Contact Us
Categories
- Workplace Violence
- Assisted Living Facilities
- Department of Health and Human Services' Office of Civil Rights
- Medical Residents
- EMTALA
- FDA
- Reproductive Rights
- Roe v. Wade
- SCOTUS
- Medical Spas
- medical billing
- No Surprises Act
- Mandatory vaccination policies
- Workplace health
- Coronavirus Aid, Relief and Economic Security Act
- Code Enforcement
- Department of Labor ("DOL")
- Employment Law
- FFCRA
- CARES Act
- Nursing Home Reform Act
- Acute Care Beds
- Clinical Support
- Coronavirus
- COVID-19
- Emergency Medical Services
- Emergency Preparedness
- Families First Coronavirus Response Act
- Family and Medical Leave Act (“FMLA”)
- KBML
- medication assisted therapy
- SB 150
- Department of Health and Human Services
- Legislative Developments
- Corporate
- United States Department of Justice ("DOJ")
- Employee Contracts
- Non-Compete Agreement
- Opioid Epidemic
- Sexual Harassment
- Health Resource and Services Administration
- Litigation
- Medical Malpractice
- House Bill 333
- Senate Bill 79
- Locum Tenens
- Physician Prescribing Authority
- Senate Bill 4
- Chronic Pain Management
- HIPAA
- Prescription Drugs
- "Two Midnights Rule"
- 340B Program
- EHR Systems
- Hospice
- ICD-10
- Kentucky minimum wage
- Minimum wage
- Primary Care Physicians ("PCPs")
- Skilled Nursing Facilities (“SNFs”)
- Uncategorized
- Affordable Insurance Exchanges
- Drug Screening
- Electronic Health Records (“EHR")
- Fraud
- Health Care Fraud
- HIPAA Risk Assessment
- KASPER
- Kentucky Board of Medical Licensure
- Kentucky’s Department for Medicaid Services
- Mental Health Care
- Office for Civil Rights ("OCR")
- Physician Assistants
- Qui Tam
- Stark Laws
- Urinalysis
- Accountable Care Organizations (“ACO”)
- Affordable Care Act
- Alternative Payment Models
- Anti-Kickback Statute
- Centers for Medicare & Medicaid Services (“CMS”)
- Certificate of Need ("CON")
- Charitable Hospitals
- Compliance
- Data Breach
- Department of Health and Human Services (HHS)
- Electronic Protected Health Information (ePHI)
- False Claims Act
- Federally Qualified Health Centers (“FQHCs”)
- Fee for Service
- Health Information Technology for Economic and Clinical Health Act (HITECH Act)
- Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- Health Professional Shortage Area ("HPSA")
- Hospitals
- HPSA
- HRSA
- Limited Services Clinics
- Medicaid
- Medical Staff By-Laws
- Medically Underserved Area ("MUA")
- Medicare
- Mid-Level Practitioners
- Office of Inspector General of the United States Department of Health and Human Services (OIG)
- Part D
- Patient Protection and Affordable Care Act (“ACA”)
- Pharmacists
- Rural Health Centers (“RHCs”)
- Rural Health Clinic
- Telehealth
- American Telemedicine Association (“ATA”)
- Criminal Division of the Department of Justice (“DOJ”)
- Health Care Fraud Prevention and Enforcement Action Team (“HEAT”)
- Hydrocodone
- Kentucky Board of Nursing
- Kentucky Pharmacists Association
- Qualified Health Care Centers (“FQHC”)
- Telemedicine
- Agreed Order
- APRNs
- Chain and Organization System (“PECOS”)
- Douglas v. Independent Living Center of Southern California
- Drug Enforcement Agency ("DEA")
- Emergency Rooms
- Enrollment
- Hinchy v. Walgreen Co.
