
Meaningful Use –Ready or Not - HCCA Official Site · 2014-10-08 · certified EHRs in order to determine each EHRs capabilities to support collection of data necessary to meet MU



Meaningful Use – Ready or Not: CMS Audits are Underway

Brenda Christman, RN

• Career Health Care Consultant

• 3+ years with Arnett Foster Toothman PLLC

• Prior Big 4 Consultant

• Registered Nurse

• Industry experience as Director of Reimbursement

What Will We Be Covering?

• Requirements of Meaningful Use Audits

• Documentation to Support Meaningful Use Attestation

• Process to Conduct Mock Audit



What’s All the Fuss About?

• Recent Meaningful Use (MU) audits and paybacks have brought more attention to the CMS Audits

• Drew Memorial Hospital was unable to document completion of one of 19 objectives for Meaningful Use

• CMS is requesting repayment of entire amount ~ $900K

• HMA self-reported they had an error in attestation for 11 of their 71 hospitals

• HMA made an error in applying the requirements for certifying its EHR technology

• Repaying $31M

CMS Audit Procedures

• The CMS is performing pre-payment and post-payment audits on 5-10% of healthcare providers

• Selection

– Randomly

– CMS risk profile of suspicious or anomalous data

• Subcontractor for post-payment is Figliozzi

– Medicare Audits of EPs and eligible hospitals, as well as on hospitals that are dually-eligible for both the Medicare and Medicaid EHR Incentive Programs.

– If you are selected for an audit, you will receive a letter from Figliozzi and Company with the CMS and EHR Incentive Program logos on the letterhead.

• What triggers a CMS Incentive Payment Audit?

– 3 tier approach

• Benchmarking/Anomalies of data

• Unusual response in Numerator or Denominator responses

• Field Auditor Selection

– Eligible Hospitals that received the largest incentive payments

– Providers who indicated use of multiple EHRs with the capability of collecting data for only a few CQMs

– A representative sample of certified EHRs in order to determine each EHR's capabilities to support collection of data necessary to meet MU measures

Audit Process

Initial request letter

• Letter will be sent electronically from a CMS email address and will include the audit contractor’s contact information

• The email address provided during registration for the EHR Incentive Programs will be used for the initial request letter

Submit requested data electronically

• The initial review process will be conducted at the audit contractor’s location, using the information received as a result of the initial request letter.

Receive audit determination letter

• This letter will inform the provider whether they were successful in meeting meaningful use of electronic health records. If found not to be eligible for an EHR incentive payment, the payment will be recouped


Preparing/Maintaining Documentation

• Maintain documentation that fully supports the meaningful use and clinical quality measure data submitted during attestation

• Save any electronic or paper documentation that supports your attestation

– Make sure others know where the support is saved

– Centralized, Secured Location

– Effective Naming Convention of files

• Save the documentation that supports the values you entered in the Attestation Module for clinical quality measures

• Maintain documentation that supports payment calculations

Support Documentation Examples

• Proof of Certified Technology

– Contracts for all components

– Screen shot from ONC site showing CMS Certification ID Number

– Letter documenting – if certification notes “additional software required”

• Source documents for threshold objectives

– Maintain detail support for each % based threshold

– Documentation of logic used for calculation and which ED volume calculation used

– Report should denote dates covered (reporting period)

– Same denominator for all measures will be scrutinized

– Attesting for 100% will also raise suspicion

http://www.healthit.gov/policy-researchers-implementers/certified-health-it-product-list-chpl
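As an added example (not part of the presentation), the following script is the kind of self-check a mock-audit team could run over its own percentage-based measure values before attesting. It flags the two patterns the slide says auditors scrutinize, one denominator reused for every measure and a measure attested at exactly 100%, plus the plain arithmetic error of a numerator larger than its denominator. The measure names and counts are constructed sample data, not values from any real attestation.

```python
from dataclasses import dataclass


@dataclass
class Measure:
    """One percentage-based objective as entered in the attestation module."""
    name: str
    numerator: int
    denominator: int

    @property
    def percent(self) -> float:
        if self.denominator == 0:
            return 0.0
        return 100.0 * self.numerator / self.denominator


def review_measures(measures):
    """Return (measure name, finding) pairs that the team should be able to
    explain from source documents before attesting.

    The findings mirror the scrutiny points on the slide: one denominator
    reused for every measure, and a measure attested at exactly 100%.
    A numerator larger than its denominator is an outright error.
    """
    findings = []
    denominators = {m.denominator for m in measures}
    if len(measures) > 1 and len(denominators) == 1:
        for m in measures:
            findings.append((m.name, "same denominator used for all measures"))
    for m in measures:
        if m.numerator > m.denominator:
            findings.append((m.name, "numerator exceeds denominator"))
        elif m.denominator and m.percent == 100.0:
            findings.append((m.name, "attested at 100%"))
    return findings


# Constructed sample values (not from any real attestation).
SAMPLE_MEASURES = [
    Measure("CPOE for medication orders", 412, 520),
    Measure("Record demographics", 520, 520),
    Measure("Record vital signs", 498, 520),
    Measure("Patient electronic access", 530, 520),
]

if __name__ == "__main__":
    for name, finding in review_measures(SAMPLE_MEASURES):
        print(f"{name}: {finding}")
```

A shared denominator is not wrong in itself (two objectives can legitimately count the same patient population), but every such finding should map back to the documented calculation logic the previous slide asks you to keep.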

Support Documentation Examples

• Yes/No Objectives

– Proof of Yes/No measures active during entire reporting period

• Screen shots

• Confirmation from vendor

• Use of Audit log

– Proof of data transaction with public health agency

• Quality Measures

– Must be reported directly from Certified EHR

• Security Risk Analysis

– Maintain a copy per location

– Need to document that it was conducted before the end of the reporting period

– Document any action taken based on analysis


Steps of Mock Audit

Ready

• Rally the troops and get a team together to gather all the necessary information: IT, Finance, Compliance, HIM, Clinicians

• Provide education to team on process

• CMS website: Tip sheets and FAQ

• Sample Audit Request

Set

• Gather Data as if submitting to Auditor

• Certified EHR

• CQMs

• Yes/No

• % Threshold Objectives

Go

• Challenge package – allow an outsider to take a look

• Review lessons learned from others

• If you find an issue – be prepared with a plan

• If using an external reviewer – consider “attorney client privilege”

Lessons Learned

Designate a single point of contact for communications with CMS auditor

Only provide the information being requested

Utilize a checklist, and answer as if auditor (yes or no)

Maintain all relevant data for 6 years

Log all documentation supplied to auditor

Protect patient information by de-identifying


Questions?

Brenda P. Christman, Member / Arnett Foster Toothman PLLC

[email protected]

614.223.9209


Appendix

Additional Guidance from CMS

Documentation for Non-Percentage-Based Objectives (three slides; only the titles survived extraction)

IT Security and Risk Analysis

Scott Stone

• CIO for Carbis Walker LLP

• Senior IT Consultant and Auditor for the CW Group

• 25 years in the IT industry

• 17 years with Carbis Walker LLP

• Master's Degree in Communications

• Trained Certified Ethical Hacker

• Sophos Firewalls Certified Engineer

• Certified in Microsoft, Cisco, Novell, etc.


What will we be covering?

Top 10 HIPAA IT Security Risk Areas

– Common Areas of Risk Found During IT Audits

– Ways to Mitigate IT Risk

– IT Trends In Health Care

– Reducing PHI On Your Network


IT RISK MITIGATION BASICS

• Laptops are encrypted

• Redundant Internet Access exists at all locations

• Good Antivirus is in place with Centralized Management

• BAAs up to date and being sent out

• Acceptable Use Policy is up to date and signed

• Disaster Recovery Policy is up to date

Top 10 IT Security / Risk Areas

1. Legacy Operating Systems

2. Patch Management – Microsoft and other software

3. Malware / Virus infections

4. Vendor Accounts

5. Virtualization – Server sprawl - Backups

6. Password Fatigue

7. Mobile Devices & BYOD (Bring Your Own Disaster)


Still using Windows XP?

Support Ended April 8th 2014

Other Legacy Operating Systems

End of Life Timelines:

• Windows 2000 Server – July 13, 2010

• AS400 – Prior to V5R4 (rel 2006) – Already EOL

• Novell 6.5 – Dec 31, 2014

• Windows 2003 Server R2 – July 14, 2015

• Windows XP Embedded – 1/12/2016
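The end-of-life dates above are only useful if they are checked against what is actually on the network. As an added example (not from the presentation), here is a small checker that takes a host inventory, compares each operating system against the dates listed on these two slides, and reports which hosts are already unsupported or will be within a planning window. The hostnames and inventory are constructed; the "Windows Server 2008 R2" entry is there only to show how an OS missing from the table is reported for manual follow-up.

```python
from datetime import date, timedelta

# End-of-support dates as given on the slides (Windows XP from the slide above).
# The slide lists AS400 releases prior to V5R4 as already end-of-life with no
# date, so those are matched by name rather than by date.
END_OF_LIFE = {
    "Windows XP": date(2014, 4, 8),
    "Windows 2000 Server": date(2010, 7, 13),
    "Novell 6.5": date(2014, 12, 31),
    "Windows 2003 Server R2": date(2015, 7, 14),
    "Windows XP Embedded": date(2016, 1, 12),
}
ALREADY_EOL = {"AS400 pre-V5R4"}


def support_status(os_name, as_of, warn_days=365):
    """Classify one operating system as of a given date.

    Returns "unsupported", "ending soon" (support ends within warn_days),
    "supported", or "unknown" when the OS is not in the table and needs a
    manual check against the vendor's lifecycle page.
    """
    if os_name in ALREADY_EOL:
        return "unsupported"
    eol = END_OF_LIFE.get(os_name)
    if eol is None:
        return "unknown"
    if as_of >= eol:
        return "unsupported"
    if eol - as_of <= timedelta(days=warn_days):
        return "ending soon"
    return "supported"


def eol_report(inventory, as_of, warn_days=365):
    """inventory: iterable of (hostname, os_name) pairs, e.g. exported from a
    software inventory system. Returns {hostname: status}."""
    return {host: support_status(os_name, as_of, warn_days) for host, os_name in inventory}


def hosts_needing_action(report):
    """Hostnames that are already unsupported or will be within the warning window."""
    return sorted(h for h, s in report.items() if s in ("unsupported", "ending soon"))


# Constructed sample inventory (hostnames are made up).
SAMPLE_INVENTORY = [
    ("lab-pc-01", "Windows XP"),
    ("file-srv-02", "Windows 2003 Server R2"),
    ("gw-netware", "Novell 6.5"),
    ("kiosk-07", "Windows XP Embedded"),
    ("ehr-app-01", "Windows Server 2008 R2"),
    ("as400-legacy", "AS400 pre-V5R4"),
]
PRESENTATION_DATE = date(2014, 10, 8)

if __name__ == "__main__":
    report = eol_report(SAMPLE_INVENTORY, PRESENTATION_DATE)
    for host, status in report.items():
        print(f"{host:14} {status}")
    print("needs action:", hosts_needing_action(report))
```

Run against the presentation date, the XP workstation and the AS400 come back unsupported, the Windows 2003 R2 file server and the NetWare box fall inside the one-year window, and the unknown entry is the reminder that the table must be maintained as the inventory changes.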

Patch Management

• Microsoft – Windows & Office = WSUS (Windows Server Update Services)

• Adobe – Acrobat / Reader / Flash

• Other Software (JAVA)

• Scripting of Updates

• Patch Management Systems

• Silent Updates

• Software inventory systems - reporting


Antivirus / Antimalware

• Becoming the same thing in some suites

• Reactive technology

• Must be centrally managed to be effective

• Response to AV infection = reimage machine

• Virus writing is an enormous business now (Zeus, RansomWare, Botnets)

• CryptoLocker

Value of a Hacked PC – krebsonsecurity.com

Vendor Accounts

• Vendors reuse or create poor passwords

• Often have constant access

• Lots of Vendors – Software, HVAC, Phone, etc.

• Hiring standards may not be solid

• Allow Limited IP Range for Access

• Ask what they have available to improve security

• Target Breach = Vendor Account

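"Allow Limited IP Range for Access" only helps if someone notices when a vendor account connects from somewhere else. As an added example (not from the presentation), this script keeps a per-vendor allow-list of networks and scans remote-access log lines for successful vendor logins from outside those networks. The account names, the networks (drawn from the RFC 5737 documentation ranges) and the log lines are all constructed for the example; the log format is an assumed one and would need to be matched to your VPN or remote-access product.

```python
import ipaddress
import re

# Constructed allow-list: vendor account -> networks the vendor has agreed
# to connect from. Anything else is worth a phone call.
VENDOR_ALLOWED_RANGES = {
    "hvac-vendor": ["203.0.113.0/24"],
    "ehr-support": ["198.51.100.0/25", "198.51.100.200/32"],
}

# Constructed sample remote-access log (assumed format, not real logs).
SAMPLE_LOG = """\
2014-10-08T02:14:07Z vpn login user=hvac-vendor src=203.0.113.44 result=success
2014-10-08T02:15:10Z vpn login user=ehr-support src=198.51.100.17 result=success
2014-10-08T03:01:55Z vpn login user=hvac-vendor src=192.0.2.99 result=success
2014-10-08T03:02:30Z vpn login user=ehr-support src=198.51.100.201 result=success
2014-10-08T03:03:10Z vpn login user=jsmith src=192.0.2.5 result=success
"""

LINE_RE = re.compile(r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)")


def outside_vendor_range(user: str, src: str) -> bool:
    """True when a vendor account logged in from an address outside its agreed
    networks. Non-vendor accounts return False: other controls cover them."""
    ranges = VENDOR_ALLOWED_RANGES.get(user)
    if ranges is None:
        return False
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return True  # an unparseable source address deserves a look as well
    return not any(addr in ipaddress.ip_network(r) for r in ranges)


def find_out_of_range_logins(log_text: str):
    """Return (timestamp, user, source) for each successful vendor login from
    outside the vendor's allowed ranges."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("result") != "success":
            continue
        timestamp = line.split(" ", 1)[0]
        if outside_vendor_range(m.group("user"), m.group("src")):
            alerts.append((timestamp, m.group("user"), m.group("src")))
    return alerts


if __name__ == "__main__":
    for timestamp, user, src in find_out_of_range_logins(SAMPLE_LOG):
        print(f"{timestamp} vendor account {user} connected from {src} (outside allowed range)")
```

In the sample, the HVAC vendor's second login and the EHR support login from 198.51.100.201 (just outside the /25 and not the single allowed /32) are reported; the employee account is ignored because this rule is only about vendor accounts. Failed logins are skipped here, but a run of failures from outside the range is its own signal and is easy to add.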


Virtualization / Backups

• Server Sprawl

• Hidden / Forgotten Systems

• HUGE Images / Data Sets

• Tapes / Portable Hard Drives / Cloud Backups

• Factors for every type:

– Encryption

– Portability

– Integration with DR policy


Password Fatigue

• Standard Policy – was 8$1C - now 12$1C

• Extended Change Intervals > 90 Days

• Password Fatigue Solutions

– Password Managers

• Lastpass

• RoboForm

– Biometrics

– Two Factor

• RSA Keys

• YubiKey

• FOBs with PINs


Mobile Devices & BYOD

• “Wild West” of IT Security

• Issues:

– Email everywhere – Attachments cached

– Notification of lost devices

– Remote wipe including personal information

– Expectation of privacy by the user

• Solutions:

– Newer versions of Exchange

– AirWatch, Sophos, MobileIron



Patient Portals

• Meaningful Use pushing implementation

• Internal IT staff generally not qualified

• Database (SQL) systems – target rich

• Easy Access ≠ Secure

• External testing is a minimum

• Solution providers starting to appear

• Heartbleed-type vulnerabilities likely

Old PHI On The Network

• Admission Forms / Face Sheets

• Incident Response Forms

• Old Billing Systems / Databases

• Patient care tracking excel sheets

• Solutions:

– Archive and remove from the network

– Create administrative access VLAN

– Automatic Cleanup Scripts

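The "Automatic Cleanup Scripts" and "Archive and remove from the network" bullets above can be combined into one tool. As an added example (not from the presentation), this script walks a file share, picks out files whose names match the kinds of documents the slide lists (face sheets, admission forms, incident forms, patient tracking spreadsheets, old billing databases) and that have not been touched for a long time, and moves them to an archive location while keeping their relative paths. The name patterns are a heuristic of my own, and the sample share it builds in a temporary directory contains only constructed placeholder files, no real PHI.

```python
import os
import re
import shutil
import tempfile
import time
from pathlib import Path

# File-name clues taken from the slide's list of where old PHI lingers.
PHI_NAME_PATTERNS = [
    re.compile(r"face[_ -]?sheet", re.IGNORECASE),
    re.compile(r"admission", re.IGNORECASE),
    re.compile(r"incident[_ -]?(report|response)", re.IGNORECASE),
    re.compile(r"patient[_ -]?(care|tracking)", re.IGNORECASE),
]
# Extensions typical of retired billing databases and their dumps.
DATABASE_EXTENSIONS = {".mdb", ".bak"}


def looks_like_phi(path: Path) -> bool:
    """Heuristic: name suggests patient paperwork, or it is an old database file."""
    if path.suffix.lower() in DATABASE_EXTENSIONS:
        return True
    return any(p.search(path.name) for p in PHI_NAME_PATTERNS)


def find_stale_phi_candidates(root, older_than_days, now=None):
    """Walk a share and return files that look like PHI and have not been
    modified within older_than_days. Review the list before archiving."""
    now = time.time() if now is None else now
    cutoff = now - older_than_days * 86400
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if looks_like_phi(p) and p.stat().st_mtime < cutoff:
                hits.append(p)
    return sorted(hits)


def archive_files(paths, root, archive_root):
    """Move each file under archive_root, keeping its path relative to root,
    so it leaves the shared location but stays retrievable for retention."""
    moved = []
    for p in paths:
        dest = Path(archive_root) / Path(p).relative_to(root)
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.move(str(p), str(dest))
        moved.append(dest)
    return moved


def build_demo_tree(base: Path, now: float) -> None:
    """Create a constructed sample share (placeholder content, no real PHI),
    backdating some files three years so the scan has something to find."""
    old = now - 3 * 365 * 86400
    samples = {
        "finance/FaceSheet_2009.pdf": old,      # old face sheet -> candidate
        "billing/old_billing.mdb": old,         # retired billing database -> candidate
        "finance/budget.xlsx": old,             # old, but name does not suggest PHI
        "nursing/patient_tracking.xlsx": now,   # PHI-like name, but still in active use
    }
    for rel, mtime in samples.items():
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("constructed sample content\n")
        os.utime(p, (mtime, mtime))


def run_demo():
    """Build the sample share in a temp dir, scan it, archive the hits and
    report what was found, what was moved and what was left in place."""
    now = time.time()
    with tempfile.TemporaryDirectory() as tmp:
        share = Path(tmp) / "share"
        archive = Path(tmp) / "archive"
        build_demo_tree(share, now)
        hits = find_stale_phi_candidates(share, older_than_days=365, now=now)
        moved = archive_files(hits, share, archive)
        return {
            "hits": sorted(p.name for p in hits),
            "archived": sorted(p.relative_to(archive).as_posix() for p in moved if p.exists()),
            "remaining": sorted(p.name for p in share.rglob("*") if p.is_file()),
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

On a real share the archive destination should itself be encrypted and access-restricted (the point of the next slide), and the first runs should be report-only so that the name heuristics can be tuned before anything is moved.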

Encrypting Data at Rest

• No real guidance from HHS

• Any stored data – servers, databases, etc.

• CDs, DVDs, backup tapes, hard drives, etc.

• Encryption solutions:

– Hardware (Brocade, CISCO, HP, etc.)

– Software (MS Bitlocker, Sophos, EMC, etc.)

• Long term key management and control



Review: Top 10 IT Security / Risk Areas

1. Legacy Operating Systems

2. Patch Management – Microsoft and other software

3. Malware / Virus infections

4. Vendor Accounts

5. Virtualization – Server Sprawl - Backups

6. Password Fatigue

7. Mobile Devices & BYOD (Bring Your Own Disaster)

8. Patient Portals – Website access

9. Old PHI on the network

10. Encrypting Data at Rest


Questions?

Scott Stone, Sr. IT Consultant / CIO

[email protected]

724.658.1565