CMS Contractor Has Begun Meaningful Use Audits
In a post this past week, Ober | Kaler, Attorneys at Law posted Health Law Alert Newsletter entitled “FIGLOIOZZI AND COMPANY BEGIN MEANINGFUL USE AUDITS AS CMS DESIGNEE”. We recently wrote a post entitled “HIPAA Security Risk Analysis Tips – MU Attesters, Watch Your Flank“. As a Meaningful Use Attester, you’re approaching the intersection of the “Electronic Health Record Incentive Program; Final Rule” and the “HIPAA Security Final Rule”. Proceed with Caution! OCR is actively auditing for overall HIPAA compliance and Risk Analysis is a focus area.
Here’s today’s big tip — Please complete a Bona Fide HIPAA Security Risk Analysis !
HIPAA Security Risk Analysis Help
Complete a Real HIPAA Security Risk Analysis!
(continued…)
Ober | Kaler report that “…A number of health care providers that attested to Meaningful Use for Stage 1 have received a letter from an Figloiozzi and Company, acting as CMS’s auditor for the EHR Incentive Program (the “Program” or “Meaningful Use Program”), requesting certain records related to the attestation. CMS has not, as of this writing, made any announcement of this audit initiative or of the engagement of Figloiozzi and Company. While it is always good policy to confirm the identity and authority of any entity claiming a right to review or audit records, these letters are legitimate. Citing its statutory authority under the American Recovery and Reinvestment Act (ARRA), and without any fanfare, CMS has begun to audit the attestation materials.”
In the recent ONC Guide to Privacy and Security of Health Information, you might want specifically read page 27 and the discussion of a potential filing under the False Claims Act for failing to complete a proper risk analysis. Yes, there are whistle blower incentives.
We would expect that the documentation requests include specific documentation related to completing a risk analysis. Information about the CMS Audits can be found here, in case you haven’t seen this information before: https://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Attestation.html#10
At the 2012 NIST/OCR HIPAA Security Conference we attended, an HHS official announced that 10% of the MU attesters would be audited.
Risk analysis is a fundamental, foundational part of any risk management program, including your cyber security program. It’s not an evil creation of HIPAA or HITECH statutes or their promulgated rules. In fact, it’s been around since the beginning of mankind. In a nutshell, risk analysis is determining your biggest to smallest risks (a.k.a., exposures) and then using this information to make informed decisions about treating them (accept, avoid, mitigate, transfer).
Bottom Line: Validate that your organization has complete a formal HIPAA Security Risk Analysis, according to HHS/OCR risk analysis guidance and the underlying NIST Security framework.
To learn how to complete your Risk Analysis according to HHS/OCR and underlying NIST guidance, view Clearwater HIPAA Risk Analysis Video Overview.
Wanna be even more hip on HIPAA? Learn more…
The complete HIPAA Privacy, Security and Breach regulations are here.
If you’d like keep up to date on Risk Analysis or HIPAA-HITECH in general, please also consider (all optional!):
- Joining our AboutHIPAA LinkedIn Group: http://AboutHIPAALI.org
- Following me: http://www.twitter.com/ClearwaterHIPAA
- Subscribing to our eNewsletter: http://clearwaterc.wpengine.com/resources/newsletters/
- Subscribing to our RSS feed: Clearwater HIPAA Compliance Blog
- Checking our company web site: http://clearwaterc.wpengine.com/
- Attending a HIPAA HITECH live webinar: http://abouthipaa.com/webinars/upcoming-live-webinars/
- Attending a HIPAA HITECH Blue Ribbon Panel Live Web Event: http://abouthipaa.com/webinars/blue-ribbon-panel-live-events/
- Viewing a pre-recorded webinar: http://abouthipaa.com/webinars/on-demand-webinars/
Bob Chaput
Latest posts by Bob Chaput (see all)
- HIPAA Risk Analysis Tip – Part 5 – Questions & Answers from May 3rd Conversation with Former OCR Director Leon Rodriguez - June 5, 2017
- HIPAA Risk Analysis Tip – Part 4 – Questions & Answers from May 3rd Conversation with Former OCR Director Leon Rodriguez - May 29, 2017
- HIPAA Risk Analysis Tip – Part 3 – Questions & Answers from May 3rd Conversation with Former OCR Director Leon Rodriguez - May 21, 2017