- Jimmo v. Sebelius
- Maintenance Standard
- Overpayments
- Re-validation
- United States ex. Rel. Kane v. Continuum Health Partners
- Vitas Innovative Hospice Care
- Webinar
- 2014 Medicare Physician Fee Schedule (“PFS”)
- 501(c)(3)
- All-Payer Claims Database ("APCD")
- Appeal
- Chiropractic services
- Chronic Care Management
- Clinical Laboratory Improvement Amendments of 1988 (“CLIA”)
- Compliance Officer
- Compounding
- CPR
- Dispenser
- Drug Quality and Security Act (“DQSA”)
- Essential Health Benefits
- HealthCare.gov
- House Bill 3204
- ICD-9
- Kentucky Senate Bill 7
- Kindred v. Cherolis
- Long-term care communities
- Medicare Part D
- Minors
- National Drug Code ("NDC")
- New England Compounding Center ("NECC")
- Ophthalmological services
- Outsourcing facility
- Physician Compare website
- Ping v. Beverly Enterprises
- Power of Attorney ("POA")
- Prescriber
- State Health Plan
- Sustainable Growth Rate (“SGR”)
- Texting
- "Plan of Correction"
- Affinity Health Plan
- Arbitration
- Audit
- Cadillac tax
- Centers for Disease Control and Prevention
- Community health needs assessment (“CHNA”)
- Condition of Participation ("CoP")
- Daycare centers
- Decertification
- Denied Claims
- Department of Medicaid Services’ (“DMS”)
- Division of Regulated Child Care
- Doe v. Guthrie Clinic
- EHR vendor
- Employer Group Health Plans
- Employer Mandate
- ERISA
- Fair Labor Standards Act (FLSA)
- False Billings
- Federation of State Medical Boards (“FSMB”)
- Food and Drug Administratio
- Form 4720
- Grace Period
- Health Professional Shortage Areas (“HPSA”)
- Health Reform
- Home Health Prospective Payment System
- Home Medical Equipment Providers
- Hospitalists
- Individual mandate
- Inpatient Care
- Intermediate Sanctions Agreement
- Kentucky Health Benefit Exchange
- Kentucky Medical Practice Act
- Kynect
- Licensed practical nurses (LPN)
- Licensure Requirements
- List of Excluded Individuals and Entities
- LLC v. Sutter
- Long-Term Care Providers ("LTC")
- Low-utilization payment adjustment ("LUPA")
- Meaningful use incentives
- Medicare Administrative Coordinators
- Medicare Benefit Policy Manual
- Medicare Shared Saving Program (MSSP)
- Mobile medical applications ("apps")
- Model Policy for the Appropriate Use of Social Media and Social Networking in Medical Practice (“Model Policy”)
- National Institutes of Health
- Network provider agreement
- Nonprofit hospitals
- Nonroutine medical supplies conversion factor (“NRS”)
- Nurse practitioners (NP)
- Office of the National Coordinator for Health Information Technology (“ONC”)
- Part A
- Part B
- Patient Privacy
- Payors
- Personal Service Entities
- Physician Payments
- Physician Recruitment
- Physician shortages
- Provider Self Disclosure Protocol
- Qualified Health Plan ("QHP")
- Quality reporting
- Registered nurses (RN)
- Residency Programs
- Self-Disclosure Protocol
- Social Media
- Spousal coverage
- Statement of Deficiency ("SOD")
- Trade Association Group Coverage
- Upcoding
- UPS
- “Superuser”
- Advanced Practice Registered Nurses
- Autism/ASD
- Business Associate Agreements
- Business Associates
- Call Coverage
- Compliance Programs
- Critical Access Hospitals (“CAHs”)
- Essential Health Benefits (“EHBs”)
- Genetic Information Nondiscrimination Act ("GINA")
- Group Purchasing Organizations ("GPO")
- House Bill 104
- Kentucky House Bill 159
- Kentucky House Bill 217
- Kentucky Primary Care Centers (“PCCs”)
- Managed Care Organizations (“MCOs”)
- Medicare Audit Improvement Act of 2012
- Patient Autonomy
- Personal Health Information
- Recovery Audit Contractors (“RAC”)
- Senate Bill 39
- Senate Finance Committee Report
- Small Business Health Options Program (“SHOP”)
- State Medicaid Expansion
- Abuse and Waste
- Center for Disease Control
- Consumer Operated and Oriented Plan programs (“CO-OPS”)
- Free Conference Committee Report
- Healthcare Information and Management Systems Society (HIMSS)
- House Bill 1
- House Bill 4
- Kentucky Cabinet for Health and Family Services
- Kentucky Health Care Co-Op
- Kentucky Health Cooperative (“KYHC”)
- Kentucky “Pill Mill Bill”
- Occupational Safety and Health Administration (“OSHA”)
- Pain Management Facilities
- Sunshine Act
- Employee Agreement
- Health Care Fraud and Abuse Control Program
- Health Insurance
- Healthcare Regulation
- Health Care Law
McBrayer Blogs
HIPAA and “Meaningful Use” Audits: Issues to Consider and How to Prepare
As more and more providers adopt electronic health records (“EHRs”) systems (and with new regulations concerning their required use for purposes of Medicare billing for chronic care management, their popularity can only continue to grow), a myriad of compliance issues continue to surround them. To that end, the federal government has stepped up auditing programs to ensure compliance with HIPAA/HITECH as well as making sure taxpayer money has been invested wisely through the Meaningful Use program. The bent of these audit programs is clearly along the lines that applicable covered entities and business associates should be preparing with a “when” mindset, rather than “if,” as these audits are going to happen.
HIPPA/HITECH Audits
The Department of Health and Human Services’ Office for Civil Rights (“OCR”) has been the enforcement authority for HIPAA since 2003, but it was the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH”) that began requiring the OCR to perform periodic audits of covered entities and business associates for compliance with HIPAA security rules. The OCR launched an audit pilot program in 2011, which found that 58 of 59 providers audited has at least one negative security finding or observation, and there was no complete and accurate risk assessment in two-thirds of the audited entities. These numbers should immediately give covered entities and business associates a serious moment of pause: the vast majority of audited entities were not in full compliance with the HIPAA Security Rule. Scarier yet, the most common non-compliance finding of the audits was that the entities audited were “unaware of the requirement”. OCR determined that the non-compliance in these cases wasn’t based on confusion surrounding the rules – most of these findings were about “elements of the Rules that explicitly state what a covered entity must do to comply.” The entities with the most trouble complying with the Rules were smaller entities – those with assets of $50 million or less. This audit program and the early findings should be a wake-up call for any entities to which HIPAA protections apply, but especially small ones.
