Texting
- Vitas Innovative Hospice Care
- 2014 Medicare Physician Fee Schedule (“PFS”)
- 501(c)(3)
- Affinity Health Plan
- Appeal
- Cadillac tax
- Centers for Disease Control and Prevention
- Chronic Care Management
- Community health needs assessment (“CHNA”)
- Compliance Officer
- Compounding
- Condition of Participation ("CoP")
- CPR
- Denied Claims
- Dispenser
- Drug Quality and Security Act (“DQSA”)
- Essential Health Benefits
- Federation of State Medical Boards (“FSMB”)
- Food and Drug Administratio
- Form 4720
- Grace Period
- HealthCare.gov
- Home Medical Equipment Providers
- House Bill 3204
- ICD-9
- Individual mandate
- Inpatient Care
- Kentucky Medical Practice Act
- Kindred v. Cherolis
- Kynect
- Licensure Requirements
- Long-term care communities
- Long-Term Care Providers ("LTC")
- Mobile medical applications ("apps")
- Model Policy for the Appropriate Use of Social Media and Social Networking in Medical Practice (“Model Policy”)
- National Drug Code ("NDC")
- National Institutes of Health
- New England Compounding Center ("NECC")
- Nonprofit hospitals
- Outsourcing facility
- Personal Service Entities
- Physician Payments
- Ping v. Beverly Enterprises
- Power of Attorney ("POA")
- Prescriber
- Qualified Health Plan ("QHP")
- Social Media
- Spousal coverage
- State Health Plan
- Sustainable Growth Rate (“SGR”)
- UPS
- "Plan of Correction"
- Advanced Practice Registered Nurses
- Arbitration
- Audit
- Business Associate Agreements
- Business Associates
- Call Coverage
- Daycare centers
- Decertification
- Department of Medicaid Services’ (“DMS”)
- Division of Regulated Child Care
- Doe v. Guthrie Clinic
- EHR vendor
- Employer Group Health Plans
- Employer Mandate
- ERISA
- Fair Labor Standards Act (FLSA)
- False Billings
- Group Purchasing Organizations ("GPO")
- Health Professional Shortage Areas (“HPSA”)
- Health Reform
- Home Health Prospective Payment System
- Hospitalists
- House Bill 104
- Intermediate Sanctions Agreement
- Kentucky Health Benefit Exchange
- Kentucky House Bill 217
- Licensed practical nurses (LPN)
- List of Excluded Individuals and Entities
- LLC v. Sutter
- Low-utilization payment adjustment ("LUPA")
- Meaningful use incentives
- Medicare Administrative Coordinators
- Medicare Benefit Policy Manual
- Medicare Shared Saving Program (MSSP)
- Network provider agreement
- Nonroutine medical supplies conversion factor (“NRS”)
- Nurse practitioners (NP)
- Office of the National Coordinator for Health Information Technology (“ONC”)
- Part A
- Part B
- Patient Autonomy
- Patient Privacy
- Payors
- Personal Health Information
- Physician Recruitment
- Physician shortages
- Provider Self Disclosure Protocol
- Quality reporting
- Registered nurses (RN)
- Residency Programs
- Self-Disclosure Protocol
- Senate Bill 39
- Senate Finance Committee Report
- State Medicaid Expansion
- Statement of Deficiency ("SOD")
- Trade Association Group Coverage
- Upcoding
- “Superuser”
- Abuse and Waste
- Autism/ASD
- Center for Disease Control
- Compliance Programs
- Consumer Operated and Oriented Plan programs (“CO-OPS”)
- Critical Access Hospitals (“CAHs”)
- Essential Health Benefits (“EHBs”)
- Genetic Information Nondiscrimination Act ("GINA")
- Healthcare Information and Management Systems Society (HIMSS)
- Kentucky Cabinet for Health and Family Services
- Kentucky Health Care Co-Op
- Kentucky Health Cooperative (“KYHC”)
- Kentucky House Bill 159
- Kentucky Primary Care Centers (“PCCs”)
- Managed Care Organizations (“MCOs”)
- Medicare Audit Improvement Act of 2012
- Occupational Safety and Health Administration (“OSHA”)
- Recovery Audit Contractors (“RAC”)
- Small Business Health Options Program (“SHOP”)
- Sunshine Act
- Employee Agreement
- Free Conference Committee Report
- Health Care Fraud and Abuse Control Program
- House Bill 1
- House Bill 4
- Kentucky “Pill Mill Bill”
- Pain Management Facilities
- Health Care Law
- Health Insurance
- Healthcare Regulation
McBrayer Blogs
HIPAA and “Meaningful Use” Audits: Issues to Consider and How to Prepare
As more and more providers adopt electronic health records (“EHRs”) systems (and with new regulations concerning their required use for purposes of Medicare billing for chronic care management, their popularity can only continue to grow), a myriad of compliance issues continue to surround them. To that end, the federal government has stepped up auditing programs to ensure compliance with HIPAA/HITECH as well as making sure taxpayer money has been invested wisely through the Meaningful Use program. The bent of these audit programs is clearly along the lines that applicable covered entities and business associates should be preparing with a “when” mindset, rather than “if,” as these audits are going to happen.
