ehealth Privacy & Security Interest Group Monthly Call Friday September 26, 2014

Transcription

1 ehealth Privacy & Security Interest Group Monthly Call Friday September 26, 2014 Meaningful Use (MU) Incentives and the Security Risk Analysis (SRA) Jim Tate 1

2 ehealth Privacy & Security Interest Group The ehealth, Privacy & Security Interest Group focuses on cutting edge issues dealing with technology and privacy as they relate to health care. Substantive topics of interest to committee members include health information privacy and security, electronic communications, electronic transactions and telehealth. The Interest Group will seek to encourage discussion and debate on emerging legal issues in these areas. 2

3 Links to ehealth Privacy & Security Interest Group twitter.com/hlseps ABA Health Law Section American Bar Association Health Law Section 3

4 Mark Your Calendars Now for Next Monthly ehealth, Privacy & Security Calls October 31, 2014 November 21, 2014 December 19,

5 ehealth Privacy & Security Interest Group Where to Send Your Ideas for Programming: Peter Ricoy Lee Kim Clinton Mikel 5

6 Improved Audio Through Telephone Call Phone Number and Enter Unique Pin Number for Improved Audio Quality XXXX XX 6

7 How to Ask a Question on Today s Program Type Question Anytime During Program in Question Box on Control Panel [Type question here] 7

8 Today s Webinar Meaningful Use (MU) Incentives and the Security Risk Analysis (SRA) Jim Tate President and Founder, EMR Advocate, Inc. 8

9 Reminder: Upcoming Programs November, 2014 [Actual date TBD] December 19, 2014 January 23, 2014 ehealth, Privacy & Security Medical Device Cybersecurity/FDA regulation ehealth, Privacy & Security Getting on the Career Path: Program for Law Students ehealth, Privacy & Security Ebola and mhealth 9

10 Thank you! ehealth, Privacy & Security Interest Group 10

11 Security Risk Assessment Meaningful Use Jim Tate October 31, 2014

12 Who Gets the Audit? As of July 2014 over 4,700 unique EHs/CAHs have received CMS EHR incentives. Medicare only: 270 $568,000,000+ Medicaid only: 156 $348,000,000+ Dually eligible: 4,301 $13,915,000,000+ CMS states the aim is to audit 5%+.

13 What Generates the Audit? Random Risk profile - suspicious data Successive audits based on history Reach back Whistleblowers

14 The Audit Process ed letter of audit engagement Request for documentation Response and request Final Determination

15 Audit The Letter This letter is to inform you that you have been selected by CMS for an audit of your meaningful use of certified EHR technology for the attestation period. Attached to this letter is an information request list. Be aware that this list may not be all-inclusive and that we may request additional information necessary to complete the audit. -or Limited audit: proof of Certified EHR

16 Documentation Request Protect Electronic Health Information: Provide proof that a security risk analysis of the Certified EHR Technology was performed prior to the end of the reporting period (i.e. report which documents the procedures performed during the analysis and the results of the analysis). If deficiencies are identified in this analysis, please supply the implementation plan; this plan should include the completion dates.

17 Security Risk Analysis for MU Objective: Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities. Measure: Conduct or review a security risk analysis in accordance with the requirements under 45 CFR (a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process. Exclusion: No exclusion.

18 Security Risk Analysis for MU Conducting a security risk analysis is required when certified EHR technology is adopted in the first reporting year. In subsequent reporting years, or when changes to the practice or electronic systems occur, a review must be conducted. Any security updates and deficiencies that are identified in the review should be included in the provider s risk management process and implemented or corrected as indicated by that process. CMS

19 Security Risk Analysis for MU There is no single method or best practice that guarantees compliance, but most risk analysis and risk management processes have steps in common. Here are some considerations as you conduct your risk analysis: Review the existing security infrastructure in your hospital against legal requirements and industry best practices Identify potential threats to patient privacy and security and assesses the impact on the confidentiality, integrity and availability of e-phi Prioritize risks based on the severity of their impact CMS

20 Security Risk Analysis for MU Question: Do the auditors use a checklist when the SRA is reviewed? The key for us is the security risk assessment encompasses the EHR system and that it is a review either performed by the EH or a consultant. Given the vast spectrum of security risk assessments we have seen it would be hard to put together a checklist to be used. We review each one on an individual basis and at times have meetings with the staff and point out why the particular assessment meets the criteria or why it does not. Of course there are a great deal of assessments that fall into that gray zone of, is this really an assessment or is it just policies or checklists?

21 Final Determination Good We performed a desk review on your facility s meaningful use attestation for the Program Year 2011 and Payment Year 1. Based on our desk review of the supporting documentation furnished by the facility, we have determined that Hospital XYZ has met the meaningful use criteria.

22 Final Determination Bad Based on our desk review of the supporting documentation furnished by the facility, we have determined that Hospital XYZ has not met the meaningful use criteria, for the following reasons: Failed Eligible Hospital Meaningful Use Core Measure X. Since your facility did not meet the meaningful use criteria, the incentive payment will be recouped. You will receive a demand for your total Medicare EHR incentive payment shortly from the EHR HITECH Incentive Payment Center.

23 The Demand Letter The purpose of this letter is to inform you that a Meaningful Use Audit determined a HITECH incentive overpayment in the amount of $X,XXX,XXX..to be repaid to our office in full. Full refund within 30 days...interest begins on 31 st day.referred to Department of Treasury on 61 st day.

24 Things Change - CMS - 10/6/14 (FAQ10754) To meet the Protect Electronic Health Information core objective for Stage 1, eligible professionals (EP), eligible hospitals or critical access hospitals (CAH) must conduct or review a security risk analysis in accordance with the requirements under 45 CFR (a)(1) and implement security updates as necessary and correct identified security deficiencies as part of the provider's risk management process) These steps may be completed outside of the EHR reporting period timeframe but must take place no earlier than the start of the reporting year and end of the reporting year. For example, a EP who is reporting Meaningful use for a 90 day EHR reporting period may complete the appropriate security risk analysis requirements outside of this 90-day period as long as it is completed no earlier than January 1st and no later than December 31st of the EHR reporting year.

25 Things Change - 10/27/14 (Auditor Clarification) The new guidance is wrong. The SRA must be completed before attestation date. CMS will be correcting the guidance and hopefully it gets the same amount of coverage.

26 Appeals CMS handles the appeal process for EPs, EHRs, and CAHs in the Medicare and dually eligible hospitals. States are responsible for appeals related to the Medicaid EHR Incentives.

27 Appeals Filed electronically More flexibility than at the audit level Less communication than during audit Timeline of appeal process Only failed MU measures addressed

28 Appeals 1/27/2014 Failed audit for SRA 3/18/2014 Based on our review of you Appeal Filing Request, supporting documentation and the Program policies, we have accepted the documentation you provided to support your appeal. Therefore, CMS upholds your appeal.

29 Appeals 5/13/2014 CMS has reopened the review of your appeal and supporting documentation along with others in your practice. The documentation provided to justify that a security risk assessment was conducted in late 2011 and early 2012 is insufficient to support the appeal and CMS is reversing the March 18, 2014 decision to uphold your appeal. As a result, the final CMS decision denies your appeal and upholds the adverse audit finding. This decision is not subject to further appeal.

30 Contact