Some Eligible Providers, Eligible Hospitals and Critical Access Hospitals who have purchased and implemented an electronic health record (EHR) system and attested to meaningful use of that EHR may be subjected to an audit before they see an incentive payment. That’s the word from CMS’ Office of E-Health Standards and Services. Here’s today’s big TIP — Learn the Audit Validation Process and Required Documentation for HIPAA Risk Analysis.
HIPAA Risk Analysis Tip – EHR Pre- and Post-Payment Audits
The Centers for Medicare & Medicaid Services (CMS) has begun auditing providers attesting to Meaningful Use of their electronic health record systems before making incentive payments.
CMS has targeted 5 to 10 percent of those who attested to Meaningful Use in January 2013, according to Elizabeth Holland, director of the Health IT Initiative Group’s Office of E-Health Standards and Services. Eligible professionals selected for audit were chosen both “randomly” and “based on protocols that identify suspicious or anomalous attestation data,” according to the AAFP News Now article.
Providers who receive an EHR incentive payment for either the Medicare or Medicaid EHR Incentive Program potentially may be subject to an audit. Eligible professionals (EPs), eligible hospitals, and critical access hospitals (CAHs) should retain ALL relevant supporting documentation (in either paper or electronic format) used in the completion of the Attestation Module responses.
CMS provides guidance in EHR Incentive Programs Supporting Documentation For Audits, updated in February 2013. This guidance covers the requirements related to a HIPAA Risk Analysis on page 4:
|Meaningful Use Objective||Audit Validation||Suggested Documentation|
|Protect Electronic Health Information||Security risk analysis of the certified EHR technology was performed prior to the end of the reporting period||Report that documents the procedures performed during the analysis and the results. Report should be dated prior to the end of the reporting period and should include evidence to support that it was generated for that provider’s system (e.g., identified by National Provider Identifier (NPI), CMS Certification Number (CCN), provider name, practice name, etc.)|
Documentation to support attestation data for meaningful use objectives and clinical quality measures should be retained for six years post-attestation. Documentation to support payment calculations (such as cost report data) should continue to follow the current documentation retention processes.
An additional 5 to 10 percent of physicians and others will be subject to post-payment audits, according to Holland. The audits are being conducted by Garden City, NY-based CPA firm Figliozzi and Company.
Watch Our Recorded, On Demand Webinar
Download HIPAA Risk Analysis Buyer’s Guide Checklist
We are often asked, “How do I go about selecting a reputable firm to complete a bona fide HIPAA Security Risk Analysis?” This HIPAA Risk Analysis Buyer’s Guide Checklist is an easy-to-use tool to assist you in comparing alternative solutions and making your selection.
Other Help Getting Started With Your Bona Fide HIPAA Risk Analysis
Over the years, we’ve helped 100s of organizations complete their HIPAA Risk Analysis. Please benefit from our HIPAA Risk Analysis expertise by:
- Risk Analysis Buyer’s Guide
- Expert 2nd Opinion on Your HIPAA Risk Analysis
- Clearwater Compliance White Paper: Risky Business: How to Conduct a Bona Fide HIPAA Security Risk Analysis
- Clearwater Recorded Webinar event entitled How to Conduct a Bona Fide HIPAA Security Risk Analysis
- IRM|Analysis™- Clearwater’s Risk Analysis and Risk Management software DataSheet
- IRM|Analysis™- Clearwater’s Risk Analysis and Risk Management software Free Trial for qualified organizations
- More Risk Analysis Resources