HIPPA/HITECH Audits
The Department of Health and Human Services’ Office for Civil Rights (“OCR”) has been the enforcement authority for HIPAA since 2003, but it was the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH”) that began requiring the OCR to perform periodic audits of covered entities and business associates for compliance with HIPAA security rules. The OCR launched an audit pilot program in 2011, which found that 58 of 59 providers audited has at least one negative security finding or observation, and there was no complete and accurate risk assessment in two-thirds of the audited entities. These numbers should immediately give covered entities and business associates a serious moment of pause: the vast majority of audited entities were not in full compliance with the HIPAA Security Rule. Scarier yet, the most common non-compliance finding of the audits was that the entities audited were “unaware of the requirement”. OCR determined that the non-compliance in these cases wasn’t based on confusion surrounding the rules – most of these findings were about “elements of the Rules that explicitly state what a covered entity must do to comply.” The entities with the most trouble complying with the Rules were smaller entities – those with assets of $50 million or less. This audit program and the early findings should be a wake-up call for any entities to which HIPAA protections apply, but especially small ones.
After evaluating the audit process through the 2011 pilot program, the OCR created an audit protocol that contains the requirements assessed through these audits, available online. In 2014, the OCR began a new round of audits designed to test and evaluate the new audit protocol, focused heavily on compliance with the Security Rule. So, in light of the ramping up of the OCR audit program, what should applicable entities do?
- The first thing that any covered entity or business associate should do is take a hard second look at HIPAA Privacy, Security and Breach Notification Rules. As stated above, a great many of the findings were attributable to the entity being unaware of a clearly-stated rule.
- Review every bit of guidance available from federal oversight agencies as to best practices and compliance issues. Read Resolutions Agreements on the OCR website to discover which issues have tripped up other entities so that your organization doesn’t make the same mistakes. Review the OCR audit protocol, as it gives detail and insight into how the OCR conducts audits.
- Bring your organization into compliance before there’s an audit. If your organization has not conducted a Security Risk Assessment (“SRA”), do so. This is a key element of Security Rule compliance, as well as a necessity for Meaningful Use requirements (which will be explored in the next post). This SRA will highlight whether or not the entity has implemented security measures to sufficiently safeguard electronic health information, and should be done whenever technology within the entity changes.
- Train your staff. The most advanced and secure technology in the world can’t overcome an employee who isn’t properly trained in compliance with the Privacy Rule. Training doesn’t have to be painful, but make it thorough and easily understandable.
Meaningful Use Audits
Meaningful Use, of course, is shorthand for the incentive program for eligible health care providers to implement or upgrade electronic health record (“EHR”) technology to demonstrate the meaningful use of such technology. The Medicare HER incentive program is administered through the Centers for Medicare & Medicaid Services (“CMS”), and eligible professionals (“EPs”) can receive up to $44,000 (eligible hospitals (“EHs”) can receive a base payment of $2 million). CMS reported that, by April 2012, $4.5 billion had been dispensed through the program. That year, CMS began conducting post-payment audits, and any EP or EH that received money under the program may be the subject of an audit.
A CMS Meaningful Use audit begins as a desk audit of submitted information, although it can escalate to a site review if necessary. The audit reviews compliance with Meaningful Use requirements for the reporting year and stage of implementation. The harsh reality of these audits is this: if an entity that has received payment under the program fails to meet even a single requirement, the entire incentive payment must be returned. This crucially important fact must be reiterated: failure to meet every single Meaningful Use requirement results in the entire incentive payment being forfeited, long after the costs of the EHR technology have been paid using those incentive funds.
Not only does the failure to comply with Meaningful Use requirements require forfeiture of incentive payments, the knowing noncompliance can also invoke the Federal False Claims Act. Payments under the program can be considered overpayments if the recipient had reason to know that it was not in compliance. Overpayments held for more than sixty days after being identified as such trigger False Claims provisions.
So what should EPs and EHs do to ward off the specter of an unfavorable audit?
- As with HIPAA audits, the first thing EPs or EHs should do is review the rules themselves. Review relevant statutes, regulations and CMS guidance on audits.
- The easiest requirement for recipients to check compliance with is the certification of the EHR system itself – the Office of the National Coordinator for Health Information Technology keeps a list on its website.
- Keep all documentation for at least six years. The EHR should have this capability, but find other ways to document if it does not.
- Also, as with HIPAA audits, the best thing an entity can do is make every possible move to come into full compliance as early as possible – don’t wait until the threat of an audit looms, as mere knowledge of non-compliance can create liability under the Federal False Claims Act. Consult an attorney and begin a compliance checklist.
Finally, the intersection of Meaningful Use and the HIPAA audits discussed in the prior post is this: BOTH laws/programs require a Security Risk Assessment. As two-thirds of entities initially audited under HIPAA Security, Privacy and Breach Notification Rules had not actually conducted one, it becomes clear that many, if not most, entities are not taking these provisions seriously at their own peril. There is no doubt at this point that EVERY entity that must comply with HIPAA rules and that has received payment as Meaningful Use incentives needs to complete a Security Risk Assessment as soon as possible or face severe penalties. With the initial audits showing a shocking lack of compliance, it’s clear that increased oversight through an expanding regime of audits will be the new reality for health care providers. Compliance should be a primary concern, not an afterthought.
If your organization has questions or would like more information about compliance with HIPAA or Meaningful Use programs, consult the attorneys at McBrayer for guidance.
Christopher J. Shaughnessy is a member at McBrayer law. Mr. Shaughnessy concentrates his practice area in healthcare law and is located in the firm’s Lexington office. He can be reached at cshaughnessy@mcbrayerfirm.com or at (859) 231-8780, ext. 1251.
Services may be performed by others.
This article does not constitute legal advice.