Meaningful Use Ready or Not. Brenda Christman, RN. What Will We Be Covering? 10/8/2014

Transcription

1 Meaningful Use Ready or Not CMS Audits are Underway Brenda Christman, RN Career Health Care Consultant 3+ years with Arnett Foster Toothman PLLC Prior Big 4 Consultant Registered Nurse Industry experience as Director of Reimbursement 2 What Will We Be Covering? Requirements of Meaningful Use Audits Documentation to Support Meaningful Use Attestation Process to Conduct Mock Audit 3 1

2 What s All the Fuss About? Recent Meaningful Use (MU) audits and paybacks have brought more attention to the CMS Audits Drew Memorial Hospital was unable to document completion of one 19 objectives for Meaningful Use CMS is requesting repayment of entire amount ~ $900K HMAself reported they had an error in attestation for 11 of their 71 hospitals HMA made an error in applying the requirements for certifying its EHR technology Repaying $31M 4 CMS Audit Procedures The CMS is performing pre-paymentand post-paymentaudits on 5-10% of healthcare providers Selection Randomly CMS risk profile of suspicious or anomalous data Subcontractor for post-payment is Figliozzi Medicare Audits of EPs and eligible hospitals, as well as on hospitals that are dually-eligible for both the Medicare and Medicaid EHR Incentive Programs. If you are selected for an audit will receive a letter from Figliozzi and Company with the CMS and EHR Incentive Program logos on the letterhead. What triggers a CMS Incentive Payment Audit? 3 tier approach Benchmarking/Anomalies of data Unusual response in Numerator or Denominator responses Field Auditor Selection Eligible Hospitals that received the largest incentive payments Providers who indicated use of multiple EHRs with the capability of collecting data for only a few CQMs A representative sample of certified EHRs in order to determine each EHRs capabilities to support collection of data necessary to meet MU measures 5 Audit Process Initial request letter Letter will be sent electronically from a CMS address and will include the audit contractor s contact information The address provided during registration for the EHR Incentive Programs will be used for the initial request letter Submit requested data electronically The initial review process will be conducted at the audit contractor s location, using the information received as a result of the initial request letter. Receive audit determination letter This letter will inform the provider whether they were successful in meeting meaningful use of electronic health records. If found not to be eligible for an EHR incentive payment, the payment will be recouped 6 2

3 Preparing/Maintaining Documentation Maintain documentation that fully supports the meaningful use and clinical quality measure data submitted during attestation Save any electronic or paper documentation that supports your attestation Make sure others know where the support is saved Centralized, Secured Location Effective Naming Convention of files Save the documentation that supports the values you entered in the Attestation Module for clinical quality measures Maintain documentation that supports payment calculations 7 Support Documentation Examples Proof of Certified Technology Contracts for all components Screen shot from ONC site showing CMS Certification ID Number Letter documenting if certification notes additional software required Source documents for threshold objectives Maintain detail support for each % based threshold Documentation of logic used for calculation and which ED volume calculation used Report should denote dates covered (reporting period) Same denominator for all measures will be scrutinized Attesting for 100% will also raise suspicion 8 Support Documentation Examples Yes/No Objectives Proof of Yes/No measures active during entire reporting period Screen shots Confirmation from vendor Use of Audit log Proof of data transaction with public health agency Quality Measures Must be reported directly from Certified HER Security Risk Analysis Maintain a copy per locations Need to document conducted before the end of reporting period Document any action taken based on analysis 9 3

4 Steps of Mock Audit Ready Rally the troops and get a team together to gather all the necessary information: IT, Finance, Compliance, HIM, Clinicians Provide education to team on process CMS website: Tip sheets and FAQ Sample Audit Request Set Go Gather Data as if submitting to Auditor Certified EHR CQMs Yes/No % Threshold Objectives Challenge package allow an outsider to take a look Review lessons learned from other If find issue be prepared with a plan If using an external reviewer consider attorney client privilege 10 Lessons Learned Designate a single point of contact for communications with CMS auditor Only provide the information being requested Utilize a checklist, and answer as if auditor (yes or no) Maintain all relevant data for 6 years Log all documentation supplied to auditor Protect patient information by de-identifying 11 Questions? Brenda P. Christman Member/Arnett Foster ToothmanPLLC Brenda.christman@aftcpas.com

5 Appendix Additional Guidance from CMS 13 Documentation for Non- Percentage-Based Objectives 14 Documentation for Non- Percentage-Based Objectives 15 5

