Meaningful Use – Ready or Not - HCCA official site · 2014-10-08
TRANSCRIPT
10/8/2014
Meaningful Use – Ready or Not: CMS Audits are Underway
Brenda Christman, RN
• Career Health Care Consultant
• 3+ years with Arnett Foster Toothman PLLC
• Prior Big 4 Consultant
• Registered Nurse
• Industry experience as Director of
Reimbursement
What Will We Be Covering?
• Requirements of Meaningful Use Audits
• Documentation to Support Meaningful Use Attestation
• Process to Conduct Mock Audit
What’s All the Fuss About?
• Recent Meaningful Use (MU) audits and paybacks have brought more attention to the CMS audits
• Drew Memorial Hospital was unable to document completion of one of 19 objectives for Meaningful Use
  – CMS is requesting repayment of the entire amount, ~$900K
• HMA self-reported an error in attestation for 11 of its 71 hospitals
  – HMA made an error in applying the requirements for certifying its EHR technology
  – Repaying $31M
CMS Audit Procedures
• CMS is performing pre-payment and post-payment audits on 5-10% of healthcare providers
• Selection
  – Random
  – CMS risk profile of suspicious or anomalous data
• Subcontractor for post-payment audits is Figliozzi and Company
  – Medicare audits of EPs and eligible hospitals, as well as hospitals that are dually eligible for both the Medicare and Medicaid EHR Incentive Programs
  – If you are selected for an audit you will receive a letter from Figliozzi and Company with the CMS and EHR Incentive Program logos on the letterhead
• What triggers a CMS Incentive Payment Audit? A 3-tier approach:
  – Benchmarking / anomalies of data
  – Unusual numerator or denominator responses
  – Field auditor selection
    • Eligible hospitals that received the largest incentive payments
    • Providers who indicated use of multiple EHRs with the capability of collecting data for only a few CQMs
    • A representative sample of certified EHRs, to determine each EHR's capability to support collection of the data necessary to meet MU measures
Audit Process
Initial request letter
•Letter will be sent electronically from a CMS email address and will include the audit contractor’s contact information
•The email address provided during registration for the EHR Incentive Programs will be used for the initial request letter
Submit requested data electronically
•The initial review process will be conducted at the audit contractor’s location, using the information received as a result of the initial request letter.
Receive audit determination letter
•This letter will inform the provider whether they were successful in meeting meaningful use of electronic health records. If found not to be eligible for an EHR incentive payment, the payment will be recouped.
Preparing/Maintaining Documentation
• Maintain documentation that fully supports the meaningful
use and clinical quality measure data submitted during
attestation
• Save any electronic or paper documentation that supports
your attestation
– Make sure others know where the support is saved
– Centralized, Secured Location
– Effective Naming Convention of files
• Save the documentation that supports the values you entered
in the Attestation Module for clinical quality measures
• Maintain documentation that supports payment calculations
Support Documentation Examples
• Proof of Certified Technology
  – Contracts for all components
  – Screen shot from ONC site showing CMS Certification ID Number
  – Letter documenting – if certification notes "additional software required"
• Source documents for threshold objectives
  – Maintain detailed support for each %-based threshold
  – Documentation of the logic used for the calculation and which ED volume calculation was used
  – Report should denote dates covered (reporting period)
  – Same denominator for all measures will be scrutinized
  – Attesting for 100% will also raise suspicion
http://www.healthit.gov/policy-researchers-implementers/certified-health-it-product-list-chpl
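The red flags on the slide above (the same denominator on every measure, 100% attestations, reports that do not state the period covered) can be run as a self-check before a mock audit. The script below is an added example and is not part of the presentation or any CMS tool; the measure names, numerators, denominators and reporting period are constructed sample data, and the 100% and shared-denominator rules are self-review heuristics, not CMS thresholds.

```python
"""Mock-audit pre-check of percentage-based Meaningful Use measures.

Added example, not part of the original presentation.  The measure
names, numerators and denominators below are constructed sample data;
the checks mirror the red flags named on the slide (identical
denominators across measures, 100% attestations, reports that do not
state the reporting period) plus basic arithmetic sanity.  The 100%
and shared-denominator rules are heuristics for self-review, not CMS
thresholds.
"""
from collections import Counter
from datetime import date

# Constructed sample: one attestation for a 90-day reporting period.
SAMPLE_ATTESTATION = {
    "reporting_period": (date(2014, 4, 1), date(2014, 6, 29)),
    "measures": [
        {"name": "CPOE for medication orders", "numerator": 412, "denominator": 430,
         "report_period": (date(2014, 4, 1), date(2014, 6, 29))},
        {"name": "Demographics recorded", "numerator": 430, "denominator": 430,
         "report_period": (date(2014, 4, 1), date(2014, 6, 29))},
        {"name": "Vital signs recorded", "numerator": 430, "denominator": 430,
         "report_period": None},                      # supporting report lacks dates
        {"name": "Patient electronic access", "numerator": 500, "denominator": 430,
         "report_period": (date(2014, 4, 1), date(2014, 6, 29))},
    ],
}


def percent(m):
    """Attested percentage for one measure (0 when the denominator is 0)."""
    return 100.0 * m["numerator"] / m["denominator"] if m["denominator"] else 0.0


def check_measure(m, period):
    """Return a list of finding strings for one percentage-based measure."""
    findings = []
    num, den = m["numerator"], m["denominator"]
    if den <= 0:
        findings.append("denominator is zero or negative")
    if num > den:
        findings.append("numerator exceeds denominator")
    elif den > 0 and num == den:
        findings.append("attests 100%; keep the patient-level detail that supports it")
    rp = m["report_period"]
    if rp is None:
        findings.append("supporting report does not state the dates covered")
    elif rp != period:
        findings.append("report dates do not match the attested reporting period")
    return findings


def check_attestation(att):
    """Run per-measure checks plus the cross-measure denominator check.

    Returns {measure name: [findings]} containing only measures with findings.
    """
    period = att["reporting_period"]
    results = {}
    for m in att["measures"]:
        f = check_measure(m, period)
        if f:
            results[m["name"]] = f
    # Objectives have different denominators (medication orders vs unique
    # patients, for example); the same number on every measure suggests a
    # copy-paste or a report that was not measure-specific.
    dens = Counter(m["denominator"] for m in att["measures"])
    for den, n in dens.items():
        if n > 1:
            for m in att["measures"]:
                if m["denominator"] == den:
                    results.setdefault(m["name"], []).append(
                        f"denominator {den} is shared with {n - 1} other measure(s); confirm it is measure-specific"
                    )
    return results


if __name__ == "__main__":
    for m in SAMPLE_ATTESTATION["measures"]:
        print(f"{m['name']}: {percent(m):.1f}%")
    for name, findings in check_attestation(SAMPLE_ATTESTATION).items():
        print(name)
        for f in findings:
            print("  -", f)
```

Each finding should be resolved by locating the source report (with dates) before the attestation is submitted, so that the mock audit package contains the answer rather than the question.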
Support Documentation Examples
• Yes/No Objectives
  – Proof of Yes/No measures active during the entire reporting period
    • Screen shots
    • Confirmation from vendor
    • Use of audit log
  – Proof of data transaction with public health agency
• Quality Measures
  – Must be reported directly from the Certified EHR
• Security Risk Analysis
  – Maintain a copy per location
  – Must document that it was conducted before the end of the reporting period
  – Document any action taken based on the analysis
Steps of Mock Audit
Ready
•Rally the troops and get a team together to gather all the necessary information: IT, Finance, Compliance, HIM, Clinicians
•Provide education to the team on the process
•CMS website: tip sheets and FAQ
•Sample audit request
Set
•Gather data as if submitting to the auditor
•Certified EHR
•CQMs
•Yes/No objectives
•% threshold objectives
Go
•Challenge the package – allow an outsider to take a look
•Review lessons learned from others
•If you find an issue, be prepared with a plan
•If using an external reviewer, consider attorney-client privilege
Lessons Learned
Designate a single point of contact for communications with the CMS auditor
Only provide the information being requested
Utilize a checklist, and answer each item as the auditor would (yes or no)
Maintain all relevant data for 6 years
Log all documentation supplied to the auditor
Protect patient information by de-identifying it
Questions?
Brenda P. Christman, Member / Arnett Foster Toothman PLLC
614.223.9209
Appendix
Additional Guidance from CMS
Documentation for Non-Percentage-Based Objectives
IT Security and Risk Analysis
Scott Stone
• CIO for Carbis Walker LLP
• Senior IT Consultant and Auditor for the CW Group
• 25 years in the IT industry
• 17 years with Carbis Walker LLP
• Master's Degree in Communications
• Trained Certified Ethical Hacker
• Sophos Firewalls Certified Engineer
• Certified in Microsoft, Cisco, Novell, etc.
What will we be covering?
Top 10 HIPAA IT Security Risk Areas
– Common Areas of Risk Found During IT Audits
– Ways to Mitigate IT Risk
– IT Trends In Health Care
– Reducing PHI On Your Network
IT RISK MITIGATION BASICS
• Laptops are encrypted
• Redundant Internet Access exists at all locations
• Good Antivirus is in place with Centralized
Management
• BAAs up to date and being sent out
• Acceptable Use Policy is up to date and signed
• Disaster Recovery Policy is up to date
Top 10 IT Security / Risk Areas
1. Legacy Operating Systems
2. Patch Management – Microsoft and other software
3. Malware / Virus infections
4. Vendor Accounts
5. Virtualization – Server sprawl – Backups
6. Password Fatigue
7. Mobile Devices & BYOD (Bring Your Own Disaster)
Still using Windows XP?
Support ended April 8, 2014
Other Legacy Operating Systems
End of Life Timelines:
• Windows 2000 Server – July 13, 2010
• AS/400 – prior to V5R4 (released 2006) – already EOL
• Novell 6.5 – Dec 31, 2014
• Windows Server 2003 R2 – July 14, 2015
• Windows XP Embedded – Jan 12, 2016
Patch Management
• Microsoft – Windows & Office =
WSUS (Windows Server Update Services)
• Adobe – Acrobat / Reader / Flash
• Other Software (JAVA)
• Scripting of Updates
• Patch Management Systems
• Silent Updates
• Software inventory systems - reporting
Antivirus / Antimalware
• Becoming the same thing in some suites
• Reactive technology
• Must be centrally managed to be effective
• Response to AV infection = reimage machine
• Virus writing is an enormous business now (Zeus,
RansomWare, Botnets)
• CryptoLocker
Value of a Hacked PC – krebsonsecurity.com
Vendor Accounts
• Vendors reuse or create poor passwords
• Often have constant access
• Lots of Vendors – Software, HVAC, Phone, etc.
• Hiring standards may not be solid
• Allow Limited IP Range for Access
• Ask what they have available to improve security
• Target Breach = Vendor Account
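"Often have constant access" and "Allow Limited IP Range for Access" translate into something you can check against your own logs. The script below is an added example, not from the presentation: it reviews OpenSSH "Accepted ..." lines for vendor accounts against a per-vendor policy of allowed source range, agreed maintenance window and required authentication method. The log lines, account names and the policy structure are constructed for illustration; syslog lines carry no year, so the year is passed in.

```python
"""Review sshd logins by vendor accounts against a per-vendor access policy.

Added example, not from the presentation.  The log lines and policy are
constructed; the policy shape (allowed CIDR, maintenance window, required
auth method) is an assumption made for illustration.  Real syslog lines
carry no year, so the year is supplied by the caller.
"""
import ipaddress
import re
from datetime import datetime, time

# Constructed sample log lines in the standard OpenSSH format.
SAMPLE_LOG = """\
Oct  8 10:14:07 ehrapp sshd[4121]: Accepted publickey for hvacvendor from 198.51.100.23 port 51022 ssh2
Oct  8 02:40:51 ehrapp sshd[4188]: Accepted publickey for hvacvendor from 198.51.100.23 port 51100 ssh2
Oct  8 11:02:19 ehrapp sshd[4302]: Accepted password for labvendor from 203.0.113.77 port 40211 ssh2
Oct  8 11:05:44 ehrapp sshd[4310]: Accepted publickey for labvendor from 192.0.2.9 port 40300 ssh2
Oct  8 11:30:00 ehrapp sshd[4400]: Failed password for invalid user admin from 192.0.2.200 port 55555 ssh2
Oct  8 12:00:00 ehrapp sshd[4500]: Accepted publickey for jsmith from 10.20.0.15 port 50000 ssh2
"""

# Constructed policy: which accounts belong to vendors and what each may do.
VENDOR_POLICY = {
    "hvacvendor": {"cidr": "198.51.100.0/24", "window": (time(8, 0), time(18, 0)), "auth": "publickey"},
    "labvendor":  {"cidr": "192.0.2.0/24",    "window": (time(8, 0), time(18, 0)), "auth": "publickey"},
}

LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<hms>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_accepted(line, year):
    """Return (timestamp, method, user, ip) for an 'Accepted ...' line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['hms']}", "%Y %b %d %H:%M:%S")
    return ts, m["method"], m["user"], ipaddress.ip_address(m["ip"])


def review_vendor_logins(log_text, policy, year=2014):
    """Return a list of (user, timestamp, reason) for vendor logins that violate policy."""
    violations = []
    for line in log_text.splitlines():
        parsed = parse_accepted(line, year)
        if parsed is None:
            continue
        ts, method, user, ip = parsed
        rule = policy.get(user)
        if rule is None:
            continue  # not a vendor account; out of scope for this review
        if ip not in ipaddress.ip_network(rule["cidr"]):
            violations.append((user, ts, f"source {ip} outside allowed range {rule['cidr']}"))
        start, end = rule["window"]
        if not (start <= ts.time() <= end):
            violations.append((user, ts, "login outside agreed maintenance window"))
        if method != rule["auth"]:
            violations.append((user, ts, f"authenticated with {method}, policy requires {rule['auth']}"))
    return violations


if __name__ == "__main__":
    for user, ts, reason in review_vendor_logins(SAMPLE_LOG, VENDOR_POLICY):
        print(f"{ts:%b %d %H:%M} {user}: {reason}")
```

The same three rules are what you would ask the vendor to agree to in the BAA or support contract; the review script is how you verify, rather than assume, that the agreement holds.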
Virtualization / Backups
• Server Sprawl
• Hidden / Forgotten Systems
• HUGE Images / Data Sets
• Tapes / Portable Hard Drives / Cloud Backups
• Factors for every type:
– Encryption
– Portability
– Integration with DR policy
Password Fatigue
• Standard Policy – was 8$1C - now 12$1C
• Extended Change Intervals > 90 Days
• Password Fatigue Solutions
– Password Managers
• Lastpass
• RoboForm
– Biometrics
– Two Factor
• RSA Keys
• YubiKey
• FOBs with PINs
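The RSA keys, YubiKeys and PIN fobs listed above are one-time-password generators; the code below shows the standard algorithm behind them (HOTP, RFC 4226, and its time-based form TOTP, RFC 6238) plus a verifier that tolerates a step of clock drift. It is an added example, not from the presentation, uses only the standard library, and the secret is the RFC 4226 test key so the output can be checked against the published vectors.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238): how an OTP fob or phone token works.

Added example, not from the presentation.  Standard-library only; the
secret below is the RFC 4226 test key so the output can be checked against
the published vectors.
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226: HMAC the 8-byte big-endian counter, dynamic-truncate, mod 10^digits."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, digestmod).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 6238: HOTP over the number of time steps since the Unix epoch."""
    return hotp(secret, unix_time // step, digits, digestmod)


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30, skew: int = 1) -> bool:
    """Accept the current step and +/- `skew` steps of clock drift, compared in constant time."""
    for drift in range(-skew, skew + 1):
        candidate = totp(secret, unix_time + drift * step, step)
        if hmac.compare_digest(candidate, code):
            return True
    return False


RFC4226_SECRET = b"12345678901234567890"  # test key from RFC 4226 Appendix D

if __name__ == "__main__":
    for c in range(3):
        print(c, hotp(RFC4226_SECRET, c))          # 755224, 287082, 359152
    print(totp(RFC4226_SECRET, 59, digits=8))      # 94287082 per RFC 6238
```

The security of the scheme rests entirely on the shared secret staying on the token and the server, which is why the server side belongs on a hardened host and why a lost fob must be revoked rather than just reported.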
Mobile Devices & BYOD
• “Wild West” of IT Security
• Issues:
– Email everywhere – Attachments cached
– Notification of lost devices
– Remote wipe including personal information
– Expectation of privacy by the user
• Solutions:
– Newer versions of Exchange
– AirWatch, Sophos, MobileIron
Patient Portals
• Meaningful Use pushing implementation
• Internal IT staff generally not qualified
• Database (SQL) systems – target rich
• Easy Access ≠ Secure
• External testing is a minimum
• Solution providers starting to appear
• Heartbleed-type vulnerabilities likely
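"Database (SQL) systems – target rich" usually means one thing in a portal: patient lookups built by string concatenation. The example below is added here and is not from the presentation or any portal product; it uses an in-memory SQLite table with constructed patient rows (table layout and function names are assumptions) to show the vulnerable lookup beside the parameterized one, with a classic tautology payload that makes the difference visible.

```python
"""Patient-portal lookup: string-built SQL versus a parameterized query.

Added example, not from the presentation.  Uses an in-memory SQLite
database with constructed patient rows; the table layout and the portal
function names are assumptions for illustration.
"""
import sqlite3


def make_db():
    """Build the constructed sample table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE patient (mrn TEXT PRIMARY KEY, name TEXT, portal_user TEXT)")
    db.executemany("INSERT INTO patient VALUES (?, ?, ?)", [
        ("100001", "Alice Example", "alice"),
        ("100002", "Bob Sample", "bob"),
        ("100003", "Carol Test", "carol"),
    ])
    return db


def lookup_vulnerable(db, portal_user):
    """The 'easy access' version: user input concatenated into SQL."""
    sql = f"SELECT mrn, name FROM patient WHERE portal_user = '{portal_user}'"
    return db.execute(sql).fetchall()


def lookup_safe(db, portal_user):
    """Parameterized: the driver sends the value separately, so it is never parsed as SQL."""
    return db.execute("SELECT mrn, name FROM patient WHERE portal_user = ?", (portal_user,)).fetchall()


INJECTION = "alice' OR '1'='1"   # classic tautology; turns a one-user lookup into every row

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, INJECTION))   # all three patients
    print("safe:      ", lookup_safe(db, INJECTION))         # no such portal user
```

This is exactly the class of finding an external test of the portal should produce; a parameterized query plus a least-privilege database account for the portal (read-only, limited to the portal's own tables) is the fix on both sides.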
Old PHI On The Network
• Admission Forms / Face Sheets
• Incident Response Forms
• Old Billing Systems / Databases
• Patient care tracking Excel sheets
• Solutions:
– Archive and remove from the network
– Create administrative access VLAN
– Automatic Cleanup Scripts
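One form the "automatic cleanup scripts" can take is a sweep that finds stale files which look like they hold PHI (face sheets, admission or incident forms, spreadsheets with SSN- or MRN-shaped values) and moves them to an archive location off the production share, preserving the relative path so each file can be traced back. The script below is an added example, not from the presentation: the share layout, file names, age threshold and archive path are constructed for the demo, and the name and content patterns are simple heuristics that will need tuning for a real environment.

```python
"""Sweep a share for stale files that look like they hold PHI and move them to an archive.

Added example, not from the presentation.  The share layout, file names,
age threshold and archive path are constructed for the demo; the content
patterns (SSN-shaped numbers, 'MRN' labels, face-sheet/admission names)
are simple heuristics and will need tuning for a real environment.
"""
import os
import re
import shutil
import tempfile
import time
from pathlib import Path

NAME_HINTS = re.compile(r"(face.?sheet|admission|incident|patient|billing)", re.I)
CONTENT_HINTS = re.compile(r"\b\d{3}-\d{2}-\d{4}\b|\bMRN\s*[:#]?\s*\d{5,}\b", re.I)
SCAN_SUFFIXES = {".txt", ".csv", ".xls", ".xlsx", ".doc", ".docx", ".pdf"}


def looks_like_phi(path):
    """Flag by file name, or by scanning the first 64 KiB of text for SSN/MRN patterns."""
    if NAME_HINTS.search(path.name):
        return True
    try:
        head = path.read_bytes()[:65536].decode("utf-8", errors="ignore")
    except OSError:
        return False
    return bool(CONTENT_HINTS.search(head))


def sweep(share, archive, max_age_days, now=None, dry_run=False):
    """Return the list of share-relative paths moved (or that would be moved, if dry_run).

    Only files older than max_age_days that look like PHI are moved; the
    archive keeps the path relative to the share so the file can be traced back.
    """
    now = time.time() if now is None else now
    cutoff = now - max_age_days * 86400
    moved = []
    for path in share.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SCAN_SUFFIXES:
            continue
        if path.stat().st_mtime > cutoff or not looks_like_phi(path):
            continue
        dest = archive / path.relative_to(share)
        if not dry_run:
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.move(str(path), str(dest))
        moved.append(path.relative_to(share))
    return moved


def build_demo_share():
    """Create a temporary share with constructed files: two stale PHI files, one fresh, one unrelated."""
    root = Path(tempfile.mkdtemp())
    share, archive = root / "share", root / "archive"
    old = time.time() - 400 * 86400
    files = {
        "intake/FaceSheet_2012.xls": b"binary-ish face sheet",
        "billing/old_claims.csv": b"name,ssn\nJ. Doe,123-45-6789\n",
        "tracking/census.txt": b"MRN: 4471920 bed 12\n",          # fresh, must stay
        "it/switch_config.txt": b"hostname core-sw1\n",           # no PHI, must stay
    }
    for rel, body in files.items():
        p = share / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(body)
        if "census" not in rel:
            os.utime(p, (old, old))
    return share, archive


if __name__ == "__main__":
    share, archive = build_demo_share()
    for rel in sweep(share, archive, max_age_days=365):
        print("archived", rel)
```

Run it with dry_run=True first and review the list with HIM and the data owners; the archive location should itself be encrypted and access-restricted, since moving PHI does not make it any less PHI.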
Encrypting Data at Rest
• No real guidance from HHS
• Any stored data – servers, databases, etc.
• CDs, DVDs, backup tapes, hard drives, etc.
• Encryption solutions:
– Hardware (Brocade, CISCO, HP, etc.)
– Software (MS Bitlocker, Sophos, EMC, etc.)
• Long term key management and control
Review: Top 10 IT Security / Risk Areas
1. Legacy Operating Systems
2. Patch Management – Microsoft and other software
3. Malware / Virus infections
4. Vendor Accounts
5. Virtualization – Server Sprawl - Backups
6. Password Fatigue
7. Mobile Devices & BYOD (Bring Your Own Disaster)
8. Patient Portals – Website access
9. Old PHI on the network
10. Encrypting Data at Rest
Questions?
Scott Stone, Sr. IT Consultant / CIO
724.658.1565