Providers and Health Plans Perform Poorly in HIPAA Audits-HHS to Expand Pool of Audited Organizations; CMS Also Targets Meaningful Use Attesters

Share Article

Clearwater Compliance notes that recent data released by the US Department of Health and Human Services Office for Civil Rights (OCR) show that providers account for more than two-thirds of all HIPAA Audit Findings and Observations in seven of the eight categories reviewed, and more than half in the category. Health plans don’t perform well either, accounting for between 25% and 38% of reported findings and observations.

News Image
A big bull’s-eye will be deficiencies in an organization’s risk analysis. Covered entities audited in the pilot program often had conducted a shallow analysis that wasn’t updated as events warranted…Leon Rodriguez

Recent data released by the US Department of Health and Human Services Office for Civil Rights (OCR) show that providers account for more than two-thirds of all HIPAA Audit Findings and Observations in seven of the eight categories reviewed, and more than half in the category. Health plans don’t perform well either, accounting for between 25% and 38% of reported findings and observations.

Simultaneously, and following on the heels of the promulgation of the Omnibus Final Rule (OFR) in February, OCR and the Centers for Medicare and Medicaid Services (CMS) have announced significant expansions of the HIPAA Audit program and stepped-up reviews of Meaningful Use Attesters prior to payment of incentive fees that can be earned under the Meaningful Use regulations.

“Whether or not the increase in oversight is a result of the poor performance of providers and health plans is irrelevant,” Clearwater Compliance, CEO Bob Chaput observed. “The reality is that organizations handling HIPAA data are going to be increasingly exposed to significant financial penalties and loss of revenue if they don’t have their act together. And time is running out to do that. The provisions of the OFR must be incorporated into these organizations’ programs by September."

“What constantly amazes me is the fact that most deficiencies being noted start with an inadequate security risk analysis,” Chaput added, reflecting comments by OCR Director Leon Rodriguez who recently said, “A big bull’s-eye will be deficiencies in an organization’s risk analysis. Covered entities audited in the pilot program often had conducted a shallow analysis that wasn’t updated as events warranted, such as new business strategies or new information systems. With any business change, an entity must review its risk analysis; yet, two-thirds of pilot participants – including 80 percent of providers – did not have a complete and accurate risk analysis.”

“OCR is learning which gaps in protecting health information cause the most breaches,” Rodriguez added. “We want to hit more entities and be more focused on parts of the privacy and security rules for which breaches are at high risk. We want to be focused on the things that really matter in terms of compromising patient confidentiality.”

An authentic risk assessment is also a prerequisite for incentive payments under CMS’ Meaningful Use program. In this area too, department officials have let organizations know that audit activity will be stepped up. “CMS has targeted 5 to 10 percent of those who attested to Meaningful Use in January 2013,” according to Elizabeth Holland, director of the Health IT Initiative Group's Office of E-Health Standards and Services. Eligible professionals selected for audit were chosen both "randomly" and "based on protocols that identify suspicious or anomalous attestation data."

“We have a fiduciary responsibility to make sure that we are paying appropriately,” Holland continued at the recently concluded HIMSS13 conference. “After widespread concern about questionable billing practices among providers vying for government funds – and accusations that CMS hasn’t been doing enough to combat fraud, the agency has ramped up its efforts to keep an eye on Meaningful Use participants. And with budgets being slashed due to sequestration, every dollar counts for both CMS and providers, who can’t afford to take an additional hit due to auditing.”

“The stakes are increasing every day,” Chaput concluded, “and it’s clear that HIPAA Covered Entities and Business Associates are going to have to do a better job and, most likely get professional help to get their programs in order before auditors show up at their door.”

###

About Clearwater Compliance: http://clearwatercompliance.com
Clearwater Compliance, LLC, is all about and only about helping healthcare organizations and their service providers become and remain HIPAA-HITECH Compliant. Owned and operated by veteran, C-suite health care executives, Clearwater Compliance provides comprehensive, by-the-regs software and tools, risk management solutions, training, and professional services for small medical practices and healthcare startups to major healthcare systems, health plans and Fortune 100 companies. Since 2003, the company has served more than 250 organizations (including 100 hospitals). Find out more at clearwatercompliance.com.

Share article on social media or email:

View article via:

Pdf Print

Contact Author

Elaine Axum
Follow us on
Visit website