As my friend and fellow HIPAA Audit Prep BootCamp™ faculty member, Jim Pyles, Esq., poses: Did you really think the government was going to hand out $30B in Meaningful Use (MU) Incentives without checking on the meaningful use part? The HIPAA Security Risk Analysis requirement (at 45 CFR 164.308(a)(1)(ii)(A)) is MU Core Objective 14 and 15 for eligible hospitals and eligible providers. CMS announced its intention to audit up to 10% of the organizations attesting to MU and receiving incentive money. In a recent Guide to Privacy and Security of Healthcare Information, ONC connected the dots between failure to perform a risk analysis AND the False Claims Act. Oh yes, don’t forget about the HITECH-mandated audits focusing on Risk Analysis and the HHS/OCR Settlement Agreements highlighting failures to perform risk analyses.
Here’s today’s big tip — Watch Your Flanks; there are Risk Analysis several attack vectors.
HIPAA Security Risk Analysis Tips – Watch Your Flank
Here are the top four (4) ways to find yourself in trouble with DHSS over risk analysis… and possibly having to pay treble damages:
- Be found to not have completed one in an OCR HIPAA Compliance Audit.
- Earn an OCR Investigation as the result of a complaint and be found to not have completed one.
- Be found to not have completed on as a result of a CMS Meaningful Use Audit.
- Have an (qui tam) employee or member or patient file a claim under the False Claims Act stating that you really didn’t complete a risk analysis the right way.
NIST SP800-30 Risk Analysis – The Right Way
HHS / OCR published its “Guidance on Risk Analysis Requirements under the HIPAA Security Rule” relies on the NIST Security framework and specifically NIST SP800-30 Revision 1 Guide for Conducting Risk Assessments – DRAFT. According to both documents and NIST SP800-30,
“A Risk Analysis is the process of identifying, prioritizing, and estimating risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, …, resulting from the operation of an information system. Part of risk management, incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place. “
CMS Meaningful Use Audits
From the CMS web site:
Will CMS conduct audits?
Any provider attesting to receive an EHR incentive payment for either the Medicare EHR Incentive Program or the Medicaid EHR Incentive Program potentially may be subject to an audit. Here’s what you need to know to make sure you’re prepared:
Overview of the CMS EHR Incentive Programs Audits
- All providers attesting to receive an EHR incentive payment for either Medicare or Medicaid EHR Incentive Programs should retain ALL relevant supporting documentation (in either paper or electronic format used in the completion of the Attestation Module responses). Documentation to support the attestation should be retained for six years post-attestation. Documentation to support payment calculations (such as cost report data) should continue to follow the current documentation retention processes.
- CMS, and its contractors, will perform audits on Medicare and dually-eligible (Medicare and Medicaid) providers.
- States, and their contractors, will perform audits on Medicaid providers.
- CMS and states will also manage appeals processes.
Preparing for an Audit
- To ensure you are prepared for a potential audit, save the supporting electronic or paper documentation that support your attestation. Also save the documentation to support your Clinical Quality Measures (CQMs). Hospitals should also maintain documentation to support their payment calculations.
- Upon audit, the documentation will be used to validate that the provider accurately attested and submitted CQMs, as well as to verify that the incentive payment was accurate.
Details of the Audits
- There are numerous pre-payment edit checks built into the EHR Incentive Programs’ systems to detect inaccuracies in eligibility, reporting and payment.
- Post-payment audits will also be completed during the course of the EHR Incentive Programs.
- If, based on an audit, a provider is found to not be eligible for an EHR incentive payment, the payment will be recouped.
- CMS will be implementing an appeals process for eligible professionals, eligible hospitals and critical access hospitals that participate in the Medicare EHR Incentive Program. More information about this process will be posted to the CMS Web site soon.
- States will implement appeals processes for the Medicaid EHR Incentive Program. For more information about these appeals, please contact your State Medicaid Agency.
Bottom Line: if you have not completed a bona fide risk analysis HHS/OCR guidance and NIST robust methodology , you may be in big trouble with both OCR (Security, Privacy and Breach Rule enforcers) AND CMS which operates the Meaningful Use EHR Incentive Program and will perform audits on attestations… and possibly DOJ, if it results in a false claims filing.
To learn how to complete your Risk Analysis according to HHS/OCR and underlying NIST SP800-30 guidance, view Clearwater HIPAA Risk Analysis Video Overview.
More HIPAA HITECH Resources:
The complete HIPAA Privacy, Security and Breach regulations are here.
Latest posts by Bob Chaput (see all)
- Making the case for comprehensive cyber-risk strategies: 10 startling facts that will spur C-suite action - August 8, 2016
- Building Capability and Capacity to Take on Healthcare’s Evolving Security Threats - August 5, 2016
- HIPAA Risk Analysis Tip – The Biggest Risk Management Surprises in the 2016 OCR Audit Protocol - April 11, 2016