CMS Contractor Has Begun Meaningful Use Audits
In a Health Law Alert Newsletter posted this past week, Ober | Kaler, Attorneys at Law, reported “FIGLOIOZZI AND COMPANY BEGIN MEANINGFUL USE AUDITS AS CMS DESIGNEE”. We recently wrote a post entitled “HIPAA Security Risk Analysis Tips – MU Attesters, Watch Your Flank”. As a Meaningful Use Attester, you’re approaching the intersection of the “Electronic Health Record Incentive Program; Final Rule” and the “HIPAA Security Final Rule”. Proceed with caution! OCR is actively auditing for overall HIPAA compliance, and Risk Analysis is a focus area.
Here’s today’s big tip – please complete a bona fide HIPAA Security Risk Analysis!
HIPAA Security Risk Analysis Help
Ober | Kaler report that “…A number of health care providers that attested to Meaningful Use for Stage 1 have received a letter from Figloiozzi and Company, acting as CMS’s auditor for the EHR Incentive Program (the “Program” or “Meaningful Use Program”), requesting certain records related to the attestation. CMS has not, as of this writing, made any announcement of this audit initiative or of the engagement of Figloiozzi and Company. While it is always good policy to confirm the identity and authority of any entity claiming a right to review or audit records, these letters are legitimate. Citing its statutory authority under the American Recovery and Reinvestment Act (ARRA), and without any fanfare, CMS has begun to audit the attestation materials.”
In the recent ONC Guide to Privacy and Security of Health Information, you might want to read specifically page 27 and its discussion of a potential filing under the False Claims Act for failing to complete a proper risk analysis. Yes, there are whistleblower incentives.
We would expect that the documentation requests include specific documentation related to completing a risk analysis. Information about the CMS Audits can be found here, in case you haven’t seen this information before: https://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Attestation.html#10
Risk analysis is a fundamental, foundational part of any risk management program, including your cyber security program. It’s not an evil creation of HIPAA or HITECH statutes or their promulgated rules. In fact, it’s been around since the beginning of mankind. In a nutshell, risk analysis is determining your biggest to smallest risks (a.k.a., exposures) and then using this information to make informed decisions about treating them (accept, avoid, mitigate, transfer).
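To make the "biggest to smallest, then treat" idea concrete, here is an added example (not code from Clearwater, Ober | Kaler or CMS) that rates constructed ePHI threat/vulnerability pairs on an assumed likelihood × impact scale, ranks them, and applies an illustrative accept/avoid/mitigate/transfer rule. The scales, the sample exposures and the decision rule are all assumptions; the documented rationale behind each decision is what an auditor will actually ask for.

```python
from dataclasses import dataclass

# Assumed three-point scales; HHS/OCR guidance leaves the scale to the organization.
SCALE = {"low": 1, "medium": 2, "high": 3}

@dataclass
class Exposure:
    """One threat/vulnerability pair against an asset that stores or handles ePHI."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: str  # "low" | "medium" | "high"
    impact: str      # "low" | "medium" | "high"

    @property
    def rating(self) -> int:
        # Risk rating = likelihood x impact on the assumed scales (1..9)
        return SCALE[self.likelihood] * SCALE[self.impact]

def rank(exposures: list) -> list:
    """Order exposures from biggest to smallest risk (ties keep input order)."""
    return sorted(exposures, key=lambda e: e.rating, reverse=True)

def treatment(e: Exposure, tolerance: int = 2) -> str:
    """Assumed (illustrative) rule mapping one exposure to accept/avoid/mitigate/transfer.
    The real decision and its rationale are what the risk analysis must document."""
    if e.rating <= tolerance:
        return "accept"    # within tolerance: record it and monitor
    if e.likelihood == "low" and e.impact == "high":
        return "transfer"  # rare but severe: insurance or a contractual shift
    if e.likelihood == "high" and e.impact == "high":
        return "avoid"     # stop the practice until the exposure is redesigned
    return "mitigate"      # add or strengthen a safeguard to lower the rating

def risk_register(exposures: list) -> list:
    """The ranked, documented register an auditor would ask to see."""
    return [{"asset": e.asset, "threat": e.threat, "vulnerability": e.vulnerability,
             "rating": e.rating, "treatment": treatment(e)} for e in rank(exposures)]

# Constructed sample exposures (not taken from any real assessment).
SAMPLE = [
    Exposure("billing workstation", "power loss", "no UPS", "low", "low"),
    Exposure("EHR server", "ransomware", "unpatched OS", "medium", "high"),
    Exposure("clinic laptops", "theft", "no full-disk encryption", "high", "high"),
    Exposure("offsite backups", "vendor outage", "single provider", "low", "high"),
]

if __name__ == "__main__":
    for row in risk_register(SAMPLE):
        print(row)
```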
Bottom Line: Validate that your organization has completed a formal HIPAA Security Risk Analysis, according to HHS/OCR risk analysis guidance and the underlying NIST Security framework.
To learn how to complete your Risk Analysis according to HHS/OCR and underlying NIST guidance, view Clearwater HIPAA Risk Analysis Video Overview.
More HIPAA HITECH Resources:
The complete HIPAA Privacy, Security and Breach regulations are here.
We have assisted more than 400 customers to operationalize and mature their information privacy, security, compliance and information risk management programs. And in the process, we are raising the bar for safeguarding PHI, protecting millions of Americans and driving real value for the organizations we support and the healthcare industry at large.