After evaluating the audit process through the 2011 pilot program, the OCR created an audit protocol that contains the requirements assessed through these audits, available online. In 2014, the OCR began a new round of audits designed to test and evaluate the new audit protocol, focused heavily on compliance with the Security Rule. So, in light of the ramping up of the OCR audit program, what should applicable entities do?
- The first thing that any covered entity or business associate should do is take a hard second look at HIPAA Privacy, Security and Breach Notification Rules. As stated above, a great many of the findings were attributable to the entity being unaware of a clearly-stated rule.
- Review every bit of guidance available from federal oversight agencies as to best practices and compliance issues. Read Resolutions Agreements on the OCR website to discover which issues have tripped up other entities so that your organization doesn’t make the same mistakes. Review the OCR audit protocol, as it gives detail and insight into how the OCR conducts audits.
- Bring your organization into compliance before there’s an audit. If your organization has not conducted a Security Risk Assessment (“SRA”), do so. This is a key element of Security Rule compliance, as well as a necessity for Meaningful Use requirements (which will be explored in the next post). This SRA will highlight whether or not the entity has implemented security measures to sufficiently safeguard electronic health information, and should be done whenever technology within the entity changes.
- Train your staff. The most advanced and secure technology in the world can’t overcome an employee who isn’t properly trained in compliance with the Privacy Rule. Training doesn’t have to be painful, but make it thorough and easily understandable.
Meaningful Use Audits
Meaningful Use, of course, is shorthand for the incentive program for eligible health care providers to implement or upgrade electronic health record (“EHR”) technology to demonstrate the meaningful use of such technology. The Medicare HER incentive program is administered through the Centers for Medicare & Medicaid Services (“CMS”), and eligible professionals (“EPs”) can receive up to $44,000 (eligible hospitals (“EHs”) can receive a base payment of $2 million). CMS reported that, by April 2012, $4.5 billion had been dispensed through the program. That year, CMS began conducting post-payment audits, and any EP or EH that received money under the program may be the subject of an audit.
A CMS Meaningful Use audit begins as a desk audit of submitted information, although it can escalate to a site review if necessary. The audit reviews compliance with Meaningful Use requirements for the reporting year and stage of implementation. The harsh reality of these audits is this: if an entity that has received payment under the program fails to meet even a single requirement, the entire incentive payment must be returned. This crucially important fact must be reiterated: failure to meet every single Meaningful Use requirement results in the entire incentive payment being forfeited, long after the costs of the EHR technology have been paid using those incentive funds.
Not only does the failure to comply with Meaningful Use requirements require forfeiture of incentive payments, the knowing noncompliance can also invoke the Federal False Claims Act. Payments under the program can be considered overpayments if the recipient had reason to know that it was not in compliance. Overpayments held for more than sixty days after being identified as such trigger False Claims provisions.
So what should EPs and EHs do to ward off the specter of an unfavorable audit?
- As with HIPAA audits, the first thing EPs or EHs should do is review the rules themselves. Review relevant statutes, regulations and CMS guidance on audits.
- The easiest requirement for recipients to check compliance with is the certification of the EHR system itself – the Office of the National Coordinator for Health Information Technology keeps a list on its website.
- Keep all documentation for at least six years. The EHR should have this capability, but find other ways to document if it does not.
- Also, as with HIPAA audits, the best thing an entity can do is make every possible move to come into full compliance as early as possible – don’t wait until the threat of an audit looms, as mere knowledge of non-compliance can create liability under the Federal False Claims Act. Consult an attorney and begin a compliance checklist.
Finally, the intersection of Meaningful Use and the HIPAA audits discussed in the prior post is this: BOTH laws/programs require a Security Risk Assessment. As two-thirds of entities initially audited under HIPAA Security, Privacy and Breach Notification Rules had not actually conducted one, it becomes clear that many, if not most, entities are not taking these provisions seriously at their own peril. There is no doubt at this point that EVERY entity that must comply with HIPAA rules and that has received payment as Meaningful Use incentives needs to complete a Security Risk Assessment as soon as possible or face severe penalties. With the initial audits showing a shocking lack of compliance, it’s clear that increased oversight through an expanding regime of audits will be the new reality for health care providers. Compliance should be a primary concern, not an afterthought.
If your organization has questions or would like more information about compliance with HIPAA or Meaningful Use programs, consult the attorneys at McBrayer for guidance.
Christopher J. Shaughnessy is a member at McBrayer law. Mr. Shaughnessy concentrates his practice area in healthcare law and is located in the firm’s Lexington office. He can be reached at cshaughnessy@mcbrayerfirm.com or at (859) 231-8780, ext. 1251.
Services may be performed by others.
This article does not constitute legal advice.