6 Documentation for Non- Percentage-Based Objectives 16 IT Security and Risk Analysis Scott Stone CIO for Carbis Walker LLP Senior IT Consultant and Auditor for the CW Group 25 years in the IT industry 17 years with Carbis Walker LLP Master Degree in Communications Trained Certified Ethical Hacker Sophos Firewalls Certified Engineer Certified in Microsoft, Cisco, Novell, etc. 18 6

7 What will we be covering? Top 10 HIPAA IT Security Risk Areas Common Areas of Risk Found During IT Audits Ways to Mitigate IT Risk IT Trends In Health Care Reducing PHI On Your Network 19 IT RISK MITIGATION BASICS Laptops are encrypted Redundant Internet Access exists at all locations Good Antivirus is in place with Centralized Management BAAs up to date and being sent out Acceptable Use Policy is up to date and signed Disaster Recovery Policy is up to date 20 Top 10 IT Security / Risk Areas 1. Legacy Operating Systems 2. Patch Management Microsoft and other software 3. Malware / Virus infections 4. Vendor Accounts 5. Virtualization Server sprawl - Backups 6. Password Fatigue 7. Mobile Devices & BYOD (Bring Your Own Disaster) 21 7

8 Still using Windows XP? Support Ended April 8 th Other Legacy Operating Systems End of Life Timelines: Windows 2000 Server July 13, 2010 AS400 Prior to V5R4 (rel2006) Already EOL Novell 6.5 Dec 31, 2014 Windows 2003 Server R2 July 14, 2015 Windows XP Embedded - 1/12/ Patch Management Microsoft Windows &Office = WSUS (Windows Server Update Services) Adobe Acrobat / Reader / Flash Other Software (JAVA) Scripting of Updates Patch Management Systems Silent Updates Software inventory systems - reporting 24 8

9 Antivirus / Antimalware Becoming the same thing in some suites Reactive technology Must be centrally managed to be effective Response to AV infection = reimage machine Virus writing is an enormous business now (Zeus, RansomWare, Botnets) CryptoLocker 25 Value of a Hacked PC krebsonsecurity.com 26 Vendor Accounts Vendors reuse or create poor passwords Often have constant access Lots of Vendors Software, HVAC, Phone, etc. Hiring standards may not be solid Allow Limited IP Range for Access Ask what they have available to improve security Target Breach = Vendor Account 27 9

10 Virtualization / Backups Server Sprawl Hidden / Forgotten Systems HUGE Images / Data Sets Tapes / Portable Hard Drives / Cloud Backups Factors for every type: Encryption Portability Integration with DR policy 28 Password Fatigue Standard Policy was 8$1C -now 12$1C Extended Change Intervals > 90 Days Password Fatigue Solutions Password Managers Lastpass RoboForm Biometrics Two Factor RSA Keys YubiKey FOBs with PINs 29 Mobile Devices & BYOD Wild West of IT Security Issues: everywhere Attachments cached Notification of lost devices Remote wipe including personal information Expectation of privacy by the user Solutions: Newer versions of Exchange AirWatch, Sophos, MobileIron 30 10

11 Patient Portals Meaningful Use pushing implementation Internal IT staff generally not qualified Database (SQL) systems target rich Easy Access Secure External testing is a minimum Solution providers starting to appear Heartbleed type vulnerabilities likely 31 Old PHI On The Network Admission Forms / Face Sheets Incident Response Forms Old Billing Systems / Databases Patient care tracking excel sheets Solutions: Archive and remove from the network Create administrative access VLAN Automatic Cleanup Scripts 32 Encrypting Data at Rest No real guidance from HHS Any stored data servers, databases, etc. CDs, DVDs, backup tapes, hard drives, etc. Encryption solutions: Hardware (Brocade, CISCO, HP, etc.) Software (MS Bitlocker, Sophos, EMC, etc.) Long term key management and control 33 11

12 Review: Top 10 IT Security / Risk Areas 1. Legacy Operating Systems 2. Patch Management Microsoft and other software 3. Malware / Virus infections 4. Vendor Accounts 5. Virtualization Server Sprawl - Backups 6. Password Fatigue 7. Mobile Devices & BYOD (Bring Your Own Disaster) 8. Patient Portals Website access 9. Old PHI on the network 10. Encrypting Data at Rest 34 Questions? Scott Stone Sr. IT Consultant / CIO sstone@carbis.com