Healthcare Law Blog

HIPAA and “Meaningful Use” Audits: Issues to Consider and How to Prepare

As more and more providers adopt electronic health records (“EHRs”) systems (and with new regulations concerning their required use for purposes of Medicare billing for chronic care management, their popularity can only continue to grow), a myriad of compliance issues continue to surround them. To that end, the federal government has stepped up auditing programs to ensure compliance with HIPAA/HITECH as well as making sure taxpayer money has been invested wisely through the Meaningful Use program. The bent of these audit programs is clearly along the lines that applicable covered entities and business associates should be preparing with a “when” mindset, rather than “if,” as these audits are going to happen.

HIPPA/HITECH Audits

The Department of Health and Human Services’ Office for Civil Rights (“OCR”) has been the enforcement authority for HIPAA since 2003, but it was the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH”) that began requiring the OCR to perform periodic audits of covered entities and business associates for compliance with HIPAA security rules. The OCR launched an audit pilot program in 2011, which found that 58 of 59 providers audited has at least one negative security finding or observation, and there was no complete and accurate risk assessment in two-thirds of the audited entities. These numbers should immediately give covered entities and business associates a serious moment of pause: the vast majority of audited entities were not in full compliance with the HIPAA Security Rule. Scarier yet, the most common non-compliance finding of the audits was that the entities audited were “unaware of the requirement”. OCR determined that the non-compliance in these cases wasn’t based on confusion surrounding the rules – most of these findings were about “elements of the Rules that explicitly state what a covered entity must do to comply.” The entities with the most trouble complying with the Rules were smaller entities – those with assets of $50 million or less. This audit program and the early findings should be a wake-up call for any entities to which HIPAA protections apply, but especially small ones.

After evaluating the audit process through the 2011 pilot program, the OCR created an audit protocol that contains the requirements assessed through these audits, available online. In 2014, the OCR began a new round of audits designed to test and evaluate the new audit protocol, focused heavily on compliance with the Security Rule. So, in light of the ramping up of the OCR audit program, what should applicable entities do?

• The first thing that any covered entity or business associate should do is take a hard second look at HIPAA Privacy, Security and Breach Notification Rules. As stated above, a great many of the findings were attributable to the entity being unaware of a clearly-stated rule.

• Review every bit of guidance available from federal oversight agencies as to best practices and compliance issues. Read Resolutions Agreements on the OCR website to discover which issues have tripped up other entities so that your organization doesn’t make the same mistakes. Review the OCR audit protocol, as it gives detail and insight into how the OCR conducts audits.

• Bring your organization into compliance before there’s an audit. If your organization has not conducted a Security Risk Assessment (“SRA”), do so. This is a key element of Security Rule compliance, as well as a necessity for Meaningful Use requirements (which will be explored in the next post). This SRA will highlight whether or not the entity has implemented security measures to sufficiently safeguard electronic health information, and should be done whenever technology within the entity changes.

• Train your staff. The most advanced and secure technology in the world can’t overcome an employee who isn’t properly trained in compliance with the Privacy Rule. Training doesn’t have to be painful, but make it thorough and easily understandable.

Meaningful Use Audits

Meaningful Use, of course, is shorthand for the incentive program for eligible health care providers to implement or upgrade electronic health record (“EHR”) technology to demonstrate the meaningful use of such technology. The Medicare HER incentive program is administered through the Centers for Medicare & Medicaid Services (“CMS”), and eligible professionals (“EPs”) can receive up to $44,000 (eligible hospitals (“EHs”) can receive a base payment of $2 million). CMS reported that, by April 2012, $4.5 billion had been dispensed through the program. That year, CMS began conducting post-payment audits, and any EP or EH that received money under the program may be the subject of an audit.

A CMS Meaningful Use audit begins as a desk audit of submitted information, although it can escalate to a site review if necessary. The audit reviews compliance with Meaningful Use requirements for the reporting year and stage of implementation. The harsh reality of these audits is this: if an entity that has received payment under the program fails to meet even a single requirement, the entire incentive payment must be returned. This crucially important fact must be reiterated: failure to meet every single Meaningful Use requirement results in the entire incentive payment being forfeited, long after the costs of the EHR technology have been paid using those incentive funds.

Not only does the failure to comply with Meaningful Use requirements require forfeiture of incentive payments, the knowing noncompliance can also invoke the Federal False Claims Act. Payments under the program can be considered overpayments if the recipient had reason to know that it was not in compliance. Overpayments held for more than sixty days after being identified as such trigger False Claims provisions.

So what should EPs and EHs do to ward off the specter of an unfavorable audit?

• As with HIPAA audits, the first thing EPs or EHs should do is review the rules themselves. Review relevant statutes, regulations and CMS guidance on audits.

• The easiest requirement for recipients to check compliance with is the certification of the EHR system itself – the Office of the National Coordinator for Health Information Technology keeps a list on its website.

• Keep all documentation for at least six years. The EHR should have this capability, but find other ways to document if it does not.

• Also, as with HIPAA audits, the best thing an entity can do is make every possible move to come into full compliance as early as possible – don’t wait until the threat of an audit looms, as mere knowledge of non-compliance can create liability under the Federal False Claims Act. Consult an attorney and begin a compliance checklist.

Finally, the intersection of Meaningful Use and the HIPAA audits discussed in the prior post is this: BOTH laws/programs require a Security Risk Assessment. As two-thirds of entities initially audited under HIPAA Security, Privacy and Breach Notification Rules had not actually conducted one, it becomes clear that many, if not most, entities are not taking these provisions seriously at their own peril. There is no doubt at this point that EVERY entity that must comply with HIPAA rules and that has received payment as Meaningful Use incentives needs to complete a Security Risk Assessment as soon as possible or face severe penalties. With the initial audits showing a shocking lack of compliance, it’s clear that increased oversight through an expanding regime of audits will be the new reality for health care providers. Compliance should be a primary concern, not an afterthought.

If your organization has questions or would like more information about compliance with HIPAA or Meaningful Use programs, consult the attorneys at McBrayer for guidance.

Christopher J. Shaughnessy is a member at McBrayer law.  Mr. Shaughnessy concentrates his practice area in healthcare law and is located in the firm’s Lexington office.  He can be reached at cshaughnessy@mcbrayerfirm.com or at (859) 231-8780, ext. 1251. 

Services may be performed by others.

This article does not constitute legal advice.