EHR audits are around the corner. The Centers for Medicare & Medicaid Services introduced the EHR incentive program to encourage healthcare providers to adopt electronic health record systems and to ensure secure data sharing practices. While the meaningful use incentive program was intended to encourage the healthcare industry to digitize its data, providers who received EHR incentive payments under the Medicare or Medicaid EHR Incentive Program were liable to audit. The Office of the Inspector General recently released its 2015 work plan, which specifies that it will continue to pay closer attention to the healthcare industry’s use of electronic health records, in particular HIPAA security, EHR incentive payments and fraud. In preparation for auditing the digitized healthcare industry in the coming year, the Office of Inspector General has also requested a $400 million FY 2015 budget, an increase of $105 million, and 284 additional full-time employees to help expand OIG audits and reviews examining IT security, compliance and even electronic health records.
With federal money flowing in through the EHR incentive program, hospitals, providers, vendors and consultants are working their way toward meaningful use of EHR. Nevertheless, if a hospital or medical practitioner accepts federal money to put EHR to meaningful use, they must also prove it by using appropriate electronic tools as per the norms set out by the Centers for Medicare & Medicaid Services. Further, incidents such as those at Shelby Regional Medical Center in Texas and Detroit Medical Center, which led to heavy data leakage and financial loss, demand that healthcare providers, their business associates and vendors treat meaningful use of electronic patient health records as a compliance requirement. In light of this requirement, eligible professionals, hospitals, and critical access healthcare centres were asked to maintain relevant documentation to support this activity.
Besides, as Daniel R. Levinson, U.S. Inspector General, points out, among the important changes taking place across the healthcare industry is an emphasis on coordinated care and increased use of electronic health records. The OIG will therefore need to adopt oversight approaches that are suited to an increasingly sophisticated healthcare system and that can be customized to protect programs and patients from existing and new vulnerabilities. OIG audits to date have discovered that the state agency overpaid 13 hospitals $3.1 million in federal EHR cash. The payment errors were found to be the result of unclear and incorrect patient volume calculations. Further, nearly 80% of the state’s hospitals analyzed in the audit also failed to comply with federal regulations.
By 2015, the OIG will therefore need to leverage data analytics and “forensic enhancements” to investigate increasingly sophisticated healthcare fraud, examining electronic health records in the process.
The OIG will not only audit the various covered entities receiving EHR incentive payments, but will also:
- Identify EHR system fraud and determine whether EHR systems address vulnerabilities.
- Review Medicaid and Medicare EHR incentive payments.
- Analyze the IT security of community health centers funded by the Health Resources and Services Administration.
- Regularly review the Centers for Medicare & Medicaid Services health information technology systems to check that the necessary security controls are in place.
Besides these, conducting mock audits will help healthcare providers stay prepared to face both pre-payment and post-payment audits. However, it is also prudent for enterprises to implement a comprehensive and effective solution. Security solutions such as Aegify Security Posture Management or Aegify SecureGRC, offered by the leading service providers of IT risk and compliance management solutions, will help healthcare establishments achieve meaningful use status with ease while keeping breaches of security protocol close to nil.